What is autorun? What is an autorun virus? Basics of creating an autorun USB device


No matter what experts from the Recording Industry Association of America (RIAA) say, it’s not just music pirates who use CD-R/RW disc recording. In a business environment, recording information on a CD turns out to be the most convenient way to convey the necessary information to the target audience. Reliable and portable, CDs are today's most popular means of distributing PowerPoint presentations, HTML documents, PDF forms, Flash animations and any other business data.

The CD autorun function, provided in almost all operating systems, can make the user's life much easier. Autorun is controlled by a simple text file, autorun.inf, which can be created either with one of the many special utilities or by hand - all you need is a text editor and a minimum of knowledge.

Method one

This idea was spotted on the forum http://www.cyberforum.ru/html/. In its basic configuration, the autorun.inf file determines which program is launched when a CD is inserted into the drive and which icon is displayed when the disc is viewed in Windows Explorer or any other file manager. The text file should be placed in the root directory of the disk and contain the following lines:


[autorun]
open=program_name.exe
icon=icon_name.ico

The icon file should also be stored in the root directory of the disk.

Another variant

If the autorun program is not stored in the root directory of the disk, you should specify the path to it in the autorun.inf file:


[autorun]
open=folder1\folder1A\program_name.exe
icon=icon_name.ico

Sometimes to run a program automatically it is necessary to specify an argument:


[autorun]
open=program_name.exe /argument
icon=icon_name.ico

Autorun without program

If the disk contains presentations, PDFs, or HTML documents for clients, investors, and employees, the autorun.inf file should look slightly different, and a DOS batch file should be stored in the root directory of the disk. In this configuration, the autorun.inf file runs a batch file, which opens the files written to disk using the default application selected for that file type. For example:


[autorun]
open=autorun.bat index.htm
icon=icon_name.ico

And the autorun.bat file should contain the following code:

@echo off
@start %1 %2 %3 %4 %5 %6 %7 %8 %9
@exit

Another variation of the same scenario involves using the ShellExecute command:


[autorun]
ShellExecute=index.htm
icon=training.ico

Using the autorun.inf file to autorun self-burned CDs will save users unnecessary headaches and increase the likelihood that important information will reach recipients. And since this is a simple text file, it can be created using any text editor and simply written to disk.

Method two

The autorun.inf file created using the first method will work on any computer - with the exception of those in which the autorun function does not work at all for one reason or another. The batch file used in the first case does not provide for the possibility of errors, and therefore simply does not work if errors do occur.

In this case, a shell utility from a third-party manufacturer will come in handy. Such utilities contain mechanisms for resolving common errors, which allows the autorun process to complete even if a failure occurs. Our example uses the autorun.exe utility, which can be downloaded from the Tarma Software Research website. The Tarma utility can be used freely for both individual and commercial purposes without any licenses or user agreements.

To use the utility, you simply need to replace autorun.bat with autorun.exe in the autorun.inf file. Then a simple autorun.inf file will look like this.

There is a lot of information on the Internet about what the Autorun.inf file is and what harm it does.
In this article we will try to tame this “beast” and even put it to good use.
So, what do you need to know about the Autorun.inf file, and where does it live?

First of all, its power lies in the fact that it must be located in the root of the disk; only then can it use its “magic” capabilities.
The Windows operating system is configured so that every time we open a disk, flash drive, floppy disk and so on by double-clicking, it checks whether there happens to be an Autorun.inf file in the root of the disk. If one is found, the operating system executes the commands written in that file.
There is nothing supernatural about Autorun.inf: it is a plain text document with the extension “.inf” that contains some commands.
I think everyone has seen such a file at work. One example is any licensed disc with a program or game: when it is inserted, we see a program launch window that appears because of the Autorun.inf file. Its original mission, or one of them, was to launch programs on discs in order to start installing games, programs, and so on.

How to make this file work for us?
What's inside?

So, to work properly, every Autorun.inf file should have approximately the following structure:
[autorun]
open=MyProgProgram.exe

The open parameter contains a command or the path to a program file that will be launched when the disk is connected or opened by double-clicking. This is one of the main parameters of the file.
Once the Autorun.inf file has been written to the root of the disk or removable media, together with the program it launches, you can automate some tasks.

In the autorun menu you can display any text you like, using the action parameter:


[autorun]
open=MyProgProgram.exe
action=Program

For a more impressive visual display in Explorer, you can use the icon parameter, which makes the disk browsing window (My Computer) display our media with a picture (icon).
When specifying the icon parameter, put the path to the icon file after the “=” sign:

[autorun]
open=MyProgProgram.exe
action=Program
icon=MyProgIcon.ico

If you want another caption to appear instead of, for example, “Removable drive”, use the label parameter in the Autorun.inf file:

[autorun]
open=MyProgProgram.exe
action=Program
icon=MyProgIcon.ico
label=Stoppp

The Autorun.inf file has many other parameters, but for us this is enough for now.
Now let's start Notepad and type:

[autorun]
open=MyProgProgram.exe
action=Program
icon=MyProgIcon.ico
label=Stoppp

substituting after the “=” sign our own paths and data, which will be launched and displayed every time we connect the flash drive or disk.

Now click “Save”, select “File type” → “All files”, enter the name Autorun.inf, choose a location and click the save button.
After that we write our file, together with the program and the icon, to the disk or other media. The only condition is that the Autorun.inf file must be in the root of the disk.


Startup (not to be confused with autorun, the function that automatically opens programs from a connected disk or flash drive) is needed so that after the computer is turned on, both the programs Windows requires and third-party programs are launched. For example, an antivirus must be one of the first to launch in order to get ahead of possible threats. The desktop (explorer.exe) is also a program, part of the operating system, and launches almost first of all, even before antiviruses.

There are many ways to automatically launch programs; they can be tracked using special programs. About the best one later, but first about which programs are most often registered in Windows startup.

What happens in startup

Antiviruses. These are the most common programs that sit in the startup of most computers. Of course, provided that you care about the security of your computer.

Driver components. For example, Intel video card drivers register programs with the obscure names hkcmd and igfxtray, which handle hotkeys and display the settings icon in the tray (near the clock). AMD and nVidia have similar programs.

Drivers for digital cameras like to include programs in startup that monitor the fact that the camera is connected and offer to do something with the photos.

The Realtek sound card driver registers the RAVCpl64.exe program - this is the Realtek HD Manager, without which the sound in some cases will not be sent to the connected headphones.

The usefulness of a lot of software that comes with drivers is questionable, but you need to be careful. Fortunately, everything can be turned back on.

Programs for the correct operation of the laptop from the manufacturer. If Windows is installed on a laptop, then the startup will contain the nth number of programs for managing Wi-Fi, hot keys, energy saving, and so on. Some things can be given up, some things are necessary.

If, after reinstalling Windows on a laptop, half of the functions do not work even after installing the necessary drivers, the problem is precisely the missing auxiliary software. Go to the manufacturer's website and download what you need from the page for your laptop model.

Programs for the correct operation of a desktop PC. Owners of PC builds from renowned manufacturers Acer, Dell and others can find software similar to laptop support. Most often, these are programs for encrypting and backing up information, the removal of which will not interfere with the operation of the computer.

Toolbars, adware, viruses. Frequent guests on the computers of even advanced users. Do ads pop up when you launch your browser? Does the computer promise profit from investing money in the next pyramid in a sugary voice? Is your VKontakte password constantly stolen? These are all Trojans and advertising crap.

Services stand apart. These are programs we don't see that do important (and not so important) work. It’s better not to disable standard Windows services, but third-party ones can be. For example, the popular PowerDVD player installs the PowerDVD RC Service (PDVDServ.exe). It is needed to control video playback from the control panel. But it’s not always there; the service can be disabled.

System programs. Without them, your computer will not work as it should. This includes the Explorer program (explorer.exe), which is also the Desktop, services and drivers that are part of the system. They are easy to distinguish from strangers and should not be disabled.

Why clean startup?

Maybe we should leave everything as it is?

If you are lazy, afraid, or are happy with everything, close the tab and move on with your life. But if you have a rebellious spirit in you that wants your computer to boot faster, so that strange programs stop appearing, cleaning your startup will be the right step. Just be careful and do it with a fresh mind.

By learning how to clean startup, you can make the work of any computer (or laptop) that comes into your hands easier. This requires a little of your time, as well as a program like or Autoruns.

Autoruns program

The free Autoruns program will allow you to find out about all the programs that start after you turn on your computer.

You may be confused by the large number of tabs and rows. Fortunately, you can and should filter out “unnecessary” items. Not by unchecking the box (this is excluding the program from autorun), but by using the settings, which I will discuss later. When most of the items disappear, it’s easier to figure it out.

Enabling virus scanning

We need to filter out Windows components and isolate possible viruses. To do this, open the menu Options - Scan Options, check the boxes as in the screenshot below, and click Rescan:

So that you better understand what you are doing, I will tell you about the points:

  • Scan only per-user locations - only programs located in the user's folder are scanned. A useless item, because viruses can be in any folder on the disk.
  • Verify code signatures - each program, including system ones, has a digital signature proving that the program comes from a particular publisher and that the file has not been modified (no virus code has been inserted). This option is needed to detect the substitution of system files, which much malware does.
  • Check VirusTotal.com - checks each startup item for viruses using the VirusTotal online service. In effect, this is a check with several dozen antiviruses. It does not provide a 100% guarantee of detection, because autorun may contain a harmless program that in turn launches a virus; this cannot be identified. Requires a working internet connection. If you get a “You must agree...” window (“You must agree to the license agreement of the VirusTotal.com site”), press Yes/Yes.
  • Submit Unknown Images - sends for scanning those programs that are not found in the antivirus databases. If you have a slow Internet connection, the autorun check may slow down greatly (up to 10-15 minutes), but you can be sure that everything will be checked.

After you click Rescan, the program will take a long time to update the list, checking each program for “harmfulness”.

If you don’t have the Internet, I advise you to download any and test your computer with it. Unfortunately, because of this, it will not be possible to find out whether there were viruses in startup: the antivirus will remove them without notifying you whether they started automatically.

Removing viruses from startup - what do the different colors mean?

At this point we need the Everything tab, to see all the ways programs are launched.

After updating the list, some items will be colored yellow and pink, and some will have red numbers next to them.

Items highlighted in yellow should not be touched. Yellow color indicates that there is no program, but there is an option in startup. Unfortunately, Autoruns does not always correctly determine whether the driver files are in place and highlights them in yellow; disabling them leads to glitches, including the inability to start the operating system, so it’s better not to touch them until you figure out what’s what.

Pink points and numbers indicate problems:

If you see numbers like 16/57, then most likely this entry launches a virus. The number on the left (16) tells you how many antiviruses detected the malware, and the one on the right (57) how many scanned it in total. Clicking the numbers opens a page with details: which antiviruses reacted, what the threat is called, when it was first discovered. If only one or two antiviruses react (1/57), then in 99% of cases this is a false positive and the item can be ignored.

If you want, you can Google the name and find out the details, but the most important thing is to do the following:

1. Uncheck that item. This disables autorun of the program, which is equivalent to deleting it, except that you can restore everything later (in case of a false alarm).

2. Think about changing your antivirus because it was silent. I talked about free antiviruses that can compete with their “big” brothers back in 2012. The advice is still relevant today.

3. Reboot the computer and run Autoruns again. If time is precious, just press F5 on the keyboard - this will update the list. This helps to identify viruses that restore themselves in startup. If there are any, I advise you to check your computer using a free one, which removes threats more aggressively. There is also a free program that is used by many specialists, but it is difficult for beginners to learn. Next, I will talk about how to remove such programs manually.

Items highlighted in pink require attention. They mean that the program does not have a digital signature. Even viruses can have a digital signature if the creators have forked out money, so you should pay attention to the absence only when programs from Microsoft - the authors of Windows - do not have it.

An example that everything is fine with the file is below:

If it were (Not verified) Microsoft Corporation, it would be worthwhile to figure out what kind of program it is or whose component it is. But this is for advanced people; to begin with, you should uncheck the box only if there is a red inscription on the right.

Result: we go through the list on the “Everything” tab, disabling detected viruses, and reboot the computer.
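
The colour rules above written out as triage logic, as an added example (not part of the original article and not Autoruns' own code). The rows are constructed and the column names are assumptions standing in for an exported startup listing; the threshold follows the article's rule of thumb that one or two detections are a false positive.

```python
import csv
import io
import re

# Constructed sample listing; column names are assumptions, not Autoruns' own format.
SAMPLE = r"""entry,publisher,image_path,file_exists,vt
RtHDVCpl,(Verified) Realtek Semiconductor Corp,C:\Program Files\Realtek\RAVCpl64.exe,yes,0/57
tbnotifier,(Not verified) ExampleSoft,C:\Users\u\AppData\tbnotifier.exe,yes,16/57
updater,(Not verified) ExampleTool,C:\Tools\updater.exe,yes,1/57
olddrv,,C:\Windows\System32\drivers\olddrv.sys,no,
winhelper,(Not verified) Microsoft Corporation,C:\Temp\winhelper.exe,yes,0/57
"""

VT_RATIO = re.compile(r"^(\d+)/(\d+)$")
FALSE_POSITIVE_MAX = 2  # the article treats one or two detections as a false positive


def vt_detections(cell):
    """Return (detected, scanned) from a cell such as '16/57', or None if it is empty."""
    match = VT_RATIO.match(cell.strip())
    return (int(match.group(1)), int(match.group(2))) if match else None


def triage(row):
    """Map one startup entry to the action the article recommends for it."""
    vt = vt_detections(row["vt"])
    publisher = row["publisher"]
    if vt and vt[0] > FALSE_POSITIVE_MAX:
        return "disable"              # red numbers: uncheck, reboot, rescan
    if row["file_exists"] != "yes":
        return "leave-missing-file"   # yellow: entry without a file, do not touch
    if publisher.startswith("(Not verified)"):
        if "Microsoft" in publisher:
            return "investigate"      # unsigned file that claims to be Microsoft's
        return "review-unsigned"      # pink: needs attention, not disabled on this alone
    return "ok"


def triage_listing(text):
    """Return {entry name: verdict} for every row of the listing."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["entry"]: triage(row) for row in reader}


if __name__ == "__main__":
    for entry, verdict in triage_listing(SAMPLE).items():
        print(f"{entry:12} {verdict}")
```
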

Cleaning startup - Logon tab

After removing the evil spirits, many items will probably remain. Your hands are itching to turn them off, right? You feel that the computer will turn on even faster.

I’ll tell you a secret - you can disable everything on the Logon tab and the computer will still work. But it's better to be safe.

In the Options menu of Autoruns, check the first three items:

Then go to the Logon (“Login”) tab and uncheck all items in the list except those whose Publisher column reads (Verified) Microsoft Windows (usually the first item) and those from the list in the next chapter.

What should not be disabled

You should not disable programs coming from the driver of the sound card, video cards, and so on. Reason: glitches that arise. The sound output to the headphones will not switch when they are connected, additional keyboard buttons will not work, there may be problems with launching games, and so on.

Look at the Publisher column. If it contains something from this list, do not touch the item:

  • Microsoft Windows;
  • Microsoft Corporation;
  • Adobe Systems;
  • Google Inc;
  • Intel Corporation;
  • Advanced Micro Devices;
  • nVidia;
  • ESET;
  • Realtek;
  • Kaspersky;
  • Comodo;
  • Broadcom;
  • ...as well as items with the brand name of your laptop/PC. For example, Acer.

The name may not be completely identical. For example, for some reason Intel has a different publisher:

Antivirus stands apart. In autorun it can be represented by one item or several. Theoretically, it is impossible to disable the autorun of modern antiviruses using the Autoruns program, because antiviruses continuously monitor their startup entries; in practice, this happens. In any case, you can always restore the checkbox.

After rebooting, the computer will turn on much faster. The tray will also be clean (the area with icons near the clock):

This means that most programs no longer turn on when Windows starts. There is no Skype, no pop-up panels, nothing extraneous. Lovely!

Cleaning further - Scheduled Tasks and Services

Simply unchecking the box does not always remove the program from startup. For example, you can’t just turn off the blatant Ask Toolbar advertising module. After restarting the computer, the item will be added again:

What to do in this case? Besides the Logon tab, programs can be launched in many other ways. Again, uncheck the item that has reappeared, look carefully at its line, and go through the Scheduled Tasks and Services tabs one by one. Somewhere there will be entries for programs similar to those previously disabled:

We uncheck them too. The above-mentioned Ask Toolbar, by the way, will still appear again; more about such tenacious programs later.

Be careful with the Drivers tab!

It is tempting to disable all items in other tabs, for example, Drivers. Disabling drivers may make your operating system unbootable. How to restore the computer’s operation, I’m not sure, but that activity is for the patient and only if you have a second computer at hand. On this tab, disable only those items whose publisher (Publisher column) matches an item disabled on the Logon tab. Better yet, don’t touch anything there until you encounter programs that cannot be disabled.

Bottom line: first disable everything on Logon, then similar ones on the Scheduled Tasks and Services tabs.

If programs are added again

After a reboot, do enabled items still appear in the Autoruns list? There are two reasons:

1. The program (virus?) is running at that moment. It constantly checks its startup entry and, if the entry is deleted, restores it. Autoruns removes an entry from the Windows registry as soon as you uncheck it in the list, but does not check whether the entry has been added again. You can see this by refreshing the list (press F5 on the keyboard).

2. When the program closes, it checks the record again. When you restart your computer, the malware receives the shutdown signal and adds itself again.

The bastard needs to be removed.

On the Logon tab, right-click the item that keeps being added - Jump to Image. The folder containing the program will open. Its exact name can be found in the “Image path” column:

Right-click on the file (in our case it is tbnotifier) and rename it to, for example, tbnotifierblablabla:

Sometimes renaming fails with an error like “File blah blah blah is open in the program blablabla2”. In this case, press Ctrl+Shift+Esc to start Task Manager. On the Details tab, look for the programs mentioned. In my case this is one program; you may have several:

Mouse click on a line - Cancel task - End process.

Then return to Autoruns and go to the Services tab. Again use Jump to Image on the item whose checkbox has reappeared and rename the file the same way as before. If that fails with the same error (“The file is open in...”), note the name of the service (first column), start Task Manager, go to the Services tab, find that item, right-click it - Stop:

Try renaming the file again. Surely everything will work out.

Don't forget to look in Scheduled Tasks and see whether a checkmark has suddenly reappeared on something. Uncheck it - the malware won't bother you now.

You can also look at the Drivers tab, because there may be a malware driver there. If you see something on this tab that looks a lot like the item that keeps reappearing on the Logon tab, you have run into a serious virus from developers who know their stuff. The “virus driver” + “virus in startup” scheme is rare; I advise you to google the names of the programs being launched - there may be tips on how to properly remove such villains.

Close Autoruns and Task Manager and restart your computer. If the checkmarks do return (what an ambush!), do the same thing again, but instead of turning off the computer through the Start menu, restart it using the button on the system unit or unplug the battery and power cord from the laptop. Such a hard reboot will prevent the malware from learning that the computer is shutting down and that it needs to add its entries again. Unfortunately, there is a very small chance of damage to the disk file system, so... only at your own peril and risk! My experience is that it works. There are other methods; this one is the fastest at the expense of reliability.

In Windows 8 and 10, Task Manager has its own Startup tab. You can try to disable a stubbornly running program there.

What else can you turn off?

You can go further and disable even more programs. The computer will start up even faster, and delays when launching programs and opening folders will disappear. To do this, you will have to explain what the other tabs are for and how Windows autorun works in general. This extensive topic is destined for its own article. I'll add a link as soon as it appears.

Autorun.inf is a file, usually hidden, that is used to automatically launch programs from storage media (in our case, autorun.inf on a USB drive).

This article will tell you how to PERMANENTLY get rid of such problems as:

autorun.inf virus
how to remove autorun.inf virus from a flash drive
how to protect a flash drive from viruses without using antivirus programs.

And it will help you:

how to create autorun inf folder
how to get rid of autorun.inf
Make protection against autorun.inf

Before moving on to practice, a little theory. When you insert a flash drive into someone's computer and that computer is infected with a virus, the virus will write files to your flash drive (they are almost always hidden) and will not forget to write an autorun.inf file as well. When you then insert this flash drive into another computer, the autorun.inf file is launched, and the viruses begin to penetrate that computer. Of course, antivirus programs try to prevent this. But there is a much better solution to this problem.
Every file or folder on a computer is either hidden or not hidden. To make a file or folder hidden, you must:

open the file or folder “Properties”, in most cases by clicking the right mouse button;

check the “Hidden” attribute; once you click “OK”, the file or folder will be hidden.
Let's move on. If we insert a USB flash drive into the computer, the result will be something similar to this:

But if you click the “Hidden Files” button, or go to the menu "Configurations-Settings-Panel Contents" and check the box "Show hidden / system files",

we see this picture:

Files have appeared that we had not seen before: the RECYCLER folder, the autorun.exe and autorun.inf files, and so on. That’s where the viruses live.
How to protect a flash drive from viruses?


Now let's move on to the answer

All viruses enter your computer via a USB flash drive, using the autorun.inf file. Therefore, to prevent viruses from penetrating your computer, you need to create an autorun.inf folder on your media. I think you can do this without any problems by right-clicking:

Now, no matter how viruses try to write the autorun.inf file to the flash drive, they will not be able to do this. Because autorun.inf already exists. You can say, but it’s a folder, not a file? Yes, for us this is a big difference, but for the Operating System the difference is only one bit.

But there is a problem. Some viruses are more intelligent. So before they write, they will delete your folder and then write their autorun.inf file.

Therefore, you need to not only create the autorun.inf folder, but create it in such a way that it cannot be deleted, then no viruses will be able to delete your autorun.inf folder.

Now let's move on to how to implement this:

1st method:

1. Create a folder or directory autorun.inf.
2. Go to Start-Run:

and enter cmd (on Vista, go to Start and enter cmd in the box at the very bottom). Press Enter.
After this a window opens:

Enter the drive letter followed by a colon. In my case, the removable drive is drive J.

Pressing Enter takes you to your drive. After that, enter the command: cd autorun.inf

If everything is fine, then when you press Enter, the following should happen:

You are now in the autorun.inf folder.
And the last stage. Enter the following text: md name..\

And press Enter. In principle, you could substitute any word for name. Done! You have created an autorun.inf folder containing a non-deletable name folder.

2nd method (simpler):

1. Create a “Text document.txt” (right mouse button --> New --> Text document.txt). Change the name and extension, for example to "USB.bat".
2. Right-click the file and select Edit, or press F4 in Total Commander.
3. Copy the following text:

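rem Clear the system, hidden and read-only attributes of any existing autorun.* files
attrib -s -h -r autorun.*
rem Delete the existing autorun.* files
del autorun.*
rem Create the autorun.inf folder with a subfolder whose name ends in dots
mkdir "\\?\%~d0\autorun.inf\name..\"
rem Mark the autorun.inf folder as system and hidden
attrib +s +h %~d0\autorun.inf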

4. Save and close.
5. Copy the file USB.bat to the root of the flash drive and just run it (an undeletable hidden folder will appear).

In this case, USB.bat first deletes the existing autorun.inf and then creates a non-deletable autorun.inf folder. In other words, the second method does what I described in the first method, except that all you need to do is create USB.bat and run it, so the second method is much more convenient.

Note: when you make the non-deletable autorun.inf folder hidden, it acts as an indicator. If there are viruses on the flash drive, they have already tried to delete this folder, and the attempt removes the hidden attribute. Therefore, if you insert the flash drive and see the folder unhidden, there are viruses on the flash drive; clean it of viruses and run USB.bat again so that the folder is hidden again.

This autorun.inf folder cannot be deleted by anything. The only way you can remove it is to format the flash drive.

Now if you insert a flash drive, then even if there are viruses on your computer and they can write program code to your flash drive, they will not be able to run or transfer to the computer. Unless you want to run them manually)))
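
A read-only audit of a drive root, covering both the autorun.inf keys described earlier on this page and the placeholder folder described here; it is an added example, not code from the original article. The sample file is constructed, the function names are this example's own, and `shell\verb\command` is a further autorun.inf launch key that the article does not cover.

```python
import os
import stat
import tempfile

# Constructed sample, modelled on the article's examples plus one shell\verb\command key.
SAMPLE = r"""; constructed autorun.inf
[autorun]
open=autorun.bat index.htm
icon=icon_name.ico
label=Stoppp
shell\scan\command=folder1\tool.exe /argument
"""

EXEC_KEYS = ("open", "shellexecute")        # keys that start something
DISPLAY_KEYS = ("icon", "label", "action")  # keys that only change presentation


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(command):
    """Program part of a command line: a quoted path, or text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def launch_targets(entries):
    """Entries that start a program: open, shellexecute and shell verb commands."""
    return {k: v for k, v in entries.items()
            if k in EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))}


def audit_root(root):
    """Classify <root>/autorun.inf: absent, a placeholder folder, or a file with findings."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.exists(path):
        return {"state": "absent"}
    st = os.stat(path)
    if stat.S_ISDIR(st.st_mode):
        # st_file_attributes exists only on Windows; None means "cannot tell on this OS".
        attrs = getattr(st, "st_file_attributes", None)
        hidden = None if attrs is None else bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
        return {"state": "folder", "hidden": hidden}
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    findings = []
    for key, command in launch_targets(entries).items():
        target = first_token(command).replace("\\", os.sep)
        present = bool(target) and os.path.exists(os.path.join(root, target))
        findings.append({"key": key, "command": command, "target_on_media": present})
    return {"state": "file", "launches": findings,
            "display": {k: entries[k] for k in DISPLAY_KEYS if k in entries}}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # stands in for a drive root
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE)
        print(audit_root(root))
```

A "folder" result with hidden set to False corresponds to the indicator described in the note above; a "file" result lists every command the file would start.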







2024 gtavrl.ru.