Virus Autorun.inf !
Solved
ChronoTrigger
-
Skrillex1132 Posted messages 118 Status Member -
Hello everyone!
Well, I am more than desperate, I spent the whole night trying to fix the problem, to no avail.
I caught this crap when I went to bring my USB stick to the local print shop to print a project (I don't even want to imagine how many people caught it).
Once I got home, I didn't notice anything because I use a Mac, so no problem.
But when my sister used my USB on her PC, Avast triggered the never-ending alert. "E:/autorun.inf" and flagged as VBS:Malware-gen.
No matter what I try, the constant alerts keep coming back. I started by formatting my USB, but it always seems to come back. Off on a hunt for the pest, I realize I can't display hidden files! I'm almost certain it's related, so I decide to be clever and use MSDOS commands to search the root of C: and what do I see? autorun.inf. So I type the command to delete it, I check, it's gone but I still can't display hidden files. I restart, everything is fine until I plug my USB back in, the Avast alert comes back... I've run every possible and imaginable scan that came my way during this ordeal. Ad-aware, Spybot, AVG, ...
The autorun.inf from the root C: doesn't reappear after the problem comes back. I'm almost traumatized, I turn to you ^^
11 replies
Hello everyone,
Well, I think it's time to take down this virus once and for all ;)
Let me explain
*/ First of all, the file "Autorun.inf" is not a virus but a file that gives the order to execute other files (you can modify it as you like using Windows Notepad) and it has many other uses, such as autoruns for CDs... etc
*/ Secondly, to make it disappear from USB keys and hard drives, you just need to "virginize" it, if that’s a word, and here are the 3 SOLUTIONS I mentioned:
1) Either we modify it (with Notepad) in such a way that it is no longer dangerous by deleting, for example, the following command line:
autorun="virus.exe"
2) Secondly, we delete the file called "Autorun.inf" and create a new folder with the same name "Autorun.inf" (Note: it’s a folder and not a file that just has the same name) and in this folder, we put any file, but it must be "READ ONLY" so that the virus cannot overwrite our folder.
(Note: this is my preferred solution and it guarantees 100%)
(Note 2: to delete the file "Autorun.inf" you need to enable the "show hidden files" option, otherwise with WINRAR, yes WINRAR, you launch it then search for your USB key and there you will see all the files contained in it, including hidden files, and you can delete it)
(Note 3: you have to be quick between deleting and creating the new folder because the virus will restore the deleted file in a few seconds, from 2 to 5 seconds, so I advise you to create the folder on the desktop so you can copy it directly)
3) Or, if you are not too strong, you can use special software like:
- Flash_Disinfector (Best)
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
And finally, I tell you VIVA JSK
Do you doubt that your USB key is infected with an autorun virus??
The easiest thing to do is to check it!!
To do this, you only need Windows!!
First, plug in your USB key without executing it!!
Then follow these instructions:
*In the start menu, choose run then type "cmd"
*In the window that appears, write the letter that designates your key followed by ":" (to find out the letter, go to my computer and look at the letter that precedes your removable drive) for example g:
*Now write Attrib *.*
*A list of files on your key will appear. In this list, look for the infamous autorun.inf; if you find it, that means your key is infected with such a virus. If not, the key is not infected ;)
Now to delete it, follow this:
*Type Attrib -s -r -h autorun.inf
*Then type del autorun.inf
There you go, it’s done
To avoid doubt, retype Attrib *.*
Now it should not contain autorun.inf
You can now access your USB without the risk of being infected!!
P.S. We just deleted autorun.inf and not the virus!!! The virus is still there on the key but is now inactive (WARNING the virus is not visible to Windows even when activating the display of hidden files, only antivirus can detect it!!) To remove it completely (in case your antivirus does not detect it), make sure to cut your files from the key and put them on your computer, then format the key!!
This method works 100% and I always use it even if my antivirus works wonderfully!!
Thank you and good luck to everyone :D
Your friend Adil
Hello everyone, to remove this virus, you need to proceed as follows:
Open My Computer > Tools > Folder Options > View tab, uncheck the box "hide protected operating system files" and click Apply without confirming with the OK button.
Open another My Computer window and go to C:\Documents and Settings > user account name; inside you will see the three responsible files, which need to be deleted:
alg.exe
ciaror.exe or a similar name
autorun.inf
the two exe files can be found in the task manager under the processes tab.
End them and then delete them.
Hello, personally, I have already had the same issue, a virus that ruined everything, and in response I reset my PC to zero and since then no more of that virus.
However, try uninstalling Avast and reinstalling it afterwards; it's also one of the solutions I have already tried.
good luck.
Reinstall for what?
Some viruses detect the installation of antivirus software or other programs to become invisible!
That's why it's essential to ALWAYS perform a virus scan (with updated definitions) before installing this kind of product!
Moreover, Avast has vulnerabilities: I've tested it from A to Z!
I only use it for troubleshooting.
NOTE: To view hidden files and folders, simply modify the folder options and run in Admin mode...
Hello everyone,
Apparently, no one has noticed there’s a Macintosh around!!! I’m surprised, given that these people claim to know about computers.
1/ The USB drive did not manage to infect the MAC (good choice) because viruses are mostly made for Windows. When you detect an infected USB drive with a self-executing virus, just plug it into the Macintosh, edit the "autorun.inf" file to see the name of the virus it calls, then delete both the "autorun.inf" file and the virus or the files it calls.
2/ On the infected Windows machine, you can install "NOD32," a very light and powerful antivirus, provided that you uninstall any other antivirus programs, if there are any, then update it and run a full scan of the machine.
Otherwise, there is a solution to permanently get rid of viruses (which I did), which consists of buying a Macintosh, and if you use some software that only runs on Windows, you can install "Parallels Desktop" which allows you to easily install Windows as if it were another PC while waiting to find the equivalent software for Mac.
In any case, I have found all the software I used on Windows in equivalent versions for Macintosh.
See you later!
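As an added illustration of the step described in this reply and in the first answer (reading autorun.inf to see which files it calls), not code posted by anyone in the thread: a read-only Python check, meant to be run on a Mac or Linux machine where the drive is mounted, that lists the commands in the [autorun] section and whether each referenced file exists on the drive. The sample content, file names and function names are constructed for the example; it deletes nothing.

```python
import os
import re

# Keys in the [autorun] section whose value is a command Windows may run.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed sample (not taken from the thread): junk lines around real entries.
SAMPLE = b""";kd83hfJunk
[AutoRun]
;x9s
open=RECYCLER\\payload.exe -arg
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\Command="RECYCLER\\payload.exe" e
shell\\explore\\command = run.bat
[other]
open=ignored.exe
"""


def decode(raw: bytes) -> str:
    """autorun.inf is ANSI or UTF-16; latin-1 never fails on odd bytes."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("latin-1")


def parse_autorun(raw: bytes):
    """Return [(key, command)] for the executable entries in [autorun]."""
    entries, in_section = [], False
    for line in decode(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment, often used as padding
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if EXEC_KEYS.match(key.strip()):
                entries.append((key.strip().lower(), value.strip()))
    return entries


def target_of(command: str) -> str:
    """First token of a command line: the file that would be launched."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""


def audit_drive(root: str):
    """Report (target, exists_on_drive) for each file autorun.inf references."""
    names = {n.lower(): n for n in os.listdir(root)}
    inf = names.get("autorun.inf")
    if inf is None or not os.path.isfile(os.path.join(root, inf)):
        return []  # absent, or a folder of that name placed there as a blocker
    with open(os.path.join(root, inf), "rb") as fh:
        entries = parse_autorun(fh.read())
    report = []
    for target in sorted({target_of(cmd) for _, cmd in entries}):
        # Drive-relative Windows path -> path under the mount point.
        parts = [p for p in target.replace("/", "\\").split("\\") if p]
        report.append((target, os.path.exists(os.path.join(root, *parts))))
    return report


if __name__ == "__main__":
    for key, cmd in parse_autorun(SAMPLE):
        print(f"{key:24} -> {target_of(cmd)}")
```

Call `audit_drive()` with the mount point of the drive; targets reported as missing usually mean the payload was already removed or sits on the PC rather than on the drive.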
I have an external hard drive infected with autorun.inf, so I wanted to follow your advice because I have a Mac. But actually, I don't understand what you mean by editing the file; I'm a beginner with Mac and I need you to detail the steps.
I tried to send the file directly to the trash, but it's impossible because it's read-only.
Thank you.
"I have a MAC because I don't know how to use a Windows computer properly... banana, sorry, apple, sad but increasingly common unfortunately for Apple machines that will be severely overpriced in the coming years... especially since Apple is now second in the market but don't worry, autorun isn't too bad, we can get rid of it by going through the cmd console, you just have to look it up on Google, the commands are provided.
Equip yourself with a live CD or a live USB stick containing a bootable Linux, go through the console, by removing it, the worm will be inactive, take the opportunity to remove it from the stick, remove it from your Windows partitions but be careful some autoruns under Windows are not infected. You will often find this little nuisance at the root of the stick.
And if you don't want to be reinfected, stop plugging your USB sticks anywhere... by the way, I caught it on a virtualized system, authentic malware distributor servers... just like with Macs, people call it progress if only they knew..."
Hi everyone
thanks a lot Aghiles
but I can't edit or move that damned autorun.inf file at home
not even create a folder with the same name (file used by another person or program)
(by the way editing means opening with a double click and changing the content
removing a line or completely everything so it's no longer dangerous ..)
and apparently it gets recreated every time a utility deletes it
(like rav.exe rav antivirus from evosla.com.. or others) which allows me to say that the virus is elsewhere
not on the USB drive
maybe in the registry
and it’s the one recreating this .inf file
however I will try scanning with nod32
to be continued
have a nice day
Hello Kysid,
It’s true that the Autorun.inf file is restored after a few seconds, but you have three solutions to eliminate it permanently:
1- Use the software called "USB Disk Security 5.1" which cleans USB drives of viruses (Very effective but paid)
2- Use Kaspersky antivirus which also removes it, provided it is updated, of course.
3- Otherwise, the MANUAL solution (described earlier by Aghiles), but I want to emphasize the need to be QUICK BETWEEN THE REMOVAL OF THE VIRUS AND THE COPYING OF THE FOLDER WITH THE SAME NAME before it is restored.
I have tried all three solutions and they work very well.
If you need further help, feel free to ask your questions on this page.
Thank you
--
Viva JSK, The Lions of Africa.
Good evening Aghiles
It's too bad I can't afford an antivirus
I always use a trial version
and right now I just have Kaspersky / but >>> the icon (contextual menu right click) is greyed out/inactive
Another remark / it seems that the content of autorun.inf changes / I found this out after having opened that pest several times (sorry)
On another note, is it possible to force its deletion with a .bat file
I tried to delete a file that I named test.inf
using this:
attrib -s -r -h test.inf
del test.inf /F /Q
attrib -s -r -h FileName.extension
del g:\autorun.inf
and it worked
but on the other hand
attrib -s -r -h autorun.inf
del autorun.inf /F /Q
attrib -s -r -h FileName.extension
del g:\autorun.inf
does not delete the cursed autorun.inf
I think I'm going to opt for formatting ..
but first I'm waiting a bit for your help
please help
Hello Kysid,
personally I haven't tried the .bat file but according to you it works, at least for a test file, but it must be noted that the virus has already placed its KEYS in your registry so your PC remains infected and the autorun.inf file will be regenerated ...
result: method more or less effective !!!
On the other hand, formatting solves the problem for the first use of your FLASH but the autorun.inf file is automatically regenerated the next time you plug in your drive.
It's true that antivirus software is paid, but you can try free antivirus like:
Avira Antivir FREE
AVG Antivirus FREE
---
otherwise there is the software I already mentioned: Flash Disinfector
which works wonderfully for you (by creating an autorun.inf folder that cannot be overwritten)
otherwise, otherwise, otherwise...
Q: have you tried the manual method? (already explained above)
it works for me both for FLASH DISKS and for my hard drive PARTITIONS.
Good luck
--
Viva JSK, The Lions of Africa.
here is a good tool to remove this virus with a single click
http://www.boxinformatique.com/2009/08/comment-supprimer-definitivement.html
Hello, I have the same problem, but there's one thing that bothers me... it's all nice and well to play around with our USB drives so that the virus doesn't get on them, but if I understand correctly, it's our computer that's putting it there, so the virus is on our computer. How can we remove the virus (from our computer) that spreads to peripherals?
But why do people keep using that sieve of Avast!... it's impossible... all this just because it's free... I mean...
Let me explain one thing to you, I have Avast okay, actually the virus is easily removable, you need to remove it from the devices either using Unlocker (software that can be found via Google) or by formatting, and then you use ComboFix and you won't have any problems anymore. By the way, a friend using Kaspersky had the same issue and Kaspersky did nothing more than Avast. I've been using Avast for 4 years and it's the only problem I've had, so I don't think there's any reason to criticize it.
So the solution is to make sure to properly remove the virus from USB drives or other removable disks and to use ComboFix. ComboFix is very effective but you must follow the instructions to the letter, otherwise you could run into troubles.
Good luck to everyone
Paid antivirus software can also be sieve-like. McAfee, to name just one, used by my client, has lamentably allowed numerous machines to get infected by the Sality virus. Worse: it lets the virus install itself, then indicates that the machine is infected, but does nothing to disinfect it.
For your information: Sality (the virus we've been battling since June with my client) generates a hidden system file Autorun.inf with malicious code and also executes another file .bat or .cmd or .exe or .com or .pif (also hidden system)
Symptoms: it infects all .exe files and all removable media, disables the task manager, registry editing (regedit), prevents viewing hidden files. Depending on the variant, it disables Wi-Fi and/or USB. And this continues until the system is destroyed.
Thanks, McAfee :( !!!
It turns out that free antivirus software, like Avast and AVG, fight this virus very well, which the paid antivirus of my client allows to pass with ease.
I didn't know that WinRAR was used for that.
I finally removed my read-only hidden virus.
2 years later...
3 years later...