A group of dangerous trojans which uses autorun.inf file to infect computer called autorun.inf trojans. Once infected with autorun.inf trojan your computer will display many popups, Internet Explorer start page can to be change, TaskManager and Registry editor can be disabled. Also autorun.inf trojan configures itself to run automatically every time, when you start your computer. In addition the autorun.inf trojan creates a files with strange names, some examples:
ampfrb.cmd, hbs.exe, yfog8p.exe, as.bat, phwe.com, o0s.cmd, xa2c.exe, AutoStart.exe, ncyrf.bat, rcukd.cmd, 2u.com, q.com, RavMon.exe, x6.bat, rqq2v.bat, t.com, xp19.com, x0.cmd, yg.cmd, ntde1ect.com, tio8x6.cmd, d6fagcs8.cmd, gbiehbsb.dll, tio8x6.cmd, fooool.exe, 8ng8w.com, x.com, xn1i9x.com, invwft2h.com, selamat_berposa_dari_umt.js, ktnquo.exe, NewVirusRemoval.vbs, kinza.exe, rs.cmd, yssjnngm.cmd, h3.bat, 6fnlpetp.exe, boot.exe, winde32.exe, 6j2j.com, kjibu.com, fun.xls.exe, iqe68o.bat, boot.exe, killVBS.vbs, autorun.pif, lin32.exe, USB.exe, RisinG.exe. f.bat, uxdeiect.com, awda2.exe, clshsy.cmd, kongxsg.exe, autorunme.exe, x2tpc.cmd, winconfig.dll.vbs, w1hva13.exe, jun.exe, xpbkh.com, nfdmg.com, m9ma.exe, pbudsara.exe, herss.exe, cgaqyi.exe, dsoqq.exe, dsoqq0.dll
What is more, the trojans may drastically slow the performance of your computer. Read below how to remove them and any associated malware from your computer for free.
Step1: Remove malicious autorun.inf files from all your drives, include any usb/flash drives.
1. Manually:
- Reboot your PC in Safe mode.
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode. - Click Start -> Run.
- In the type box enter cmd and press Enter.
- In the command console type del /a:h /f c:\autorun.*
- Repeat previous step to all drives, make replacing “c” with the appropriate drive letter.
2. Automatically.
- Download Flash_Disinfector by sUBs and save it to your desktop.
- Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.
- Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.
Note: Flash_Disinfector will remove any autorun.inf files, create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder. It will help protect your drives from future infection.
Step 2: Remove autorun.inf trojan from the windows registry.
Download and install HijackThis.
Run HijackThis, click Do a system scan only button.
Put a checkmark next to the following items (if exists):
F2 – REG:system.ini: Shell=Explorer.exe csrcs.exe
O4 – HKLM\..\Run: [SystemDrive] c:\windows\system32\SVCH0ST.EXE
O4 – HKCU\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 – HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 – HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 – HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 – HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 – HKCU\..\Run: [TaskMonitor] C:\WINDOWS\system32\TaskMonitor.exe
O4 – HKCU\..\Run: [Realshade] C:\WINDOWS\system32\realshade.exe
O4 – HKCU\..\Run: [cftmonn] C:\WINDOWS\system32\cftmonn.exe
O4 – HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 – HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 – HKCU\..\Run: [kmmsoft] C:\WINDOWS\system32\revo.exe
O4 – HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 – HKCU\..\Run: [cdoosoft] %Temp%\herss.exe
O4 – HKCU\..\Run: [dso32] %Temp%\dsoqq.exe
O4 – HKCU\..\Run: [cbvcs] C:\WINDOWS\system32\urretnd.exe
O4 – HKCU\..\Run: [jvsoft] C:\WINDOWS\system32\j3ewro.exe
O4 – HKCU\..\Run: [ckvo] c:\windows\system32\ckvo.exe
O4 – HKLM\..\Run: [winconfig] C:\WINDOWS\winconfig.dll.vbs
O4 – HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 – HKCU\..\Run: [WinUpdater AutoRun] C:\AutoProtect\DrvMonitor.exe
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Step 3: Remove autorun.inf trojans files
Download Avenger from here and unzip to your desktop.
