What is runauto.. folder in root directory

x-eyed-bear · External Since: Jul 16, 2007 Posts: 2

After a recent virus infection (self-inflicted wound caused by allowing
somebody to attach a portable USB hard disk to my computer), I notice a
new folder in the root directory of all my hard disks on my Win2K-based
computer.

The folder name is 'runauto..' and it appears to be hidden, based on the
appearance of the icon. But when I view the properties it shows the
folder as being not-read-only and not-hidden.

Checking the folder with the most up-to-date Norton virus signatures
finds a 'Backdoor.Trojan' and removes an associated pif from the folder.
But all attempts to browse or remove the folder result in the error
'Error deleting file or folder. Cannot delete file: cannot read from the
source file or disk'.

What is the folder for and how do I remove it?

Mumia W. · External Since: Jul 08, 2007 Posts: 5

On 07/16/2007 12:12 PM, x-eyed-bear wrote:
> After a recent virus infection (self-inflicted wound caused by allowing
> somebody to attach a portable USB hard disk to my computer), I notice a
> new folder in the root directory of all my hard disks on my Win2K-based
> computer.
>
> The folder name is 'runauto..' and it appears to be hidden, based on the
> appearance of the icon. But when I view the properties it shows the
> folder as being not-read-only and not-hidden.
>
> Checking the folder with the most up-to-date Norton virus signatures
> finds a 'Backdoor.Trojan' and removes an associated pif from the folder.
> But all attempts to browse or remove the folder result in the error
> 'Error deleting file or folder. Cannot delete file: cannot read from the
> source file or disk'.
>
> What is the folder for and how do I remove it?

I have a question. How is it possible for a USB hard disk that is simply
*connected* to infect the main hard disk?

Did someone execute a program on the USB disk?

kurt wismer · External Since: Jul 04, 2003 Posts: 1496

Mumia W. wrote:
[snip]
> I have a question. How is it possible for a USB hard disk that is simply
> *connected* to infect the main hard disk?
>
> Did someone execute a program on the USB disk?

never heard of autorun.inf? works for cd's, dvd's, usb drives, etc...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Char Jackson · External Since: Jun 15, 2007 Posts: 21

This message is not archived

dolorite · External Since: Jul 17, 2007 Posts: 1

On Jul 17, 6:27 am, "Mumia W." <paduille.4061.mumia.w
+nos...@earthlink.net> wrote:
> On 07/16/2007 06:49 PM, Char Jackson wrote:
>
>
>
> > The Windows autorun feature can easily be used to run one or more
> > programs when the USB drive is inserted, just as it does for a CD.
> > There is no requirement for human intervention beyond simply plugging
> > in the drive.
>
> That's unsettling, but thank you.

Some USB devices are "smart drives" - according to Wikipedia,"The U3
Launchpad is a program manager that is preinstalled on every U3 smart
drive, and is set to autoplay on insertion. A partition with the U3
Launchpad pretends to be a CD/DVD-ROM device in order to add USB mass
storage device autoplay functionality on pre-Windows XP SP2 systems,
or systems whose USB autoplay has been intentionally disabled."

Axel Hammerschmidt · External Since: Dec 14, 2004 Posts: 19

Char Jackson <none.DeleteThis@none.invalid> wrote:

> On Mon, 16 Jul 2007 20:08:57 GMT, "Mumia W."
> <paduille.4061.mumia.w+nospam@earthlink.net> wrote:

<snip>

> >I have a question. How is it possible for a USB hard disk that is simply
> >*connected* to infect the main hard disk?
> >
> >Did someone execute a program on the USB disk?
>
> The Windows autorun feature can easily be used to run one or more
> programs when the USB drive is inserted, just as it does for a CD.
> There is no requirement for human intervention beyond simply plugging
> in the drive.

With Windows XP Pro SP2 you get a dialog asking what to do.

Mumia W. · External Since: Jul 08, 2007 Posts: 5

On 07/16/2007 06:49 PM, Char Jackson wrote:
>
> The Windows autorun feature can easily be used to run one or more
> programs when the USB drive is inserted, just as it does for a CD.
> There is no requirement for human intervention beyond simply plugging
> in the drive.
>

That's unsettling, but thank you.

