My gateway laptop has Windows XP Pro installed and I am doing some projects on it. I usually use up most of its memory by launching too many applications at the same time, which is not recommended. When one of them fails and hangs, I simply press CTRL + ALT + DEL to open the Task Manager window and end the application, or the .exe file under the Processes tab. It is frustrating when you cannot launch the Task Manager and it says "Task Manager has been restricted by an administrator". This means my Windows registry has been tampered with by malicious viruses.
What I do next is launch the registry editor by typing "regedit" (without the quotation marks) and pressing the Enter key, then manually disable the entries prohibiting the launching of the Task Manager. Another way is to start it by typing "cmd" at Run, or by opening Start menu > Programs > Accessories > Command Prompt, and then typing "regedit"; but the editor window only opens up for about 10 milliseconds. It is present, but it can't be launched. Your system will restart every time you launch the command prompt in either way.
Updating my McAfee ver 8.5i with its latest virus definitions and scanning my computer solves the problem, but wait! We're not done yet. Autorun.inf still has to be deleted manually.
There are several viruses that use autorun.inf to spread themselves, such as Bacalid, which hides itself in ctfmon.exe, and RavMon.EXE. These viruses set their file attributes to System+Hidden+Read-Only. These attributes make it hard for some antivirus programs to detect them. These viruses save themselves in the root directory of every available drive of the infected computer and run themselves every time you open the drive. Both USB sticks and CDs are infected by the virus, which runs automatically, especially if drive autorun is enabled for the current drives, which it usually is by default.
Autorun.INF is typically used by CD Installers to autoplay their installations, but Hard disks by default should not have AUTORUN.INF in the drive.
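Before deleting a suspicious autorun.inf it helps to see which programs it would start, because those files also need removing. The following is an added example, not part of the original post: a small Python parser that lists the launch entries of an autorun.inf, run here on a constructed sample (the file contents and the helper names are assumptions made for illustration).

```python
# Added example (not from the original post): list what an autorun.inf would launch.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample, not a captured file.
SAMPLE = r"""
; constructed sample for illustration
[AutoRun]
open=RECYCLER\INFO.exe
shell\open\command = RECYCLER\INFO.exe
shell\explore\command="RECYCLER\INFO.exe" e
icon=%SystemRoot%\system32\shell32.dll,4
label=My Drive
"""

def launch_entries(text):
    """Return [(key, command)] for each [autorun] entry that starts a program."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()                            # keys are case-insensitive
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            entries.append((key, value))
    return entries

def program_of(command):
    """Program path of a command line, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""

def targets(text):
    """Unique program paths named by the launch entries, in first-seen order."""
    seen = []
    for _, command in launch_entries(text):
        program = program_of(command)
        if program and program.lower() not in (p.lower() for p in seen):
            seen.append(program)
    return seen

if __name__ == "__main__":
    for key, command in launch_entries(SAMPLE):
        print(f"{key:24} -> {command}")
    print("files to inspect:", targets(SAMPLE))
```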
When I am finished updating my antivirus software and scanning the hard drive, I display the contents of my root directory C:\ from the command prompt using the dir /ah command. The following information should then be displayed:
You can see from this window that drive C contains a hidden file autorun.inf; this indicates that the computer may be infected. To erase it, restart Windows in Safe Mode with Command Prompt. This is done by rebooting your computer, pressing F8 before Windows starts, and selecting that mode from the advanced options menu. On drive C and all other root directories type the following commands:
1. attrib -h -r -s autorun.inf
2. del autorun.inf
Repeat these steps for the root directories of all the other drives to disable autorun.inf.
Disable AUTORUN from Registry
Now you are able to disable AUTORUN for all drives by configuring the registry. Open the registry editor by typing regedit.exe at the command prompt (if you're still at the command prompt), or open Run, type regedit and press Enter. Look for the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer as shown below:
Double-click the NoDriveAutorun DWORD entry and type the value HEX: FF (255 in Decimal). If NoDriveAutorun does not exist, you can create it by right-clicking the right side area of the regedit window, then clicking New -> DWORD Value and typing NoDriveAutorun. Close the registry and restart the computer. This procedure will disable autorun for all drives of your computer and should prevent the autorun function of infected USB drives or CDs and avoid infection by viruses like Bacalid and RavMon.exe/Ravmone.exe.
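The value FF is a bitmask, and Windows has two similarly named policy values that read it differently: NoDriveTypeAutoRun has one bit per drive type, while NoDriveAutoRun has one bit per drive letter (bit 0 = A:). The following is an added example, not part of the original post, that decodes a value under both readings so you can check what a given setting actually covers; the function names are assumptions made for illustration.

```python
# Added example (not from the original post): decode the two AutoRun policy bitmasks.
import string

# NoDriveTypeAutoRun: bit n corresponds to Windows drive type n.
DRIVE_TYPE_BITS = {
    0x01: "unknown type",
    0x02: "no root directory",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "reserved",
}

def types_blocked(value):
    """Drive types with AutoRun disabled when value is stored in NoDriveTypeAutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]

def letters_blocked(value):
    """Drive letters with AutoRun disabled when value is stored in NoDriveAutoRun."""
    return [c for i, c in enumerate(string.ascii_uppercase) if value & (1 << i)]

def letters_uncovered(value):
    """Drive letters that a NoDriveAutoRun value leaves with AutoRun enabled."""
    blocked = set(letters_blocked(value))
    return [c for c in string.ascii_uppercase if c not in blocked]

def mask_for_letters(letters):
    """Build the NoDriveAutoRun value that disables AutoRun on the given letters."""
    mask = 0
    for letter in letters:
        mask |= 1 << (ord(letter.upper()) - ord("A"))
    return mask

if __name__ == "__main__":
    value = 0xFF  # the value used in the procedure above
    print("as NoDriveTypeAutoRun:", ", ".join(types_blocked(value)))
    print("as NoDriveAutoRun    :", "".join(letters_blocked(value)),
          "blocked;", "".join(letters_uncovered(value)), "not covered")
    print("all 26 letters       : 0x%08X" % mask_for_letters(string.ascii_uppercase))
```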
I do hope this helps you in some way. Enjoy!
Thanks to my friend bleuken for sharing his ideas.
thank u very very much it helped me a lot
Posted by sayeed at July 3, 2008, 1:16 am
I really appreciate this site
thanks a lot
Well done
I have a question, it says on your image NoDriveTypeAutorun, should we use that or the NoDriveAutorun for disabling the Autorun?
Thanks for the tip. I hope you post a blog on how to prevent viruses from getting inside your USB. Thanks again.
Posted by Ragnarok at August 21, 2008, 9:25 am
I ran Safe Mode but no autorun.inf file was in my c, e, or f drive as indicated by BitDefender. I rebooted and it seems to be normal. Is this a false reading by BitDefender? I had this a week ago and ran a full antivirus scan and it found some then.
Posted by Ken at January 21, 2009, 1:32 pm
I encountered the autorun.inf virus recently on all three of my flash drives and it was a bugger to remove. I spent (literally) hours on Command Prompt trying to get rid of the ASHR on it. So I finally typed “edit e:\autorun.inf”. I found that there was something called “RECYCLER\INFO.exe” that was re-SHR-ing autorun.inf every time that I un-SHR’d it. So, I began work on un-SHR-ing RECYCLER\INFO.exe. I would un-SHR it, but when I typed “del e:\recycler\info.exe” it would tell me the file was not found. I was pretty PO’d at this point, so I quit. Then today I had an idea. My mother is a teacher and the school district buys Macintosh computers. Macintosh computers (however lousy they may be) do not have the ‘SH’ possibility; so, I plugged in my flash drives and the autorun.inf and RECYCLER files popped right up. I deleted autorun.inf with ease, but it wouldn’t let me delete RECYCLER. I deleted its contents. I then plugged my flash drives back in the PC. IT WAS BACK!! So, I moved back to the Mac and deleted autorun.inf and RECYCLER’s contents again, but this time I made a file named “autorun.inf” and files inside RECYCLER named “desktop.ini” and “info.exe”. I plugged my flash drives into the PC, the virus was gone because there were files by their name already, so they could not remake themselves by their appointed name. My problem was solved.
So here are the steps:
1 Plug your infected flashdrive into a Macintosh
2 delete autorun.inf and the files in RECYCLER or whatever your re-shr-er file is
3 make files with the deleted files’ names in the same spots the original files were located (i.e. if the original virus path was e:\RECYCLER\ you would put the file with the virus’ name in RECYCLER in drive e)
4 your problem is solved!
excellent dude its working. thanks for ur help.
Posted by prashanth at July 1, 2009, 6:41 pm
excellent dude its working. thanks for ur help. thanx
Posted by prashanth at July 1, 2009, 6:44 pm
hello i’m using windows xp… tried deleting the autorun.inf virus in command but the message “access denied” keeps popping up.. what should i do.. also my computer is being plagued by the recycler and system volume information virus…
Posted by mhel at July 10, 2009, 1:09 pm
great work… Thanks for the information.
Posted by Computer Support at December 16, 2009, 5:55 pm
WHAT ARE THE OTHER NAMES OF THESE VIRUSES? COZ I DON’T SEE RAVMON OR BACALID IN MY SYSTEM THOUGH A VIRUS SPREADS ON MY USB EVERY TIME I PLUG IT IN. PLS HELP!
Posted by WEW at June 23, 2010, 8:51 am
GREAT !! MATE,
GOOD POST
THANKS A LOT
Posted by CARLOS E at April 12, 2008, 10:42 pm