Run Avenger, copy,then paste the following text in Input script Box:
Files to delete:
c:\0jbnlnu8.exe
C:\11rhbu.cmd
c:\1q8p0y.com
C:\2fiy.bat
c:\2g.com
C:\32agsg.exe
c:\39ysi89.com
c:\3jkka91.com
c:\6fnlpetp.exe
C:\6fnlpetp.exe
C:\6j2j.com
C:\8.bat
c:\80avp08.com
C:\8ng8w.com
c:\92j11sm.com
c:\9fo3ar0j.exe
c:\a.exe
C:\a2h2.com
c:\ampfrb.cmd
c:\as.bat
c:\AutoRun\autorun.pif
c:\AutoRun\AutoStart.exe
c:\AutoRun\AutoStart.exe
C:\AutoProtect\DrvMonitor.exe
c:\awda2.exe
c:\bo1dhu.bat
C:\bwpncb6.com
c:\boot.exe
c:\cgaqyi.exe
c:\cjrp8.com
c:\clshsy.cmd
C:\d1vmq.exe
C:\d6fagcs8.cmd
c:\dp.exe
C:\e.cmd
C:\eaywxx.cmd
C:\f9cvum.exe
C:\fooool.exe
c:\fun.xls.exe
C:\gbiehbsb.dll
C:\gfqgq.cmd
C:\gi2ky.exe
C:\gldegkby.cmd
c:\gumkrhf.bat
C:\qxty9be.cmd
C:\gy.exe
c:\h3.bat
c:\hbs.exe
c:\ioockw.bat
C:\ij.bat
C:\imo.exe
c:\invwft2h.com
C:\ioockw.bat
c:\iqe68o.bat
C:\j60osk9.cmd
C:\jeorels.cmd
c:\jg6w3yx.com
c:\killVBS.vbs
c:\kinza.exe
C:\kjibu.com
c:\ktnquo.exe
c:\m9ma.exe
c:\main.vbs
c:\MicrosoftPowerPoint.exe
c:\n0qls.exe
c:\NewVirusRemoval.vbs
c:\nfdmg.com
C:\ntde1ect.com
c:\ntnq.exe
c:\nw0t1l0d.exe
c:\o0s.cmd
c:\pbudsara.exe
c:\phwe.com
C:\pook.com
c:\q0rppr.exe
C:\qphdin.com
C:\rcukd.cmd
c:\Recycled\ctfmon.exe
c:\resycled\boot.com
c:\RECYCLED\appmgmt.exe
C:\rqq2v.bat
c:\rs.cmd
C:\sq.com
C:\system.exe
c:\System\DriveGuard\DriveProtect.exe
C:\t.com
C:\tio8x6.cmd
c:\tj8odymw.exe
C:\tjjqtejq.bat
C:\tvlx2fg.exe
c:\uh31.exe
c:\usbcash.exe
c:\USBFlash.exe
C:\uvsqfgwd.cmd
c:\uxdeiect.com
c:\vnkucvv.com
c:\VirusCleaner.vbe
c:\VirusRemoval.vbs
c:\w1hva13.exe
C:\x0.cmd
c:\x2tpc.cmd
c:\xa2c.exe
C:\x.com
C:\x.cmd
C:\x2csvg.exe
C:\xih9.cmd
C:\xn1i9x.com
C:\xp19.com
c:\xpq63xl.exe
c:\xwpehlv.com
c:\yfog8p.exe
C:\yg.cmd
c:\yssjnngm.cmd
C:\w98.com
%Temp%\cvasds0.dll
%Temp%\cvasds1.dll
%Temp%\dsoqq.exe
%Temp%\dsoqq0.dll
%Temp%\dsoqq1.dll
%Temp%\dsoqq2.dll
%Temp%\dwg3gngs.exe
%Temp%\herss.exe
%Temp%\kxvo.exe
%Temp%\new folder\ufjtre.exe
%Temp%\o2g.exe
%Temp%\ufjtre.exe
%Windir%\expiorer.exe
%windir%\system32\afmain0.dll
%Windir%\system32\amvo.exe
%Windir%\system32\avp.exe
%windir%\system32\avpo.exe
%Windir%\system32\Bitkv0.dll
%Windir%\system32\Bitkv1.dll
%Windir%\system32\cftmonn.exe
%Windir%\system32\ckvo0.dll
%Windir%\system32\ckvo.exe
%Windir%\system32\expiorer.exe
%Windir%\system32\fool0.dll
%Windir%\system32\fool1.dll
%Windir%\system32\fool2.dll
%Windir%\system32\gasretyw0.dll
%Windir%\system32\gasretyw1.dll
%Windir%\system32\haozs0.dll
%Windir%\system32\ieso0.dll
%Windir%\system32\j3ewro.exe
%Windir%\system32\jwedsfdo0.dll
%Windir%\system32\kamsoft.exe
