
Removing the FlashDrive autorun.inf Virus
Desai Kalpesh


Some of the symptoms of an infected computer:
• Hidden files cannot be viewed. Changing the options under Tools / Folder Options has no effect, changing the registry values has no effect, and none of the restriction removal tools (RRT etc.) are able to fix the problem.
• Regedit cannot be found when you try to invoke it from the Run box.
• "Task Manager has been disabled by your administrator."
• You cannot enter a particular drive, i.e. when you click on your drive letters (C, D, E etc.) in My Computer nothing happens.
• The computer has become slow and there is a noticeable delay before characters appear on screen when you press a key. The left and right strafing keys in Counter Strike 1.6 don't work (they work in CS: Condition Zero though).
Virus Removal Strategy that works for me:
Full System scan
A full system scan using any of the following antivirus/antispyware tools usually does the trick.
1. ESET NOD32 or ESET Smart Security Business Edition.
2. A DOS mode virus scan using the antivirus tools on Hiren's BootCD*
3. Spyware Doctor and Ad-Aware.
Identifying the Virus manually
Most of the time the virus gets detected but the antivirus software is unable to remove it. This is because either the virus is currently running on your system as one of the processes, or it is being protected by the operating system itself. So before doing the virus scan you have to take a few precautions:
1. Download ProcessXP if your Task Manager is disabled.
2. Download HijackThis from Trend Micro.
Both of these tools help reveal and kill hidden processes running on your system, or processes that have recently made changes. Look out for something like:
1. monit.exe - runs under explorer.exe, a keylogger app, creates problems with Counter Strike.
2. scvhost.exe or 713xRMTmon.exe - not to be confused with svchost.exe, an important Windows process. The worm picks a name that looks like a system process so it blends into the list.
3. wscript.exe - a harmless process (the Windows Script Host) which can be made to execute harmful VBScripts like mswin32.dll.vbs. Here the process is legitimate; what matters is the script it was started with.
4. amvo.exe or amva.exe
5. autorun.inf - It is actually a harmless file (more info), but it can be used to invoke a virus when you click a folder/drive which contains it.
It's best to kill/terminate them with Right Click / End Process Tree. It is also good practice to End Process Tree** on Explorer.exe as well, then start the antivirus executable from Task Manager / File / Run, and then run the system scan. Explorer can be started again from Task Manager / File / Run by typing explorer [Enter].
Several antivirus support forums help people who submit their HijackThis log files.
Viruses usually launch at startup, so it's a good idea to check the startup list under Start Menu / Run / msconfig / Startup, where you may find something suspicious like scvhost.exe. Uncheck them (only the suspicious ones!). Restart your PC. Do a system scan.
So how do you find out which process is malicious? Google them. If your data is important to you and you really want to remove the virus without formatting, you have to do this bit. Once you are familiar with the normal system processes you should be able to isolate the culprit just by looking at the list.
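As an added example (not part of the original post), here is a small Python script that does the "look at the list and spot the odd one out" step mechanically. It flags the process names the post calls out as belonging to the worm, and it flags any name that is one or two characters away from a genuine Windows process name (scvhost.exe against svchost.exe, svch0st.exe against svchost.exe), reporting which name it imitates. The list of legitimate process names and the sample process list are assumptions constructed for this example; extend the list for your own machine.

```python
# Added example: triage a process list for the names called out above and for
# lookalikes of genuine Windows processes. Not code from the original post.

# A few processes that ship with Windows XP (assumed list; extend for your box).
LEGIT_PROCESSES = {
    "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "smss.exe", "spoolsv.exe", "wscript.exe", "taskmgr.exe",
}

# Names the post above associates with the autorun.inf worm.
KNOWN_BAD = {"monit.exe", "scvhost.exe", "713xrmtmon.exe", "amvo.exe", "amva.exe"}


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_process(name):
    """Return 'known-bad', 'legit', 'lookalike of <name>' or 'unknown'."""
    n = name.strip().lower()
    if n in KNOWN_BAD:
        return "known-bad"
    if n in LEGIT_PROCESSES:
        return "legit"
    # A name within two edits of a real system process (svch0st.exe, lsas.exe,
    # scvhost.exe ...) is the classic disguise; report which name it imitates.
    distance, legit = min((edit_distance(n, legit), legit) for legit in LEGIT_PROCESSES)
    if distance <= 2:
        return f"lookalike of {legit}"
    return "unknown"


def triage(process_names):
    """Return [(name, verdict)] for every process that is not plainly legitimate."""
    return [(p, classify_process(p)) for p in process_names
            if classify_process(p) != "legit"]


if __name__ == "__main__":
    # Constructed process list resembling Task Manager output on an infected box.
    sample = ["smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
              "svchost.exe", "scvhost.exe", "svch0st.exe", "explorer.exe",
              "monit.exe", "amvo.exe", "wscript.exe", "notepad.exe"]
    for name, verdict in triage(sample):
        print(f"{name:16} {verdict}")
```

Anything reported as "unknown" still needs the Google step from the post; the script only removes the obviously legitimate names from the list and points out the impostors, and a legitimate wscript.exe still has to be checked for which script it was started with.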
You can also go to the command prompt (Start Menu / Run / command) and then CD\ so that you are at the C:\ prompt. Now run type autorun.inf (type shows hidden files too, so the worm's attributes don't get in the way). You should see the contents of the autorun.inf file, which for me was like

Deleting** Identified Virus files - Hard disk, Registry


Now that you have identified a file, say autorun.inf or mswin32.dll.vbs, in the root of all drives or in your system drive, immediately delete every instance of it on your system. If it's protected, download http://www.gibinsoft.net/gipoutils/, locate the file and delete it. For more details read my article Restore access to drives under My Computer.

You can also delete a file from DOS. The command DIR /w /a displays all files and folders, including hidden and system ones. Clear the attributes with attrib -s -h -r <filename> (del refuses a read-only file, and attrib refuses to clear read-only while the system attribute is set, so clear all three at once), then del <filename>.
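The two steps above (reading the autorun.inf with type, then clearing attributes with attrib and deleting) can be scripted. The following is an added example, not the author's tool: a Python script that reads the autorun.inf at the root of a drive, skips the padding comment lines, pulls out every file the INF arranges to execute, reports whether each one is present and which attributes it carries, and then removes the payloads followed by the INF itself. The sample autorun.inf it writes into a temporary folder is constructed here, modelled on the ones readers posted further down (bqk.bat); the attribute calls use the Windows API on Windows and degrade to a plain chmod elsewhere.

```python
# Added example (not from the original post): read a drive's autorun.inf, list
# the files it launches with their attributes, and remove them. Usage:
#   python autorun_hunt.py F:\            (report only)
#   python autorun_hunt.py F:\ --delete   (attrib -s -h -r + del on each)
# With no arguments it runs on a constructed sample in a temporary folder.
import os
import re
import stat
import sys
import tempfile

ATTR_READONLY, ATTR_HIDDEN, ATTR_SYSTEM, ATTR_NORMAL = 0x1, 0x2, 0x4, 0x80


def parse_autorun(text):
    """{key: value} for the [AutoRun] section, keys lower-cased; the ';' lines
    the worm pads the file with are comments and are skipped."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def payload_files(entries):
    """Files the INF arranges to run: open/shellexecute (AutoPlay) and every
    shell\\<verb>\\command, which replaces the drive's Open and Explore actions."""
    targets = set()
    for key, value in entries.items():
        if key in ("open", "shellexecute") or \
                (key.startswith("shell\\") and key.endswith("\\command")):
            m = re.match(r'"([^"]+)"|(\S+)', value)   # first token, quoted or bare
            if m:
                targets.add((m.group(1) or m.group(2)).replace("/", "\\").lower())
    return targets


def attribute_flags(path):
    """'R', 'H', 'S' letters like attrib prints; 'n/a' when not on Windows."""
    if os.name != "nt":
        return "n/a"
    import ctypes
    bits = ctypes.windll.kernel32.GetFileAttributesW(path)
    letters = [("R", ATTR_READONLY), ("H", ATTR_HIDDEN), ("S", ATTR_SYSTEM)]
    return "".join(ch for ch, bit in letters if bits & bit) or "-"


def clear_and_delete(path):
    """Same effect as 'attrib -s -h -r <file>' followed by 'del <file>'."""
    if os.name == "nt":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(path, ATTR_NORMAL)
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)   # a read-only file cannot be removed
    os.remove(path)


def hunt(root, delete=False):
    """Return [(payload, present, attrs)] for <root>\\autorun.inf; optionally delete."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    report = []
    for payload in sorted(payload_files(entries)):
        full = os.path.join(root, *payload.split("\\"))
        present = os.path.isfile(full)
        report.append((payload, present, attribute_flags(full) if present else "missing"))
        if delete and present:
            clear_and_delete(full)
    if delete:
        clear_and_delete(inf)           # the INF goes last, after its payloads
    return report


# Constructed sample modelled on the autorun.inf files readers posted below.
SAMPLE_INF = """;j444i
[AutoRun]
;Xaj3j2i5D2A3Dpjo3airklC3aiKwaoarr04o3a1wls44s2rJ7SeKwlwd3s5Sk4o2jDa1jaFjd
open=bqk.bat
shell\\open\\Command=bqk.bat
shell\\open\\Default=1
shell\\explore\\Command=bqk.bat
"""


def demo():
    """Fake drive root with the sample INF and a stand-in payload; hunt, then delete."""
    root = tempfile.mkdtemp(prefix="fakedrive_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_INF)
    with open(os.path.join(root, "bqk.bat"), "w") as fh:
        fh.write("@echo constructed stand-in for the worm's payload\n")
    report = hunt(root, delete=True)
    return report, sorted(os.listdir(root))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for payload, present, attrs in hunt(sys.argv[1], delete="--delete" in sys.argv[2:]):
            print(f"{payload:30} present={present} attrib={attrs}")
    else:
        print(demo())
```

Run it in report mode first: a legitimate autorun.inf on a CD or a vendor USB stick normally carries only icon= and label= lines, so a file that names a .bat, .cmd, .com or .exe under open= and under both shell\open\Command and shell\explore\Command (so that double-clicking or choosing Explore on the drive runs it) is the pattern of the worm. The script only deletes what the INF points at; the copy of the worm that is running in memory still has to be terminated first, as described above, or it will write the files straight back.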
A virus also hides itself in the System Volume Information and Prefetch folders, so it might be a good idea to turn off System Restore for a while. Doing so will delete all your previous restore points.
Another thing I do is remove all traces of the virus file from the Windows registry. Start regedit (Start Menu / Run / regedit). If your system can't find regedit, copy it from C:\WINDOWS\system32\dllcache to C:\WINDOWS\system32\, or download it. After you open regedit, export the keys you are about to touch (File / Export) so you can put them back, then use Edit / Find to search for all entries containing the names of the virus files mentioned earlier. Keep pressing F3 to jump to the next result and delete** all of them.
To prevent future infections of your USB drive, what you can try is to create an empty autorun.inf file on it and set the read-only attribute on it. This should prevent a malicious autorun.inf from taking its place. I tried it on some systems and it works!
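A scripted version of that trick, added here as an example and not the author's code: it plants the placeholder at a drive root and checks afterwards that it is still in place (os.chmod with only the read bit maps to the read-only attribute on Windows). Two caveats the post does not mention, both assumptions of this example rather than claims from the page: a worm running under your account can clear the attribute itself (attrib -r) and overwrite the file, so the as_directory option creates a folder named autorun.inf instead, which a plain file write cannot replace; and while the worm is still running on the PC no placeholder helps, because it is the running process that keeps re-writing the drive. The drive roots in the demo are temporary folders.

```python
# Added example (not from the original post): plant a placeholder autorun.inf
# on a drive root so a worm's own autorun.inf cannot simply be written there.
import os
import stat
import sys
import tempfile

PLACEHOLDER = "autorun.inf"


def vaccinate(root, as_directory=False):
    """Create the placeholder at <root>\\autorun.inf and return its path.

    as_directory=False: empty file with the read-only attribute (the trick in the post).
    as_directory=True:  empty folder of the same name; a file cannot be written over
                        a folder, so the worm would first have to remove it (assumed
                        stronger variant, not from the post).
    Refuses to touch an existing autorun.inf: inspect that one first.
    """
    path = os.path.join(root, PLACEHOLDER)
    if os.path.lexists(path):
        raise FileExistsError(f"{path} already exists; inspect it before replacing it")
    if as_directory:
        os.mkdir(path)
    else:
        open(path, "wb").close()
        os.chmod(path, stat.S_IREAD)   # owner read only -> read-only attribute on Windows
    return path


def is_vaccinated(root):
    """True if the placeholder is present and untouched: a directory, or an
    empty file that still lacks the owner write bit (i.e. still read-only)."""
    path = os.path.join(root, PLACEHOLDER)
    if os.path.isdir(path):
        return True
    if not os.path.isfile(path):
        return False
    st = os.stat(path)
    return st.st_size == 0 and not (st.st_mode & stat.S_IWUSR)


def status(root):
    """'vaccinated', 'clean', or 'autorun.inf present (inspect!)' for a drive root."""
    if is_vaccinated(root):
        return "vaccinated"
    if os.path.lexists(os.path.join(root, PLACEHOLDER)):
        return "autorun.inf present (inspect!)"
    return "clean"


def demo():
    """Exercise both variants, an untouched root and a root carrying a worm-style
    INF, all in temporary folders standing in for drive roots."""
    file_root, dir_root, infected, clean = (tempfile.mkdtemp(prefix="drive_") for _ in range(4))
    vaccinate(file_root)
    vaccinate(dir_root, as_directory=True)
    with open(os.path.join(infected, PLACEHOLDER), "w") as fh:
        fh.write("[AutoRun]\nopen=bqk.bat\n")          # constructed worm-style INF
    try:
        vaccinate(infected)
        refused = False
    except FileExistsError:
        refused = True
    return {"file": status(file_root), "dir": status(dir_root),
            "infected": status(infected), "clean": status(clean), "refused": refused}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for root in sys.argv[1:]:
            print(root, status(root))
    else:
        print(demo())
```

Run it as python vaccinate_check.py E:\ F:\ to see which of your drives still carry a placeholder; a status of "autorun.inf present (inspect!)" means something has replaced it, and that file should be read with type before anything else.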
I've deleted the virus, but why is my Task Manager still disabled and my files still hidden? ... etc.
This is because the virus/trojan/worm is the mother alien, which an antivirus can remove; but the settings and changes it makes are of no concern to the AV. You will have to change them back manually. If you still can't, that means some virus file is still running and enforcing those settings, like disabling Task Manager, hiding files etc.
• Task Manager disabled - Use RRT, or follow the instructions mentioned here.
• Files and folders hidden - Use RRT, or go to the registry and put the values back. On a clean XP install NOHIDDEN has CheckedValue=2 and SHOWALL has CheckedValue=1; the worm typically sets SHOWALL's CheckedValue to 0, which is why the "Show hidden files and folders" option never sticks:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN "CheckedValue"=2 "DefaultValue"=2
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL "CheckedValue"=1 "DefaultValue"=2
Both values must be of type REG_DWORD; if CheckedValue has been turned into a string value, delete it and recreate it as a DWORD. Or download and run this registry key.
In the end, there are a few golden rules that I find are always true. A virus is harmful while it is running. If you can't change your settings, that means something is blocking the change or continuously enforcing it. So stop the virus from running. Delete all traces of the virus. Change back the settings manually.
Warnings!
* Contains an illegal compilation of shareware software. I'm not encouraging you to use it and take no responsibility if you go ahead and do.
** Be very careful while deleting or modifying system files/registry entries; your system may not even boot the next time you restart your computer. Something might go wrong anyway, that's how it is with these things.
updated: 18th April

Responses

Your page is the best I’ve seen, thanks. Ed


My replicating INF looks like this ….
PWS-LegMir.gen.k - Password Stealer
;j444i
[AutoRun]
;Xaj3j2i5D2A3Dpjo3airklC3aiKwaoarr04o3a1wls44s2rJ7SeKwlwd3s5Sk4o2jDa1jaFjd
open=bqk.bat
;12wklSf3mqi47siaaqq430IKowd7a4sswdsjkk5C5skrrOAeafrZeLjwAZ40n89iLk3s4Dr5wo8
eKUiipk22aSodwswp2
shell\open\Command=bqk.bat
;43KKfocdki3l7CkiXa3sdA0n19r2w8f
shell\open\Default=1
;4a
shell\explore\Command=bqk.bat …. and so on

Hi, thanks!
From the looks of your autorun.inf it seems bqk.bat is the virus file. I would suggest finding one of those bqk.bat files and opening it using any text editor (Notepad). The contents should reveal what exactly the virus file is doing.
It's important that you find the virus executable currently running on your system, terminate it, and then begin the cleaning procedure.

Hi, I have the AVG scanner which scans my system at startup... I receive a message saying a virus is detected at C:\Autorun.inf... and I press C to continue. I have scanned my PC but I am unable to delete it. I also tried to see the contents of it in DOS mode; it shows some message like "shell execute" or something. I can't even find the entry in Regedit. Could you help me? Should I download Ad-Aware and try to scan my PC? Please help. Due to this trojan/virus... the PC has the following problems:
1. I can't enter my drives when I click on them.
2. My Ctrl+Alt+Del doesn't work.
3. After some time my PC hangs.
Thanks in advance.

Hi Riya,
First of all I would strongly recommend getting ESET NOD32 Antivirus and Spyware Doctor and doing a full system scan. I have personally tested almost all major AV brands and find NOD32 to be the best (and fastest). Email me if you need help getting them at -> a e l i e n at gmail, because it might be illegal to share download links publicly.
After you scan your system using the two above, if the problem persists, reply back.

[...] .exe files inside a folder, with the same name as the folder. To remove that virus,
check out the And Back Up blog, after you’re done with this removal. Fire up your
Task Manager (Alt+Ctrl+Del) and end [...]
----
Hi. I was recently infected with a virus or worm of some sort. Similar to one of the examples you've mentioned in another post, I couldn't get into my partitions from My Computer when I clicked the icon. Also my antivirus would constantly notify me of some virus. Since then I have formatted my computer and the laptop itself is free of the virus. However, here is my real problem now. Before I formatted my infected computer, I also had an external drive (F:) attached to my laptop and I had saved some of my precious pictures and videos and some applications on it. I use my external as my backup and so I haven't formatted my external yet. I did do an antivirus check one last time on the external before I formatted my computer. I deleted whatever worm or trojan it found. At this moment, I haven't tried to plug it back into my laptop yet because I am afraid it might still be infected. The last thing is for me to format and erase everything on it. =(. Please help me!! Is there any way I can retrieve at least my pictures and videos and documents before I have to format my external too??? THANK YOU MUCH!!

Hi!
Well, you need not worry. There will NEVER be a need to delete your pictures and videos, and it's a very good thing that you put it all on an external hard drive in the first place!
There is a high probability that your external HD might still be infected with a virus/worm. I think the best approach is to first establish whether the external HD is infected or not. You can seek help from a friend who is good at this stuff or someone who is on a Linux system. And then we can try a few things.
OR
1) You can plug your HD into your own or someone else's computer.
2) There should be an autorun menu popping up asking you what you want to do: Play video, Open files etc. Cancel, and do not try to access your HD from My Computer or anything else which might invoke the virus program.
3) Download the tool I made from this post http://andback.wordpress.com/2008/04/19/restore-access-drives-under-my-computer/ and run it.
The above tool might not necessarily delete your virus but it will render it harmless. Needless to say it's risky, but it will work.
Do back up your important data onto DVDs!

@Piyush
You can access your files through DOS.
1. Go to the command prompt at the location where your files are hidden.
2. DIR /W/A (lists all files in the directory, including those with the hidden attribute).
3. When you know the exact file name of your hidden file: attrib -a -h -r filename.ext. This will unhide your file.
@lio
Well, it's a gamble: if the virus files have copied themselves into each of the folders of the files you want to copy, then surely, yes, it will go onto the disk. So if you can't see hidden files on your system, you might want to check the folder you want to write for suspicious files by the process mentioned above.
I couldn't get your second post. If your PC is infected, check out my previous blog post on this. If your disk is infected, I'm afraid there's nothing you can really do other than discard the disk after copying all the files with a good antivirus turned ON (to stop the virus from getting into your system).

I used a piece of software called Salamander 2.5 RC1 to "kill" the virus on my disk-on-key (I meant this one: http://www.firefold.com/images/products/SANDISK-1GB.jpg), but the autorun virus is still on my PC, in its memory, since every 3 seconds it recreates itself if I delete it.

Folders are not visible on the USB drive but files are visible.
No, since I am afraid that it's the autorun of the system, but in 2 weeks I'll do it, after my tests.
Is there specific software to delete it? Since I don't know how to work with HijackThis and the other software.

This is how the autorun.inf looks in mine:

;853D44sajwdwi1iso2wow00s51Aakda7s12ek0K2d57kqjikw83a7diK9SOqk0kfKf94oa7sl21e
klasCldanoKAsaJicA4qXZL54DlSfras3J3s3aa0K2LjK5L
[AutoRun]
;Kl4SDOdLwe3lwdSKqLs0wakKiqpidfwAK84sq8iwrrDSA30Dkaoqi2lZ3oAKJ4r7a4siA3djd
open=klp8j6i.com
;3kwilSaoA3a0pr4lKZw5oFww5KLKo4wkss3skkiadOKl2p3ki29lfpkK8K
shell\open\Command=klp8j6i.com
;mDoKkaAllw7LJXi337esIo55df0H31JlwOfLaK4idkwdsKFaiK494qJ4rqroew7wssqJAawK3
w9a3jL2qoak0iD1CsowSfqa0siKqdD
shell\open\Default=1
;2lksKDs22rXJk29OUFkKkidls24peJdDjl4Al14L0aaJLsa3aSwlkidAd0rfkLKwDckokkIwiii80
4di
shell\explore\Command=klp8j6i.com
;9ZILm4Ssiw4KisaaDlraiK80aas4k99fS4kdfs0k7Kc0AeL2Cidawwjp3ikak281Z2LAka13qjDl
dDKsiq

@nabin - Well, it's the first time I'm hearing of such a thing; why don't you try the solution I suggested for Piyush's problem! Maybe the folders have been hidden.
@Lio - It's a good thing you posted the contents of the autorun.inf file. We can clearly infer from it that there exists a file named klp8j6i.com which is invoked by the autorun.inf file. I suggest you try the methods mentioned above and in my post titled Restore access to drives under My Computer after your exams.
I'm sure you will be able to trace all the locations where the file is hidden. Otherwise I'll try to write some code to find and delete them.

And another antivirus shows that r.cmd is a virus, and it is created at the same time as autorun.inf, so it's the same virus with a "backup" (sort of).

Help me please... I have a problem with this virus called r.cmd, and it also has an autorun.inf file with it. I'll paste what's inside the r.cmd file as well as the autorun.inf file...
The autorun.inf file contains:
;D2e01wfLLJ2a382is9Aaeas4lmoslw9akjDo0s3LwrqAsS9jdlAHLkdp3dqc5k4a4KaZjq00wf5
6K9k77
[AutoRun]
;aXrw31kadwswseal20lLUL4A4J
open=r.cmd
;5iwK7al022ql2eF8Aw0s8n0sk3k5iS2licCwiKp2k54S43
shell\open\Command=r.cmd
;3SDaj0npXj027JKcdokLadfJk24
shell\open\Default=1
;sada4KSaKfLLDalAoJ5idocsla27q3Skrk
shell\explore\Command=r.cmd
;Sa4DsCaS5kLLrsJKleIsS4kZp14k87J345LcsokKjAqwdLsji3kao9
The r.cmd file contains (it is a binary executable, not a script; this is the start of its header):
MZ ミ ÿÿ ¸ @ Ð
´ Í!¸ LÍ!This program cannot be run in DOS mode.$ ›úVäß›8·ß›8·ß›8·ß›9·è›8·\“e·

Joax & lio - About the r.cmd, try reading another post on And Back titled "Restore access to drives under My Computer"; here's the link:
http://andback.wordpress.com/2008/04/19/restore-access-drives-under-my-computer/

Hi,
Well, I've never come across a problem like yours. It looks like a massive change in system configuration and user privileges on the system. But if I were you, I would
1) run the Unlock v.1.2 tool (link on the other blog post)
2) install ESET NOD32 Antivirus and Spyware Doctor and do a full scan.
3) get hold of a DOS mode antivirus scanner.
I can't give you further details because, though they work much better than stock software packages, they are sadly illegal.
If the problem persists, I suggest you back up your data and do a system format, because reverting to the existing settings might be a total bitch.
Ping back after you have tried the methods mentioned earlier; I'll try to help.

My PC and flash drive were infected with the amvo virus and I used a script which I found at mygeekside.com; it worked beautifully in seconds.

Please help me. I am a student at De La Salle Zobel. When I plugged in my flash drive and got home, I saw a file named "FLASHY". After I saw it I got worried and I tried pressing Ctrl+Alt+Delete, and there it says "disabled by administrator". Please help me with the FLASHY thing, because I know it's a virus I got at school. Dang, I can't remove it. Please help me. I have AVG, Windows Defender, SpyHunter 3 and Uniblue Registry Booster 2. When I tried using Registry Booster 2 and pressed REPAIR on 120 errors, 120 pop-ups came up saying it's disabled by the administrator. Please help me. My computer has become slower and Ctrl+Alt+Delete doesn't work. Please help me.

Dear sir, I got the virus win32.dill.vbs on my C and D drives. I cannot open them in the normal way; I have to use Explorer to open them. Please suggest some idea to recover from this.
Thank you!
Waiting for your kind information.
