I guess you are running XP Home, not XP Pro
Yes, WinXP Home.
--------------------------------------
When the Tomtom setup.exe appears, is it still accompanied by autorun.inf?
Yes, but it may be that they aren't created at the same time, whereas the malware setup.exe is created exactly at the same time as the autorun.inf. Next time, I'll try to check if the Tomtom setup.exe is created at the same time as the autorun.inf.
--------------------------------------
Please enter this:
"C:\\setup.exe"
I didn't know whether to include the "" or not, so I've done two searches: one with C:\\setup.exe and the other with "C:\\setup.exe".
Search for C:\\setup.exe
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "C:\\setup.exe" 22/09/2006 22:06:54
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\S-1-5-21-507921405-362288127-682003330-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c59af793-37eb-11d9-b5b6-806d6172696f}\Shell\AutoRun\command]
@="C:\\setup.exe"
[HKEY_USERS\S-1-5-21-507921405-362288127-682003330-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c59af793-37eb-11d9-b5b6-806d6172696f}\_Autorun\DefaultIcon]
@="C:\\setup.exe,0"
--------------------------------------
Search for "C:\\setup.exe"
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string ""C:\\setup.exe"" 22/09/2006 22:14:25
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\S-1-5-21-507921405-362288127-682003330-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c59af793-37eb-11d9-b5b6-806d6172696f}\Shell\AutoRun\command]
@="C:\\setup.exe"
--------------------------------------
Scan Report for choice.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 2e5832d56dcc6dc7ecb1cbe9ea350b9b
Packers detected: UPX
Results: ALL AntiViruses FOUND NOTHING
Note: In Post #19 Vikes told me to install IE-SPYAD, and in the README.txt of the progie it is mentioned (quoted below) that it uses choice.exe and, if it doesn't find it, ie-spyad will create it.
~~~~~~~~~~~~~~~~~~~~~
CHOICE.COM/CHOICE.EXE
~~~~~~~~~~~~~~~~~~~~~
The new IE-SPYAD Installer/Uninstaller, INSTALL.BAT, makes use of CHOICE.COM, a DOS utility which shipped with every version of MS DOS 6.0 and above as well as all versions of Win9x, including Windows 95, Windows 98, and Windows Me. Windows NT 4.0, Windows 2000, and Windows XP do not, however, include a copy of this file. Moreover, CHOICE.COM apparently has compatibility issues with the Windows XP command shell interpreter.
This distribution includes a copy of both CHOICE.COM (from Windows 95 B - OSR2) and CHOICE.EXE (from the Windows 2000 Professional Resource Kit), which has equivalent functionality to CHOICE.COM.
If INSTALL.BAT detects that you're running Windows NT/2000/XP, it will automatically install CHOICE.EXE to your Windows directory (usually \WINNT). (If you're running Windows 95/98/Me and CHOICE.COM seems to be missing, INSTALL.BAT will instead install CHOICE.COM to \WINDOWS.)
If you're running Windows XP and INSTALL.BAT gives you errors every time you reach one of the menus, the problem is likely that a straight DOS version of CHOICE.COM is somewhere on your path. Even when CHOICE.EXE is installed in the Windows directory (\WINNT), if INSTALL.BAT finds CHOICE.COM, it will use CHOICE.COM instead of CHOICE.EXE. We want INSTALL.BAT to use CHOICE.EXE, which is compatible with Windows XP.
Check your Windows directory (usually \WINNT) as well as your System directory (\WINNT\SYSTEM32). If you find CHOICE.COM (as opposed to CHOICE.EXE), remove it. Also, if you downloaded an earlier version of this utility that included only CHOICE.COM, make sure that CHOICE.COM is not located in the top level installation directory (a copy is included in the \CHOICE sub-directory, but that's OK). In other words, make sure that there is no chance that CHOICE.COM will be used. On Windows XP, you should be using CHOICE.EXE instead.
Note: if you're running Windows 2003 Server, then INSTALL.BAT will not work with the version of CHOICE that is installed on your PC. See the "Windows 2003" section above in "Installation and Uninstallation" for tips on using IE-SPYAD with Windows 2003.
--------------------------------------
Scan Report for deposit.dll
Status: OK
MD5: 0046df045e2ff8e3a513b24ce762d72d
Packers detected: -
Results: ALL AntiViruses FOUND NOTHING