%Windir%\system32\kavo0.dll
%Windir%\system32\kavo1.dll
%Windir%\system32\kavo.exe
%Windir%\system32\kxvo.exe
%windir%\system32\locale.exe
%windir%\system32\nmdfgds1.dll
%windir%\system32\nmdfgds0.dll
%windir%\system32\olhrwef.exe
%windir%\system32\optyhww0.dll
%windir%\system32\optyhww1.dll
%Windir%\system32\RavMon.exe
%Windir%\system32\realshade.exe
%Windir%\system32\revo.exe
%Windir%\system32\revo1.dll
%Windir%\system32\revo2.dll
%Windir%\system32\revo6.dll
%Windir%\system32\revo5.dll
%Windir%\system32\revo4.dll
%Windir%\system32\revo3.dll
%Windir%\system32\SCVVHSOT.exe
%Windir%\System32\taskmagr.exe
%Windir%\system32\TaskMonitor.exe
%Windir%\system32\tavo0.dll
%Windir%\system32\tavo1.dll
%Windir%\system32\tavo.exe
%Windir%\system32\urretnd.exe
%Windir%\system32\usbmons.exe
%Windir%\system32\usbmons.dll
%Windir%\system32\vamsoft.exe
%Windir%\system32\vbsdfe0.dll
%Windir%\system32\vbsdfe1.dll
%Windir%\system32\wincab.sys
%Windir%\winconfig.dll.vbs
Then click on ‘Execute’. Your computer will be reloaded.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Related articles: How to disable the autorun feature to prevent malware from spreading, Cannot open C Drive – How to fix it using Flash Disinfector.
It is very much pleasing that you have floated free virus removal tools which are very much effective. God may bless you and give more opportinuties to serve the humenity in a more better way. Thanks.
Iam very great thankful to you fro providing these
virus removal tools,it is working perfectly for my
problem,Thanks a lot .
this is helpful alright but got virus ….detected: virus Heur.Invader (modification) URL: download.bleepingcomputer.com/sUBs/ComboFix.exe//PE_Patch.UPX//327882R2FWJFW/catchme.cfexe//PE_Patch.UPX
..
it`s false alert
if the problem is just to get rid of autorun.inf worm, do I have to do steps 1 to 4 or can i just do step 1. thanks.
If the problem of my pc and flashdrive is the presence of autorun.inf do I still need to do steps 1 to 4 or can I just do steps 1 and 4. Thanks.
When I had the autorun.inf worm in the PC system, I could no longer use Yahoo Messenger. Will it help if I uninstall Yahoo MS and download another Yahoo MS? Thanks.
Minimum do steps: 1,2 and 4.
Yes, uninstall, donwload a fresh Yahoo MS and install it.
it worked well for me buddy. Thnx for the valuble service. I appreciate it.
Hi again! My kids classmate used a flashdrive in our PC that has redtube virus. Now each time we used the Explorer we see the pornographic site redtube.com. How can we fix this problem without affecting our files? Thanks.
