A group of dangerous trojans which uses autorun.inf file to infect computer called autorun.inf trojans. Once infected with autorun.inf trojan your computer will display many popups, Internet Explorer start page can to be change, TaskManager and Registry editor can be disabled. Also autorun.inf trojan configures itself to run automatically every time, when you start your computer. In addition the autorun.inf trojan creates a files with strange names, some examples:
ampfrb.cmd, hbs.exe, yfog8p.exe, as.bat, phwe.com, o0s.cmd, xa2c.exe, AutoStart.exe, ncyrf.bat, rcukd.cmd, 2u.com, q.com, RavMon.exe, x6.bat, rqq2v.bat, t.com, xp19.com, x0.cmd, yg.cmd, ntde1ect.com, tio8x6.cmd, d6fagcs8.cmd, gbiehbsb.dll, tio8x6.cmd, fooool.exe, 8ng8w.com, x.com, xn1i9x.com, invwft2h.com, selamat_berposa_dari_umt.js, ktnquo.exe, NewVirusRemoval.vbs, kinza.exe, rs.cmd, yssjnngm.cmd, h3.bat, 6fnlpetp.exe, boot.exe, winde32.exe, 6j2j.com, kjibu.com, fun.xls.exe, iqe68o.bat, boot.exe, killVBS.vbs, autorun.pif, lin32.exe, USB.exe, RisinG.exe. f.bat, uxdeiect.com, awda2.exe, clshsy.cmd, kongxsg.exe, autorunme.exe, x2tpc.cmd, winconfig.dll.vbs, w1hva13.exe, jun.exe, xpbkh.com, nfdmg.com, m9ma.exe, pbudsara.exe, herss.exe, cgaqyi.exe, dsoqq.exe, dsoqq0.dll
What is more, the trojans may drastically slow the performance of your computer. Read below how to remove them and any associated malware from your computer for free.
Step1: Remove malicious autorun.inf files from all your drives, include any usb/flash drives.
1. Manually:
- Reboot your PC in Safe mode.
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode. - Click Start -> Run.
- In the type box enter cmd and press Enter.
- In the command console type del /a:h /f c:\autorun.*
- Repeat previous step to all drives, make replacing “c” with the appropriate drive letter.
2. Automatically.
- Download Flash_Disinfector by sUBs and save it to your desktop.
- Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.
- Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.
Note: Flash_Disinfector will remove any autorun.inf files, create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder. It will help protect your drives from future infection.
Step 2: Remove autorun.inf trojan from the windows registry.
Download and install HijackThis.
Run HijackThis, click Do a system scan only button.
Put a checkmark next to the following items (if exists):
F2 – REG:system.ini: Shell=Explorer.exe csrcs.exe
O4 – HKLM\..\Run: [SystemDrive] c:\windows\system32\SVCH0ST.EXE
O4 – HKCU\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 – HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 – HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 – HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 – HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 – HKCU\..\Run: [TaskMonitor] C:\WINDOWS\system32\TaskMonitor.exe
O4 – HKCU\..\Run: [Realshade] C:\WINDOWS\system32\realshade.exe
O4 – HKCU\..\Run: [cftmonn] C:\WINDOWS\system32\cftmonn.exe
O4 – HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 – HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 – HKCU\..\Run: [kmmsoft] C:\WINDOWS\system32\revo.exe
O4 – HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 – HKCU\..\Run: [cdoosoft] %Temp%\herss.exe
O4 – HKCU\..\Run: [dso32] %Temp%\dsoqq.exe
O4 – HKCU\..\Run: [cbvcs] C:\WINDOWS\system32\urretnd.exe
O4 – HKCU\..\Run: [jvsoft] C:\WINDOWS\system32\j3ewro.exe
O4 – HKCU\..\Run: [ckvo] c:\windows\system32\ckvo.exe
O4 – HKLM\..\Run: [winconfig] C:\WINDOWS\winconfig.dll.vbs
O4 – HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 – HKCU\..\Run: [WinUpdater AutoRun] C:\AutoProtect\DrvMonitor.exe
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Step 3: Remove autorun.inf trojans files
Download Avenger from here and unzip to your desktop.
