Remove VBS.Runauto.H
Posted on: February 1st, 2010
| Discovered: | January 19, 2010 |
| Updated: | January 19, 2010 2:32:59 PM |
| Type: | Worm |
| Systems Affected: | Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000 |
| Recommended Action: | |
 In order to Remove VBS.Runauto.H you need to Download the ‘No Adware’ remover software. Based on our testing this was the best peforming remover of VBS.Runauto.H. Read our full No Adware Review |
|
| Technical Details: |
| When the worm is executed, it creates the following file:
%System%\n.vbe The worm creates the following registry entry, so that it starts when Windows starts: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\”dpzProtect” = “%System%\n.vbe” It them modifies the following registry entry, so that it starts when Windows starts: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\”Userinit” = “%System%\userinit.exe,%System%\wscript. exe %System%\n.vbe” The worm also modifies the following registry entries: * HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\” Window Title” = “Protected by DespoterZ” * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Policies\Explorer\”NoSMHelp” = “0″ * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Policies\Explorer\”NoStartMenuMFUprogramsList” = “0″ * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Policies\Explorer\”NoSMMyDocs” = “0″ * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Policies\Explorer\”NoRecentDocsMenu” = “0″ * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Policies\Explorer\”NoSMMyPictures” = “0″ * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Policies\Explorer\”NoStartMenuMyMusic” = “0″ * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Policies\Explorer\”NoFolderOptions” = “0″ * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Policies\System\”DisableTaskMgr” = “0″ * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Policies\System\”DisableRegistryTools” = “0″ * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\”RegisteredOwner” = “Microsoft” * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\”RegisteredOrganization” = “.” * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\”LegalNoticeCaption” = “” * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\”LegalNoticeText” = “” * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Explorer\Advanced\Folder\Hidden\SHOWALL\”CheckedValue” = “0″ * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Explorer\Advanced\Folder\SuperHidden\”UncheckedValue” = “0″ * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\”Shell” = “explorer.exe” The worm deletes the following files: * %System%\VirusRemoval.vbs * %System%\neo.vbe * %System%\amvo.exe * %System%\avpo.exe * %System%\winlogons.exe * %System%\ssvichosst.exe * %System%\tmp.exe * %System%\scvhost.exe * %System%\explorer.exe * %System%\service.exe * %System%\soundmix.exe * %System%\regsvr.exe * %DriveLetter%\ravmon.exe * %DriveLetter%\sxs.exe * %DriveLetter%\winfile.exe * %DriveLetter%\run.wsh The worm then deletes all files with file names that start with “autorun” in the root folder of all removable drives, all .inf and .scr files in the root folder of all fixed drives, and all .vbe files in the root and %Windir% folder of all drives except drive A. It then copies the following files to all available removable drives except A: * %DriveLetter%\n.vbe * %DriveLetter%\autorun.inf |
| Action Steps: |
| FREE SCAN: NoAdware can Remove VBS.Runauto.H. Click the link below for your free download & scan your PC now.
Please click here for manual removal instructions. |