Char Jackson · External Since: Jun 15, 2007 Posts: 21

This message is not archived

Axel Hammerschmidt · External Since: Dec 14, 2004 Posts: 19

Char Jackson <none DeleteThis @none.invalid> wrote:

> On Tue, 17 Jul 2007 10:05:56 +0200, hlexa DeleteThis @hotmail.com (Axel
> Hammerschmidt) wrote:
>
> >Char Jackson <none DeleteThis @none.invalid> wrote:
> >
> >> On Mon, 16 Jul 2007 20:08:57 GMT, "Mumia W."
> >> <paduille.4061.mumia.w+nospam@earthlink.net> wrote:
> >
> ><snip>
> >
> >> >I have a question. How is it possible for a USB hard disk that is simply
> >> >*connected* to infect the main hard disk?
> >> >
> >> >Did someone execute a program on the USB disk?
> >>
> >> The Windows autorun feature can easily be used to run one or more
> >> programs when the USB drive is inserted, just as it does for a CD.
> >> There is no requirement for human intervention beyond simply plugging
> >> in the drive.
>
> >With Windows XP Pro SP2 you get a dialog asking what to do.
>
> And one of the options is 'do this, and don't ask me again', so no
> dialog in that case.

One to avoid.

MZB · External Since: Oct 29, 2005 Posts: 35

Geeeezzzzz.... could somebody answer the poor guy's question??

MB
<dolorite RemoveThis @yahoo.com> wrote in message
news:1184687929.608754.51250@i13g2000prf.googlegroups.com...
> On Jul 17, 6:27 am, "Mumia W." <paduille.4061.mumia.w
> +nos...@earthlink.net> wrote:
>> On 07/16/2007 06:49 PM, Char Jackson wrote:
>>
>>
>>
>> > The Windows autorun feature can easily be used to run one or more
>> > programs when the USB drive is inserted, just as it does for a CD.
>> > There is no requirement for human intervention beyond simply plugging
>> > in the drive.
>>
>> That's unsettling, but thank you.
>
> Some USB devices are "smart drives" - according to Wikipedia,"The U3
> Launchpad is a program manager that is preinstalled on every U3 smart
> drive, and is set to autoplay on insertion. A partition with the U3
> Launchpad pretends to be a CD/DVD-ROM device in order to add USB mass
> storage device autoplay functionality on pre-Windows XP SP2 systems,
> or systems whose USB autoplay has been intentionally disabled."
>
>
>
>

Mumia W. · External Since: Jul 08, 2007 Posts: 5

On 07/18/2007 08:51 AM, MZB wrote:
> <dolorite.DeleteThis@yahoo.com> wrote in message
> news:1184687929.608754.51250@i13g2000prf.googlegroups.com...
>> On Jul 17, 6:27 am, "Mumia W." <paduille.4061.mumia.w
>> +nos...@earthlink.net> wrote:
>>> On 07/16/2007 06:49 PM, Char Jackson wrote:
>>>
>>>> The Windows autorun feature can easily be used to run one or more
>>>> programs when the USB drive is inserted, just as it does for a CD.
>>>> There is no requirement for human intervention beyond simply plugging
>>>> in the drive.
>>> That's unsettling, but thank you.
>> Some USB devices are "smart drives" - according to Wikipedia,"The U3
>> Launchpad is a program manager that is preinstalled on every U3 smart
>> drive, and is set to autoplay on insertion. A partition with the U3
>> Launchpad pretends to be a CD/DVD-ROM device in order to add USB mass
>> storage device autoplay functionality on pre-Windows XP SP2 systems,
>> or systems whose USB autoplay has been intentionally disabled."
>>
>
> Geeeezzzzz.... could somebody answer the poor guy's question??
>
> MB

A cursory search suggests that runauto is a worm written in VB script.

http://search.yahoo.com/search?p=runauto&ei=UTF-8&fr=moz2

x-eyed-bear · External Since: Jul 16, 2007 Posts: 2

Mumia W. wrote:
> On 07/18/2007 08:51 AM, MZB wrote:
>> <dolorite DeleteThis @yahoo.com> wrote in message
>> news:1184687929.608754.51250@i13g2000prf.googlegroups.com...
>>> On Jul 17, 6:27 am, "Mumia W." <paduille.4061.mumia.w
>>> +nos...@earthlink.net> wrote:
>>>> On 07/16/2007 06:49 PM, Char Jackson wrote:
>>>>
>>>>> The Windows autorun feature can easily be used to run one or more
>>>>> programs when the USB drive is inserted, just as it does for a CD.
>>>>> There is no requirement for human intervention beyond simply plugging
>>>>> in the drive.
>>>> That's unsettling, but thank you.
>>> Some USB devices are "smart drives" - according to Wikipedia,"The U3
>>> Launchpad is a program manager that is preinstalled on every U3 smart
>>> drive, and is set to autoplay on insertion. A partition with the U3
>>> Launchpad pretends to be a CD/DVD-ROM device in order to add USB mass
>>> storage device autoplay functionality on pre-Windows XP SP2 systems,
>>> or systems whose USB autoplay has been intentionally disabled."
>>>
>>
>> Geeeezzzzz.... could somebody answer the poor guy's question??
>>
>> MB
>
> A cursory search suggests that runauto is a worm written in VB script.
>
> http://search.yahoo.com/search?p=runauto&ei=UTF-8&fr=moz2
>

OK, Thanks for this pointer (following what was clearly a stimulating
discussion by others). I did do a Google search but did not find any of
the references your search has uncovered. Sadly I searched on the string
'runauto..'

