setup.exe appears in root folder


#16
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
I am wondering why you feel that these files are malware and not legitimate?

#17
johnnyt

    Member

  • Topic Starter
  • Member
  • 27 posts
Well... the strange thing is that when I used to scan them with AVG anti virus the setup.exe file would show up as a Trojan Horse Proxy 28.AI or AO.. However, when I just tried to scan one of the setup.exe files that just appeared this time AVG is showing it as not a virus..???

However, I'm assuming it's malware or a virus because A) it just appears in all the root folders of the drives with an autorun.inf file that is pointing at it, B) it is 38Kb in size so it's obviously designed to do something, and C) AVG used to point it out as a virus.

I'm going to run an online scan tonight like Trend or Panda as I know that certain virii can disable certain anti virus programs... I'm wondering if these are somehow blanking themselves to AVG??

My main worry is how they keep reappearing despite me deleting them and my HJT log apparently being clean.. there must be something on my system that is either creating them or allowing someone to remotely create them when I connect to the internet??

:whistling:

#18
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
OK, thanks for your logic. You could be right but let's check. I don't have any favours owing to me right now to get someone to reverse-engineer the files.

Can I suggest that we give these to Jotti to have a look at?

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\setup.exe
C:\autorun.inf

(I am assuming their paths)

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

#19
johnnyt

    Member

  • Topic Starter
  • Member
  • 27 posts
Here are the results from the scan...


AntiVir               Found Heuristic/Malware (probable variant)
ArcaVir               Found nothing
Avast                 Found nothing
AVG Antivirus         Found nothing
BitDefender           Found DeepScan:Generic.Horst.03C37E7B
ClamAV                Found nothing
Dr.Web                Found nothing
F-Prot Antivirus      Found W32/Methodbod.gen2
F-Secure Anti-Virus   Found Trojan-Proxy.Win32.Horst.pp
Fortinet              Found nothing
Kaspersky Anti-Virus  Found Trojan-Proxy.Win32.Horst.pp
NOD32                 Found probably a variant of Win32/Medbot.DC (probable variant)
Norman Virus Control  Found Sandbox: W32/Malware
                      [ General information ]
                      * Decompressing UPX.
                      * File length: 38400 bytes.
                      [ Process/window information ]
                      * Modifies other process memory.
                      * Modifies execution flow of a remote process.
VirusBuster           Found nothing
VBA32                 Found MalwareScope.Trojan-Proxy.Horst.1


Scanner               Malware name
AntiVir               Trojan/Crypt.NSPM.Gen
ArcaVir               Trojan.Psw.Nilage.Aui
Avast                 X
AVG Antivirus         X
BitDefender           X
ClamAV                X
Dr.Web                Win32.HLLW.Gavir.54
F-Prot Antivirus      Possibly a new variant of W32/PWStealer.gen1
F-Secure Anti-Virus   Trojan-PSW.Win32.Nilage.aui
Fortinet              W32/Nilage.AUI!tr.pws
Kaspersky Anti-Virus  Trojan-PSW.Win32.Nilage.aui
NOD32                 X
Norman Virus Control  W32/Lineage.AONT
VirusBuster           X
VBA32                 Win32.HLLW.Gavir.54

I'm going to download a trial of Norman Virus Control and see if that can shift it... whaddya reckon?

:whistling:

#20
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

I see the report but it is unclear which is which.

Can you provide a path for all instances please and we can just delete the lot?

WE can go to the lengths of a MWAV scan, takes about 3 hours, if you wish, but I'd rather try the deletion method first of all. I will be using a very powerful tool.

#21
johnnyt

    Member

  • Topic Starter
  • Member
  • 27 posts

I see the report but it is unclear which is which.

Can you provide a path for all instances please and we can just delete the lot?


I'm sorry I don't understand the bit about "delete the lot".

The report (I'm sorry that it is unclear; I've posted a hopefully clearer version below) details what each antivirus program had to say about the setup.exe file. It shows that some AV progs don't think it's a virus at all and others show it as being various types of virus. Here's the list again and I've tried to format it better... hope it works!...

Scanner               Malware name
AntiVir               Trojan/Crypt.NSPM.Gen
ArcaVir               Trojan.Psw.Nilage.Aui
Avast                 X
AVG Antivirus         X
BitDefender           X
ClamAV                X
Dr.Web                Win32.HLLW.Gavir.54
F-Prot Antivirus      Possibly a new variant of W32/PWStealer.gen1
F-Secure Anti-Virus   Trojan-PSW.Win32.Nilage.aui
Fortinet              W32/Nilage.AUI!tr.pws
Kaspersky Anti-Virus  Trojan-PSW.Win32.Nilage.aui
NOD32                 X
Norman Virus Control  W32/Lineage.AONT
VirusBuster           X
VBA32                 Win32.HLLW.Gavir.54

Hope that's a little clearer... I'm not sure how to preserve formatting when posting on these forums...

By the way, I ran the online scan of F-Secure AV last night and it didn't find anything. It even quoted in the list of files skipped "D/Setup.exe"!!!!!! Not sure why it would skip it??

It also skipped a file called PageFile.sys... this got me wondering whether this file could be infected...?

Many thanks for your continued efforts

#22
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

You would think at my age I should have a good command of the English language, but I didn't make my earlier comments very clear, I apologise.

I read the two reports but I didn't know which report went with which file.

I was under the impression that these two files are on the root of all HDD or partitions, is that not the case?

The PageFile.sys is a legitimate file and should be about 1.5 times the size of your RAM.

Setup.exe is a file name used by many software writers, so identifying it correctly is paramount, hence the request for the path of all instances of it.

I must admit that this is quite strange when combined with the result of the scan (F-Secure Anti-Virus: Trojan-PSW.Win32.Nilage.aui), where it skipped that file and made reference to it.

I think the way forward here is either to do the MWAV scan and accept its conclusion, or remove the files.

I await your decision.

#23
johnnyt

    Member

  • Topic Starter
  • Member
  • 27 posts
I think we got our wires crossed then in the last post.. the two sets of results I posted were both referring to the setup.exe file that keeps appearing in the root folder of all my partitions. I don't know why there were two sets of results but that's what appeared so I just posted them both as I wasn't sure which set you'd want to look at.

Now....

At the time of this going to press the setup.exe files haven't returned yet.... I've been online for an hour and a half and at the moment all is well. However I'm intrigued by this MWAV scan... what's involved? It sounds quite ominous the way you have written ".. do a MWAV scan and accept its conclusion..." does this mean it could conclude that there's nothing for my computer apart from dragging it down the vets and putting it down??? :whistling:

I would be happy to do the MWAV scan if these files reappear again sometime today... I'm using the computer for work all day today but later on this evening I'll shut down and reboot a few times to see if the files come back. Could you let me know the procedure for doing a MWAV scan in case I need to do one.

Many thanks

:blink:

#24
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Allow me to introduce you to Microworld Antivirus or MWAV as it is known. It is commonly accepted as being the most intensive of all scanners (3 hours plus is not unheard of). The reports are the size of a football pitch, so it is best to only keep the bit/s we want to see. What I mean by accepting its conclusion is that, if MWAV says clean, you should accept it.

The slight misunderstanding arose because I was expecting to see two reports from Jotti on the two files mentioned. There was nothing to tell me that the two reports were for the same file, or even which file.

This begs the question, what is the other file; legitimate or malware? Did you let Jotti scan C:\autorun.inf ?

#25
johnnyt

    Member

  • Topic Starter
  • Member
  • 27 posts
The "autorun.inf" file is simply pointing at the setup.exe file in an attempt to run it when you open that partition. The same way as the autorun.inf file runs the contents of a CD when you put it into your computer. I've scanned the autorun.inf file and it isn't a nasty... the nasty stuff is held within setup.exe.

By the way... since that last post the files are back... setup.exe and autorun.inf, so let's go with this Microworld AV scan and see what happens....

Thanks :whistling:
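A defender-side check for the pattern described above (an autorun.inf at each partition root that launches the setup.exe beside it), added here as an example and not anything posted in the thread or part of Jotti, MWAV or The Avenger: it parses the [autorun] section, works out what Windows would run, and reports that file's size and SHA-256 so it can be submitted to a multi-engine scanner. The sample autorun.inf, the 38400-byte dummy setup.exe and every function name are my own constructions.

```python
import hashlib
import os
import tempfile

# Keys in an [autorun] section that name something Windows will execute.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Constructed sample of the kind of autorun.inf the thread describes: a file
# at the root of a partition whose only job is to launch the setup.exe beside it.
SAMPLE_AUTORUN = '[AutoRun]\r\nopen=setup.exe\r\nshellexecute="setup.exe" /s\r\n'

def launch_targets(autorun_text):
    """Unique program names that the [autorun] section asks Windows to run."""
    found, in_autorun = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # junk lines are common in hostile files; ignore them
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() not in LAUNCH_KEYS or not value:
            continue
        # Drop surrounding quotes and any arguments; keep only the program name.
        prog = value[1:value.index('"', 1)] if value[0] == '"' and '"' in value[1:] else value.split()[0]
        if prog and prog.lower() not in (f.lower() for f in found):
            found.append(prog)
    return found

def describe_file(path):
    """Size and SHA-256 (what a multi-engine scanner keys on), or None if absent."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def inspect_root(root):
    """Parse <root>/autorun.inf and describe each program it points at; None if there is none."""
    try:
        with open(os.path.join(root, "autorun.inf"), errors="replace") as fh:
            targets = launch_targets(fh.read())
    except OSError:
        return None
    return {"root": root, "targets": {t: describe_file(os.path.join(root, t)) for t in targets}}

def demo_root():
    """Constructed partition root: the sample autorun.inf plus a 38400-byte dummy setup.exe."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "setup.exe"), "wb") as fh:
        fh.write(b"\0" * 38400)  # the length Norman reported; contents are dummy
    return root
```

On the real machine, call inspect_root() on each drive root (C:\, D:\, and so on); a target that comes back as None means the autorun.inf points at a file that is not there at the moment, which matches the come-and-go behaviour described in the thread.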


#26
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Please download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
Please run MWav by double-clicking on mwav.exe.
Put a check next to the following items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

NOTE: Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.

#27
johnnyt

    Member

  • Topic Starter
  • Member
  • 27 posts
Right.. I started running that MWAV (it would only run in Safe mode for some reason??) Anyways.. it said that it wouldn't fix anything unless I bought it.

I still let it run for 3 hours or so but then I needed to get on the computer so had to stop it.

Here's a list of what it found in those 3 hours. If you need me to let it run more then just say, I thought you might have enough info with this list....

Here you go....

Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "casinoonnet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "yoursitebar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "downloadware Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.loadadv.400 Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.loadadv.400 Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula toptext Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula toptext Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "flashenhancer adware Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object ""C:\Program Files\Java\jre1.5.0_02\bin\javaws.exe"". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Shared Tools\DAO" refers to invalid object "C:\Program Files\Common Files\Microsoft Shared\DAO". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".DELETE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "WGA". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{032B93E8-D9A1-48D2-AA51-D057ABBA9E52}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{0496D9E8-224B-4AFA-8F37-23B98D52F1EB}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{106E7A1C-22DA-42D7-8E74-37772A9C89FB}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{2959B9F6-2D49-4E0D-96F4-D684106FE48D}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{6A6A5A40-FB6D-402C-8516-CC61E6DFE524}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{8110D4AF-439E-4F17-8C9C-E54B3F4006F7}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{9C5A5A6D-4B86-4315-8ED0-BACB86686F0A}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{A36A310A-D72B-44D2-BBDB-91315850AB1D}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AA0370C1-BEB2-4C8E-ADFD-B7AFE85F0FBE}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{B945219C-C51C-4BD0-BAD5-A3FED95B555F}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{C602034B-0E04-4A4C-994B-9BE7AEFF5931}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{CEB1A88D-195D-4350-A550-C6807B1BBB17}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{DA256408-A2E7-41A5-8AD6-62ACB86A0FD7}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{E91D32E5-904E-44E3-90CD-2983B5246BEE}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{F5001920-E94E-4287-80C6-158FBC1D7035}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{F891AAF3-DE9F-4445-85CF-6E41261A7F5A}". Action Taken: No Action Taken.

#28
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Well that was a waste of time and effort.

Kaspersky is my next preferred.

You have to use MSIE for it.

Please visit Kaspersky using Microsoft Internet Explorer, for an online scan. Please select extended in the scan settings option; you will find it to be the second option from the top. Please post the Kaspersky log in your reply

#29
johnnyt

    Member

  • Topic Starter
  • Member
  • 27 posts
Phil,

I did the extended scan (8 and a half hours...) and it identified a few virii. On each of them though the last action was "skipped".

It said that the "setup.exe" files were "Object Locked" and therefore "Skipped".


I can't post the log because the formatting goes funny but I've attached it as a RTF file for your perusal...

Many thanks


#30
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Cathy

Most of what Kaspersky advises requires no attention and many are files in use and therefore locked, but none of them looked wrong, they were all mostly familiar to me. The 3 setup.exe files can be deleted and for good measure, I have added F drive also as I notice you have one. This tool is very powerful.

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy ALL THE TEXT contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\setup.exe
D:\setup.exe
E:\setup.exe
F:\setup.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, start The Avenger programme by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • Upon reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy & paste the content of c:\avenger.txt into your reply along with a fresh HJT log from normal mode, by using Add Reply