AUTORUN.INF viruses are viruses that use the Autorun feature of Windows to spread themselves between computers. Such a virus copies an autorun.inf file to the root (main) directory of every drive on your PC, internal and external, so that the virus runs every time an external disk such as a pen drive or USB drive is inserted, or every time you double-click the drive in Windows Explorer. Many of these infections were found in Bolivia, Viet Nam, Ecuador, Pakistan, Philippines, India, Indonesia, Malaysia, Colombia and Mexico (this list of countries is based on the Google Trends results for the AUTORUN.INF VIRUS keyword search: http://www.google.com/trends?q=autorun.inf+virus). Based on the same source, late 2007 was the peak of this kind of computer virus infection, but it also shows that in 2008 autorun.inf viruses are still prevalent and keep on spreading. That's why I decided to write an article about the autorun.inf virus. Known virus variants of this kind are YahLover (which uses scvhost.exe and killer.exe), Bacalid (which uses ctfmon.exe), IMGKULOT and the FAIZAL.JS virus.
1. Download DISABLE-AUTORUN.REG and save this file on your computer. After downloading the file, open the folder where you saved it and double-click the file. Registry Editor will ask you to confirm that you want to proceed; just click the Yes button to continue. (If you see a different message, such as "Registry editing has been disabled by your administrator", your PC is possibly already infected by a virus that prevents registry access. To correct this, read the section on Removing Autorun.INF virus.) Restart your computer to apply these changes.
2. Another method is to create an AUTORUN.INF folder in the root directory (the main directory, usually represented by the backslash symbol \) of each drive. You can do this via Windows Explorer or Command Prompt, but I recommend the Command Prompt method.
To run Command Prompt, click Start then Run, or press the key combination Winkey + R. Type CMD then press Enter. This opens the black-and-white environment. At the prompt, type

MD C:\AUTORUN.INF

then press the Enter key. Repeat this procedure for other hard drives and USB drives; just replace the letter C in the command with the appropriate drive letter of each storage device. If this fails, your computer may already be infected by the virus, so read the next section for the solution to this problem.
CD \
This changes the current folder to the main directory of drive C.

DIR /AH
Displays all files that are hidden. A virus usually hides its files by setting the Hidden and System attributes. If you find a file named AUTORUN.INF, it confirms the infection of the virus.

TYPE AUTORUN.INF
This shows the content of the file autorun.inf. In the picture below you will see that the name of the virus is SAMPLE-VIRUS.EXE; the name usually appears on the Open, Explore or Shell line of autorun.inf. This shows that the virus carrier is the file SAMPLE-VIRUS.EXE.
[Picture: Command Prompt window after DIR /AH and TYPE AUTORUN.INF]

3. To remove the infection based on the analysis above, type the following command:
DEL C:\AUTORUN.INF

Repeat this step for other drives by replacing C:\ with other letters.
4. To make sure that the carrier will not run during start-up, you need to make sure that it is disabled. Do this using the MSCONFIG tool of Windows.
In the same Safe Mode Command Prompt, type MSCONFIG. This runs the System Configuration Utility. As shown below, uncheck the suspected file. This disables it at start-up so that it will not run again. To see other places where programs are placed to run on startup, see my previous post: How to Determine the Windows Startup Programs?
[Picture: System Configuration Utility window]

Note: This manual removal is only recommended when your installed anti-virus is not working due to the said autorun.inf virus infection. My advice is that once the virus has been removed manually, try reinstalling or installing an antivirus, update your virus definition file and scan your system to ensure a virus-free PC. If the steps specified here do not work for you, use TrendMicro HijackThis (it is free and downloadable). Use it to analyze the system and produce a file called HIJACKTHIS.LOG. Send the hijackthis.log produced to my email address so that I can analyze it and suggest an appropriate solution for it.

http://www.bleuken.com/2008/07/01/preventing-and-removing-autoruninf-virus/
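The TYPE AUTORUN.INF analysis step above, as an added example that is not part of the original article: a small Python parser that lists the program named on the open, shellexecute and shell\...\command lines of an autorun.inf file, which is how the carrier is identified by hand. The sample file content is constructed for illustration, and the function names are hypothetical.

```python
import re

# Keys in the [autorun] section whose value is a command line that Windows runs.
COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def autorun_commands(text):
    """Return (key, program) pairs for every launch entry in autorun.inf text."""
    found, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("["):                    # section header
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not COMMAND_KEY.match(key):              # e.g. icon= or label=
            continue
        # Program is the quoted string, or else the first whitespace-delimited token.
        m = re.match(r'"([^"]+)"|(\S+)', value)
        if m:
            found.append((key.lower(), (m.group(1) or m.group(2)).upper()))
    return found

def carriers(text):
    """Unique program names referenced by the file, in order of first appearance."""
    seen = []
    for _, prog in autorun_commands(text):
        if prog not in seen:
            seen.append(prog)
    return seen

# Constructed sample, modelled on the SAMPLE-VIRUS.EXE case in the article.
SAMPLE = r"""
; constructed example
[AutoRun]
open=SAMPLE-VIRUS.EXE
shell\open\Command=SAMPLE-VIRUS.EXE
shell\explore\Command="SAMPLE-VIRUS.EXE" -e
icon=folder.ico
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, prog in autorun_commands(SAMPLE):
        print(f"{key:24} -> {prog}")
    print("Carrier file(s):", carriers(SAMPLE))
```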