Run Avenger, copy,then paste the following text in Input script Box:
Files to delete:
c:\0jbnlnu8.exe
C:\11rhbu.cmd
c:\1q8p0y.com
C:\2fiy.bat
c:\2g.com
C:\32agsg.exe
c:\39ysi89.com
c:\3jkka91.com
c:\6fnlpetp.exe
C:\6fnlpetp.exe
C:\6j2j.com
C:\8.bat
c:\80avp08.com
C:\8ng8w.com
c:\92j11sm.com
c:\9fo3ar0j.exe
c:\a.exe
C:\a2h2.com
c:\ampfrb.cmd
c:\as.bat
c:\AutoRun\autorun.pif
c:\AutoRun\AutoStart.exe
c:\AutoRun\AutoStart.exe
C:\AutoProtect\DrvMonitor.exe
c:\awda2.exe
c:\bo1dhu.bat
C:\bwpncb6.com
c:\boot.exe
c:\cgaqyi.exe
c:\cjrp8.com
c:\clshsy.cmd
C:\d1vmq.exe
C:\d6fagcs8.cmd
c:\dp.exe
C:\e.cmd
C:\eaywxx.cmd
C:\f9cvum.exe
C:\fooool.exe
c:\fun.xls.exe
C:\gbiehbsb.dll
C:\gfqgq.cmd
C:\gi2ky.exe
C:\gldegkby.cmd
c:\gumkrhf.bat
C:\qxty9be.cmd
C:\gy.exe
c:\h3.bat
c:\hbs.exe
c:\ioockw.bat
C:\ij.bat
C:\imo.exe
c:\invwft2h.com
C:\ioockw.bat
c:\iqe68o.bat
C:\j60osk9.cmd
C:\jeorels.cmd
c:\jg6w3yx.com
c:\killVBS.vbs
c:\kinza.exe
C:\kjibu.com
c:\ktnquo.exe
c:\m9ma.exe
c:\main.vbs
c:\MicrosoftPowerPoint.exe
c:\n0qls.exe
c:\NewVirusRemoval.vbs
c:\nfdmg.com
C:\ntde1ect.com
c:\ntnq.exe
c:\nw0t1l0d.exe
c:\o0s.cmd
c:\pbudsara.exe
c:\phwe.com
C:\pook.com
c:\q0rppr.exe
C:\qphdin.com
C:\rcukd.cmd
c:\Recycled\ctfmon.exe
c:\resycled\boot.com
c:\RECYCLED\appmgmt.exe
C:\rqq2v.bat
c:\rs.cmd
C:\sq.com
C:\system.exe
c:\System\DriveGuard\DriveProtect.exe
C:\t.com
C:\tio8x6.cmd
c:\tj8odymw.exe
C:\tjjqtejq.bat
C:\tvlx2fg.exe
c:\uh31.exe
c:\usbcash.exe
c:\USBFlash.exe
C:\uvsqfgwd.cmd
c:\uxdeiect.com
c:\vnkucvv.com
c:\VirusCleaner.vbe
c:\VirusRemoval.vbs
c:\w1hva13.exe
C:\x0.cmd
c:\x2tpc.cmd
c:\xa2c.exe
C:\x.com
C:\x.cmd
C:\x2csvg.exe
C:\xih9.cmd
C:\xn1i9x.com
C:\xp19.com
c:\xpq63xl.exe
c:\xwpehlv.com
c:\yfog8p.exe
C:\yg.cmd
c:\yssjnngm.cmd
C:\w98.com
%Temp%\cvasds0.dll
%Temp%\cvasds1.dll
%Temp%\dsoqq.exe
%Temp%\dsoqq0.dll
%Temp%\dsoqq1.dll
%Temp%\dsoqq2.dll
%Temp%\dwg3gngs.exe
%Temp%\herss.exe
%Temp%\kxvo.exe
%Temp%\new folder\ufjtre.exe
%Temp%\o2g.exe
%Temp%\ufjtre.exe
%Windir%\expiorer.exe
%windir%\system32\afmain0.dll
%Windir%\system32\amvo.exe
%Windir%\system32\avp.exe
%windir%\system32\avpo.exe
%Windir%\system32\Bitkv0.dll
%Windir%\system32\Bitkv1.dll
%Windir%\system32\cftmonn.exe
%Windir%\system32\ckvo0.dll
%Windir%\system32\ckvo.exe
%Windir%\system32\expiorer.exe
%Windir%\system32\fool0.dll
%Windir%\system32\fool1.dll
%Windir%\system32\fool2.dll
%Windir%\system32\gasretyw0.dll
%Windir%\system32\gasretyw1.dll
%Windir%\system32\haozs0.dll
%Windir%\system32\ieso0.dll
%Windir%\system32\j3ewro.exe
%Windir%\system32\jwedsfdo0.dll
%Windir%\system32\kamsoft.exe
%Windir%\system32\kavo0.dll
%Windir%\system32\kavo1.dll
%Windir%\system32\kavo.exe
%Windir%\system32\kxvo.exe
%windir%\system32\locale.exe
%windir%\system32\nmdfgds1.dll
%windir%\system32\nmdfgds0.dll
%windir%\system32\olhrwef.exe
%windir%\system32\optyhww0.dll
%windir%\system32\optyhww1.dll
%Windir%\system32\RavMon.exe
%Windir%\system32\realshade.exe
%Windir%\system32\revo.exe
%Windir%\system32\revo1.dll
%Windir%\system32\revo2.dll
%Windir%\system32\revo6.dll
%Windir%\system32\revo5.dll
%Windir%\system32\revo4.dll
%Windir%\system32\revo3.dll
%Windir%\system32\SCVVHSOT.exe
%Windir%\System32\taskmagr.exe
%Windir%\system32\TaskMonitor.exe
%Windir%\system32\tavo0.dll
%Windir%\system32\tavo1.dll
%Windir%\system32\tavo.exe
%Windir%\system32\urretnd.exe
%Windir%\system32\usbmons.exe
%Windir%\system32\usbmons.dll
%Windir%\system32\vamsoft.exe
%Windir%\system32\vbsdfe0.dll
%Windir%\system32\vbsdfe1.dll
%Windir%\system32\wincab.sys
%Windir%\winconfig.dll.vbs
Then click on ‘Execute’. Your computer will be reloaded.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Related articles: How to disable the autorun feature to prevent malware from spreading, Cannot open C Drive – How to fix it using Flash Disinfector.
