Trojan:AutoRun-A is a legacy malware family that exploits Windows AutoRun functionality to spread across removable media and network shares. First identified in the mid-2000s, this trojan persists primarily on systems that haven't disabled AutoRun features or remain unpatched against older vulnerabilities. While modern Windows versions have significantly restricted AutoRun capabilities, variants of this threat still circulate in environments with legacy configurations, shared USB drives in industrial settings, or systems running older versions of Windows without current security updates.

Trojan:AutoRun-A — cybersecurity illustration
Photo by Tima Miroshnichenko on Pexels

This trojan typically arrives via infected USB drives, external hard drives, or mapped network locations. Once executed, it modifies system settings to automatically launch itself whenever new media is inserted or accessed. Beyond self-replication, Trojan:AutoRun-A variants commonly download additional payloads, create backdoors for remote access, or harvest credentials and system information for transmission to command-and-control servers.

Think you're infected right now? Disconnect from your network immediately and remove any USB drives or external storage. Do not insert the suspect USB into another computer. Boot into Safe Mode with Networking (instructions below) and run a full system scan with updated antivirus software. If you're uncertain about the removal process or need immediate assistance, call Computer Repair Roswell at (770) 856-1555 — we handle AutoRun trojans and their aftermath daily.

Threat Profile

Attribute Details
Malware Family Trojan:Win32/AutoRun (multiple variants including A, B, C, etc.)
Common Aliases Worm:AutoRun, VBS/Autorun, Trojan.Autorun, Win32/Autorun.worm
Platform Windows XP/Vista/7 (primarily); some variants affect Windows 8/10 with legacy AutoRun settings enabled
First Discovered 2005-2006 (peak prevalence 2008-2010)
Distribution Method Removable media exploitation (USB drives, external HDDs), network shares, malicious autorun.inf files
Persistence Mechanism Registry Run keys, autorun.inf files on all available drives, scheduled tasks, system service creation (variant-dependent)
Primary Capabilities Self-replication to removable media, backdoor installation, payload downloading, system information theft, disabling security software
Typical File Size 15-250 KB (the dropper itself); downloaded payloads vary significantly
Network Behavior HTTP/HTTPS connections to C2 servers for command retrieval and data exfiltration; some variants use IRC channels or FTP
Common Artifacts autorun.inf files on drives, hidden executable files in drive root directories, registry modifications to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Data at Risk Stored credentials, browser history/cookies, email credentials, FTP passwords, system configuration details
Removal Difficulty Moderate — requires manual cleanup of multiple drives and careful registry editing; reinfection risk is high if all infected media aren't cleaned

How It Spreads

Trojan:AutoRun-A exploits the Windows AutoRun feature that was designed to automatically launch programs when removable media is inserted. When you plug in an infected USB drive, the operating system reads an autorun.inf file placed by the malware in the root directory of that drive. This file instructs Windows to execute the trojan's binary automatically — often without any visible prompt on systems with AutoRun fully enabled. The malware then copies itself to the local hard drive and immediately begins scanning for other connected drives and accessible network shares to infect.

The infection chain doesn't stop with one machine. Once Trojan:AutoRun-A establishes itself on your computer, it monitors for newly connected removable media. The moment you insert a clean USB drive, the malware writes its files and autorun.inf configuration to that drive. When you or a colleague then uses that USB drive on another computer, the cycle repeats. This makes AutoRun trojans particularly problematic in office environments, educational institutions, and industrial facilities where USB drives frequently move between workstations.

Beyond removable media, this trojan family also spreads through:

  • Network share exploitation — The malware writes itself to accessible network folders (particularly those with write permissions), infecting workstations that browse or map those shares
  • Email attachments — Some variants arrive as ZIP files containing both the executable and a crafted autorun.inf, disguised as legitimate documents or software
  • Drive-by downloads — Compromised websites or malicious advertisements can drop AutoRun trojan components onto systems, which then propagate to removable media
  • Peer-to-peer networks — The malware has been found bundled with pirated software, key generators, and "cracked" applications distributed through file-sharing platforms
  • Social engineering — Attackers deliberately leave infected USB drives in parking lots, lobbies, or public spaces, relying on curiosity to prompt someone to insert the drive

What It Does On Your Machine

Upon execution, Trojan:AutoRun-A immediately establishes multiple persistence mechanisms to survive system reboots. The malware copies its main executable to a system directory — typically a randomly named folder within %APPDATA%, %LOCALAPPDATA%, or %PROGRAMFILES% — and creates Windows Registry entries that launch this file every time the system starts. Common registry locations include the Run and RunOnce keys under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, ensuring the trojan loads regardless of which user account logs in.

