vbs.autorun trojan removal instruction


when a new technology or convenience is sticking on to our industry ,it is quite natural that the virus makers use it to exploit our machines. Flash drives are now a common data storage and transfer medium for even laymans. so now most of the virus are focusing on virus spreading through flash drives. I am going to dicuss a common trojan known as autorun virus

once infected on a specific machine , the virus first disables the folder option in that system.

when u plug a flash drive in to ur system the virus copies itself in to the flash drive, make an autorun.inf in the root driectory of the flash drive and create a link on that autorun file to the executable files of the virus

it is creating the autorun.inf because when u insert this flash drive in to another computer the autorun is executed and the virus copies itself in to the next computer.

When the flash memory is plugged in to the affected PC, the virus hides all your document's folder with the attribute (S & h). then copies the copy of virus's executable file in the name of your file's folder and change its icon same as a foLder icon. any one open the flash memory Will double click those executable virus file thinking it as his file's folder.

your trusty antivirus will remove the executable files of this virus but normally will not remove the autorun files ot modify the registry values . so u have to do it manually. here is how to do it

Run Task Manager (Ctrl-Alt-Del or right click on Taskbar)

Stop wscript.exe process if available by highlighting the process name and clicking End Process.

Then terminate explorer.exe process.

In Task Manager, click on File -> New Task (Run…).

Type "cmd" (without quotes) into the Open text box and click OK.

Type the following command one by one followed by hitting Enter key:

del c:\autorun.* /f /s /q /a

del d:\autorun.* /f /s /q /a

del e:\autorun.* /f /s /q /a

c, d, e each represents drive letters on Windows system. If there are more drives or partitions available, continue to command by altering to other drive letter. Note that you must also clean the autorun files from USB flash drive or portable hard disk as the external drive may also be infected.

In Task Manager, click on File -> New Task (Run…).

Type "regedit" (without quotes) into the Open text box and click OK.

Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Check if the value name and value data for the key is correct (the value data of userint.exe include the path which may be different than C drive, which is also valid, note also the comma which is also needed):


If the value is incorrent, modify it to the valid value data.

0 Responses to "vbs.autorun trojan removal instruction"

Post a Comment