W32/Autorun.worm.gen.h!7ec2eb2a

W32/Autorun.worm.gen.h!7ec2eb2a is a worm that drops multiple malicious files on a compromised computer. In some instances, W32/Autorun.worm.gen.h!7ec2eb2a is a threat name that appears as a false detection shown by the rogue security program Desktop Security 2010.

 

W32/Autorun.worm.gen.h!7ec2eb2a As A Virus

This virus was discovered by McAfee in October 2009. It often propagates via email messages and instant messaging applications. Additionally, W32/Autorun.worm.gen.h!7ec2eb2a uses Internet Relay Chat (IRC), file-sharing networks and newsgroups as conduits to infect systems.

Alias: Trojan.Win32.Nosok.bk

Damage Level: Low

Systems Affected: Windows 9x, 2000, XP

How to Remove W32/Autorun.worm.gen.h!7ec2eb2a:

MANUAL REMOVAL OF W32/Autorun.worm.gen.h!7ec2eb2a:
1. Update the installed anti-virus application so that it has the latest definition file.
2. Reboot Windows in Safe Mode.
- After turning on the power, press F8 on the keyboard.
- Select Safe Mode from the menu.

3. Thoroughly scan the system and clean/delete all infected file(s). Please see below.
4. Delete/modify any values added to the registry, if present. Refer to the Associated Windows Registry Entries below.
- Click Start, then use Search or Run to open regedit.exe and start Registry Editor.

5. Exit registry editor and restart Windows.

Scan with McAfee Stinger Portable Antivirus:
Most of the time, a Trojan associated with a rogue program will disable Windows functionality and prevent the compromised computer from executing any application, including a locally installed antivirus program. If this happens, you can try using a McAfee portable antivirus tool called Stinger. You can download it for free.

Technical Details and Additional Information:

Malicious Files Added by W32/Autorun.worm.gen.h!7ec2eb2a:
%WinDir%\system32\drivers\services.exe
%USERPROFILE%\Start Menu\Programs\Startup\userinit.exe
%USERPROFILE%\svchost.exe

File Location for Windows Versions:

  • %UserProfile% is C:\Users\<Current User> on Windows Vista/7; on Windows XP/2000 it is C:\Documents and Settings\<Current User>.
  • %Windir% refers to the installation folder of the operating system.

Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[system]: “%WinDir%\system32\drivers\services.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon: “%USERPROFILE%\svchost.exe”
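
Added example (not part of the original write-up or of any vendor tool): a read-only PowerShell check for the files and Run values listed above. It goes one step beyond the list by also reporting any Run value that starts services.exe, svchost.exe or userinit.exe from a folder other than %WinDir%\system32, on the assumption that the genuine Windows copies of those programs live there.

```powershell
# Added example, not from the original page. Read-only: nothing is deleted.
$sys32 = Join-Path $env:WinDir 'system32'
$findings = @()

# File locations copied from the "Malicious Files Added" list.
$listedFiles = @(
    (Join-Path $sys32 'drivers\services.exe'),
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup\userinit.exe'),
    (Join-Path $env:USERPROFILE 'svchost.exe')
)
foreach ($file in $listedFiles) {
    if (Test-Path -LiteralPath $file) { $findings += "File present: $file" }
}

# Value names copied from the "Associated Windows Registry Entries" list.
$listedValues = '[system]', 'winlogon'
# Assumption: the genuine programs with these names live in system32.
$systemNames = 'services.exe', 'svchost.exe', 'userinit.exe'

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))
        if ($listedValues -contains $name) {
            $findings += "Run value named on this page: $name = $data"
        }
        # Take the program path: a quoted string, or text up to the first ".exe".
        if ($data -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($data -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
        else { continue }
        $leaf = Split-Path -Leaf $exe
        $dir  = Split-Path -Parent $exe
        # String comparison in PowerShell ignores case by default.
        if (($systemNames -contains $leaf) -and ($dir -ne $sys32)) {
            $findings += "Run value '$name' starts $leaf outside system32: $exe"
        }
    }
}

if ($findings.Count -eq 0) { 'No listed indicators found.' }
else { $findings }
```

Each reported line is something to review before deleting; a Run value written with a short (8.3) path will be reported even when it points into system32.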

W32/Autorun.worm.gen.h!7ec2eb2a As Fake Pop Up

This misleading pop-up is displayed when a Trojan that aims to promote a counterfeit anti-virus application is present. The alert disguises itself as part of Windows security. It instantly reports security risks and repeatedly prompts the user to remove them using the paid version of Desktop Security 2010. The fake message contains this text:

Warning! System Under Attack
Threat detected: Worm
Threat name: W32/Autorun.worm.gen.h!7ec2eb2a
File at risk of infection: C:\DOCUME~1\ADMINI~1\Temp\
Description: W32/Autorun.worm.gen.h!7ec2eb2a is Trojan, or Trojan horse, is a seemingly, legitimate program which secretly performs other, usually malicious function. It is usually user-initiated and does not replicate.

Damage Level: Low

Systems Affected: Windows

[Screenshot: W32/Autorun.worm.gen.h!7ec2eb2a Detection]

How to remove W32/Autorun.worm.gen.h!7ec2eb2a

1. Click here to download the removal tool. Save it on your Desktop.
2. After downloading, double-click on the file to install the application.
3. Follow the prompts and install as “default” only.
4. If it prompts to update the database after installation, please proceed.

5. Click “Finish.” The program will run automatically and you will be prompted to update the program before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click “Show Results.”
8. Make sure that all detected threats are marked, then click Remove Selected.
9. Restart the computer.

Note: The associated Trojan may prevent mbam-setup.exe from downloading and running. You can download this program on a different computer and rename it before running it on the infected system.
