What is runauto.. folder in root directory

x-eyed-bear

Jul 16, 2007, 1:12:21 PM
After a recent virus infection (self-inflicted wound caused by allowing
somebody to attach a portable USB hard disk to my computer), I notice a
new folder in the root directory of all my hard disks on my Win2K-based
computer.

The folder name is 'runauto..' and it appears to be hidden, based on the
appearance of the icon. But when I view the properties it shows the
folder as being not-read-only and not-hidden.

Checking the folder with the most up-to-date Norton virus signatures
finds a 'Backdoor.Trojan' and removes an associated pif from the folder.
But all attempts to browse or remove the folder result in the error
'Error deleting file or folder. Cannot delete file: cannot read from the
source file or disk'.

What is the folder for and how do I remove it?

Mumia W.

Jul 16, 2007, 4:08:57 PM

I have a question. How is it possible for a USB hard disk that is simply
*connected* to infect the main hard disk?

Did someone execute a program on the USB disk?

Message has been deleted

Axel Hammerschmidt

Jul 17, 2007, 4:05:56 AM
Char Jackson <no...@none.invalid> wrote:

> On Mon, 16 Jul 2007 20:08:57 GMT, "Mumia W."
> <paduille.4061....@earthlink.net> wrote:

<snip>

> >I have a question. How is it possible for a USB hard disk that is simply
> >*connected* to infect the main hard disk?
> >
> >Did someone execute a program on the USB disk?
>

> The Windows autorun feature can easily be used to run one or more
> programs when the USB drive is inserted, just as it does for a CD.
> There is no requirement for human intervention beyond simply plugging
> in the drive.

With Windows XP Pro SP2 you get a dialog asking what to do.

Mumia W.

Jul 17, 2007, 6:27:30 AM
On 07/16/2007 06:49 PM, Char Jackson wrote:
>
> The Windows autorun feature can easily be used to run one or more
> programs when the USB drive is inserted, just as it does for a CD.
> There is no requirement for human intervention beyond simply plugging
> in the drive.
>

That's unsettling, but thank you.


Message has been deleted

Axel Hammerschmidt

Jul 17, 2007, 10:38:45 AM
Char Jackson <no...@none.invalid> wrote:

> And one of the options is 'do this, and don't ask me again', so no
> dialog in that case.

One to avoid.

dolo...@yahoo.com

Jul 17, 2007, 11:58:49 AM
On Jul 17, 6:27 am, "Mumia W." <paduille.4061.mumia.w

Some USB devices are "smart drives" - according to Wikipedia, "The U3
Launchpad is a program manager that is preinstalled on every U3 smart
drive, and is set to autoplay on insertion. A partition with the U3
Launchpad pretends to be a CD/DVD-ROM device in order to add USB mass
storage device autoplay functionality on pre-Windows XP SP2 systems,
or systems whose USB autoplay has been intentionally disabled."


kurt wismer

Jul 16, 2007, 7:01:39 PM
Mumia W. wrote:
[snip]

> I have a question. How is it possible for a USB hard disk that is simply
> *connected* to infect the main hard disk?
>
> Did someone execute a program on the USB disk?

never heard of autorun.inf? works for cd's, dvd's, usb drives, etc...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
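
Added example, not part of any post in this thread: a Python sketch that lists the commands an autorun.inf would have Windows launch and flags root-folder names ending in a dot or space, such as the 'runauto..' folder from the question, which the Windows shell does not support. The sample file contents, `launcher.pif` and the directory listing are constructed for illustration.

```python
"""Triage a drive root: autorun.inf launch commands and shell-unsupported names."""


def autorun_commands(text):
    """Return (key, command) pairs from the [autorun] section that launch something."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open= and shellexecute= name the program AutoRun launches;
        # shell\<verb>\command= attaches a command to a context-menu verb.
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            found.append((key, value))
    return found


def unsupported_names(names):
    """Return names ending in '.' or ' ', which the Windows shell does not support."""
    return [n for n in names if n not in (".", "..") and n[-1:] in (".", " ")]


def triage(root_listing, autorun_text=None):
    """Run both checks and return one report dict."""
    return {
        "autorun_commands": autorun_commands(autorun_text or ""),
        "unsupported_names": unsupported_names(root_listing),
    }


# Constructed sample input; launcher.pif is a hypothetical file name.
SAMPLE_INF = """\
; constructed example
[AutoRun]
Open = launcher.pif
shell\\open\\Command=launcher.pif
icon=folder.ico
[Other]
open=ignored.exe
"""
SAMPLE_ROOT = ["autorun.inf", "runauto..", "Documents", "photos "]

if __name__ == "__main__":
    print(triage(SAMPLE_ROOT, SAMPLE_INF))
```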

MZB

Jul 18, 2007, 9:51:33 AM
Geeeezzzzz.... could somebody answer the poor guy's question??

MB
<dolo...@yahoo.com> wrote in message
news:1184687929....@i13g2000prf.googlegroups.com...

Mumia W.

Jul 18, 2007, 12:50:44 PM

A cursory search suggests that runauto is a worm written in VB script.

http://search.yahoo.com/search?p=runauto&ei=UTF-8&fr=moz2

x-eyed-bear

Jul 20, 2007, 11:03:43 AM

OK, Thanks for this pointer (following what was clearly a stimulating
discussion by others). I did do a Google search but did not find any of
the references your search has uncovered. Sadly I searched on the string
'runauto..'

More sadly, NONE of the searches have given me information that is
effective in removing this root directory entry - and I have followed a
lot of the actions that are suggested. Specifically the advice from
Symantec on removal of this VB script malware refers to registry entries
in HKLM\Software\Microsoft\Windows\Current Version\Explorer\Advanced
which do NOT exist on any of my 3 Win2k computers or any of my 2 WinXP
computers. I suspect there may be an error in the advice from Symantec
and this is replicated at the precisesecurity.com web-site.

http://www.precisesecurity.com/computer-virus/vbsra-mar0713.htm

The directory still exists and still cannot be deleted.

Any further advice?

Mumia W.

Jul 21, 2007, 12:38:24 AM
On 07/20/2007 10:03 AM, x-eyed-bear wrote:
> Mumia W. wrote:
>> [...]

>> http://search.yahoo.com/search?p=runauto&ei=UTF-8&fr=moz2
>>
>
> OK, Thanks for this pointer (following what was clearly a stimulating
> discussion by others). I did do a Google search but did not find any of
> the references your search has uncovered. Sadly I searched on the string
> 'runauto..'
>
> More sadly, NONE of the searches have given me information that is
> effective in removing this root directory entry - and I have followed a
> lot of the actions that are suggested. Specifically the advice from
> Symantec on removal of this VB script malware refers to registry entries
> in HKLM\Software\Microsoft\Windows\Current Version\Explorer\Advanced
> which do NOT exist on any of my 3 Win2k computers or any of my 2 WinXP
> computers. I suspect there may be an error in the advice from Symantec
> and this is replicated at the precisesecurity.com web-site.
>
> http://www.precisesecurity.com/computer-virus/vbsra-mar0713.htm
>
> The directory still exists and still cannot be deleted.
>
> Any further advice?

Try to rename it instead.

I would create a script to remove its hidden attribute, rename it and
create a new, empty folder in its place with the same name.

You might then be able to examine the malware folder. If you can find
malware samples in it, please send them to one of the anti-virus companies.

It sounds like the trojan downloader has been changed since the earlier
reports came out.

tobiasaf

Oct 9, 2007, 10:20:04 PM
tobiasaf had written this in response to
http://secure-gear.com/alt.comp.anti-virus/6/What-is-runauto-folder-in-root-directory-article23464-.htm
:
Hi, I was having this same issue where my USB key got infected after a
trip to China and figured out how to delete the folder, so I just wanted
to share. There's this program Delete FXP Files, they have a free edition
you can download here:

http://www.jrtwine.com/Products/DelFXPFiles/DeleteFXPFilesInstall.zip

If you install and run that program, you can go into the runauto.. folder,
delete the contents, and then delete the folder itself (the free version
doesn't allow you to delete it all at once). Good luck!


Larry Sabo

Oct 10, 2007, 8:58:45 AM
tobiasaf_at_h...@foo.com (tobiasaf) wrote:

>tobiasaf had written this in response to
>http://secure-gear.com/alt.comp.anti-virus/6/What-is-runauto-folder-in-root-directory-article23464-.htm
> :
>Hi, I was having this same issue where my USB key got infected after a
>trip to China and figured out how to delete the folder, so I just wanted
>to share. There's this program Delete FXP Files, they have a free edition
>you can download here:
>
>http://www.jrtwine.com/Products/DelFXPFiles/DeleteFXPFilesInstall.zip
>
>If you install and run that program, you can go into the runauto.. folder,
>delete the contents, and then delete the folder itself (the free version
>doesn't allow you to delete it all at once). Good luck!

Thanks for that link and the tip, but the archive won't open. The
following link is recommended in that case...

http://www.jrtwine.com/Products/DelFXPFiles/DeleteFXPFilesInstall.exe

Larry