Showing posts with label trojan removal.

Monday, October 26, 2009

Autorun.inf Malware Threat: Protect and Remove it from your Computer and USB Drives

Autorun.inf malware spreads these days through various portable USB devices such as iPods, external drives and pen drives.

While autorun.inf malware is not especially destructive to your computer, it is nasty and annoying. It causes various types of malfunctions: your hard drive fails to open on double click, double clicking a drive opens Search instead, or your computer even restarts when you try to open a USB drive infected by autorun.inf malware.

The autorun.inf virus is a common kind of virus that infects many computer systems, so tips on how to detect and remove it matter. Most of the time this type of virus spreads through widely used removable storage devices such as memory sticks, external HDDs and USB drives. Its spreading can be illustrated by the steps it usually takes. First, the virus infects the removable drive and places an autorun.inf file on it that contains a number of DLL files. In some instances the autorun.inf is also copied onto each and every partition of the user's hard disk. Then, whenever the drive is plugged into a particular system, the autorun file executes itself and copies the DLLs. It then makes changes to the registry and edits a number of startup entries, so the virus's activity shows the next time the user restarts their PC.

The files usually stay on the user's PC as hidden files, and the user is not able to enable the Show Hidden Files option once the virus has infected the system. At the same time, the virus disables other Windows components as well, typically the Registry Editor and Task Manager.

How to Protect Computer from Autorun.inf malware?

One popular way of protecting removable drives is to create a folder or file in the root of the drive and name it AUTORUN.INF. Normally this file is what lets the malware run automatically on the system without the user executing it; by creating the file beforehand, worms should ideally not be able to run in this way.

However, this method is not perfect. Worms can delete the existing AUTORUN.INF file or folder, and then replace it with a malicious version. This would negate any protection placed by the user on the said file. However, by using file permissions to restrict changes, the AUTORUN.INF file can be protected more effectively.

Note: Make sure that your external drive is formatted using NTFS, as this procedure uses a specific feature of NTFS. If your removable drive is formatted using either FAT or FAT32, back up any data on the said drive first and reformat using NTFS. This may require Windows Vista or Windows 7.

  1. Create a new folder in the root directory of the removable disk and name it “AUTORUN.INF.”
  2. Create four more folders in the same location and name them “recycle,” “recycler,” “recycled,” and “setup” respectively.

Note: The folders recycle, recycler, recycled and setup are optional, but it is recommended to create them because malware often uses these names.

  3. Open a command prompt (cmd.exe) and go to the root directory of your removable drive.
  4. Set the folder attributes using the following command:
    attrib autorun.inf /s /d -a +s +r
  5. Set the privilege level of the folder using the following command:
    cacls autorun.inf /c /d administrators
  6. Type ‘Y’ and press Enter when the message “Are you sure (Y/N)?” appears.
  7. To test it, try to delete, modify, rename, copy, or open the created folder. If none of these operations succeeds, the procedure worked.
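The whole vaccination procedure above as one script, added here as an example and not taken from the original post; $DriveLetter is an assumed parameter for the letter of your removable drive, and the ACL step is done with Set-Acl rather than cacls.

```powershell
# Added example, not from the original post: the AUTORUN.INF vaccination steps
# above as one PowerShell script. $DriveLetter is an assumption (the letter of
# your removable drive); run it from an elevated prompt against an NTFS volume.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]$')]
    [string]$DriveLetter
)

$root  = "${DriveLetter}:\"
$drive = New-Object -TypeName System.IO.DriveInfo -ArgumentList $root
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$root is $($drive.DriveFormat); the permission step needs NTFS (see the note above)."
}

# The vaccine folder plus the decoy names worms commonly use.
foreach ($name in 'AUTORUN.INF', 'recycle', 'recycler', 'recycled', 'setup') {
    $path = Join-Path $root $name
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }
}

# The attrib step (-a +s +r): System and ReadOnly set, Archive cleared.
$vaccine = Get-Item -LiteralPath (Join-Path $root 'AUTORUN.INF') -Force
$vaccine.Attributes = [IO.FileAttributes]::Directory -bor
                      [IO.FileAttributes]::System    -bor
                      [IO.FileAttributes]::ReadOnly

# The cacls step (/c /d administrators). cacls without /E replaces the whole ACL
# with the deny entry; here an inherited Deny ACE for Administrators is added on
# top of the existing rules, which has the same effect on that group.
$acl  = Get-Acl -LiteralPath $vaccine.FullName
$deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -LiteralPath $vaccine.FullName -AclObject $acl

# The final test, automated: a rename must now be refused.
try {
    Rename-Item -LiteralPath $vaccine.FullName -NewName 'probe' -ErrorAction Stop
    Write-Warning "Rename succeeded: $($vaccine.FullName) is NOT protected."
} catch {
    Write-Host "OK: rename refused ($($_.Exception.Message)); the vaccine folder is protected."
}
```

Because the Deny entry also applies to the administrator who created it, undoing the vaccination later requires taking ownership of the folder first.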

In addition to the above procedure, users may also choose to use hardware means of protection. Certain removable drives have an external switch that prevents the device from being written to. This would prevent malware from making any modifications to the drive, including the AUTORUN.INF file. However, as this may prove to be somewhat inconvenient, it is still a good idea to use the procedure shown above.

How to Remove Autorun.INF malware with Autorun Eater?

Autorun Eater is a tool to scan and remove suspicious ‘autorun.inf’ files found in the root directory of all drives, A-Z, in real-time. Autorun Eater will remove any suspicious ‘autorun.inf’ files even before the user attempts to open the drive.

Note: It will remove all suspicious ‘autorun.inf’ files from virus-infected pen drives, but it will not remove any other virus files, so you will have to remove those manually or with an anti-virus tool.

It also fixes the three common problems caused by these viruses (as shown in the image below):
  1. Task Manager disabled.
  2. Registry editing disabled.
  3. Folder Options hidden.

[Image: Autorun Eater screenshot]

If you have removed all the suspicious ‘autorun.inf’ files from all your drives, you will be able to open all your drives easily including your pen drive with double click.

Note: Some antivirus and antispyware programs flag Autorun Eater as infected or as malware, although the application is perfectly safe and poses no threat to your system. This is called a 'false positive': the term is used when antivirus software wrongly classifies an innocuous (inoffensive) file as a virus. The incorrect detection may be due to heuristics or to an incorrect virus signature in a database. Similar problems can occur with antitrojan or antispyware software.


How to Remove Autorun.INF malware with Flash Disinfector?

Flash Disinfector is a free remover for autorun.inf trojans and USB/flash disk trojans. The program was written by sUBs (author of the well-known utility ComboFix) to clean autorun.inf trojans that are running on the system.

Flash Disinfector will perform the following operations on your computer:
* Clean up the junk files spread by flash malware.
* Delete the suspicious autorun.inf files from the root directory.
* Fix the damage done by the virus.
* Create an autorun.inf folder in the root directory of your system drives.

Flash Disinfector targets the following flash malware (among others):

  • W32/Perlovga (copy.exe | host.exe)
  • VBS_RESULOWS.A (Hacked by Godzilla, Hacked by Moozilla)
  • Bha.dll.vbs
  • w32automa worm (Autorun.vbs)
  • Trojan.Win32.VB.atg | Win32/Dzan | Worm_vb.bnr (tel.xls.exe | mmc.exe)
  • W32/RJump.worm (RavMonE)
  • Worm.Win32.Delf.bf | W32.Fujacks (spoclsv.exe)
  • W32.Fujacks.BH (Fucker.vbs)
  • WORM_AGENT.PGV (soundmix.exe)
  • W32/Hakaglan.worm (RVHost.exe)
  • Trojan.Win32.VB.ayo [AVP] (Macromedia_Setup.exe)
  • Trojan.VBS.DeltreeY.b#1 (Destrukto!!! | destrukto.vbs)

How to use Flash Disinfector?
Download Flash Disinfector from the link below and save it to your Desktop. When the download has finished you will see a new icon on your desktop. Double-click the Flash_Disinfector.exe icon to run it, insert your flash drive and/or other removable drives (including your mobile phone), and click the OK button. Wait until it has finished scanning, then reboot your computer.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive plugged in when you run it. Don’t delete this folder; it helps protect your drives from future infection.

Tuesday, September 1, 2009

Trojan Hunting in Svchost.exe with Svchost Process Analyzer

"Svchost.exe" (Generic Host Process for Win32 Services) is an integral part of Windows OS. It cannot be stopped or restarted manually. This process manages 32-bit DLLs and other services. At startup, Svchost.exe checks the services portion of the registry and constructs a list of services that it needs to load.


Under normal conditions, multiple instances of Svchost.exe will be running simultaneously. Each Svchost.exe session can contain a grouping of services, so that many services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost


Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service


To view the list of services that are running in Svchost:
  1. Click Start on the Windows taskbar, and then click Run.
  2. In the Open box, type CMD, and then press ENTER.
  3. Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For more information about a process, type the following command, and then press ENTER:
Tasklist /FI "PID eq processID" (with the quotation marks)

The svchost.exe file is physically located in the folder C:\Windows\System32. However, this most important of service organizers can also be used as a vehicle and a hiding place for viruses, spyware, Trojans, or worms.


The possible symptoms of the infections are:
  • Your system becomes sluggish and you find that something called svchost or dllhost is taking nearly 100% of your CPU.
  • Your system reports that svchost has performed an illegal operation and will be terminated. After that, various things fail to work properly, if at all.
  • After you log in, your system automatically reboots in one minute.
Note that you should not be confused by the small difference between svchost.exe and scvhost.exe (the so-called svchost virus). The svchost virus is actually a process named scvhost.exe (notice that the “c” and “v” are switched), designed to be mistaken for the harmless svchost. Scvhost.exe will get into your system and completely shut it down. The virus is actually a Trojan horse, the W32/Agobot-S virus, which also allows hackers to access your computer and steal passwords and personal data.

Hiding dangerous content in svchost is an understandable approach, since troubleshooting it requires fairly advanced computer skills. The free Svchost Process Analyzer utility lets anybody analyze and troubleshoot the system for the presence of dangerous files and processes. The software lists all svchost instances and checks the services they contain. This makes it easy to uncover svchost worms like the infamous Conficker worm.
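The same checks the analyzer performs, and the Tasklist /SVC and scvhost.exe points made above, can be scripted from the registry keys described in this post. The following is an added example, not part of the original post and not Svchost Process Analyzer's own code; the function names are my own.

```powershell
# Added example, not from the original post or from Svchost Process Analyzer:
# walk every svchost-like process, resolve the ServiceDll of each hosted service
# from the Services key named above, and flag look-alike names (such as
# scvhost.exe), hosts not running from System32, and DLLs loaded from outside
# the Windows directory. Run from an elevated prompt (PowerShell 3 or later).

$systemRoot = $env:SystemRoot
$hostImage  = Join-Path $systemRoot 'System32\svchost.exe'

# True for 'svchost.exe' and for any transposition of its letters (scvhost.exe, ...).
function Test-SvchostLikeName([string]$Name) {
    if ($Name -match '^(?<stem>[a-z]{7})\.exe$') {
        $sorted = ($Matches.stem.ToLower().ToCharArray() | Sort-Object) -join ''
        return $sorted -eq (('svchost'.ToCharArray() | Sort-Object) -join '')
    }
    return $false
}

function Get-SvchostReport {
    $services   = Get-CimInstance Win32_Service
    $candidates = Get-CimInstance Win32_Process | Where-Object { Test-SvchostLikeName $_.Name }
    foreach ($proc in $candidates) {
        $lookAlike = $proc.Name -ine 'svchost.exe'
        # ExecutablePath is empty for processes we cannot open; treat that as unknown.
        $wrongPath = [bool]$proc.ExecutablePath -and ($proc.ExecutablePath -ine $hostImage)
        $hosted    = @($services | Where-Object { $_.ProcessId -eq $proc.ProcessId })
        foreach ($svc in $hosted) {
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
            $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            $outside = [bool]$dll -and
                       -not $dll.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)
            [pscustomobject]@{
                PID        = $proc.ProcessId
                Image      = $proc.ExecutablePath
                Service    = $svc.Name
                ServiceDll = $dll
                Suspicious = $lookAlike -or $wrongPath -or $outside
            }
        }
        # A svchost-like process that hosts no service at all deserves a look too.
        if ($hosted.Count -eq 0) {
            [pscustomobject]@{ PID = $proc.ProcessId; Image = $proc.ExecutablePath
                               Service = '(none)'; ServiceDll = $null; Suspicious = $true }
        }
    }
}

Get-SvchostReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A Suspicious row is a lead, not a verdict: third-party services legitimately register ServiceDll paths under Program Files, so compare the flagged DLL's publisher and signature before acting on it.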

[Image: Svchost Process Analyzer screenshot]

While Svchost Process Analyzer does not provide the details that popular process managers like Process Explorer provide, it does list the information in a comprehensible manner. The process analyzer will scan all svchost processes that are running on the Windows operating system upon startup. A click on details will open the main application window, that lists every svchost process in the top window and details about the selected process in the window at the bottom.

Each entry in the lower window is displayed by name, service name and file. Svchost Process Analyzer is compatible with 32-bit and 64-bit editions of Microsoft Windows XP, Windows Vista, Windows 2000, Windows 2003 and Windows 2008.

Main Features:
  • 100% freeware.
  • Doesn't require runtimes.
  • Doesn't require installation (absolutely portable).
  • Doesn't write to the registry.
  • Doesn't modify files outside of its own directories.
  • Does not contain adware / malware / spyware.
  • Small, single executable file, does not require significant computer resources.
Developer: Neuber Software.
