"The number one benefit of information technology is that it empowers people to do what they want to do. It lets people be creative. It lets people be productive. It lets people learn things they didn't think they could learn before, and so in a sense it is all about potential".

Home » Post Item » how to remove autorun.inf virus

how to remove autorun.inf virus

January 30, 2008

Autorun.inf virus removal 

Autorun.INF is usually used by CD Installers to autoplay their installations but Hard disks by default should not have AUTORUN.INF in the drive.

Now, it is possible that your computer is infected by those viruses if you try to display the content of  the your computer through command prompt, using the dir /ah command.

 

 The said virus hides itself inside a folder named Recycled. The folder has a hidden/system/read-only attribute, that’s why you can’t see it if you will use the Search window. When your system is infected by the said virus, it infects every drive connected to your PC by dropping VCAB.DLL to the internet temporary folder and creating the CTFMON.EXE to folder Recyled & AUTORUN.INF to the root directory of every drive. That’s why when you connect your USB sticks to the infected PC it will be infected immediately, the USB disks will be the new carrier for the virus. The program runs every time you start your computer because it copy itself in the Startup folder of the Start Menu. It also run every time your insert the infected USB disk and it triggers every time you Double-Click the infected drive (bcoz of the AUTORUN.INF). The virus infects .EXEs and .DLLs.

To check if your system is infected by the said virus without using an antivirus, do the following steps:

  1. Go to command prompt.
  2. Type CD\ in drive C to go the root directory
  3. Type DIR /AH and press ENTER key. This will display all hidden files in your drive C
  4. If you see a file AUTORUN.INF and a folder Recycled, then your system is infected.
  5. Try doing this to your USB drive and check if your USB stick contains the same folder and AUTORUN.INF, if it does then your system is really infected..


To remove it download and install a trial version of Trendmicro and scan your system.

 To manually remove it (but i’m not recommending it especially if the infections of Bacalid is very high try using an anti-virus such as McAfee or TrendMicro’s PCCillin) follow the following steps (This is the step I take when i repair my computer without an internet connection. Note you should understand what you’re about to do, you try it at your own risk!)

Boot your system in Safemode

  1. Go to command prompt, in Drive C do the following commands.
  2. Type -> ATTRIB -H -R -S AUTORUN.INF then press enter
  3. Type -> DEL AUTORUN.INF then press enter
  4. Type -> ATTRIB -H -R -S Recycled then press enter
  5. In Windows Explorer in Safemode, remove the folder Recycled in drive C use Shift-Delete to delete the folder.
  6. Repeat Step 3 to 6 for all drives of your system including the USB drive.
  7. Search for CTFMON.EXE in your system using the Search of Windows found in Start Menu. If you find a file that is not located in C:\WINDOWS\SYSTEM32, delete it immediately. Dont forget to empty the recycle bin afterwards (Usually the virus will copy itself in the Startup folder of the Startmenu. Check if the file is present there and delete it then.)

 To disable autorun of drives (i.e. everytime you double-click a drive or cd or usb, it is auto open) follow the following step:

 Click Start->Run->type REGEDIT.EXE

  1. Go to this key from the register HKEY_CURRENT_USER\Software\ Microsoft\Windows\CurrentVersion\Policies\Explorer
  2. Look for the entry NoDriveTypeAutoRun, double click the entry
  3. Type a new value : 0FF (Hex) for the NoDriveTypeAutoRun, this will turn off the AutoRun for all drives, and press ENTER
  4. Reboot the system.

Viruses that uses Autorun.INF

 There are several viruses that uses the autorun.inf to spread itself such as the Bacalid (hides itself in ctfmon.exe) and the RavMon.EXE. These viruses set its file attributes to System+Hidden+Read-Only attributes so some anti-viruses will have a hard time detecting or finding them. These viruses save itself in the root directory of every available drives of the current infected computer and runs itself every time you Double-Click the drive. In USB Sticks and CDs that are infected by the virus runs automatically especially if drive autorun is enabled for the current drives (which is usually by default, autorun for drives are enabled). 

Disable AUTORUN from Registry 

Now you can disable the AUTORUN for all drives by configuring the registry. Open the registry by typing regedit.exe to the command prompt (if your still at the command prompt) or execute it in Run. Look for the HKEY_CURRENT_USER\Software\ Microsoft\Windows\CurrentVersion\Policies\Explorer as shown below:

Double-click the NoDriveAutorun DWORD entry and type the value HEX: FF (255 in Decimal). (If the NoDriveAutorun does not exists, you can creat it by right-clicking the right side area of the regedit window, then click New->DWord Value -> type NoDriveAutorun) Close the registry and restart the computer. This procedure will disable all the autorun for all drives of your computer and at least will prevent the autorun function of infected USB drives or CDs and avoid the infection of viruses like the Bacalid and RavMon.exe

If you want to prevent viruses that uses autorun.inf  to infect your USB flash drive, try to do this:

1. Open your flash drive via Command Prompt (do this via Start->Run->cmd.exe) 

2. Change your logged drive to your USB flash drive (e.g. if your drive is at drive E: then type E: on the command prompt then press enter)

3. Create a folder named: AUTORUN.INF on the root directory of your flash drive. (to do this type the command: MD\AUTORUN.INF). If an error: a subdirectory already exists… shows, try to follow the instruction above to remove existing autorun.inf before doing this instruction.