More sadly, NONE of the searches have given me information that is
effective in removing this root directory entry - and I have followed a
lot of the actions that are suggested. Specifically the advice from
Symantec on removal of this VB script malware refer to registry entries
in HKLM\Software\Microsoft\Windows\Current Version\Explorer\Advanced
which do NOT exist on any of my 3 Win2k computers or any of my 2 WinXP
computers. I suspect there may be an error in the advice from Symantec
and this is replicated at the precisesecurity.com web-site.

http://www.precisesecurity.com/computer-virus/vbsra-mar0713.htm

The directory still exists and still cannot be deleted.

Any further advice?

Mumia W. · External Since: Jul 08, 2007 Posts: 5

On 07/20/2007 10:03 AM, x-eyed-bear wrote:
> Mumia W. wrote:
>> [...]
>> http://search.yahoo.com/search?p=runauto&ei=UTF-8&fr=moz2
>>
>
> OK, Thanks for this pointer (following what was clearly a stimulating
> discussion by others). I did do a Google search but did not find any of
> the references your search has uncovered. Sadly I searched on the string
> 'runauto..'
>
> More sadly, NONE of the searches have given me information that is
> effective in removing this root directory entry - and I have followed a
> lot of the actions that are suggested. Specifically the advice from
> Symantec on removal of this VB script malware refer to registry entries
> in HKLM\Software\Microsoft\Windows\Current Version\Explorer\Advanced
> which do NOT exist on any of my 3 Win2k computers or any of my 2 WinXP
> computers. I suspect there may be an error in the advice from Symantec
> and this is replicated at the precisesecurity.com web-site.
>
> http://www.precisesecurity.com/computer-virus/vbsra-mar0713.htm
>
> The directory still exists and still cannot be deleted.
>
> Any further advice?

Try to rename it instead.

I would create a script to remove its hidden attribute, rename it and
create a new, empty folder in its place with the same name.

You might then be able to examine the malware folder. If you can find
malware samples in it, please send them to one of the anti-virus companies.

It sounds like the trojan downloader has been changed since the earlier
reports came out.

RikQLD4163 · Joined: Oct 10, 2007 Posts: 1

We had this from a trojan (CA call it Liphew) installed from an autorun on a USB stick. The AV needed updating but then removed the trojan, but left a hidden folder on C: and D: drives called "autorun..". The Trojan had stopped us opening Registry and command prompts etc, so it took a while to figure it out (for fixing the registry we used Funduc's Registry Toolkit to delete the Trojan installed subkeys, the Merge tool wouldn't work...).
Eventually worked out that Windows explorer was seeing the folder as "autorun.." but a command prompt would not see it until using the short filename format. RD autoru~1 removed it from both drives. Also cleaned up the registry for all of the autorun entries under "MountPoint2" - there shouldn't be any for C and D! HTH.

Charles · Joined: Oct 12, 2007 Posts: 1

Thanks for the info. One way to delete that "runauto.." folder is with a little free prog called "Unlocker": http://ccollomb.free.fr/unlocker/

Use the unlocker program to rename the folder, and then you can simply delete it normally. When I tried deleting with unlocker it didn't work, but renaming it with unlocker first, and then deleting works.

Of course, if your anti-vir prog automatically deletes it, then you don't need unlocker.

readysetgo · Joined: Dec 09, 2007 Posts: 1 Location: Cotonou, Benin

Just want to let the contributors to this thread know that someone else has benefited! Thanks!

~readysetgo

dirko · Joined: Aug 03, 2008 Posts: 1

The unlock program did not work for me BUT here is an alternative solution.

1st delete the contents (if any) of the folder, then the folder itslef with the program off this link.

Good luck

http://groups.google.com/group/alt.comp.anti-virus/msg/56a8a4daf619449c

basen · Joined: Jan 24, 2009 Posts: 1

Actually I don't have a solution for x-eyed-bear, but I have a problem on my computer I need an advice for....

My computer runs slower than it used to.
And my web browser keep redirecting to different pages.

Sometimes the computer shuts down by itself.
I have KIS---I have ran full system scan but it didn't solve it.
I have deleted temporally internet files, but didn't solve it either.
I have tried other antivirus softwares but didn't solve it either...

I'm just wondering if anyone out there is more genius than I!

If it's possible that there's actually someone out there who is more genius than I am... can you give me some advice to fix my comp.?

Thanks!
respec

yeah...and i'm new on this thing...