Thursday, July 5, 2007

Unable to Open Hard or USB Flash Drive with Windows Script Host Cannot Find Script File autorun.vbs Error

In some situation especially when anti-virus program has cleaned, healed, disinfected or removed a worm, trojan horse or virus from computer, there may be error happening whenever users try to open or access the drive by double clicking on the disk drive icon in Explorer or My Computer window to try to enter the drive’s folder. The problem or symptom happens in hard disk drive, portable hard disk drive or USB Flash Drive, and Windows will prompt a dialog box with the following message:
Windows Script Host
Can not find script file autorun.vbs.
Sometimes you will be asked to debug the VBScript with error code of 800A041F - Unexpected ‘Next’.
or
Choose the program you want to use to open this file with:
In this case, the “Always use the selected program to open this kind of file” option is grayed out.
The symptom occurs because when autorun.vbs is created by trojan horse or virus. The virus normally loads autorun.inf file to root folder of all hard drive or USB drive, and then execute autorun.bat file which contains script to apply and merge autorun.reg into the registry, with possible change to the following registry key to ensure that virus is loaded when system starts:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

Userinit=userinit.exe,autorun.exe
Finally, autorun.bat will call wscript.exe to run autorun.vbs.
When antivirus or security software detected the autorun.vbs file as infected, the file will be deleted or removed or quarantined. However, other files (autorun.*) and registry value still referring to autorun.vbs, and this document no longer exists, hence the error when users double click to open a drive folder.
To correct and solve this error, follow this steps:
Run Task Manager (Ctrl-Alt-Del or right click on Taskbar)
Stop wscript.exe process if available by highlighting the process name and clicking End Process.
Then terminate explorer.exe process.
In Task Manager, click on File ->
New Task (Run…).
Type “cmd” (without quotes) into the Open text box and click OK.
Type the following command one by one followed by hitting Enter key:

del c:\autorun.* /f /s /q /a
del d:\autorun.* /f /s /q /a
del e:\autorun.* /f /s /q /a
c, d, e each represents drive letters on Windows system. If there are more drives or partitions available, continue to command by altering to other drive letter. Note that you must also clean the autorun files from USB flash drive or portable hard disk as the external drive may also be infected.
In Task Manager, click on File -> New Task (Run…).
Type “regedit” (without quotes) into the Open text box and click OK.
Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Check if the value name and value data for the key is correct (the value data of userint.exe include the path which may be different than C drive, which is also valid, note also the comma which is also needed):

“Userinit”=”C:\WINDOWS\system32\userinit.exe,”
If the value is incorrent, modify it to the valid value data.

1 comment:

Anonymous said...

Well said.