AutoRun is a traditional feature in windows operating systems that enables media like the CD ROMs, USB Devices, Memory Sticks, DVDs, etc. to automatically launch the programs stored in them. This happens through an autorun.inf file present in the root directory of the USB Device or CD ROM and it contains a list of commands that get executed as soon as the media is inserted into the appropriates drives of the PC. You will typically find autorun.inf on installation CDs and DVDs.
AutoRun is often confused with AutoPlay, a feature introduced in Windows XP. Though Microsoft intended it to be a useful feature, there are several viruses and malware that abuse the autorun.inf to spread itself.
How to delete AutoRun Virus?
- First disable System Restore on all drives. To do this go to Control Panel -> System and choose the System Restore tab. Check the option “Turn Off system Restore on all Drives”
- Clear all temporary internet files in your browser
- Do a Disk Cleanup of all the drives on your PC. To do this, navigate to Start ->All Program ->Accessories ->System Tool ->Disk cleanup, choose the drive that you want to clean up and click OK.Once the drive is cleaned, proceed to cleanup the remaining drives
AutoRun Viruses spread themselves through removable media like USB drive, etc. They contain three executable files namely “autorun.inf“, “kavo.exe” and “ntdelect.com“. These are hidden files and they usually disable the Show hidden files and folders option, so that you can never see them.The only way to find these files is through the DOS command prompt.
Delete autorun.inf and ntdelect.com :
- Click Start, enter cmd and press Enter
- Check all the drives for the above three files.For eg: to check the files in C:, type dir c:\ /a/w in cmd prompt and press Enter. This will list all the system and exe files. Look out for autorun.inf and ntdelect.com files.Disable ‘hidden’, ‘system’ and ‘read only’ attributes for these files by typing
attrib -s -h -r c:\autorun.inf attrib -s -h -r c:\ntdelect.com
- Then delete the files by typing
del c:\autorun.inf del c:\ntdelect.com
- Make sure that you delete ntdelect.com and not ntdetect.com which is a system file
- Repeat from step 2 for all other drives
Delete kavo.exe :
- Search for kavo.exe in C:\windows\system32\
- If you find it, type
attrib -s -h -r c:\windows\system32\kavo.exe
- to disable ‘hidden’,’system’ and ‘read only’ attributes
- Delete kavo.exe by entering the command
- Click Start, type regedit and press Enter. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \CurrentVersion\Run,and
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows \CurrentVersion\Run. Delete kavo and c:\windows\system32\kavo.exe value.
Enable ‘Show hidden files and folders’ option:
Open Notepad,copy and paste the following and save it as a “showhidden.reg” file.
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" "Text"="@shell32.dll,-30500" "Type"="radio" "CheckedValue"=dword:00000001 "ValueName"="Hidden" "DefaultValue"=dword:00000002 "HKeyRoot"=dword:80000001 "HelpID"="shell.hlp#51105"
Double click on the saved file to modify the registry.
That is all! You have now cleaned up autorun virus on your PC. But isn’t prevention better than cure?