The trojan's primary observable behavior is its aggressive drive infection routine. It continuously monitors for new drive letters appearing in the system, whether from USB drives, SD cards, external hard drives, or mapped network locations. When a new drive is detected, the malware writes two files: an autorun.inf configuration file and a copy of its executable (often with a system or hidden file attribute to avoid casual detection). The autorun.inf file contains instructions like open=malware.exe or uses shell command hooks to trigger execution when the drive is accessed.

Beyond self-replication, Trojan:AutoRun-A variants serve as downloaders or droppers for additional malicious payloads. After establishing itself on your system, the trojan typically connects to a remote server to report the successful infection and download secondary components. These payloads vary but commonly include keyloggers to capture passwords and sensitive data, information stealers that harvest browser credentials and email account details, backdoor trojans that grant attackers remote access to your machine, and cryptocurrency miners that consume system resources for the attacker's profit.

The malware also attempts to disable security measures that might interfere with its operation. Many variants modify Windows Registry settings to prevent Task Manager from launching, disable Windows Defender or other antivirus software, block access to registry editing tools (regedit.exe), and hide file extensions and hidden files in Windows Explorer to make their presence less obvious. Some versions also terminate processes associated with security software or monitoring tools, actively fighting against cleanup attempts.

Typical Filesystem and Registry Artifacts
C:\Users\\AppData\Roaming\Microsoft\Windows\svchost.exe // Hidden/System attributes set C:\Users\\AppData\Local\Temp\{random-GUID}\winlogon.exe D:\autorun.inf // Root of removable drives D:\Recycler\{SID}\system32.exe E:\autorun.inf // Propagates to all accessible drives
Registry Keys (common locations)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"SystemCheck" = "C:\Users\...\svchost.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Update Service" = "%APPDATA%\winlogon.exe" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "explorer.exe malware.exe" HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = 1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = 0x00000091

Manual Removal — Step by Step

01

Disconnect All Removable Media and Network Connections

Before beginning removal, unplug all USB drives, external hard drives, SD cards, and any other removable storage from your computer. Disconnect from your network (unplug the Ethernet cable or disable WiFi). This prevents the trojan from reinfecting cleaned drives or spreading to network shares during the removal process. Keep all removable media disconnected until you've completed cleanup and verified the system is clean.

02

Boot Into Safe Mode with Networking

Restart your computer and repeatedly press F8 (Windows 7/Vista/XP) or hold Shift while clicking Restart (Windows 8/10/11) to access the boot options menu. Select "Safe Mode with Networking" from the list. This loads Windows with minimal drivers and services, preventing most malware from automatically starting. Safe Mode also makes it easier to delete files that would otherwise be locked by running processes.

03

Show Hidden Files and System Files

Open Windows Explorer, click on "Organize" (or "View" in Windows 10/11), then "Folder and search options." Under the View tab, select "Show hidden files, folders, and drives" and uncheck "Hide protected operating system files." Click Apply. This reveals the autorun.inf files and hidden executables that the trojan uses to propagate. The malware specifically relies on these files being invisible to casual users.

04

Terminate Malicious Processes

Press Ctrl+Shift+Esc to open Task Manager (if the trojan has disabled it, you'll need to re-enable it via Registry or use a third-party process manager). Look for suspicious processes with names like svchost.exe, winlogon.exe, or csrss.exe running from user directories rather than System32. Right-click and select "End Process Tree." Note the full file path shown in the properties before terminating, as you'll need to delete these files in subsequent steps.

05

Clean Registry Persistence Entries

Press Windows+R, type regedit and press Enter. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for unfamiliar entries pointing to executables in AppData, Temp, or other non-standard locations. Right-click suspicious entries and delete them. Also check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon — the "Shell" value should only contain "explorer.exe" and nothing else.

06

Delete the Malware Files and Folders

Using Windows Explorer, navigate to the locations you identified in Task Manager. Common locations include C:\Users\[YourName]\AppData\Roaming\, AppData\Local\, and AppData\Local\Temp\. Delete any folders containing the malicious executables. Check the Recycle Bin folder on each drive (including the root directory) as some variants hide there. Empty the Windows Recycle Bin when finished to ensure the files are permanently removed.

