What is runauto.. folder in root directory


After a recent virus infection (self-inflicted wound caused by allowing
somebody to attach a portable USB hard disk to my computer), I notice a
new folder in the root directory of all my hard disks on my Win2K-based
computer.

The folder name is 'runauto..' and it appears to be hidden, based on the
appearance of the icon. But when I view the properties it shows the
folder as being not-read-only and not-hidden.

Checking the folder with the most up-to-date Norton virus signatures
finds a 'Backdoor.Trojan' and removes an associated pif from the folder.
But all attempts to browse or remove the folder result in the error
'Error deleting file or folder. Cannot delete file: cannot read from the
source file or disk'.

What is the folder for and how do I remove it?

Re: What is runauto.. folder in root directory

On 07/16/2007 12:12 PM, x-eyed-bear wrote:

I have a question. How is it possible for a USB hard disk that is simply
*connected* to infect the main hard disk?

Did someone execute a program on the USB disk?


Re: What is runauto.. folder in root directory

Mumia W. wrote:
[snip]

never heard of autorun.inf? works for cd's, dvd's, usb drives, etc...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: What is runauto.. folder in root directory

On Mon, 16 Jul 2007 20:08:57 GMT, "Mumia W."


The Windows autorun feature can easily be used to run one or more
programs when the USB drive is inserted, just as it does for a CD.
There is no requirement for human intervention beyond simply plugging
in the drive.
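
As an added illustration of the autorun mechanism described above (not part of the original thread): a small Python check that lists the entries in an `autorun.inf` that name a program to start. The sample file content and the function name are constructed for this example.

```python
# Added example: list the autorun.inf entries that name a program to start.
# The sample file content below is constructed for illustration.

# [autorun] keys whose value is a command line.
LAUNCH_KEYS = ("open", "shellexecute")

SAMPLE_AUTORUN = r"""
; constructed sample, not taken from a real drive
[AutoRun]
open=example.pif /q
icon=folder.ico
shell\open\command=example.pif
label=Photos
"""


def find_launch_entries(text):
    """Return (key, command) pairs from the [autorun] section."""
    entries = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section names are matched case-insensitively.
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # outside [autorun], or not a key=value line
        key, _, value = line.partition("=")
        key = key.strip().lower()
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb:
            entries.append((key, value.strip()))
    return entries


if __name__ == "__main__":
    for key, command in find_launch_entries(SAMPLE_AUTORUN):
        print(f"{key} -> {command}")
```
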


Re: What is runauto.. folder in root directory



<snip>


With Windows XP Pro SP2 you get a dialog asking what to do.

Re: What is runauto.. folder in root directory

On Tue, 17 Jul 2007 10:05:56 +0200, hlexa@hotmail.com (Axel
Hammerschmidt) wrote:


And one of the options is 'do this, and don't ask me again', so no
dialog in that case.


Re: What is runauto.. folder in root directory



One to avoid.

Re: What is runauto.. folder in root directory

On 07/16/2007 06:49 PM, Char Jackson wrote:

That's unsettling, but thank you.





Re: What is runauto.. folder in root directory

On Jul 17, 6:27 am, "Mumia W." <paduille.4061.mumia.w
+nos...@earthlink.net> wrote:

Some USB devices are "smart drives" - according to Wikipedia, "The U3
Launchpad is a program manager that is preinstalled on every U3 smart
drive, and is set to autoplay on insertion. A partition with the U3
Launchpad pretends to be a CD/DVD-ROM device in order to add USB mass
storage device autoplay functionality on pre-Windows XP SP2 systems,
or systems whose USB autoplay has been intentionally disabled."





Re: What is runauto.. folder in root directory

Geeeezzzzz.... could somebody answer the poor guy's question??

MB



Re: What is runauto.. folder in root directory

On 07/18/2007 08:51 AM, MZB wrote:

A cursory search suggests that runauto is a worm written in VB script.

http://search.yahoo.com/search?p=runauto&ei=UTF-8&fr=moz2


Re: What is runauto.. folder in root directory

Mumia W. wrote:

OK, Thanks for this pointer (following what was clearly a stimulating
discussion by others). I did do a Google search but did not find any of
the references your search has uncovered. Sadly I searched on the string
'runauto..'

More sadly, NONE of the searches have given me information that is
effective in removing this root directory entry - and I have followed a
lot of the actions that are suggested. Specifically the advice from
Symantec on removal of this VB script malware refers to registry entries
in HKLM\Software\Microsoft\Windows\Current Version\Explorer\Advanced
which do NOT exist on any of my 3 Win2k computers or any of my 2 WinXP
computers. I suspect there may be an error in the advice from Symantec
and this is replicated at the precisesecurity.com web-site.

http://www.precisesecurity.com/computer-virus/vbsra-mar0713.htm

The directory still exists and still cannot be deleted.

Any further advice?

Re: What is runauto.. folder in root directory

On 07/20/2007 10:03 AM, x-eyed-bear wrote:

Try to rename it instead.

I would create a script to remove its hidden attribute, rename it and
create a new, empty folder in its place with the same name.

You might then be able to examine the malware folder. If you can find
malware samples in it, please send them to one of the anti-virus companies.

It sounds like the trojan downloader has been changed since the earlier
reports came out.
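
An added example, not part of the original thread, for the scripted approach suggested above. It assumes the folder name really ends in dots on disk: Win32 path normalization strips trailing dots and spaces, so such a name has to be addressed through the `\\?\` extended-length prefix. The check also covers reserved device names, which goes beyond the case in the thread; all function names are made up for this example.

```python
# Added example: find names that ordinary Win32 path handling alters or
# rejects, and build the extended-length path a cleanup script needs.
import ntpath

EXTENDED_PREFIX = "\\\\?\\"  # the four characters \\?\

# Device names that Win32 reserves, with or without an extension.
RESERVED = {"con", "prn", "aux", "nul"}
RESERVED |= {f"{dev}{n}" for dev in ("com", "lpt") for n in range(1, 10)}


def is_shell_hostile(name):
    """True if normal path handling would not address this name as written."""
    if name in (".", ".."):
        return False
    if name != name.rstrip(". "):
        return True  # trailing dots/spaces are stripped during normalization
    return name.split(".")[0].lower() in RESERVED


def extended_path(path):
    """Prefix a drive-absolute path so it is passed through unnormalized."""
    if path.startswith(EXTENDED_PREFIX):
        return path
    drive, rest = ntpath.splitdrive(path)
    if len(drive) != 2 or not rest.startswith("\\"):
        raise ValueError(f"need a drive-absolute path, got {path!r}")
    return EXTENDED_PREFIX + path


def audit_listing(root, names):
    """Map each problem name found under root to its extended-length path."""
    return {
        name: extended_path(ntpath.join(root, name))
        for name in names
        if is_shell_hostile(name)
    }


if __name__ == "__main__":
    # Constructed directory listing for a drive root.
    listing = ["runauto..", "Documents", "nul.txt", "autorun.inf"]
    for name, path in audit_listing("C:\\", listing).items():
        print(f"{name!r}: use {path}")
```

On the affected machine the returned path is the form a rename or delete call should be given, for example `rd /s /q "\\?\C:\runauto.."` from a command prompt.
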


Re: What is runauto.. folder in root directory

tobiasaf had written this in response to
http://secure-gear.com/alt.comp.anti-virus/6/What-is-runauto-folder-in-root-directory-article23464-.htm
 :
Hi, I was having this same issue where my USB key got infected after a
trip to China and figured out how to delete the folder, so I just wanted
to share.  There's this program Delete FXP Files, they have a free edition
you can download here:

http://www.jrtwine.com/Products/DelFXPFiles/DeleteFXPFilesInstall.zip

If you install and run that program, you can go into the runauto.. folder,
delete the contents, and then delete the folder itself (the free version
doesn't allow you to delete it all at once).  Good luck!



Re: What is runauto.. folder in root directory

tobiasaf_at_hotmail_dot_com@foo.com (tobiasaf) wrote:


Thanks for that link and the tip, but the archive won't open. The
following link is recommended in that case...

http://www.jrtwine.com/Products/DelFXPFiles/DeleteFXPFilesInstall.exe

Larry