Please try Flash_Disinfector.exe by sUBs(read above, how to use it), if you are still having problems with your PC, I would recommend that you follow these instructions.
I have McAfee antivirus and I got the message from it that it had detected and deleted the c:\autorunif trojan (sorry if I typed it’s exact name wrong but u know wat I mean) the problem was that it kept on doing it it kept detecting it and deleting it like every 30 seconds so I looked for a way to delete it and found one before this one and it said to restart the pc I did that and what i was using didn’t work then I did a full scan using McAfee and didn’t find anything. then I tried your step 1 to manually remove it I put the computer in safe mode than start run and typed in del /a:h /f c:\autorun.* and it came back saying that it couldn’t find it I doubt I have gotten rid of it can you help?????????
John, yes i can help you. Please follow these instructions.
thank uuu verrry much.. it worked a lot for me..
Iwant to try but i have a problem with avenger…
http://swandog46.geekstogo.com/avenger2/avenger.zip\\avenger.exe
detected: Win32:Rootkit-gen [Rtk]
🙁
Gil, its false alert. Disable your antivirus and try again.
can you help me??? I do not know which file3s I should delete after launching the hijackthis….
here is the log
Logfile of Trend Micro HijackThis v2.0.2
…
pichu, yes your computer infected with autorun.inf trojan. Please follow these steps. I will help you.
How use the avenger it ask for a validate script
You should type a text from the step3 and click Execute button. If you need help, follow these steps.
when i pluged in the usb in my computer,
my antivirus AVAST gives alert about virus BV:AutoRun-G [Wrm]
i gives the antivirus to delete this file but after sometime this alert comes on again and again.
i don`t know what i have to do……….
please help me to solve this problem….
M Arshad Malik, please read the instructions above or follow these steps.
I Have Remove BV:AutoRun-G [Wrm] By Flash_Disinfector.exe Try it
If You Are Useing Avast !4.8 .Geting Warning Of Autorun.inf Found( BV:AutoRun-G [Wrm])
For Stop This Message Use ‘Flash_Disinfector.exe’
http://download.bleepingcomputer.com//sUBs/Flash_Disinfector.exe
Gday,
the command
del /a:h /f c:\\autorun.*
does not work when i type it into run.
And this is the problem.
LF to reply
Tim, you should run command console (Click Start -> Run, type cmd and press Enter) before enter “del /a:h /f c:\autorun.*”.
thanks, it worked, appreciate it
have you got anyidea how to get rid of Vamsoft.exe
apparantly its very similar to Kamsoft.exe which i waht highjack this picks up
Great help thanks HijackThis and Avenger got rid of autorun finally, I have avg antivirus that detected the virus but could not get rid of it. But it gave me the paths where it was it attacked all of my hard drives and with a little variance so after using hijack this use avenger and add:
G:\resycled\boot.com
E:\resycled\boot.com
C:\autorun.inf
E:\autorun.inf
C:\resycled\boot.com
G:\autorun.inf
F:\autorun.inf
J:\resycled\boot.com
J:\autorun.inf
I have 3 hard drives you get the picture. Hope this helps some out there thanks again. Finally my A: floppy drive stopped going on and off every couple of minutes
Hey I Picked Up a Trojan, My pc had to restart so i did so, and when i turned it on, it kept restarting itself everytime from a autorun, i managed to open command prompt when starting and disable the autorun, which was using cli.exe, i deleted that file but still it manages to close my computer when i turn it on, my anti virus deleted the trojan but i cant find the autorun, i have a external hardrive which i unplugged, now when i turn my pc on, it runs and then restarts over and over and its a bit annoying, is there anyway i can find how to delete the autorun so it stops restarting my pc, cheers.
Hey guys, does anybody know why i try to see the hidden folders and files and it doesnt appear when use the show hidden folders and files from the tools menu.
I used to had a virus, i use combofix and no more virus but i still want to see the hidden files.
Amny comments will be very appreciated.
Regads