Monday, February 07, 2011

USB drive becomes 'PENDRIVE' - Remove AUTORUN.INF virus

Ag IT Support has received several reports of College staff with Dell Enterprise machines with Windows XP becoming infected with an AUTORUN.INF virus recently.

Computers have become infected via the use of USB drives at conferences in particular. If your USB is placed into an infected machine, the drive name will be listed as PENDRIVE. If you place this drive into another Windows machine, the virus will be implanted there, ready to infect the next USB drive attached to the computer. This will continue to spread the virus via other USB drives to other computers.

NOTE: You should not insert an infected USB drive (e.g. memory stick) into any other computers until the virus is cleaned.

Malwarebytes' Anti-Malware is free and can detect and remove most malware with no further action required. Install it first so that you can scan and double-check for the AUTORUN.INF virus.

Download Malwarebytes' Anti-Malware
  1. Go to this link and click Download Latest Version. Save the file to your desktop.

    http://www.filehippo.com/download_malwarebytes_anti_malware/

  2. Double-click on the mbam-setup.exe (where the x represent numbers) to install the application.

  3. When the installation begins, follow the prompts and do not make any changes to default settings.

  4. When installation has finished, make sure you leave the first choice checked but un-check the 2nd.

    [check] Update Malwarebytes' Anti-Malware
    [uncheck] Launch Malwarebytes' Anti-Malware

  5. Click Finish. Wait for the program to update. Click OK.

Block the AUTORUN.INF virus

These steps tell Windows not to execute the information in any AUTORUN.INF file that may be present. This is a great method to prevent Windows from being infected by a virus through the autorun.inf method. The only downside is that if you insert a USB drive, CD or DVD with software on it, you have to open it manually.
  1. Click Start, choose All Programs, and open Notepad.
  2. Copy the text below and paste it into the blank Notepad window.

    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

  3. Save the file with this name to the desktop (be sure the extension is .reg and not .txt):

    NoAutoRun.REG

  4. Close Notepad.
  5. Double-click on NoAutoRun.REG and click Yes if you're asked "Are you sure you want to add the information in C:\NoAutoRun.reg to the registry?"

Clean the AUTORUN.INF virus
  1. Insert the USB drive.
  2. Open My Computer. Make a note of the Drive Letter assigned to the USB drive (for example Drive letter E).
  3. Click Start, choose Run.
  4. Type cmd into the Open box. Press Enter.

    Note: This will open a command prompt window. Within the command prompt window type the following text in bold and then press Enter.

  5. Type cd\ and press Enter.

    Note: In step 6, you will type the drive letter.

  6. Type the drive letter followed by a colon (for example E: or F:). Press Enter.

    Note: In step 7 there is no space between the dashes and the letters but there is a space after the letters.

  7. Type attrib -r -h -s autorun.inf and press Enter.

  8. Type del autorun.inf and press Enter.

    Note: If you see a "file not found" message, double-check the spelling for Step 8 and repeat the step if needed. If the message persists, the file may not be present on the drive (so it is not infected).

  9. If you have a second USB drive, insert and repeat steps 1 through 8.

  10. Final Step: Open Malwarebytes and choose to do a Full Scan. Scan both the C drive and the USB drive(s). If anything is found, click Show Results. Remove any infections.
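
Deleting autorun.inf in step 8 removes the launcher, not the program it points to. The Python sketch below is an added example, not part of the original post: run against the file before step 8, it lists the commands in the [autorun] section so the files they name can be checked against the Malwarebytes results in step 10. The sample contents and file names are constructed.

```python
import re
import sys

# Keys in an [autorun] section that make Windows launch a program.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$")

def launch_entries(text):
    """Return (key, command) pairs from the [autorun] section that start a program."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        # Blank lines and ';' comments fall through: they never yield a launch key.
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in LAUNCH_KEYS or SHELL_VERB.match(key):
            entries.append((key, value.strip()))
    return entries

def referenced_files(entries):
    """First token of each command: the file on the drive to look for in the scan."""
    files = []
    for _key, command in entries:
        quoted = command.startswith('"')
        name = command[1:].split('"')[0] if quoted else (command.split() or [""])[0]
        if name and name.lower() not in [f.lower() for f in files]:
            files.append(name)
    return files

# Constructed sample for illustration, not copied from an infected drive.
SAMPLE = """\
[AutoRun]
open=example_payload.exe
shell\\open\\command=example_payload.exe
shell\\explore\\command="RECYCLER\\example payload.exe" /q
label=PENDRIVE
"""

if __name__ == "__main__":
    text = SAMPLE
    if len(sys.argv) > 1:  # e.g. python check_autorun.py E:\autorun.inf
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    for key, command in launch_entries(text):
        print(f"{key:24} -> {command}")
    print("Files to scan:", referenced_files(launch_entries(text)))
```

The script only reads the file as text; it does not run or delete anything.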
