Published Mar 31, 2011 | Updated Sep 15, 2017


Detected by Microsoft Defender Antivirus

Aliases: Worm/AutoIt.xl.157 (Avira) Win32.HLLW.Autoruner.based (Dr.Web) Worm.Win32.Autoit.xl (Kaspersky) W32/Autorun.worm.zf.gen (McAfee) W32.Harakit (Symantec)


Worm:Win32/Renocide.gen!H is the detection for a worm that spreads via removable drives and mapped network shares. It attempts to download additional files from a remote server.

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:
For more information on antivirus software, see
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
  1. Ensure that an antivirus product is installed on ALL computers connected to the network that can access or host shares.
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see:
  4. Remove any unnecessary network shares or mapped drives.
Note: Additionally it may be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.
Additional remediation instructions for Win32/Renocide
This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. Registry data may require manual correction after the malware is removed.
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, refer to the following articles:
  • 256986 Description of the Microsoft Windows Registry
  • 322756 How to back up and restore the registry in Windows
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To remove/modify the changes that Win32/Renocide has made to your computer, follow these steps:
  1. Click Start and then click Run.
  2. In the Open box, type regedit and then click OK.
  3. Locate and then click on the following registry key:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  4. On the right panel, right-click on the following registry entry:
  5. Select Modify and then click OK.
  6. In the "Value data:" entry box, edit the data such that it only contains the following:
  7. Close Registry Editor.
Follow us