Removing the FlashDrive autorun.inf Virus

Desai Kalpesh

1 of 6


Some of the symptoms of an infected computer:

- Hidden files cannot be viewed. Changing options in Tools/Folder Options has no effect.
- Changing registry values has no effect.
- No restriction removal tools like RRT etc. are able to fix the problem.
- Regedit cannot be found when you try to invoke it from the RUN box.
- Task Manager has been disabled by Administrator.
- You cannot enter a particular drive, i.e. when you click on your drive letters (C, D, E etc.) in My Computer nothing happens.
- The computer has become slow and there is a noticeable delay before characters appear on screen when you press a key on the keyboard.
- The left and right strafing keys in Counter Strike 1.6 don't work. They work on CS: Condition Zero though.

Virus Removal Strategy that works for me:

Full System scan

A full system scan using any of the following antivirus/antispyware tools usually does the trick:

1. Eset NOD32 or Eset Smart Security Business Edition.
2. DOS mode virus scan using the antivirus tools in HirensBootCD*
3. Spyware Doctor and AdAware.

Identifying the Virus manually

Most of the time a virus gets detected but the antivirus software is unable to remove it. This is because either the virus is currently running on your system as one of the processes or it is being protected by the Operating System itself. So before doing the virus scan you have to take a few precautions:

1. Download ProcessXP if your Task Manager is disabled.
2. Download HijackThis from Trend Micro.

Both of these tools are helpful in revealing and killing hidden processes running on your system or those which have recently made changes. If you find something like:

- monit.exe - runs under explorer.exe, keylogger app, creates problems with Counter Strike
- scvhost.exe or 713xRMTmon.exe - not to be confused with svchost.exe, an important Windows process.
- wscript.exe - a harmless process which can be made to execute harmful VBScripts like mswin32.dll.vbs
- amvo.exe or amva.exe
- autorun.inf - It's actually a harmless file (more info). But it can be used to invoke a virus when you click a folder/drive which has this file.

It's best to kill/terminate them by Right Click/End Process Tree. Also a good practice is to EndProcessTree** Explorer.exe as well, start the antivirus executable from TaskManager/File/Run, and then run a system scan. Explorer can be started again from TaskManager/File/Run: type explorer [enter]. Several antivirus support forums help out people who submit their HijackThis log files.

Viruses usually invoke at startup, so it's a good idea to check the startup list by StartMenu/Run/msconfig/Startup, where you should find something suspicious like scvhost.exe. Uncheck them (only the suspicious ones!). Restart your PC. Do a system scan.

So how do you find out which process is malicious? Google them. If your data is important to you and you really want to remove the virus without formatting, you have to do this bit. Once you are familiar with the system processes you should be able to isolate the culprit just by looking at the list.

Removing the FlashDrive autorun.inf Virus

Desai Kalpesh

2 of 6

You can also go to the command prompt (StartMenu/Run/command) and then CD\ ; now you should be at the C:\ prompt. Now type: type autorun.inf. You should be able to see the contents of the autorun.inf file, which for me was like

Deleting** Identified Virus files - Harddisk, Registry

Now that you have identified a file, say autorun.inf or mswin32.dll.vbs, in the root of all drives or in your system drive, immediately delete all instances of it on your system. If it's protected, download http://www.gibinsoft.net/gipoutils/, locate the file and delete it. For more details read my article to Restore access to drives under My Computer. You can also delete a file from DOS: the command DIR /w/a displays all hidden files and folders; remove the attributes with the command attrib -s -h -r <filename>, then delete <filename>.

A virus also hides itself in the System Volume Information and PREFETCH folders, so it might be a good idea to turn off System Restore for a while. Doing so will delete all your previous system restore points.

Another thing that I do is remove all traces of the virus file from the Windows registry. Start regedit (StartMenu/Run/regedit). If your system can't find regedit, copy it from C:\WINDOWS\system32\dllcache to C:\WINDOWS\system32\ or download it. After you open regedit, use Edit/Find to search for all entries of the names of the virus files mentioned earlier. Keep pressing the F3 key to look for the next result and delete** all of them.

To prevent future infections in your USB drive, what you could try is to create an empty autorun.inf file and set the read-only attribute on it. This should prevent a malicious autorun.inf taking its place. I tried it on some systems; it works!

I've deleted the virus, but why is my Task Manager still disabled and files hidden?? ... etc.

This is because a virus/trojan/worm is the mother alien which an antivirus can remove. But the settings and changes which they make do not concern an AV. You will have to change them back manually. If you still can't, that means there is some virus file enforcing those settings, like disabling Task Manager, hiding files etc.

- Task Manager disabled - Use RRT, or follow the instructions mentioned here.
- Files and Folders Hidden - Use RRT, or go to the registry and set:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
  "CheckedValue"=0
  "DefaultValue"=2
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  "CheckedValue"=0
  "DefaultValue"=2
  or download and run this registry key.

In the end, there are a few golden rules that I find are always true:

1. A virus is harmful while it is running.
2. If you can't change your settings, that means something is blocking it or continuously enforcing it. So stop the virus from running.
3. Delete all traces of the virus.
4. Change back the settings manually.

Warnings!

* Contains illegal compilation of shareware software. I'm not encouraging you and take no responsibility if you go ahead and use them.

** Be very careful while deleting or modifying system files/registry entries; your system may not even boot the next time you restart your computer. Something might go wrong anyway, that's how it is with these things.

updated: 18th April
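As an added example (not code from the original post), a small Python parser for the autorun.inf directives discussed above: it ignores the junk ';' comment lines seen in the files readers posted and reports which files the [AutoRun] section would launch, plus a check for the case where a file with a .cmd extension actually carries an MZ executable header. The sample file contents are constructed from the filenames on this page.

```python
import re

# Constructed samples modelled on the autorun.inf files posted in the
# responses; the ';' lines are random padding, not directives.
SAMPLE_BQK = r""";j444i
[AutoRun]
;Xaj3j2i5D2A3Dpjo3airklC3aiKwaoarr04o3a1wls44s2rJ7SeKwlwd3s5Sk4o2jDa1jaFjd
open=bqk.bat
shell\open\Command=bqk.bat
shell\open\Default=1
shell\explore\Command=bqk.bat
"""
SAMPLE_RCMD = "[AutoRun]\nopen=r.cmd\nshell\\open\\Command=r.cmd\n"

# Keys in [AutoRun] that make Windows run a file, plus shell\<verb>\command.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_VERB_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

def autorun_targets(text):
    """Sorted list of files the [AutoRun] section would launch.
    ';' comment lines are skipped and keys match case-insensitively, so the
    padding seen in the posted files hides nothing."""
    targets = set()
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_VERB_RE.match(key):
            program = value.split()  # drop any command-line arguments
            if program:
                targets.add(program[0])
    return sorted(targets)

def looks_like_pe(first_bytes):
    """True if the data starts with the MZ header of a Windows executable:
    the posted 'r.cmd' is a renamed .exe, not a batch file."""
    return first_bytes[:2] == b"MZ"
```

Running autorun_targets over the autorun.inf read with "type autorun.inf" tells you which file on the drive to look for and terminate before cleaning; looks_like_pe on the first bytes of that file tells you whether it is really a script or a disguised executable.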


Responses


Your page is the best I've seen, thanks.

Ed

My replicating INF looks like this .... PWS-LegMir.gen.k - Password Stealer

    ;j444i
    [AutoRun]
    ;Xaj3j2i5D2A3Dpjo3airklC3aiKwaoarr04o3a1wls44s2rJ7SeKwlwd3s5Sk4o2jDa1jaFjd
    open=bqk.bat
    ;12wklSf3mqi47siaaqq430IKowd7a4sswdsjkk5C5skrrOAeafrZeLjwAZ40n89iLk3s4Dr5wo8 eKUiipk22aSodwswp2
    shell\open\Command=bqk.bat
    ;43KKfocdki3l7CkiXa3sdA0n19r2w8f
    shell\open\Default=1
    ;4a
    shell\explore\Command=bqk.bat

.... and so on

Hi, Thanks! From the looks of your autorun.inf it seems bqk.bat is the virus file. I would suggest finding one of those bqk.bat files and opening them using any text editor (notepad). The contents should reveal what exactly the virus file is doing. It's important that you find the virus executable currently running on your system, terminate it, and then begin the cleaning procedure.

hi, i have AVG scanner which scans my system at start up... i receive a message saying Virus is detected at C:\Autorun.inf... And i press c for continuing.. i have scanned my pc but i am unable to del it.. also i tried to see the contents of it in dos mode.. it shows some message like shell execute or something... even can't find the entry in Reg Edit... could u help me.. should i download AD Aware.. and try to scan my pc.. plz help.. due to this trojan/virus.... pc has the following problems..
1. i can't enter my Drives when i click on them..
2. my ctrl+alt+del doesn't work
3. after some time.. my pc gets hanged..
thanks in advance.

Hi Riya, First of all I would strongly recommend getting ESET NOD32 antivirus and Spyware Doctor and doing a full system scan. I have personally tested almost all major AV brands and find NOD32 to be the best (and fastest). Email me if you need help getting them at -> a e l i e n at gmail because it might be illegal to share download links publicly. After you scan your system using the two above, if the problem persists, reply back.

[...] .exe files inside a folder, with the same name as the folder. To remove that virus, check out the And Back Up blog, after you're done with this removal. Fire up your Task Manager (Alt+Ctrl+Del) and end [...]

----

Hi. I was recently infected with a virus or worm of some sort. Similar to one of the examples you've mentioned in another post, I couldn't get into my partitions from My Computer when I clicked the icon. Also my antivirus would constantly notify me of some virus. Since then I have formatted my computer and the laptop itself is free of virus. However, here is my real problem now. Before I formatted my infected computer, I also had an external drive (F:) attached to my laptop and I had saved some of my precious pictures and videos and some applications in it. I use my external as my backup and so I haven't formatted my external yet. I did do an antivirus check one last time on the external before I formatted my computer. I deleted whatever worm or trojan it found. At this moment, I haven't tried to plug it back into my laptop yet because I am afraid it might still be infected. The last thing is for me to format and erase everything on it. =(. Please help me!! Is there any way I can retrieve my pictures and videos and documents at most before I have to format my external too??? THANK YOU MUCH!!

Hi! Well you need not worry. There will NEVER be a need to delete your pictures and videos, and it's a very good thing that you have put it all on an external hard drive in the first place! There is a high probability that your external HD might still be infected with a virus/worm. I think the best approach should be to first establish whether the external HD is infected or not. You can seek help from a friend who is good at this stuff or someone who is on a Linux system. And then we can try a few things. OR
1) you can plug your HD into your own or someone else's computer
2) there should be an autorun menu popping up asking you what you wanna do: Play video, Open files etc. etc. Cancel, and do not try to access your HD from My Computer or anything which might invoke the virus program.
3) download the tool I made from this post http://andback.wordpress.com/2008/04/19/restoreaccess-drives-under-my-computer/ and run it.
The above tool might not necessarily delete your virus but it will render it harmless. Needless to say it's risky, but it will work. Do back up your important data onto DVDs!

@Piyush You can access your file through DOS.
1. Go to the command prompt at the location where your files are hidden
2. DIR /W/A (lists all files in the directory with hidden attributes)
3. When you know the exact file name of your hidden file: attrib -a -h -r filename.ext. This will unhide your file.
@lio Well it's a gamble; if the virus files have copied themselves into each of the folders of the files you wanna copy, then surely yes it will go onto the disk. So if you can't see hidden files on your system, you might wanna check the folder you want to write for suspicious files by the process mentioned above. I couldn't get your second post. If your PC is infected, check out my previous blog post on this. If your disk is infected, I'm afraid there's nothing you can really do other than discard the disk after copying all the files with a good antivirus turned ON (to stop the virus from getting into your system).

I used a software called Salamander 2.5 RC1 to "kill" the virus in my disk on key (meant this one: http://www.firefold.com/images/products/SANDISK-1GB.jpg) but the autorun virus is still in my pc, in its memory, since every 3 sec it recreates itself if I delete it.

Folders are not visible in usb drive but files are visible.


no, since i am afraid that it's the autorun of the sys, but in 2 weeks I'll do it after my tests. is there a specific software to delete it? since I don't know how to work with HijackThis and the other software. this is how the autorun.inf looks like in mine:

    ;853D44sajwdwi1iso2wow00s51Aakda7s12ek0K2d57kqjikw83a7diK9SOqk0kfKf94oa7sl21e klasCldanoKAsaJicA4qXZL54DlSfras3J3s3aa0K2LjK5L
    [AutoRun]
    ;Kl4SDOdLwe3lwdSKqLs0wakKiqpidfwAK84sq8iwrrDSA30Dkaoqi2lZ3oAKJ4r7a4siA3djd
    open=klp8j6i.com
    ;3kwilSaoA3a0pr4lKZw5oFww5KLKo4wkss3skkiadOKl2p3ki29lfpkK8K
    shell\open\Command=klp8j6i.com
    ;mDoKkaAllw7LJXi337esIo55df0H31JlwOfLaK4idkwdsKFaiK494qJ4rqroew7wssqJAawK3 w9a3jL2qoak0iD1CsowSfqa0siKqdD
    shell\open\Default=1
    ;2lksKDs22rXJk29OUFkKkidls24peJdDjl4Al14L0aaJLsa3aSwlkidAd0rfkLKwDckokkIwiii80 4di
    shell\explore\Command=klp8j6i.com
    ;9ZILm4Ssiw4KisaaDlraiK80aas4k99fS4kdfs0k7Kc0AeL2Cidawwjp3ikak281Z2LAka13qjDl dDKsiq

@nabin - well it's the first time I'm hearing of such a thing, why don't you try the solution I suggested to Piyush's problem! Maybe the folders have gotten hidden.

@Lio - It's a good thing you posted the contents of the autorun.inf file. We can clearly infer from it that there exists a file named klp8j6i.com which is invoked by the autorun.inf file. I suggest you try out the methods mentioned above and in my post titled Restore access to drives under My Computer after your exams. I'm sure you will be able to trace out all locations where the file is hidden. Otherwise I'll try to write a code to find and delete them.

and another antivirus shows that a r.cmd is a virus and it is created at the same time as autorun.inf, so it's the same virus with a "backup" (like). help me please...

i have a problem with this virus called r.cmd and it has also an autorun.inf file in it. I'll paste what's inside the r.cmd file as well as the autorun.inf file...

autorun.inf file contains:

    ;D2e01wfLLJ2a382is9Aaeas4lmoslw9akjDo0s3LwrqAsS9jdlAHLkdp3dqc5k4a4KaZjq00wf5 6K9k77
    [AutoRun]
    ;aXrw31kadwswseal20lLUL4A4J
    open=r.cmd
    ;5iwK7al022ql2eF8Aw0s8n0sk3k5iS2licCwiKp2k54S43
    shell\open\Command=r.cmd
    ;3SDaj0npXj027JKcdokLadfJk24
    shell\open\Default=1
    ;sada4KSaKfLLDalAoJ5idocsla27q3Skrk
    shell\explore\Command=r.cmd
    ;Sa4DsCaS5kLLrsJKleIsS4kZp14k87J345LcsokKjAqwdLsji3kao9

r.cmd file contains:

    MZ ミ ÿÿ ¸ @ Ð ´ Í!¸ LÍ!This program cannot be run in DOS mode.$ ›úVäß›8·ß›8·ß›8·ß›9·è›8·\“e·

Joax & lio - about the r.cmd, try reading another post of And Back titled "restore access drives under my computer", here's the link: http://andback.wordpress.com/2008/04/19/restore-access-drives-under-my-computer/

Hi, Well I've never come across a problem like yours. It looks like a massive change in system configuration and user privileges on the system. But if I were you, I would
1) run the Unlock v.1.2 tool (link on the other blog post)
2) Install ESET NOD32 Antivirus and Spyware Doctor and do a full scan.
3) get hold of a DOS mode antivirus scanner. I can't give you further details because though they work much better than stock software packages, they are sadly illegal.
If the problem persists, I suggest you back up your data and do a system format. Because reverting back to existing settings might be a total bitch. Ping back after you have tried the methods mentioned earlier, I'll try to help.

My pc and flash drive were infected with the amvo virus and I used a script which I found at mygeekside.com, it worked beautifully in seconds.

please help me.. i am a student in de la salle zobel, when i placed my flashdrive, and got home, i saw a file named "FLASHY". after i saw it.. i got worried and i tried pressing CTRL+ALT+DELETE.. and there, it says disabled by administrator.. please help me about the flashy thing.. because i know it's a virus i got in school.. dang.. i can't remove it.. please help me.. i have AVG, windows defender, spyhunter3, uniblue registry booster 2.. when i tried using the registry booster 2, when i press REPAIR 120 errors, 120 pop-ups came saying it's disabled by the administrator.. please help me.. my computer became slower and ctrl,alt,delete doesn't work.. please help me..

dear sir i got virus win32.dill.vbs in my c and d drive, i cannot open it in the normal way, i have to use explorer to open it. plz suggest me some idea to recover this. thank you! waiting for ur kind information