The reason why this will avoid future infection is that autorun.inf viruses usually generates a file autorun.inf. Having an AUTORUN.INF folder on the root directory of your drives will make virus programs unable to create their own autorun.inf file, virus can’t even overwrite it because it’s a folder and not a file…

See all Related Post…

 



Share and Enjoy:
  • del.icio.us

Posted by edzzy at 1:23 pm | permalink

Previous Comments

thanks bro… its helps me get rid of that annoying virus.. more power!

Posted by nex at February 16, 2008, 6:19 am

i have tries this process and its an efficient method of deleting the these kinds of viruses,it helped me alot for maiking my computer virusfree.
Thanks

Posted by ankit at February 22, 2008, 10:49 pm

Ive written a detailed blog about removing the autorun.inf virus and other issues at http://andback.wordpress.com

also talks about removing those viruses which even the antivirus cant remove and to revert back to settings prior to infection. and fixing the hidden folder and task manager disabled thing.

Hope this helps too.

Posted by Anurag at March 22, 2008, 1:33 am

wow!!!!!!!! its great really it helped me very much thank u very much!!!!!!!

Posted by Harshit at June 23, 2008, 2:00 am

Hi,m name is SUDATTA PADHYE.When I go in the folder option and click on Show hiden files and folders hidden files are not displayed.PLz help me to remove the virus.

Posted by sudatta at September 13, 2008, 2:22 am

Thank you so much. I was able to remove the pesky autorun.inf and the MyMP3.vbs in my Creative Zen Stone Plus. Keep up the good work!

Posted by mahavatar at September 23, 2008, 7:10 pm

Hi! im Victor from the philippines. this really helps but how can i enable my task manager when it is disabled? it was disabled by that darn brontok virus. please help me

Posted by Victor Topacio at September 30, 2008, 1:01 pm

HI again.. i try the command prompt that your telling..
i didnt see autorun there but there is RECYCLER like in your example..
so whats that..
is my pc infected or what..

Posted by peygaspar at October 9, 2008, 2:20 am

Thank you very much, I appreciate your kindness, by giving these types of helps to the users.

Posted by Fareed at December 2, 2008, 7:30 pm

have a prov wit my old n6600 it was ifected by commwarrior virus.i already scan and remove it wit zeon anti virus but it didnt work and iha rformat it already.but wen i restart the pone virus came again.is it has a auto run?

Posted by edgar at December 22, 2008, 11:25 am

Hi. I am having trouble with my pc. again, it has to do with the autorun.inf.

i tried deleting “autorun.inf” using the command prompt two months ago. however, the virus scanner - AVG (i’m not really sure if this thing works!) keeps on detecting it after several attempts of deleting via command prompt. during that time, i am not using any removable disk.

so, i finally give up. nevertheless, i am continuously irritated by the scan result of AVG that there still an autorun.inf, although it has been “healed” during the previous scanning. this time, i really have to use the flash disk to transfer my school files.

so, hoping to clean the flash disk, i tried doing it using the command prompt but i was NOT able to have an access. the pc is automatically turned off. i tried doing it again (after turning on the system) and the pc turned off on me the second time when i tried to access command prompt.

What shall i do??? PLEASE HELP.

P.S. i know you can also help me with this: everytime i turn on my pc, i have to wait a considerable number of minutes before i can use it. Furthermore, this message pops up (notepad):

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

What shall i do? PLEASE HELP.

Posted by Caren at January 23, 2009, 8:26 am

thanks, this will help many people like me that is very annoyed by this kind of virus.

Posted by phoenic at March 7, 2009, 3:37 pm

good day!
Ive been following your blog for a month now and i am very interested with the tips and tricks that you share here.
i have a question: what specific damages does autorun.inf virus do to a computer that is affected?

and which among trend micro’s free trial downloads must I get? i have a very slow connection and every download I do is precious..given the longer download time that i must endure and have to wait for..hehe..you know what i mean .:)

hope you get to me soon.

thank you and more power!!

Posted by Arcel at April 7, 2009, 12:33 pm

All comments are moderated. Your comments will not appear here unless approved by the blog owner. Thank you.

Add a comment