07

Remove AutoRun.inf Files from All Drives

Open Windows Explorer and check the root directory of your C: drive and any other internal drives. Delete any autorun.inf files you find. These files are the mechanism the trojan uses to auto-execute, so removing them breaks the infection chain. Before reconnecting any removable media, you'll need to clean those drives as well using the same process — ideally from a known-clean computer or using a bootable antivirus scanner.

08

Scan with Malwarebytes or Similar Tool

Download and install Malwarebytes Free (or another reputable anti-malware tool like HitmanPro) while still in Safe Mode. Update the definitions and run a full system scan. This catches any components you might have missed during manual removal and identifies related threats that may have been downloaded as secondary payloads. Quarantine or delete all detected items, then restart the computer normally.

09

Re-enable Security Settings and Verify AutoRun is Disabled

Check that Task Manager, Registry Editor, and other tools are accessible again. Press Windows+R, type gpedit.msc (on Pro/Enterprise editions) or modify the registry directly to ensure AutoRun is disabled for all drive types. Set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun to 0x000000FF (255 in decimal). This prevents autorun.inf files from executing automatically and protects against reinfection.

10

Clean All Removable Media Before Reconnecting

Do not reconnect any USB drives or external storage to your now-clean computer until you've verified they're free of infection. Use a bootable antivirus rescue disk or connect them to a Linux system to delete autorun.inf files and scan for executables. If you're uncertain about cleaning the drives yourself, bring them to our shop — we can scan and clean removable media safely without risking reinfection of your system.

Prevention

  1. Disable AutoRun/AutoPlay for all drive types — Windows 7 and later have significantly restricted AutoRun, but ensure it's completely disabled in your Group Policy or Registry settings. This single change eliminates the primary infection vector for this entire malware family.
  2. Keep your antivirus software updated and active — Modern security suites detect AutoRun trojans effectively when definition files are current. Enable real-time protection and schedule regular full-system scans, particularly after using removable media from untrusted sources.
  3. Show file extensions and hidden files by default — Malware frequently disguises itself as legitimate file types by using names like "document.pdf.exe" or setting hidden/system attributes. Configure Windows Explorer to always display extensions and reveal hidden items so you can spot suspicious files.
  4. Treat unknown USB drives as potentially infected — Never insert a USB drive from an untrusted source directly into your primary computer. If you must access such media, use a quarantined system, a Linux live environment, or scan the drive with an updated antivirus tool before opening any files.
  5. Maintain regular offline backups — AutoRun trojans can spread to backup drives that remain constantly connected. Keep critical backups on media that's only connected during the backup process, then physically disconnected and stored securely. This prevents malware from encrypting or corrupting your recovery options.
  6. Apply Windows updates promptly — Microsoft has patched numerous AutoRun-related vulnerabilities over the years. Keeping your system updated closes these security gaps and limits the malware's ability to exploit legacy features.
  7. Use standard user accounts for daily work — Running with administrative privileges gives malware broader system access. Create a standard user account for routine tasks and only elevate to administrator when necessary for software installation or system configuration.
  8. Implement application whitelisting in business environments — Tools like Windows AppLocker or third-party application control solutions prevent unauthorized executables from running, blocking AutoRun trojans even if AutoPlay is accidentally enabled or the malware attempts to execute through other means.
Our 90-Day Warranty — When Computer Repair Roswell removes malware from your system, that specific threat stays gone. We thoroughly clean all persistence mechanisms, remove associated files, and verify your system is infection-free before returning it. If the same malware returns within 90 days through no fault of your own (not from re-inserting an infected USB drive or clicking the same malicious link), we'll remediate it again at no charge. You're not just getting a cleanup — you're getting peace of mind.

Bring It In

AutoRun trojans are particularly frustrating because they can hide across multiple drives, network shares, and removable media — cleaning your computer without addressing infected USB drives just leads to immediate reinfection. At Computer Repair Roswell, we handle the complete remediation process: identifying all infected media, cleaning the registry and filesystem, verifying secondary payloads have been removed, and configuring your system to prevent AutoRun-based infections in the future. We've been removing these threats since they first appeared, and we know all the hiding spots and persistence tricks these trojans employ.

Located at 1735 Hembree Road in Roswell, we're open Monday through Saturday to handle infections, malware removal, and preventive security configuration. Call us at (770) 856-1555 or stop by the shop — bring any USB drives or external storage you've been using so we can check them for infection at the same time. Most AutoRun trojan removals are completed same-day, and we'll explain what happened, what we removed, and how to avoid similar infections going forward. Don't keep fighting reinfection cycles — let us break the chain permanently.