What is runauto.. folder in root directory

x-eyed-bear

After a recent virus infection (self-inflicted wound caused by allowing
somebody to attach a portable USB hard disk to my computer), I notice a
new folder in the root directory of all my hard disks on my Win2K-based
computer.

The folder name is 'runauto..' and it appears to be hidden, based on the
appearance of the icon. But when I view the properties it shows the
folder as being not-read-only and not-hidden.

Checking the folder with the most up-to-date Norton virus signatures
finds a 'Backdoor.Trojan' and removes an associated pif from the folder.
But all attempts to browse or remove the folder result in the error
'Error deleting file or folder. Cannot delete file: cannot read from the
source file or disk'.

What is the folder for and how do I remove it?
 
I have a question. How is it possible for a USB hard disk that is simply
*connected* to infect the main hard disk?

Did someone execute a program on the USB disk?
 
Mumia W. wrote:
[snip]
I have a question. How is it possible for a USB hard disk that is simply
*connected* to infect the main hard disk?

Did someone execute a program on the USB disk?

never heard of autorun.inf? works for cd's, dvd's, usb drives, etc...
 
The Windows autorun feature can easily be used to run one or more
programs when the USB drive is inserted, just as it does for a CD.
There is no requirement for human intervention beyond simply plugging
in the drive.
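
As an added illustration of the autorun mechanism discussed in the replies above (not code posted by anyone in this thread), this Python function lists the programs an autorun.inf asks Windows to launch, so a drive's file can be inspected before the drive is trusted. The sample file contents and the names in it are constructed.

```python
import re

# Keys in the [autorun] section that name a program Windows may launch.
LAUNCH_KEYS = ("open", "shellexecute")
# Context-menu verbs: shell\<verb>\command=<program>
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def autorun_commands(text):
    """Return (key, command) pairs from the [autorun] section of the text.

    Hand-written tolerant parser: junk lines, comments and other
    sections are skipped instead of raising an error.
    """
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in LAUNCH_KEYS or SHELL_CMD.match(key):
            found.append((key, value))
    return found


# Constructed sample, not taken from any real drive.
SAMPLE = r"""
; constructed autorun.inf
[Autorun]
icon=drive.ico
label=Backup
this line is junk
open=somefolder\program.pif
shell\open\command=somefolder\program.pif
shell\explore\command = somefolder\program.pif
"""

if __name__ == "__main__":
    for key, command in autorun_commands(SAMPLE):
        print(f"{key:24} -> {command}")
```
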
 
Char Jackson said:
On Mon, 16 Jul 2007 20:08:57 GMT, "Mumia W."


The Windows autorun feature can easily be used to run one or more
programs when the USB drive is inserted, just as it does for a CD.
There is no requirement for human intervention beyond simply plugging
in the drive.

With Windows XP Pro SP2 you get a dialog asking what to do.
 
That's unsettling, but thank you.
 
Some USB devices are "smart drives" - according to Wikipedia, "The U3
Launchpad is a program manager that is preinstalled on every U3 smart
drive, and is set to autoplay on insertion. A partition with the U3
Launchpad pretends to be a CD/DVD-ROM device in order to add USB mass
storage device autoplay functionality on pre-Windows XP SP2 systems,
or systems whose USB autoplay has been intentionally disabled."
 
Mumia said:
A cursory search suggests that runauto is a worm written in VB script.

http://search.yahoo.com/search?p=runauto&ei=UTF-8&fr=moz2

OK, Thanks for this pointer (following what was clearly a stimulating
discussion by others). I did do a Google search but did not find any of
the references your search has uncovered. Sadly I searched on the string
'runauto..'

More sadly, NONE of the searches have given me information that is
effective in removing this root directory entry - and I have followed a
lot of the actions that are suggested. Specifically the advice from
Symantec on removal of this VB script malware refer to registry entries
in HKLM\Software\Microsoft\Windows\Current Version\Explorer\Advanced
which do NOT exist on any of my 3 Win2k computers or any of my 2 WinXP
computers. I suspect there may be an error in the advice from Symantec
and this is replicated at the precisesecurity.com web-site.

http://www.precisesecurity.com/computer-virus/vbsra-mar0713.htm

The directory still exists and still cannot be deleted.

Any further advice?
 
Try to rename it instead.

I would create a script to remove its hidden attribute, rename it and
create a new, empty folder in its place with the same name.

You might then be able to examine the malware folder. If you can find
malware samples in it, please send them to one of the anti-virus companies.

It sounds like the trojan downloader has been changed since the earlier
reports came out.
 
tobiasaf had written this in response to
http://secure-gear.com/alt.comp.ant...to-folder-in-root-directory-article23464-.htm
:
Hi, I was having this same issue where my USB key got infected after a
trip to China and figured out how to delete the folder, so I just wanted
to share. There's this program Delete FXP Files, they have a free edition
you can download here:

http://www.jrtwine.com/Products/DelFXPFiles/DeleteFXPFilesInstall.zip

If you install and run that program, you can go into the runauto.. folder,
delete the contents, and then delete the folder itself (the free version
doesn't allow you to delete it all at once). Good luck!

 
Thanks for that link and the tip, but the archive won't open. The
following link is recommended in that case...

http://www.jrtwine.com/Products/DelFXPFiles/DeleteFXPFilesInstall.exe

Larry
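
An added example, not part of any post in this thread: Win32 path normalisation strips trailing dots and spaces from a name, so a folder stored as 'runauto..' is looked up as 'runauto' and the delete fails, while a path carrying the `\\?\` prefix is passed to the filesystem unnormalised. The Python below finds such names in a directory and builds that path; the helper names and the demo directory are constructed for illustration.

```python
import os
import shutil
import tempfile


def unreachable_by_win32(name):
    """True if Win32 normalisation would alter this entry name
    (trailing dots and spaces are stripped), so Explorer cannot open it."""
    return name not in (".", "..") and name != name.rstrip(". ")


def extended_path(root, name):
    """Build the extended-length form of root + name, which Windows
    passes to the filesystem without normalising it."""
    return "\\\\?\\" + root.rstrip("\\") + "\\" + name


def scan_root(root):
    """Return the entries in `root` that need the extended-length form."""
    return sorted(e.name for e in os.scandir(root)
                  if unreachable_by_win32(e.name))


def remove_tree(root, name):
    """Windows only: delete the entry through its extended-length path."""
    shutil.rmtree(extended_path(root, name))


def demo():
    """Constructed directory tree; meant for a non-Windows filesystem,
    where names ending in a dot or space can be created directly."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("runauto..", "Documents", "notes. "):
            os.mkdir(os.path.join(root, name))
        return scan_root(root)


if __name__ == "__main__":
    for name in demo():
        # Show the path that would be used if the entry sat in C:\
        print(repr(name), "->", extended_path("C:\\", name))
```
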
 