Autorun.INF is normally used by CD installers to autoplay their setup program, but a hard disk should not have an AUTORUN.INF in the root of the drive by default.
You can check whether your computer is infected by one of these viruses by listing the hidden contents of each drive from the command prompt with the dir /ah command.
The said virus hides itself inside a folder named Recycled. The folder has the hidden, system and read-only attributes set, which is why you will not see it in the Search window or in Explorer's default view. Once your system is infected, the virus infects every drive connected to your PC: it drops VCAB.DLL into the Temporary Internet Files folder, creates CTFMON.EXE inside the Recycled folder and writes AUTORUN.INF to the root directory of every drive. That is why a USB stick plugged into an infected PC is infected immediately; the USB disk then becomes the new carrier for the virus. The program runs every time you start your computer because it copies itself into the Startup folder of the Start Menu. It also runs every time you insert an infected USB disk, and it is triggered every time you double-click the infected drive (because of the AUTORUN.INF). The virus also infects .EXE and .DLL files.
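To make concrete what the AUTORUN.INF the worm drops actually does when a drive is double-clicked, here is an added Python example (not code from the original post): a small parser for the autorun.inf INI format that lists the commands Windows would launch and flags the patterns described above. The sample file inside it is constructed to resemble the behaviour described on this page (payload under Recycled\, default double-click verb redirected) and is not a real malware sample; the folder names it treats as suspicious are this example's own heuristic.

```python
"""Parse an AUTORUN.INF and report what Windows would run from it.

Added example for this page (not code from the original post).  The sample
below is constructed to resemble the files the worms described here drop
and is not a real malware sample.
"""
import re
from typing import Dict, List, Tuple

# [autorun] keys that directly launch a program on AutoPlay.
EXEC_KEYS = ("open", "shellexecute")
# Folder names the worms on this page use to hide their payload.  Treating a
# command that points into them as suspicious is this example's own heuristic.
SUSPICIOUS_DIRS = ("recycled", "recycler", "system volume information")

# Constructed sample: payload under Recycled\, default verb redirected,
# plus a duplicate section that Windows ignores.
SAMPLE = r"""
; constructed sample modelled on the behaviour described on this page
[AutoRun]
open=Recycled\ctfmon.exe
ShellExecute=Recycled\ctfmon.exe
shell\Auto=&Open
shell\Auto\command=Recycled\ctfmon.exe
shell=Auto
icon=Recycled\ctfmon.exe,0
[autorun]
open=ignored.exe
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the first [autorun] section.

    Windows reads the file with the INI-file API: section and key names are
    case-insensitive, ';' starts a comment, only the first [autorun] section
    is used and, within it, the first occurrence of a key wins.
    """
    keys: Dict[str, str] = {}
    in_section = False
    seen_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            in_section = name == "autorun" and not seen_section
            seen_section = seen_section or in_section
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            keys.setdefault(key.strip().lower(), value.strip())
    return keys


def launched_commands(keys: Dict[str, str]) -> List[Tuple[str, str]]:
    """(trigger, command) pairs: the AutoPlay keys plus every context-menu verb
    defined via shell\\<verb>\\command.  A worm makes its verb the default with
    'shell=<verb>', so a plain double-click on the drive runs it."""
    cmds: List[Tuple[str, str]] = [(k, keys[k]) for k in EXEC_KEYS if k in keys]
    for key, value in keys.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            cmds.append(("shell\\" + m.group(1), value))
    return cmds


def suspicious_reasons(keys: Dict[str, str]) -> List[str]:
    """Explain why an autorun.inf looks like the ones described on this page."""
    reasons: List[str] = []
    for trigger, cmd in launched_commands(keys):
        if any(d in cmd.lower() for d in SUSPICIOUS_DIRS):
            reasons.append(f"{trigger} launches a program hidden in a recycle-bin folder: {cmd}")
    if "shell" in keys:
        reasons.append(f"default double-click action redirected to custom verb '{keys['shell']}'")
    return reasons


if __name__ == "__main__":
    parsed = parse_autorun(SAMPLE)
    for trigger, cmd in launched_commands(parsed):
        print(f"{trigger:>16} -> {cmd}")
    for reason in suspicious_reasons(parsed):
        print("SUSPICIOUS:", reason)
```

Run it against a real file with `parse_autorun(open(r"E:\autorun.inf").read())` after clearing the attributes as described further down; a legitimate installer CD normally has only `open=` or `shellexecute=` pointing at a visible setup program and no `shell=` redirection.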
To check whether your system is infected by the said virus without using an antivirus, do the following steps:
- Go to the command prompt.
- Type CD \ on drive C to go to the root directory.
- Type DIR /AH and press ENTER. This lists all hidden files and folders in the root of drive C.
- If you see a file AUTORUN.INF together with a folder Recycled, your system is infected. (On a FAT32-formatted drive Windows itself keeps a hidden system folder named Recycled for the Recycle Bin, and on NTFS it is named RECYCLER, so the folder on its own is not proof; an AUTORUN.INF in the root of a hard disk, or a CTFMON.EXE inside that folder, is the real indicator.)
- Try the same on your USB drive and check whether the USB stick contains the same folder and AUTORUN.INF; if it does, your system is really infected.
To remove it, download and install a trial version of Trend Micro and scan your system.
To remove it manually (I do not recommend this, especially if the Bacalid infection is widespread; try an antivirus such as McAfee or Trend Micro's PC-cillin instead), follow the steps below. These are the steps I take when I repair a computer without an internet connection. You should understand what you are about to do; you try it at your own risk!
Boot your system in Safe Mode.
- Go to the command prompt and, on drive C, run the following commands.
- Type -> ATTRIB -H -R -S AUTORUN.INF then press ENTER (the file is read-only, so DEL would fail without this).
- Type -> DEL AUTORUN.INF then press ENTER.
- Type -> ATTRIB -H -R -S Recycled then press ENTER.
- In Windows Explorer (still in Safe Mode), remove the folder Recycled on drive C; use Shift-Delete so it does not go to the Recycle Bin.
- Repeat the ATTRIB, DEL and folder-removal steps above for every drive of your system, including the USB drive.
- Search for CTFMON.EXE on your system using Search in the Start Menu. If you find a copy that is not located in C:\WINDOWS\SYSTEM32, delete it immediately, and do not forget to empty the Recycle Bin afterwards. (Usually the virus also copies itself into the Startup folder of the Start Menu; check whether the file is present there and delete it too.)
To disable AutoRun for drives (i.e. the behaviour where a drive, CD or USB stick opens or runs automatically when you double-click or insert it), follow these steps:
Click Start -> Run -> type REGEDIT.EXE
- Go to the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- Look for the entry NoDriveTypeAutoRun and double-click it (create it as a DWORD value if it does not exist).
- Enter the new value FF (hex), which turns off AutoRun for every drive type, and press ENTER.
- Reboot the system.
Viruses that use Autorun.INF
There are several viruses that use autorun.inf to spread themselves, such as Bacalid (which hides itself as ctfmon.exe) and RavMon.EXE. These viruses set their files to System+Hidden+Read-Only, so they do not show up in Explorer's default view and users and simple searches have a hard time finding them. They save themselves in the root directory of every available drive of the infected computer and run every time you double-click the drive. Infected USB sticks and CDs run the virus automatically as soon as they are inserted if AutoRun is enabled for that drive type, which it is by default.
Disable AUTORUN from Registry
You can also disable AutoRun for all drives by configuring the registry. Open the Registry Editor by typing regedit.exe at the command prompt (if you are still there) or in Run, and go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:
Double-click the NoDriveTypeAutoRun DWORD entry and enter the value FF (hex, 255 in decimal). (If it does not exist, create it by right-clicking the right-hand pane of the regedit window, then New -> DWORD Value -> type NoDriveTypeAutoRun.) Do not confuse it with the similarly named NoDriveAutoRun value, which is a different mask: its bits stand for drive letters (bit 0 = A:, bit 1 = B:, and so on), so FF there would only cover A: to H:, and covering A: to Z: needs 3FFFFFF. NoDriveTypeAutoRun has one bit per drive type (removable, fixed, network, CD-ROM and so on), which is why FF disables AutoRun for all of them. The same values can be set under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, where they apply to every user of the machine and take precedence over the HKEY_CURRENT_USER setting. Close the Registry Editor and restart the computer. This disables AutoRun for all drives and at least prevents the autorun function of infected USB drives or CDs, which is what viruses like Bacalid and RavMon.exe rely on to spread.
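To show why the exact value matters, here is an added Python example (not code from the original post) that decodes both policy values: NoDriveTypeAutoRun is one bit per drive type, so FF covers every type, while NoDriveAutoRun is one bit per drive letter, so FF only covers A: to H:. It also produces a .reg file body for the machine-wide setting. The helper names and the 0x91 Windows XP default constant are this example's own.

```python
"""Decode the two Explorer policy values that control AutoRun.

Added example for this page (not code from the original post).  The two
masks are read differently, one bit per drive *type* versus one bit per
drive *letter*, which is why FF means "everything" for NoDriveTypeAutoRun
and only "A: to H:" for NoDriveAutoRun.
"""
from typing import List

# NoDriveTypeAutoRun: one bit per drive type as returned by GetDriveType().
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR (no root directory)",
    0x04: "DRIVE_REMOVABLE (floppy, USB stick)",
    0x08: "DRIVE_FIXED (hard disk)",
    0x10: "DRIVE_REMOTE (network share)",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved (unknown type)",
}
XP_DEFAULT_TYPE_MASK = 0x91         # Windows XP default: unknown, network, reserved
ALL_TYPES_MASK = 0xFF               # the value this page recommends
ALL_LETTERS_MASK = (1 << 26) - 1    # 0x3FFFFFF: one bit for each of A: .. Z:
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def disabled_drive_types(value: int) -> List[str]:
    """Drive types for which NoDriveTypeAutoRun=value disables AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]


def disabled_drive_letters(value: int) -> List[str]:
    """Drive letters for which NoDriveAutoRun=value disables AutoRun
    (bit 0 is A:, bit 1 is B:, ... bit 25 is Z:)."""
    return [f"{chr(ord('A') + n)}:" for n in range(26) if (value >> n) & 1]


def letters_mask(letters: str) -> int:
    """Build a NoDriveAutoRun mask covering the given drive letters, e.g. 'EFG'."""
    mask = 0
    for ch in letters.upper():
        if not "A" <= ch <= "Z":
            raise ValueError(f"not a drive letter: {ch!r}")
        mask |= 1 << (ord(ch) - ord("A"))
    return mask


def autorun_policy_reg(type_mask: int = ALL_TYPES_MASK,
                       letter_mask: int = ALL_LETTERS_MASK) -> str:
    """A .reg file body that sets both values machine-wide.  HKLM is used
    because the HKLM policy takes precedence over the per-user HKCU one."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{POLICY_KEY}]\n"
        f'"NoDriveTypeAutoRun"=dword:{type_mask:08x}\n'
        f'"NoDriveAutoRun"=dword:{letter_mask:08x}\n'
    )


if __name__ == "__main__":
    print("NoDriveTypeAutoRun=0x91 disables:", disabled_drive_types(XP_DEFAULT_TYPE_MASK))
    print("NoDriveTypeAutoRun=0xFF disables:", disabled_drive_types(ALL_TYPES_MASK))
    print("NoDriveAutoRun=0xFF covers only:", disabled_drive_letters(0xFF))
    print(autorun_policy_reg())
```

Save the printed .reg text to a file and double-click it to apply; after a reboot, inserting a USB stick or double-clicking a drive will no longer execute anything from its autorun.inf, although the file itself is still there for a manual double-click on the payload.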
If you want to prevent viruses that use autorun.inf from infecting your USB flash drive, try this:
1. Open a command prompt (Start -> Run -> cmd.exe).
2. Change to your USB flash drive (e.g. if it is drive E:, type E: at the command prompt and press ENTER).
3. Create a folder named AUTORUN.INF in the root directory of your flash drive (type the command MD \AUTORUN.INF). If you get the error "A subdirectory or file AUTORUN.INF already exists", follow the removal instructions above to delete the existing autorun.inf first.
The reason this helps is that autorun.inf viruses usually create a file named autorun.inf in the root of the drive. With a folder of that name already there, a virus that simply tries to create or overwrite the file fails, because a folder and a file cannot share the same name. Be aware that this is only a speed bump: any program with write access to the drive can remove the folder (for example with RD /S) and then create its file, so a worm written with this trick in mind will get through. Disabling AutoRun as described above is the real protection.
Thank you for the good information~~*
Please come back to visit my blog too: http://about-computerrepair.blogspot.com/
I'm sorry if you think this is spam, but may I thank you again.
Bye
Though I have not tried it yet, it is logical, so I am sure it will work. Good work.
Thanks
Nice one,
I really liked the idea of the "autorun.inf" directory.
The only problem now is that it seems to loop trying to create its own file, and I don't know how to stop it :S
Trend Micro for some reason didn't show me that virus, but NOD32 did. NOD32 doesn't let that file be created, but when I take that U3 DiskOnKey to another computer it seems to create it over again.
Thanks anyway
I need help I wanna know how to make an autorun virus…
To prevent these kinds of viruses from infecting your PC, you need to disable the autorun function on your computer. Unfortunately, just shutting down autoplay is not a fix. You might think that you could protect yourself from AutoRun by adding two (2) keys to your Registry (NoDriveAutoRun and NoDriveTypeAutoRun), but these keys can be overridden by some programs.
The solution is here:
1. Start Notepad [Start Menu - All Programs - Accessories - Notepad] or right-click any empty space on your desktop and select New - Text Document.
2. Copy the following text. (Note: everything in between the square brackets should be on one line.)
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
3. Save the file with any name, like DisableAutoRun.reg (the .reg extension is the important part).
4. Double-click your newly created registry file. Choose Yes or Continue at the warning that appears.
My system is infected by autorun.inf.
Instead of the drive's icon, it shows thb.ico.
Also the name of the drive has changed.
Please tell me how to correct it.
I tried the above method but it didn't work.
Not even my updated ESET NOD32 antivirus could correct it.
On opening Orkut in an internet tab, it shows a "jammer virus" infecting...
My friend gave me some advice, if there is no autorun.inf yet on your system.
This is just simple.
Create a folder and rename it AUTORUN.INF.
Make sure there is at least a single file in it. Any file, even a .txt file with a sentence or phrase; any file would do. Usually what I do is create a file in Notepad and save it as .txt, or even an .mp3 file.
Why?
If there is an autorun.inf on your system, the autorun.inf virus will not replicate, since it will think it IS infected, but the fact is IT IS NOT. It's like fooling the virus.
Where to place the folder?
In the root directories of your drives:
C:, where the Windows folder and Documents and Settings folder are found
D:, if you have a second drive or a partition
E:, if you have a USB drive
The thing is, place it in the ROOT directory of ALL your DRIVES.
Thanks for this useful article.
i hope I can solve my pc problems.
regards 🙂
Hey, useful tip, but whenever I do this, it says "autorun.inf cannot be found". What should I do?
thanks in advance. 😀
Thanks buddy, I've had this problem for a while now. Removing the "RECYCLER" (in my case) fixed it after a reboot.
Thank you very much.
I encountered the autorun.inf virus recently on all three of my flash drives and it was a bugger to remove. I spent (literally) hours at the Command Prompt trying to get rid of the ASHR on it. So I finally typed "edit e:\autorun.inf". I found that there was something called "RECYCLER\INFO.exe" that was re-SHR-ing autorun.inf every time I un-SHR'd it. So I began work on un-SHR-ing RECYCLER\INFO.exe. I would un-SHR it, but when I typed "del e:\recycler\info.exe" it would tell me the file was not found. I was pretty PO'd at this point, so I quit. Then today I had an idea. My mother is a teacher and the school district buys Macintosh computers. Macintosh computers (however lousy they may be) do not have the 'SH' possibility; so I plugged in my flash drives and the autorun.inf and RECYCLER files popped right up. I deleted autorun.inf with ease, but it wouldn't let me delete RECYCLER. I deleted its contents. I then plugged my flash drives back into the PC. IT WAS BACK!! So I moved back to the Mac and deleted autorun.inf and RECYCLER's contents again, but this time I made a file named "autorun.inf" and files inside RECYCLER named "desktop.ini" and "info.exe". I plugged my flash drives into the PC, and the virus was gone, because there were files by their names already, so they could not remake themselves under their appointed names. My problem was solved.
So here are the steps:
1. Plug your infected flash drive into a Macintosh.
2. Delete autorun.inf and the files in RECYCLER, or whatever your re-SHR-er file is.
3. Make files with the deleted files' names in the same spots the original files were located (i.e. if the original virus path was e:\RECYCLER\, you would put the file with the virus's name in RECYCLER on drive e).
4. Your problem is solved!
Dear Sir/Madam,
Could you help me? My computer has a virus inside.
I cannot run regedit and cannot run cmd from Run; after typing cmd and pressing Enter it shows "press any key to continue", but when I press any key the command prompt exits.
My computer already has Symantec antivirus.
My pen drive got infected with autorun.inf. Could you please tell me how I can remove it?
The best free antivirus download is at ESET NOD32 Smart Security 4 and ESET NOD32 Antivirus4
It grabbed my interest and I could read it over and over again. I really like this content. Thank you.
http://www.y8flashgames.net