Autorun virus detection and removal methods

Source: Internet
Author: User

The Autorun virus is hard to deal with.

Let's take a look.

USB flash drive viruses spread with the help of the autorun.inf file. The virus first copies itself to the USB flash drive and then creates an autorun.inf file there. When you double-click the USB flash drive, the settings in autorun.inf run the virus stored on the drive. So as long as we can block the creation of the autorun.inf file, a virus on the USB flash drive can only lie there dormant. You may have thought of this already, but whatever attributes are set on autorun.inf, the virus will change them. The method I describe is to delete the autorun.inf file in the root directory and then create a folder named autorun.inf in the root directory. Because a file and a folder with the same name cannot exist in the same directory, the virus cannot create the autorun.inf file. Whether future viruses will automatically delete the folder and create the file again is not known, but at least this method is very effective at this stage. However, this folder can be renamed, so many new Trojans and viruses rename it and then create the autorun.inf file to infect the USB flash drive. Even so, for users with high security awareness, using this method to determine whether their USB flash drives are infected is not a problem.

AUTORUN.INF virus information (file name: detection name)

MVS.exe: Dropper.VB.acd

LaunchCd.exe: Trojan.VB.vwp

Tel.xls.exe: Worm.VB.lv

Ghost.exe, conime.exe: Trojan.DL.Agent.blr

Autorun.exe: Trojan.Agent.xkt

Toy.exe: Worm.Agent.av

Autorun.exe, soundmix.exe: Worm.Clive.

Printer.exe: Trojan.VB.wio

BootIO.exe: Trojan/Agent.Bui

Status Quo Analysis

Facts show that there are already new viruses that deliberately check for the existence of autorun.inf: they delete the objects that can be deleted directly and rename the ones that cannot. In this case, you can use CMD commands to create a malformed folder inside the autorun.inf folder to prevent autorun.inf from being deleted by the virus.

There is also a long-known kind of virus that tricks users into clicking it through its file name (for example, important file.exe, novel.exe). Against viruses that use these two transmission modes, creating the autorun.inf folder alone is not enough.

An AUTORUN.INF virus has obvious external characteristics, but they are often overlooked: because it does not slow down the computer, many people do not notice it. However, if double-clicking the USB flash drive opens it in a new window instead of the current window, the drive may be infected. In this case, right-click the drive letter in "My Computer" and see what the top command is. If it is "Auto" rather than "Open", infection is more likely still. To confirm it, enter E:\autorun.inf in the address bar (replace E with the drive letter of the USB flash drive). If the open line in the file that opens is followed by a file such as sxs.xls.exe, the drive is certainly infected.
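The manual check described above (read autorun.inf and look at what its open line points to) can be scripted. The following is an added example, not code from the original article: it goes beyond the open line to the shellexecute and shell\...\command keys that the article's own test batch also writes, and the function names, the sample file contents and the list of executable extensions are assumptions made for illustration.

```python
import re

# Constructed samples (not taken from a real drive). sxs.xls.exe is the
# file name the article uses as its example of an infected open= line.
INFECTED = r"""[AutoRun]
open=sxs.xls.exe
shellexecute=sxs.xls.exe
shell\Auto\command=sxs.xls.exe
"""
BENIGN = "[autorun]\nicon=setup.ico\nlabel=Backup\n"

# [autorun] keys that make Explorer start a program from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
EXEC_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs")
# Document-style suffix followed by an executable one, e.g. ".xls.exe".
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(exe|com|scr|bat|cmd|pif|vbs)$", re.I)

def launch_entries(text):
    """Return [(key, command)] for each launch key in the [autorun] section."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        key, sep, value = line.partition("=")
        if in_autorun and sep and LAUNCH_KEY.match(key.strip()):
            entries.append((key.strip().lower(), value.strip()))
    return entries

def target_of(command):
    """Program part of a command line: quoted path or first token."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)).lower() if m else ""

def assess(text):
    """Return 'clean', 'launches-program' or 'disguised-executable'."""
    verdict = "clean"
    for _key, command in launch_entries(text):
        target = target_of(command)
        if DOUBLE_EXT.search(target):
            return "disguised-executable"
        if target.endswith(EXEC_EXT):
            verdict = "launches-program"
    return verdict

print(assess(INFECTED), assess(BENIGN))
```

Feed it the text of the autorun.inf file read from the drive root; a verdict other than "clean" means the file would start a program when the drive is opened.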

Response Policy

1. Hold down the Shift key while inserting the USB flash drive until the system prompts "the device can be used". Do not double-click the USB flash drive or open it from the right-click menu. Open it with Windows Explorer instead (open My Computer and press the "Folders" button at the top, or go to Start - All Programs - Accessories - Windows Explorer), or press Winkey + E to open Explorer. Either way, you must use the directory tree in the left pane to open the removable device! (Make this a habit.)

2. If there are files of unknown origin on the disk, especially files with attractive names, be careful. Do not take it for granted that something is a folder because its icon looks like a folder, or that it is a Notepad document because its icon looks like Notepad. Disguising the icon is a common virus trick.

3. Get into the habit of displaying file extensions. Method: open "My Computer", go to Tools - Folder Options - View, and clear the "Hide extensions of known file types" check box. We recommend that, along with displaying extensions, you select "Show Hidden Files" and clear the "Do Not Display System Files" check box, so that viruses are easier to see. Virus files with attractive icons are basically executable files. Once extensions are displayed, the ".exe" extension identifies an executable file, so a disguised virus executable is not mistaken for a normal file or folder.

4. Finally, no matter what method or software you use, insert a USB flash drive and use the following method to check whether you are at risk from Autorun.inf viruses.

The following batch file checks whether there is a risk of virus activation when you insert or open a USB flash drive. Run the batch file and follow the prompts. Note: to create a batch file, choose Start > Accessories > Notepad, paste in the batch content, then choose File > Save As, enter the file name xxxxxxx.bat, set the save type to All Files, and save. Go to the location where you saved it and the batch file will be there. Double-click it to run it.

@echo off & setlocal enabledelayedexpansion
rem Ask for the drive letter of the USB flash drive and keep only its first character.
echo Insert a USB flash drive
set /p "d=Once you are sure that neither the USB flash drive nor the computer has a virus, enter the USB drive letter (for example, H): "
set "d=!d:~0,1!" & set "a=autorun.inf.!random!.tmp"
rem Set aside any existing autorun.inf under a random temporary name.
if exist !d!:\autorun.inf (attrib.exe -s -h -r !d!:\autorun.inf & ren !d!:\autorun.inf !a!)
rem Write a harmless test autorun.inf that starts Calculator.
rem One more shell entry in the source listing is garbled ("shell = release E") and is not reproduced.
(
echo [autorun]
echo open=calc.exe
echo shellexecute=calc.exe
echo shell\open\command=calc.exe
echo shell\explore\command=calc.exe
)>!d!:\autorun.inf
echo Now remove and re-insert the USB flash drive
echo and open it. If "Calculator" appears,
echo you are at risk of launching an Autorun.inf virus.
echo When you are done, press any key to continue & pause >nul
rem Remove the test file and put the original autorun.inf back.
del !d!:\autorun.inf & if exist !d!:\!a! ren !d!:\!a! autorun.inf
goto :eof

Other recommended methods:

1. A method that completely rejects Autorun.inf-type viruses.

Run the following batch file to make sure that no virus is activated when a disk is inserted or opened (it uses no computer resources, and one run takes effect for the current user name):

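@ECHO off
rem Delete the MountPoints2 key of the current user and recreate it empty.
REG.exe DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
REG.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
rem Set the permissions of the key with regini, using the permission list [].
ECHO HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 []> "%temp%\temp.txt"
REGINI.exe "%temp%\temp.txt"
GOTO :eof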

If you want to restore the Autorun.inf function, run this batch file:

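@ECHO off
rem Set the permissions of the key back with regini, using the permission list [7].
ECHO HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 [7]> "%temp%\temp.txt"
REGINI.exe "%temp%\temp.txt"
rem Delete the MountPoints2 key and recreate it empty.
REG.exe DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /f
REG.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
GOTO :eof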

2. For a disguised virus, make its executable nature visible.

Besides clearing the "hide extensions" folder option, users who do not like to display all file extensions can use this method to show only the ".exe" extension, the distinguishing feature of executable files. A virus disguised as a file or folder then shows an extra ".exe".

Run the following batch file as an administrator:

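@ECHO off
rem Always show the extension of .exe files.
REG.exe ADD HKCR\exefile /v AlwaysShowExt /t REG_SZ /f
rem Restart Explorer so that the change takes effect.
TASKKILL.exe /im explorer.exe /f
START %windir%\explorer.exe
GOTO :eof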

To go back to not displaying the .exe extension, run this batch file:

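@ECHO off
rem Remove the AlwaysShowExt value again.
REG.exe DELETE HKCR\exefile /v AlwaysShowExt /f
rem Restart Explorer so that the change takes effect.
TASKKILL.exe /im explorer.exe /f
START %windir%\explorer.exe
GOTO :eof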

Another simple prevention method

Group Policy: disable AutoPlay

The procedure is: click Start → Run → enter gpedit.msc to open the Group Policy Editor, browse to Computer Configuration → Administrative Templates → System, double-click "Turn off Autoplay" in the right pane, select all drives in the dialog box, and click OK.

Another, simpler immunization solution

Create a txt text file named "flash memory immune" and enter the following code:

md c:\Autorun.inf
md c:\Autorun.inf\1234...\
md x:\Autorun.inf
md x:\Autorun.inf\1234...\

(x stands for the drive letter; add lines for as many drives as you have.)

Save and exit, change the TXT file into a BAT batch file, and double-click it to run it. An Autorun.inf folder appears in the root directory of each drive letter, and the folder cannot be deleted because it contains something that cannot be deleted. In this way, the flash drive is immunized. It feels great.

Create a file named Autorun.inf on the desktop
