Getting Rid of Autorun Virus


austin
07-06-2009, 07:02 PM
The Autorun Virus attacks your Autorun.inf file on your flash/USB drive.

You may have this virus when you

* cannot double click to open the drive
* the image of your drive in My Computer looks like a folder

What you need to do is

Click Start -- then Run -- then hit Enter
Type cmd -- then hit Enter
After you have gotten the prompt
Type the letter of the drive, e.g. G:, E:, F: -- then hit Enter

type attrib autorun.inf -s -h -r -- then hit Enter
type del autorun.inf -- then hit Enter
unplug the drive and reinsert it

The virus should be gone
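The attrib/del steps above remove the trigger without telling you what it was triggering. The following PowerShell function is an added example, not part of the original post: it reads the [autorun] section first and reports which program the file launches (that file name is the actual malware to scan or look up) and which icon= it sets (the reason an infected drive shows a folder icon), then clears the attributes and deletes the file exactly as the post does. It assumes Windows PowerShell 5.1 or later with write access to the drive; the function name Remove-AutorunInf, the -Vaccinate switch and the drive letter 'E:' in the usage line are all assumptions made for this example. The -Vaccinate option recreates autorun.inf as a protected folder, the same idea the Flash_Disinfector and Panda vaccine tools mentioned later in the thread use.

```powershell
# Added example (not from the thread). Inspects, reports on and removes the
# autorun.inf on one drive; assumes Windows PowerShell 5.1+ and write access.
function Remove-AutorunInf {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z]:$')]
        [string]$Drive,                 # e.g. 'E:' (assumed example letter)
        [switch]$Vaccinate              # recreate autorun.inf as a protected folder afterwards
    )

    $autorun = "$Drive\autorun.inf"
    # -Force is required: the file is normally Hidden + System and is skipped otherwise.
    $file = Get-Item -LiteralPath $autorun -Force -ErrorAction SilentlyContinue
    if (-not $file) {
        Write-Host "No autorun.inf on $Drive"
        return
    }
    if ($file.PSIsContainer) {
        Write-Host "$autorun is already a folder (vaccinated drive), nothing to remove"
        return
    }
    Write-Host "Found $autorun, attributes: $($file.Attributes)"

    # Keys in the [autorun] section worth reading: the ones that launch a program
    # (open=, shellexecute=, shell\<verb>\command=) and the ones that disguise the
    # drive (icon= is why an infected drive shows up as a folder in My Computer).
    $findings = @{}
    foreach ($line in (Get-Content -LiteralPath $autorun -Force)) {
        if ($line -match '^\s*([^=;\[]+?)\s*=\s*(.+?)\s*$') {
            $key = $Matches[1].ToLowerInvariant()
            if (@('open', 'shellexecute', 'icon', 'label', 'action') -contains $key -or
                $key -like 'shell\*\command') {
                $findings[$key] = $Matches[2]
                Write-Host ("  {0,-22} = {1}" -f $key, $Matches[2])
            }
        }
    }

    # autorun.inf is only the trigger; the file it names is the malware and is what
    # to scan or submit to your antivirus vendor. Report whether it is on the drive.
    foreach ($k in @('open', 'shellexecute')) {
        if (-not $findings.ContainsKey($k)) { continue }
        # '"RavMon.exe" e' or 'RavMon.exe e' -> RavMon.exe (strip quotes and arguments)
        $target = if ($findings[$k] -match '^"([^"]+)"') { $Matches[1] } else { $findings[$k].Split(' ')[0] }
        $payload = Get-Item -LiteralPath "$Drive\$target" -Force -ErrorAction SilentlyContinue
        if ($payload) {
            Write-Host "  payload present: $($payload.FullName) ($($payload.Length) bytes, $($payload.Attributes))"
        } else {
            Write-Host "  payload '$target' not on $Drive; it may already live under %windir% (see later posts)"
        }
    }

    # Same effect as 'attrib autorun.inf -s -h -r' followed by 'del autorun.inf'.
    $file.Attributes = [System.IO.FileAttributes]::Normal
    Remove-Item -LiteralPath $autorun -Force
    Write-Host "Removed $autorun (the drive still needs an antivirus scan)"

    if ($Vaccinate) {
        # A folder named autorun.inf keeps simple droppers from writing a new file of
        # that name; Flash_Disinfector and the Panda vaccine use the same idea.
        $dir = New-Item -Path $autorun -ItemType Directory
        $dir.Attributes = [System.IO.FileAttributes]'ReadOnly, Hidden, System'
        Write-Host "Created protected folder $autorun"
    }
    return $findings
}

# Usage (drive letter is an assumption):
# Remove-AutorunInf -Drive 'E:' -Vaccinate
```

The function returns the parsed key/value pairs so they can be logged or passed on; the returned open= or shellexecute= value is the name to search for when looking up removal instructions. Deleting autorun.inf only stops the drive from launching the payload on insertion, so a scan of the drive and of the machine it was plugged into is still needed.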

Resonance
07-07-2009, 05:09 AM
wow thanks for the useful information.

I usually have autorun.inf on my flash disks.. I just insert them on any Mac laptop then I delete the autorun.. I think that works lol

exrecca07
07-07-2009, 08:05 AM
>> and for infected flash drives/external devices,

the first way to avoid the virus from running..

you should explore the flash drive...

not double click..

it is a way of the others to double click their devices when they are on the My Computer window... if you double click.. the autorun will generate and will run the virus.. oh yeahh.. good luck..

so beware.. :p

also... in the Tools menu bar, then Folder Options, check show hidden and hidden system files.. you should know that most of the viruses nowadays are hidden.. :D

just delete them.. and they're dead.. :p

Xenon
07-07-2009, 08:17 AM
Actually most of the viruses enter their info in the autorun.inf file which is present in removable media; it's perfectly normal to have an autorun file on the disk. It's not a virus but an info file which displays the content of the disk automatically upon inserting it. Whenever you insert a media, the disk is scanned for the presence of the autorun file, and if it's present, Windows loads the information that it has to display (like autorun can start the setup file present on the disk, or display pics, or whatever is written in there for it to do.)

Disabling autorun is one thing, but it won't stop the virus unless cleaned/scanned by an antivirus. Basically the autorun is an easy way for a virus to load itself (as it's automatically accessed) into memory and infect the computer.

Best way to clean an infected removable disk is first scan it properly, then copy the data on it to the drive and format it (not quick format though). If that's not happening then it means it is unable to clean the drive and your antivirus definitions may need an update. If that's the case then:

Update your antivirus definitions first. After updating the virus definitions, boot into Safe Mode (while the computer starts, press the F8 key); when you boot into Safe Mode only the essential Windows operations run, and no autorun and stuff like that. Start the antivirus in Safe Mode (as it won't start by itself), insert the drive (flash drive, that is) and scan it.

Best way to clean a PC of a virus is scheduling a boot time scan in the antivirus console. Doing it regularly (like twice a month) takes time but it's worth it ;)

va9rant
07-08-2009, 09:46 AM
In my experience, just disable the autoplay feature. if you can't live without the autoplay feature there's a software from panda (free) called "Panda USB and AutoRun Vaccine" (http://research.pandasecurity.com/archive/Panda-USB-and-AutoRun-Vaccine.aspx). No need to explain here just visit the webpage and read on :)
----------
you can follow these instructions to remove autorun viruses that are currently known

How to remove trojans that uses autorun.inf file

These trojans use the autorun.inf file to infect systems. Once infected with an autorun.inf trojan, your computer will display many popups, the Internet Explorer start page can be changed, and Task Manager and Registry Editor can be disabled. Also, the autorun.inf trojan configures itself to run automatically every time you start your computer. In addition, the autorun.inf trojan creates files with strange names, some examples:

ampfrb.cmd, hbs.exe, yfog8p.exe, as.bat, phwe.com, o0s.cmd, xa2c.exe, AutoStart.exe, ncyrf.bat, rcukd.cmd, 2u.com, q.com, RavMon.exe, x6.bat, rqq2v.bat, t.com, xp19.com, x0.cmd, yg.cmd, ntde1ect.com, tio8x6.cmd, d6fagcs8.cmd, gbiehbsb.dll, tio8x6.cmd, fooool.exe, 8ng8w.com, x.com, xn1i9x.com, invwft2h.com, selamat_berposa_dari_umt.js, ktnquo.exe, NewVirusRemoval.vbs, kinza.exe, rs.cmd, yssjnngm.cmd, h3.bat, 6fnlpetp.exe, boot.exe, winde32.exe, 6j2j.com, kjibu.com, fun.xls.exe, iqe68o.bat, boot.exe, killVBS.vbs, autorun.pif, lin32.exe, USB.exe, RisinG.exe, f.bat, uxdeiect.com, awda2.exe, clshsy.cmd, kongxsg.exe, autorunme.exe, x2tpc.cmd, winconfig.dll.vbs, w1hva13.exe, jun.exe, xpbkh.com, nfdmg.com, m9ma.exe

The trojans may drastically slow the performance of your computer.
Step 1: Remove autorun.inf files from all your drives, including any USB/flash drives.

1. Manually:

* Reboot your PC in Safe mode.

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

* Click Start -> Run.
* In the type box enter cmd and press Enter.
* In the command console type del /a:h /f c:\autorun.*
* Repeat the previous step for all your drives, replacing “c” with the appropriate drive letter.

2. Automatically.

* Download Flash_Disinfector (http://www.myantispyware.com/2009/01/08/flash-disinfector-free-autoruninf-trojans-removal-tool/) by sUBs and save it to your desktop.
* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.
* Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.

Note: Flash_Disinfector will remove any autorun.inf files and create a hidden folder named autorun.inf in each partition and on every USB drive plugged in when you run it. Don’t delete this folder. It will help protect your drives from future infection.
Step 2: Remove autorun.inf trojan from the windows registry.

Download and install HijackThis (http://www.myantispyware.com/2005/12/05/hijackthis-your-first-tool-for-remove-homepage-hijackers/).
Run HijackThis, click Do a system scan only button.
Put a checkmark next to the following items (if they exist):

F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O4 - HKLM\..\Run: [SystemDrive] c:\windows\system32\SVCH0ST.EXE
O4 - HKCU\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 - HKCU\..\Run: [TaskMonitor] C:\WINDOWS\system32\TaskMonitor.exe
O4 - HKCU\..\Run: [Realshade] C:\WINDOWS\system32\realshade.exe
O4 - HKCU\..\Run: [cftmonn] C:\WINDOWS\system32\cftmonn.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 - HKCU\..\Run: [kmmsoft] C:\WINDOWS\system32\revo.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKCU\..\Run: [cbvcs] C:\WINDOWS\system32\urretnd.exe
O4 - HKCU\..\Run: [jvsoft] C:\WINDOWS\system32\j3ewro.exe
O4 - HKCU\..\Run: [ckvo] c:\windows\system32\ckvo.exe
O4 - HKLM\..\Run: [winconfig] C:\WINDOWS\winconfig.dll.vbs
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKCU\..\Run: [WinUpdater AutoRun] C:\AutoProtect\DrvMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Now close all browsers and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Step 3: Remove autorun.inf trojans files.

Download Avenger from here (http://swandog46.geekstogo.com/avenger.zip) and unzip to your desktop.
Run Avenger, copy, then paste the following text in the Input script box:

Files to delete:
c:\0jbnlnu8.exe
C:\11rhbu.cmd
c:\1q8p0y.com
C:\2fiy.bat
c:\2g.com
C:\32agsg.exe
c:\39ysi89.com
c:\3jkka91.com
c:\6fnlpetp.exe
C:\6fnlpetp.exe
C:\6j2j.com
C:\8.bat
c:\80avp08.com
C:\8ng8w.com
c:\92j11sm.com
c:\a.exe
C:\a2h2.com
c:\ampfrb.cmd
c:\as.bat
c:\AutoRun\autorun.pif
c:\AutoRun\AutoStart.exe
c:\AutoRun\AutoStart.exe
C:\AutoProtect\DrvMonitor.exe
c:\awda2.exe
c:\bo1dhu.bat
C:\bwpncb6.com
c:\boot.exe
c:\cjrp8.com
c:\clshsy.cmd
C:\d1vmq.exe
C:\d6fagcs8.cmd
c:\dp.exe
C:\e.cmd
C:\eaywxx.cmd
C:\f9cvum.exe
C:\fooool.exe
c:\fun.xls.exe
C:\gbiehbsb.dll
C:\gfqgq.cmd
C:\gi2ky.exe
C:\gldegkby.cmd
c:\gumkrhf.bat
C:\qxty9be.cmd
C:\gy.exe
c:\h3.bat
c:\hbs.exe
c:\ioockw.bat
C:\ij.bat
C:\imo.exe
c:\invwft2h.com
C:\ioockw.bat
c:\iqe68o.bat
C:\j60osk9.cmd
C:\jeorels.cmd
c:\jg6w3yx.com
c:\killVBS.vbs
c:\kinza.exe
C:\kjibu.com
c:\ktnquo.exe
c:\m9ma.exe
c:\main.vbs
c:\MicrosoftPowerPoint.exe
c:\NewVirusRemoval.vbs
c:\nfdmg.com
C:\ntde1ect.com
c:\ntnq.exe
c:\nw0t1l0d.exe
c:\o0s.cmd
c:\phwe.com
C:\pook.com
c:\q0rppr.exe
C:\qphdin.com
C:\rcukd.cmd
c:\Recycled\ctfmon.exe
c:\resycled\boot.com
c:\RECYCLED\appmgmt.exe
C:\rqq2v.bat
c:\rs.cmd
C:\sq.com
C:\system.exe
c:\System\DriveGuard\DriveProtect.exe
C:\t.com
C:\tio8x6.cmd
c:\tj8odymw.exe
C:\tjjqtejq.bat
C:\tvlx2fg.exe
c:\uh31.exe
c:\usbcash.exe
c:\USBFlash.exe
C:\uvsqfgwd.cmd
c:\uxdeiect.com
c:\vnkucvv.com
c:\VirusCleaner.vbe
c:\VirusRemoval.vbs
c:\w1hva13.exe
C:\x0.cmd
c:\x2tpc.cmd
c:\xa2c.exe
C:\x.com
C:\x.cmd
C:\x2csvg.exe
C:\xih9.cmd
C:\xn1i9x.com
C:\xp19.com
c:\xpq63xl.exe
c:\xwpehlv.com
c:\yfog8p.exe
C:\yg.cmd
c:\yssjnngm.cmd
C:\w98.com
%Temp%\dwg3gngs.exe
%Temp%\kxvo.exe
%Temp%\new folder\ufjtre.exe
%Temp%\o2g.exe
%Temp%\ufjtre.exe
%Windir%\expiorer.exe
%windir%\system32\afmain0.dll
%Windir%\system32\amvo.exe
%Windir%\system32\avp.exe
%windir%\system32\avpo.exe
%Windir%\system32\Bitkv0.dll
%Windir%\system32\Bitkv1.dll
%Windir%\system32\cftmonn.exe
%Windir%\system32\ckvo0.dll
%Windir%\system32\ckvo.exe
%windir%\system32\expiorer.exe
%Windir%\system32\gasretyw0.dll
%Windir%\system32\gasretyw1.dll
%windir%\system32\haozs0.dll
%Windir%\system32\j3ewro.exe
%Windir%\system32\jwedsfdo0.dll
%Windir%\system32\kamsoft.exe
%Windir%\system32\kavo0.dll
%Windir%\system32\kavo1.dll
%Windir%\system32\kavo.exe
%Windir%\system32\kxvo.exe
%windir%\system32\locale.exe
%windir%\system32\nmdfgds1.dll
%windir%\system32\nmdfgds0.dll
%windir%\system32\olhrwef.exe
%windir%\system32\optyhww0.dll
%windir%\system32\optyhww1.dll
%Windir%\system32\RavMon.exe
%Windir%\system32\realshade.exe
%Windir%\system32\revo.exe
%Windir%\system32\revo1.dll
%Windir%\system32\revo2.dll
%Windir%\system32\revo6.dll
%Windir%\system32\revo5.dll
%Windir%\system32\revo4.dll
%Windir%\system32\revo3.dll
%Windir%\system32\SCVVHSOT.exe
%Windir%\System32\taskmagr.exe
%Windir%\system32\TaskMonitor.exe
%Windir%\system32\tavo0.dll
%Windir%\system32\tavo1.dll
%Windir%\system32\tavo.exe
%Windir%\system32\urretnd.exe
%Windir%\system32\usbmons.exe
%Windir%\system32\usbmons.dll
%Windir%\system32\vamsoft.exe
%Windir%\system32\vbsdfe0.dll
%Windir%\system32\vbsdfe1.dll
%Windir%\system32\wincab.sys
%Windir%\winconfig.dll.vbs

Then click on ‘Execute’.
Your computer will be reloaded.
Note: if you still have any files with strange names, remove them manually.

(If this doesn't solve your problem, your first clue to removing the virus is knowing its name or the files it's associated with. It's usually found within the autorun.inf file itself. Once you get it, google it like so: "[virusname] removal")
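The HijackThis and Avenger lists above are tied to the 2009 variants, but the locations they point at (the Run keys, the Winlogon Shell value behind the F2 line, and the DisableRegedit policy behind the O7 line) are what a defender should audit on any machine, whatever the current file names are. The PowerShell script below is an added example and is not part of the post or of either tool: it enumerates those locations, reports for each Run entry whether the executable exists and carries a valid Authenticode signature (unsigned, random-looking executables in system32 are exactly what the list above is full of), checks the Shell value and the two user policies, and applies Microsoft's NoDriveTypeAutoRun policy value 0xFF, which is the registry form of the "just disable the autoplay feature" advice in the same post. It assumes Windows PowerShell 5.1 or later in an elevated prompt; the three function names are invented for this example.

```powershell
# Added example (not from the post or from HijackThis/Avenger). Assumes Windows
# PowerShell 5.1+ in an elevated prompt; function names are invented here.

function Get-RunKeyEntries {
    # The O4 lines in the HijackThis list come from these four keys.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSDrive, ...)
            $cmd = [string]$p.Value
            # '"C:\x\y.exe" /arg' or 'C:\x\y.exe /arg' -> C:\x\y.exe
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { $cmd.Split(' ')[0] }
            $exe = [System.Environment]::ExpandEnvironmentVariables($exe)
            $status = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
            } else { 'FileMissing' }
            # Unsigned, random-looking executables under system32 are the ones to look at first.
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Signature = $status }
        }
    }
}

function Get-ShellAndPolicyStatus {
    # 'Shell=Explorer.exe csrcs.exe' (the F2 line above) is this Winlogon value
    # with a second program appended so it starts together with the desktop.
    $wl = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    # DisableRegedit=1 (the O7 line) and DisableTaskMgr=1 are user policies the trojan sets.
    $pol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WinlogonShell  = $shell
        ShellIsDefault = ($shell -eq 'explorer.exe')   # -eq is case-insensitive in PowerShell
        DisableRegedit = $pol.DisableRegedit
        DisableTaskMgr = $pol.DisableTaskMgr
    }
}

function Disable-Autorun {
    # NoDriveTypeAutoRun = 0xFF disables autorun.inf processing for every drive type.
    $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
    # Read the value back so the caller can confirm it was stored.
    return (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun).NoDriveTypeAutoRun
}

# Usage:
# Get-RunKeyEntries | Format-Table -AutoSize
# Get-ShellAndPolicyStatus
# Disable-Autorun
```

Get-RunKeyEntries is a triage aid, not a verdict: a Signature of NotSigned or FileMissing is the cue to look the entry up, compare it against the lists above and quarantine it with your antivirus, while a Valid signature from a known vendor is usually safe to leave. Disable-Autorun writes the policy value Microsoft documents in its KB967715 article, which also names the update that Windows XP and Vista systems of that era needed before the value was honored for autorun.inf; it removes the automatic launch but, as Xenon points out above, the machine and the drive still need to be scanned.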

benhur99ph
07-08-2009, 11:29 AM
To avoid problems like that...

1) I'm a bit paranoid about connecting other people's USB devices on my computer so if it's possible, I just ask them to email me the file.

2) If email is not an option and I really have to use their USB drive... then after they hand me their usb drive, I tell them that I'll get back on it later... but in reality, I'm gonna do all sorts of tests first... hehe...

3) If it's really urgent and they need me to do it right in front of them... I just say it blatantly.... "I don't trust your device dude... let me check on it first!" Bwahahaha! :mayuri:

Btw ... what Va9rant said about disabling the autoplay is a sure fire way to avoid this problem. :D