I have an updated article on this autorun.inf virus which can be found at http://www.bleuken.com/2008/07/01/preventing-and-removing-autoruninf-virus/. Please read it instead!
There are several viruses that use autorun.inf to spread themselves, such as Bacalid (which hides itself in ctfmon.exe) and RavMon.EXE. These viruses set their file attributes to System+Hidden+Read-Only, so some antivirus programs will have a hard time detecting or finding them. They save themselves in the root directory of every available drive on the infected computer and run every time you double-click the drive. On infected USB sticks and CDs, the virus runs automatically if drive autorun is enabled for those drives (autorun for drives is usually enabled by default).
Autorun.inf is usually used by CD installers to autoplay their installations, but hard disks should not by default have an AUTORUN.INF on the drive.
To check whether your computer may be infected by those viruses, display the contents of the drive from the command prompt using the dir /ah command. You will see the following window if you try this:
In this window, drive C contains a hidden file, autorun.inf, which means the computer may be infected. To erase it, restart Windows in Safe Mode with Command Prompt. (Do this by rebooting your computer, pressing F8 before Windows starts loading, and selecting it from the boot menu.) On drive C and the other drives, type the following commands:
1. attrib -h -r -s autorun.inf
2. del autorun.inf
Repeat these steps on the other drives to disable the autorun.inf.
Disable AUTORUN from Registry
Now you can disable AUTORUN for all drives by configuring the registry. Open the registry editor by typing regedit.exe at the command prompt (if you are still at the command prompt) or by executing it from Run. Look for the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer as shown below:
Double-click the NoDriveAutorun DWORD entry and type the value HEX: FF (255 in decimal). (If NoDriveAutorun does not exist, you can create it by right-clicking the right-side area of the regedit window, then clicking New -> DWORD Value and typing NoDriveAutorun.) Close the registry editor and restart the computer. This procedure disables autorun for all drives of your computer, prevents the autorun function of infected USB drives or CDs, and helps avoid infection by viruses like Bacalid and RavMon.exe.
Update:
If you want to prevent viruses that use autorun.inf from infecting your USB flash drive, try this:
1. Open a Command Prompt (Start->Run->cmd.exe).
2. Change the current drive to your USB flash drive (e.g. if your flash drive is drive E:, type E: at the command prompt and press Enter).
3. Create a folder named AUTORUN.INF in the root directory of your flash drive (to do this, type the command: MD\AUTORUN.INF). If the error "a subdirectory already exists…" is shown, follow the instructions above to remove the existing autorun.inf before doing this step.
The reason this avoids future infection is that autorun.inf viruses usually generate a file named autorun.inf. Having an AUTORUN.INF folder in the root directory of your drives makes virus programs unable to create their own autorun.inf file; a virus can’t even overwrite it because it’s a folder and not a file. See my point?
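As an added example (not code from the original post), this Python script checks a drive root the way the manual steps do: it reports whether autorun.inf is absent, is a file that launches a program, or is the AUTORUN.INF placeholder folder. The function names and the temporary test folders are assumptions made for the illustration; the sample file contents are the lines a commenter reported below.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that start a program

def launch_entries(text):
    """Return (key, command) pairs in the [autorun] section that run a program."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # shell\<verb>\command defines an action in the drive's context menu
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                found.append((key, value))
    return found

def check_root(root):
    """Classify what sits at <root>/autorun.inf, matching the name in any case."""
    # os.listdir also returns entries carrying the Hidden and System attributes
    names = [n for n in os.listdir(root) if n.lower() == "autorun.inf"]
    if not names:
        return "absent", []
    path = os.path.join(root, names[0])
    if os.path.isdir(path):
        return "placeholder-folder", []  # the AUTORUN.INF folder from the update
    with open(path, encoding="latin-1") as fh:
        entries = launch_entries(fh.read())
    return ("launches-program" if entries else "no-launch-command"), entries

def file_write_blocked(root):
    """True if creating a file named AUTORUN.INF in root fails (test folders only)."""
    try:
        with open(os.path.join(root, "AUTORUN.INF"), "w"):
            return False
    except OSError:
        return True

def demo():
    """Build two constructed drive roots in a temp directory and check both."""
    sample = "[autorun]\nShellexecute=copy.exe\n"  # contents a commenter reported
    with tempfile.TemporaryDirectory() as base:
        infected, guarded = os.path.join(base, "E"), os.path.join(base, "F")
        os.makedirs(infected)
        os.makedirs(os.path.join(guarded, "AUTORUN.INF"))
        with open(os.path.join(infected, "autorun.inf"), "w") as fh:
            fh.write(sample)
        return check_root(infected), check_root(guarded), file_write_blocked(guarded)

if __name__ == "__main__":
    print(demo())
```

To check a real drive, call check_root with its root path, for example check_root("E:\\").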
Read also my current post on free tools on removing autorun.inf virus and other malware.
If this post helps you on your PC problem, please link back to this blog: http://bleuken.i.ph as a sign of your gratitude. Thank you!
Please verify whether the content of autorun.inf contains a line that opens an executable program. Try opening the autorun.inf with notepad or any text editor and post it here so I can check it. Note: not all autorun.inf is a virus carrier!
Oye yaar It’s working.
My goodness that a genius like u is there to resolve this problem.
Thanking you!
thank god! i finally found the answer to the pesky autorun.inf, and it was even a Filipino who gave a clear answer.
Posted by Peppers at February 3, 2008, 4:56 am
hi
i tried to follow the path u have suggested but it hasn’t solved the problem
in my autorun.inf i find the following lines
[autorun]
Shellexecute=copy.exe
there is one more file which says recycler inside that there is a file named ctfmon & desktop.ini, &, info.
more over my system volume information is greyed out i’m not using any system restore points how do i empty that also
eagerly waiting for ur response
thank you
Ramkumar,
try to start your computer in Safemode. Download a copy of HijackThis, then send the log generated by the program to my email so i can check the infections on your computer. Good day!
Posted by bleuken at February 12, 2008, 6:50 am
nice!!! this is great… you’re awesome, bro.. or is it sis.. hehehe
Posted by hackted at February 13, 2008, 11:14 pm
thanx a lot, 8s solv d problem… good day!
Posted by Jimbo at February 14, 2008, 11:04 am
hi, just asking: it was removed ok, but when i plug in my flash drive again it’s there again. autorun.inf and notepad.exe, what could the problem be???
Posted by psymon at February 15, 2008, 11:07 am
psymon, it’s because ur USB flash drive is still infected with the virus. try removing the virus again on your computer and make sure to remove the virus from your flash drive.
try this,
create a folder on your flash drive named:
AUTORUN.INF
this will prevent future infections. Good luck!
Posted by bleuken at February 15, 2008, 11:44 am
is it only applicable for removable media or does it also work if i put an autorun.inf folder on the drives(C:,D:) of my computer? thanks.
Posted by deidre at February 15, 2008, 4:34 pm
deidre, the AUTORUN.INF folder creation to prevent viruses that use autorun.inf is applicable to other drives (C:, D:).
Posted by bleuken at February 15, 2008, 10:57 pm
Dear Author,
I can’t thank you enough for sharing such a great skill. I have used your techniques and it works like a dime. It took me forever to find for a solution until I discovered this entry. Thanks again.
Posted by Sam at February 24, 2008, 11:25 am
hi there,
this solution works well. but wat is the final solution for the virus infection.
removal of this virus can be done KGR via cleaning it using an antivirus program or removing it manually. Read my post on
http://bleuken.i.ph/blogs/bleuken/2007/11/05/removing-scvhostexe-or-w32yahloverwormgen/
for removing a virus i.e. using autorun.inf.
you are such an angel. thank you very much.
i have a question, though. are mma.vbs, mma.rar, mma.reg, boot.ini a bunch of viruses, too? i dont know yet coz i havent searched the net. thanks again!
jbb, boot.ini is a system file, u should not delete it usually it’s located on drive C:\, well mma.vbs, mma.rar, mma.reg are possibly viruses.
Posted by bleuken at March 21, 2008, 7:25 pm
hi,
i would like to know that my system is also affected by this autoruninf virus. Now when i run cmd command in ‘run’ it shows an error.if i run command prompt in run then it gives but only c> comes instead of c:\> and when i try to do what u posted ,but it doesnt work. what to do?
ru using winxp? try to start your computer in SAFE MODE Command Prompt. the command ATTRIB is an external DOS command, it is located at C:\WINDOWS\SYSTEM32, try running it as C:\WINDOWS\SYSTEM32\ATTRIB
See my other post for detail on ATTRIB.
Good luck!
Posted by bleuken at March 21, 2008, 10:31 pm
can mma.vbs, mma.rar, mma.reg, be removed the same way as removing the autorun.inf?
Posted by jbb at March 23, 2008, 5:09 pm
Thanks dude..this really helped me remove that virus..now my system works fine..thanks a lot..keep sharing this kind of info with us..
Posted by sridhar at March 25, 2008, 4:08 pm
OMG you are freakin amazing! i’ve done pretty much everything. antivirus, anti spyware (both results came up clean), i even joined an online forum just to post my hijackthis log and posted my problem on yahooanswers and no one was able to give me a clear solution to my problem until i stumbled upon your page.
thanks… keep it up!
Posted by Jeremy Davis at April 1, 2008, 12:37 am
hi,
i was following the procedure u suggested above for deleting the autorun.inf & another virus called as ntde1ect.com.But by starting the PC again it is still in my PC,i mean once i restart the computer & check for the any virus by typing dir /ah in command prompt,i always found autorun.inf & ntde1ect.com in my PC.
Will u plz suggest me how i can delete PERMANENTLY from my PC
plzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
waiting for ur rply
byeeeeeeeeeeee
can u remove it in command prompt safemode? try to remove it on the root directory of your computer then try to look for it on the C:\WINDOWS, C:\WINDOWS\SYSTEM, C:\WINDOWS\SYSTEM32, virus usually make copy of their codes on this folders. Try using an antivirus that scans on command prompt like AVAST.
Posted by bleuken at April 7, 2008, 9:57 pm
i already tried to remove it by safe mode with CMD
prompt & it gets removed every time but when i later start comp. it gets restored as it is.
Plz give me appropriate commands & procedure.
I tried these files in CMD pmpt & there is no file named as autorun.inf &ntde1ect.com by this Command: dir /ah in all these roots
C:\WINDOWS, C:\WINDOWS\SYSTEM, C:\WINDOWS\SYSTEM32
THANKS FOR YOUR PREVIOUS REPLY
Posted by varsha at April 8, 2008, 12:06 am
Thanks!!! It was a great help to delete autorun.inf file
Posted by Grishin at April 8, 2008, 4:12 pm
varsha, i’ve just sent an email to ur email address re: ur request.
Posted by bleuken at April 8, 2008, 7:09 pm
hey it does work, but since i use vista, i could not edit the registry because the registry is different in it so i created a autorun.inf folder in my hard drive after removing the file autorun.inf, after that it did not restore
Posted by Neal at April 11, 2008, 1:36 pm
varsha, i did reply to you a week ago, maybe my email went to ur spam mail or junk mail, check it first. based on ur hijackthis log, ur pc is infected by a AVPO.EXE malware, try to remove it. if you can’t remove it manually, try to use AVAST and scan your system on boot time. my advice b4 doing this: try updating the virus definition of ur AVAST.
Posted by bleuken at April 14, 2008, 7:09 am
hi, i didn’t get ur mail, i checked it in both spam & junk mail… how can i remove AVPO.EXE manually, plz let me know about it…
thank u
varsha, i’m not recommending you to remove it manually, i did not personally experience this malware so i don’t know what will be the behavior of ur pc after the manual removal. Try using AVAST or AVIRA to remove this malware.
Posted by bleuken at April 20, 2008, 8:22 am
Hi, I’ve got a worm from a USB. Mcafee detected something but didn’t manage to remove everything. I have created a folder in my c:\ and d:\ called autorun.inf. Nevertheless, the faizal.js file keeps getting created. I have deleted it numerous times by now. I am working on my office computer and it has McAfee installed. I couldn’t boot into safe mode because windows demand a domain. I appreciate any help.
Posted by hop at April 22, 2008, 2:52 pm
big sis or big bro, there’s a problem, the folders got duplicated.. how can i get rid of that? thanks for the answer…
Posted by yfcakoh at April 22, 2008, 4:18 pm
faizal.js is a different virus, I did not personally encounter it. try to use HijackThis.log to see where it is installed. Lately I encountered a virus that uses Desktop.INI & Folder.HTT like the redlof virus. It uses VBS and JS on folder.htt to run itself during folder or drive access.
yfcakoh, it’s big bro; folders can’t duplicate themselves, maybe ur infected by a certain virus. try 2 right click the duplicate file then properties. If u find it as an application and not a folder, well it means it’s a virus.
Posted by bleuken at April 22, 2008, 4:59 pm
thnks bleuken, but i think i got the same prob as varsha, but, mine is amvo.exe and not avpo.exe. i removed all of its components via registry and my only problem now is the autorun.inf at c:\.
hope this works bleuken since all of the components of amvo.exe and t.com are now removed on my registry. will give u a comment ryt away.
yo dude, it worked!!!! thanks dude… the only thing i did prior to deleting autorun.inf is to remove amvo.exe files and t.com at the registry. then after that, i opened msconfig to disable knight and another blank application at the startup. then i rebooted the pc. after that, i removed knight at the registry(got lots of it) and rebooted the pc again. finally i deleted the autorun.inf at cmd at c:\ and rebooted the pc one last time.
btw, i did what u have to make autorun.inf folder to removable disks.
and all’s fine now. this kind of malware disables your yahoo messenger to sign in that’s why i wanted to remove the virus immediately. thanks!!!!
What could be the possible virus infects my pc during the start up of windows there will be a pop-up window labelled SSCIVIHOST.exe error. Anyone can help me pls….
Posted by sniperflip at May 2, 2008, 1:21 pm
Hi Guys,
I do experience this problem, try registry crawler program, its like antivirus utility tool, it helps (registry crawler 4.5) its very easy to get. make sure you remember what file to delete. effective…
Regards & God Bless,
Mark del Mundo Solis
I thought i have removed this virus that i had that seemed to be utilising the autorun.inf file. after trying several things (links can be found on my blog post here: http://clutters.blogs.friendster.com/blag/2008/05/removing_usb_vi.html), i still find the virus on my usb stick. it was not until i executed the steps as your instructions above (regarding deleting the virus-infected ‘autorun.inf’ in safe mode) that it is totally healed. thank you for that! and thank you for the explanations about how the autorun.inf viruses work. Regards, Ernest.
Posted by Ernest at May 4, 2008, 7:22 pm
Hi I want removal tool or antivirus tool for desktop.ini. Plz send me.
Posted by Indrajeet at May 5, 2008, 5:27 pm
Hi, I’ve reformatted whole pc and also followed your instructions on creating autorun.inf folder so as to prevent autorun.inf from creating itself and YET, the faizal.js file is still around. I would greatly appreciate if you can advise me how to REMOVE faizal.js permanently. Thanks much.
Posted by Lawrence at May 6, 2008, 11:37 pm
To bleuken,
I would like to ask for the detailed steps in creating a folder “autorun.inf” at Drive C: that would prevent the autorun.inf virus effect that you can’t double-click the drive…and my operating system is winxp
Thanks in advance
Posted by Marco at May 10, 2008, 10:08 pm
hai
how can remove autorun.inf, it contain following command
open =winamp6_full_emusic.exe
shell execute = winamp6_full_emusic.exe
shell\auto\command= winamp6_full_emusic.exev
please help
Hi wanted to know if I can remove the autorun.inf virus from my command menu while my pc is not in safe mode.
Can I remove the virus using
run>cmd
cd\
dir /ah
attrib -r -a -s -h autorun.inf
del autorun.inf
Can I deleted the virus using this method whilst my pc is NOT in safemode.
Thank you
Posted by Mudathir at May 20, 2008, 4:46 pm
Mudathir, the answer is yes but u need 2 make sure that u end the virus processes. It’s more advisable that u do this on safemode.
²¡¶¾ÃâÒßĿ¼£¡.
I started with the autorun virus and then ended with folders with the name ²¡¶¾ÃâÒßĿ¼£¡.
These folders have “rashd” attributes and I am unable to get rid of them because of the unusual name.
It all started with the autorun.inf problem.
Any help would be appreciated.
BB
Posted by BB at June 10, 2008, 3:41 pm
i haven’t encountered an autorun.inf virus but i took the precaution of protecting my PC. thanks for the info
Posted by takuyaki at June 15, 2008, 12:24 am
hi my pc has got file named Recycler and recycled created in each drive.
is that due to a virus
please reply me
Posted by deependra at June 17, 2008, 5:24 pm
Hi bleuken,
i hav this same autorun.inf virus problem…i got it through a USB flash drive..i deleted the virus autorun.inf using AVG antivirus and then only i double clicked but still now i hav the virus in both my drives C AND E!!i try deleting it with my antivirus but it keeps on comin back!!!And my PC is intel pentium 3 processor can u tell me how to start in safe mode because F8 is not the key to access safe mode option in my computer…please help me i would reallly appreciate if you send me an EMAIL please..waiting for your reply thanks in advance….
please if you have any problem on autorun.inf virus, send me a copy of the hijackthis.log on my email so i can analyze ur current system.
Posted by bleuken at June 24, 2008, 2:50 pm
Hello!
Could I make the AUTORUN.INF folder that I created “hidden” so as avoid being accidentally deleted by users of my computer?
Thanks and more power to you!
Posted by Juck at July 2, 2008, 9:15 pm
hi,
i follow ur advice in safe mode deleting autorun.inf in cmd, but everytime i command attrib autorun.inf -s -h -r, the autorun.inf will show on my drive c but suddenly its gone, and when i type del autorun.inf in cmd, it state could not find autorun.inf, but when i type autorun.inf in cmd, a notepad stating what it contains, so obviously, its still there…
pls help…
thankz..
Hi bleuken,
good day.. my problem starts when i inserted my usb to another computer and i found out that, that computer has a “autorun.inf” and “recycler” virus which the anti-virus of that computer detects.. Now my problem is that when i access my usb through my computer then i double click it.. i cant access it anymore.. a message “E: is not accessible” will appear.. i can only access it through run then E:..
my question is.. is this because of that virus? and if so, is the procedures you indicated above are the remedy?
waiting for your reply..
thanks and appreciated very much..
Hi, i’d just like to ask. My brother just had a brand new ipod video. He had already added some songs to it and it played just fine. Then he downloaded some videos from the internet (i don’t know from where) and put them on his ipod. When he came home and tried to open it, it could no longer be opened. So I opened it as a portable media device and found two suspicious files that were not supposed to be there. the first one is autorun.inf and the second is a folder named RECYCLER with another file inside named desktop.ini I want to know how to delete these files since i think these are viruses. I’d appreciate some info. thnx!
Posted by bloodmaiden at August 3, 2007, 6:41 am