Remove Autorun.inf (Removal Guide)

Thursday, October 3, 2013
Posted by silent aja

Autorun.inf Description


Autorun.inf is a generic file used to determine basic computer behavior for CDs. Although harmless in and of itself, Autorun.inf may also be used to run harmful Trojans and other malware. Since the probability of infecting other systems with a CD infected by a malicious Autorun.inf file is very high, you should make every effort to delete the infection before using the CD further. An Autorun.inf infection is rarely the only case of infection in a system, and will usually only be a symptom of other malware problems that should also be taken care of.

Getting to Know Autorun.inf


Legitimate software uses Autorun.inf to run program menus instantly when the CD is placed in the computer’s drive. The Autorun.inf file can also determine the kinds of menu commands shown when right-clicking the drive icon, as well as icons that show up when the CD is being read. Autorun.inf is a simple text file that takes up negligible space and has no real functionality besides the above-mentioned capabilities.
 
In most cases, both benign and malware-based, Autorun.inf will be set to have the Hidden attribute. This makes Autorun.inf invisible to any users who’ve retained the default file viewing settings that prevent Hidden files from being seen.

If you want to see whether a CD has an Autorun.inf file or not, alter your file viewing settings appropriately.
 
Legitimate software CDs don’t spontaneously acquire Autorun.inf, but have the Autorun.inf file included along with all other basic program files. If a CD was previously lacking in an Autorun.inf file but suddenly shows one, then it’s highly likely that this was caused by a Trojan or other kind of malware.

Autorun.inf’s Fall to Malware


Unfortunately, despite its useful applications, Autorun.inf can also be created and used by malware. Typically this will cause the CD in question to run the malware instantly as soon as the CD is inserted into any computer’s drive. This allows infections to spread very rapidly if not identified quickly. Infections will not necessarily show any obvious signs of interfering with the new victimized computer, since many kinds of malware are designed to stay hidden even during installation.
 
The original malware that creates the abusive Autorun.inf file may or may not allow you to delete Autorun.inf directly. In most situations, one should reboot into Safe Mode and use security software to scan for and delete the infection in all its forms. Only once the infection is deleted are you guaranteed the ability to remove the corrupt Autorun.inf file permanently.
 
Since Autorun.inf is a text file, one may be able to inspect the contents of the file to discern whether it is an infection or a legitimate inclusion. As a commonly-used software element, Autorun.inf’s presence isn’t necessarily harmful. However, one shouldn’t neglect the possibility of infection when Autorun.inf is present, and should be ready to use anti-malware programs to remove corrupt Autorun.inf files whenever reading a new CD.

Remove autorun.inf
The said virus hides itself inside a folder named Recycled/Recycler. The folder has the hidden/system/read-only attributes, which is why you can’t see it if you use the Search window. When your system is infected by the said virus, it infects every drive connected to your PC by dropping VCAB.DLL into the temporary Internet folder, creating CTFMON.EXE in the folder Recycled, and creating AUTORUN.INF in the root directory of every drive. That’s why your USB sticks are infected immediately when you connect them to the infected PC; the USB disks become the new carrier for the virus. The program runs every time you start your computer because it copies itself into the Startup folder of the Start Menu. It also runs every time you insert the infected USB disk, and it triggers every time you double-click the infected drive (because of the AUTORUN.INF). The virus infects .EXEs and .DLLs.
To check if your system is infected by the said virus without using an antivirus, do the following steps:
1. Go to command prompt.
2. Type CD\ in drive C: to go to the root directory
3. Type DIR /AH and press ENTER key. This will display all hidden files in your drive C:
4. If you see a file AUTORUN.INF and a folder Recycled, then your system is infected.
5. Try doing this on your USB drive and check whether your USB stick contains the same folder and AUTORUN.INF; if it does, then your system is really infected.
To remove it manually, follow these steps (Note: you should understand what you’re about to do; you try it at your own risk!)
Boot your system in Safemode
1. Go to command prompt, in Drive C do the following commands.
2. Type -> ATTRIB -H -R -S AUTORUN.INF then press enter
3. Type -> DEL AUTORUN.INF then press enter
4. Type -> ATTRIB -H -R -S Recycled then press enter
5. In Windows Explorer in Safemode, remove the folder Recycled in drive C use Shift-Delete to delete the folder.
6. Repeat Step 3 to 6 for all drives of your system including the USB drive.
7. Search for CTFMON.EXE in your system using the Windows Search found in the Start Menu. If you find a file that is not located in C:\WINDOWS\SYSTEM32, delete it immediately. Don’t forget to empty the recycle bin afterwards. (Usually the virus will copy itself into the Startup folder of the Start Menu. Check whether the file is present there and delete it.)
To disable autorun of drives (i.e. every time you double-click a drive, CD or USB, it opens automatically), follow these steps:
Click Start->Run->type REGEDIT.EXE
1. Go to this key in the registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
2. Look for the entry NoDriveTypeAutoRun, double click the entry
3. Type a new value: 0FF (Hex) for NoDriveTypeAutoRun; this will turn off AutoRun for all drives. Then press ENTER
4. Reboot the system. 
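To confirm the setting after the reboot, the value can be decoded bit by bit. The following is an added example, not part of the original post: it reads NoDriveTypeAutoRun from reg query output or a .reg export line and lists the drive types that still have AutoRun enabled. The sample text and function names are constructed, and the bit meanings follow Microsoft's documentation of NoDriveTypeAutoRun.

```python
"""Added example: which drive types still AutoRun for a given policy value?"""
import re

# Bit -> drive type, as documented by Microsoft for NoDriveTypeAutoRun.
# A set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown type",
    0x02: "no root directory",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "reserved",
}

# Matches both "reg query" output and .reg export lines.
VALUE_RE = re.compile(
    r'NoDriveTypeAutoRun"?\s*(?:=\s*dword:|REG_DWORD\s+0x)([0-9a-f]+)', re.I)


def read_value(text):
    """Return the DWORD as an int, or None if the value is not set."""
    m = VALUE_RE.search(text)
    return int(m.group(1), 16) if m else None


def still_enabled(value):
    """Drive types whose disable bit is clear."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def audit(text):
    """One-line verdict for a registry dump."""
    value = read_value(text)
    if value is None:
        return "NoDriveTypeAutoRun not set: the Windows default applies"
    enabled = still_enabled(value)
    if not enabled:
        return f"0x{value:02X}: AutoRun disabled for all drive types"
    return f"0x{value:02X}: AutoRun still enabled for " + ", ".join(enabled)


# Constructed samples: "reg query" output and a .reg export line.
REG_QUERY = ("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion"
             "\\Policies\\Explorer\n    NoDriveTypeAutoRun    REG_DWORD    0x91\n")
REG_FILE = '"NoDriveTypeAutoRun"=dword:000000ff\n'

if __name__ == "__main__":
    print(audit(REG_QUERY))
    print(audit(REG_FILE))
```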

Viruses that use Autorun.INF
There are several viruses that use autorun.inf to spread themselves, such as Bacalid (which hides itself in ctfmon.exe) and RavMon.EXE. These viruses set their file attributes to System+Hidden+Read-Only, so some antivirus programs will have a hard time detecting or finding them. These viruses save themselves in the root directory of every available drive of the infected computer and run every time you double-click the drive. On infected USB sticks and CDs, the virus runs automatically, especially if drive autorun is enabled for those drives (autorun for drives is usually enabled by default).
Disable AUTORUN from Registry
Now you can disable AUTORUN for all drives by configuring the registry. Open the registry by typing regedit.exe at the command prompt (if you’re still at the command prompt) or by executing it in Run. Look for the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Double-click the NoDriveAutorun DWORD entry and type the value HEX: FF (255 in Decimal). (If NoDriveAutorun does not exist, you can create it by right-clicking the right side area of the regedit window, then clicking New->DWord Value and typing NoDriveAutorun.) Close the registry and restart the computer. This procedure will disable autorun for all drives of your computer and will at least prevent the autorun function of infected USB drives or CDs and avoid infection by viruses like Bacalid and RavMon.exe.
If you want to prevent viruses that use autorun.inf from infecting your USB flash drive, try this:
1. Open your flash drive via Command Prompt (do this via Start->Run->cmd.exe)
2. Change your logged drive to your USB flash drive (e.g. if your drive is at drive E: then type E: on the command prompt then press enter)
3. Create a folder named: AUTORUN.INF on the root directory of your flash drive. (to do this type the command: MD\AUTORUN.INF). If an error: a subdirectory already exists… shows, try to follow the instruction above to remove existing autorun.inf before doing this instruction. 
The reason this avoids future infection is that autorun.inf viruses usually generate a file named autorun.inf. Having an AUTORUN.INF folder in the root directory of your drives makes virus programs unable to create their own autorun.inf file; the virus can’t even overwrite it, because it’s a folder and not a file.
1st Method :

Start–>Run–> Type Cmd –>Click Ok

Then type the following at the C:\ prompt:

attrib a*.inf -h -a -s -r
del autorun.inf

Note: Then change the drive letter (C, D, E, F, G….) and repeat the same process.

2nd Method:

This Method is Simple and Easy,

Here is a simple code to remove autorun.inf: (start copying from the next line down):

cd\
c:
attrib -r -s -h autorun.inf
del autorun.inf
d:
attrib -r -s -h autorun.inf
del autorun.inf
e:
attrib -r -s -h autorun.inf
del autorun.inf
f:
attrib -r -s -h autorun.inf
del autorun.inf
g:
attrib -r -s -h autorun.inf
del autorun.inf
h:
attrib -r -s -h autorun.inf
del autorun.inf
i:
attrib -r -s -h autorun.inf
del autorun.inf
j:
attrib -r -s -h autorun.inf
del autorun.inf
k:
attrib -r -s -h autorun.inf
del autorun.inf
l:
attrib -r -s -h autorun.inf
del autorun.inf
m:
attrib -r -s -h autorun.inf
del autorun.inf
n:
attrib -r -s -h autorun.inf
del autorun.inf
o:
attrib -r -s -h autorun.inf
del autorun.inf
p:
attrib -r -s -h autorun.inf
del autorun.inf
q:
attrib -r -s -h autorun.inf
del autorun.inf
r:
attrib -r -s -h autorun.inf
del autorun.inf
s:
attrib -r -s -h autorun.inf
del autorun.inf
Copy this in a NOTEPAD file, then save the notepad file as : “file.bat” and then run it to remove all the rubbish of autorun.inf



So many of us are facing the problem with the autorun.inf virus. When you choose to open a drive, it will open in a new window, and in some cases the drive cannot be opened. You want to browse the drive by using the command Ctrl+E.

In the worst cases, the hidden files also won’t show, even though we have enabled the option Show hidden files; this is also the work of the autorun.inf virus.

Some use antivirus applications to remove this virus, but I am giving a simple method for removing it manually using WinRAR.



Steps to Follow


1) First, disable CD or DVD/USB autorun in Windows.
2) Open Winrar.exe (Start > Programs > Winrar > Winrar.exe).
3) Now browse the infected file through the WinRAR application.
4) We can now see the hidden files for the particular drive using WinRAR.
5) Look for the file autorun.inf and open it using Notepad.
6) When you open it, you can find an .exe file in it. It is the main danger.
7) Note this .exe file and close the autorun.inf file.
8) Now look for that .exe file in the drive (e.g. d:/). Delete the autorun.inf file and the .exe file together.
9) Restart your system; now there is no virus in your system.
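The inspection in steps 5 to 8, and the earlier point that autorun.inf is a plain text file that can be read, can be scripted. The following is an added example, not part of the original post: it lists the programs an autorun.inf would launch and flags any that sit in a Recycled/Recycler folder. The function names and the sample file contents are constructed for illustration.

```python
"""Added example: list the programs an autorun.inf would launch."""
import re

# [autorun] keys whose value is a command line that Windows may execute.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
RECYCLE_DIRS = {"recycled", "recycler"}  # folder names mentioned in the post


def decode(raw):
    """autorun.inf is normally ANSI text; also accept a UTF-16 BOM."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("latin-1")


def program_of(cmdline):
    """Return the program part of a command line, dropping arguments."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(None, 1)[0] if cmdline else ""


def launch_targets(raw):
    """Return [(key, program, in_recycle_dir)] for the [autorun] section."""
    section, found = "", []
    for line in decode(raw).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if EXEC_KEYS.match(key):
                prog = program_of(value)
                flagged = any(p in RECYCLE_DIRS
                              for p in re.split(r"[\\/]", prog.lower()))
                found.append((key.lower(), prog, flagged))
    return found


# Constructed sample modelled on the CTFMON.EXE-in-Recycled case in the post.
SAMPLE = (b"[AutoRun]\r\n"
          b"; junk line\r\n"
          b"open=Recycled\\ctfmon.exe\r\n"
          b'shell\\Open\\Command="Recycled\\ctfmon.exe" -x\r\n'
          b"icon=%SystemRoot%\\system32\\shell32.dll,8\r\n")

if __name__ == "__main__":
    for key, prog, flagged in launch_targets(SAMPLE):
        print(key, "->", prog, "(in Recycled/Recycler)" if flagged else "")
```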