How to remove AutoRun virus

By Techblissonline Staff Updated on 31st July 2014 Filed Under: Windows Tips

Loading...

AutoRun is a traditional feature in windows operating systems that enables media like the CD ROMs, USB Devices, Memory Sticks, DVDs, etc. to automatically launch the programs stored in them. This happens through an autorun.inf file present in the root directory of the USB Device or CD ROM and it contains a list of commands that get executed as soon as the media is inserted into the appropriates drives of the PC. You will typically find autorun.inf on installation CDs and DVDs.

AutoRun is often confused with AutoPlay, a feature introduced in Windows XP. Though Microsoft intended it to be a useful feature, there are several viruses and malware that abuse the autorun.inf to spread itself.

How to delete AutoRun Virus?

  • First disable System Restore on all drives. To do this go to Control Panel -> System and choose the System Restore tab. Check the option “Turn Off system Restore on all Drives”
  • Clear all temporary internet files in your browser
  • Do a Disk Cleanup of all the drives on your PC. To do this, navigate to Start ->All Program ->Accessories ->System Tool ->Disk cleanup, choose the drive that you want to clean up and click OK.Once the drive is cleaned, proceed to cleanup the remaining drives

AutoRun Viruses spread themselves through removable media like USB drive, etc. They contain three executable files namely “autorun.inf“, “kavo.exe” and “ntdelect.com“. These are hidden files and they usually disable the Show hidden files and folders option, so that you can never see them.The only way to find these files is through the DOS command prompt.

Delete autorun.inf and ntdelect.com :

  • Click Start, enter cmd and press Enter
  • Check all the drives for the above three files.For eg: to check the files in C:, type dir c:\ /a/w in cmd prompt and press Enter. This will list all the system and exe files. Look out for autorun.inf and ntdelect.com files.Disable ‘hidden’, ‘system’ and ‘read only’ attributes for these files by typing
attrib -s -h -r c:\autorun.inf
attrib -s -h -r c:\ntdelect.com
  • Then delete the files by typing
del c:\autorun.inf
del c:\ntdelect.com
  • Make sure that you delete ntdelect.com and not ntdetect.com which is a system file
  • Repeat from step 2 for all other drives

Delete kavo.exe :

  • Search for kavo.exe in C:\windows\system32\
  • If you find it, type
 attrib -s -h -r c:\windows\system32\kavo.exe 
  • to disable ‘hidden’,’system’ and ‘read only’ attributes
  • Delete kavo.exe by entering the command
 del c:\windows\system32\kavo.exe 
  • Click Start, type regedit and press Enter. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \CurrentVersion\Run,and
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows \CurrentVersion\Run. Delete kavo and c:\windows\system32\kavo.exe value.

Enable ‘Show hidden files and folders’ option:

Open Notepad,copy and paste the following and save it as a “showhidden.reg” file.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"

Double click on the saved file to modify the registry.

That is all! You have now cleaned up autorun virus on your PC. But isn’t prevention better than cure?

View ratings
Rate this article

3 Responses to “How to remove AutoRun virus”

  1. How can I thank you ?

  2. There is a much simple way to remove the Autorun.inf file. Genreally when you refresh the windows explorer view a bounded virus process recreates this file. This file is attached to many events of windows explorer including OPEN, REFRESH, etc. Simple stept to remove the virus activation:
    You must close opened explorer windows.

    1. open up a command prompt (i.e. cmd.exe) >> to load it go to Run, type cmd, enter.
    2. Now to remove virus’s attributes (in order to delete it type following line by line and execute them pressing enter.
    e.g.
    F:
    F:attrib -s -r -h *.* If there are any malicious EXE files those are now visible so if unnecessary delete them too.
    F:del autorun.inf

    3. After finishing above, quickly remove the pen as soon as posible (just after executing del command).
    4. Now your pen is without virus activation config. file. Now you can safely delete unnecessary EXE files on it.

  3. System says it could not find c:autorun.inf but it is there.

Leave a Reply

Go to Top