Looks like your computer still have a virus. Read and follow these steps.
hey guys i got a prob w/ autorun.inf i cant remove it every time i plug in a flash drive it keeps always alerting.. aim using avast 4.8 i did what you guys post but noting happens.. even flash disinfector noting happens.. i also try autorun eater.. same noting happen.. help me guys thanx
Bien, please read and follow these steps.
Thank you very much for such helpful information.
ok hope it will help tnx patrik…
I have downloaded Avenger and pasted a list of virus’ name. After executing, it ended up with the following message INVALID SCRIPT. A VALID SCRIPT MUST BEGIN WITH A COMMAND DIRECTIVE. ABORTING EXECUTION.
Loeky, check whats you have pasted into “Input script Box”, maybe you have made a mistake.
Hello for all , one way for disable autorun.inf without any anti virus is : create on folder who names is (auturun.inf) in all hard drive and flash drive , it make your drive for prevent create autorun.inf file who any virus create it .
also we can use a program name’s is (ninja pendisk ) for create automatic autorun.inf folder .
tanks for your help …
Hi guys i am using zone labs as my antivirus.whenever I tried to open my C: drive its always showing this message:
gfqgq.cmd is trying to load driver:\Registry\Machine\System\CurrentControlSet\Services\KAVsys
I do no how to remove it.I also used avenger but nothing happened.Pls help me to get out from this.
Regards,
Sabari
Sabari, please follow these steps.
Hey thnx alot buddy … i owe u big time ..it took me 10hrs to look for the solution to remove this (olhrwef.exe)bloody virus but nuthing worked till i get to yr website .. u ROCKSSSSS man…..
Thanx a ton
btw its still showing in my msconfig on startup but i have disabled it .. i can open my hidden folders now which wernt accessible earlier …
so u think is it still harmful if its disabled in startup ???
The best way is remove all harmful registry entries and malware files. Please follow these steps, i will help you 🙂
I have a problem, whenever i start the computer in the safe mode, it does not start at all. i formatted the disk, then again the virus is there only… is there any virus removal tool from which i can remove the virus from my system.
Thanks
Sheikh Pervez
Sheikh, please follow these steps.
Thanks alot 🙂
A new one was found today, the filename is vncjmy.exe but i can’t find it anywhere on the web. any ideas?
PataPata, please follow these steps.
hi, patrik, I hope u can solve my problem.
My computer is severely affected by pook.com, i have fully formatted by all drives then also it still affecting PC, plz help.
Manish, ask help at our forum.
Adam önce ingilizce bilicek sonra bu sayfaları okumaya gayret gösterecek böyle bişi olmuyo… Değişmiyo… Kütük hep kütükdür…
thank you very much.. it worked a lot for me..
oh u r an angel in disguise! thank u so very much! please continue doing good for mankind! hahaha! thanks again.. 🙂
heii becox of that 2u.com virus i cant open my safemode!!! the blue screencomes and shuts down!!
ishern, then run Flash Disinfector.
Hi. My LG Cookie is having problems. I plug my USB connection into my phone & the USB logos show up as folders. It won’t even AutoPlay either. Is this an autorun.inf file in my phone?
Cameron, open a new topic in our Spyware removal forum.
thank you so much !!
thank ! please can you update this list ?!
Thank you for this valuable information. My antivirus has detected Foool.exe. USB contained autorun.inf file and tried to run it. Thanks to my BitDefender my system is ok 🙂
Thanks a bunch for sharing this with all of us you really
realize what you are talking approximately! Bookmarked. Kindly also consult
with my web site =). We may have a hyperlink exchange agreement
among us