Possible virus problems.


totomk

Hi all,

I have a huge problem and this is the only place that seems like a possible solution. I have some kind of trojan that creates Setup.exe and autorun.inf files in my local HDD roots. At the beginning it only changes the icons of my HDD, but eventually it prevents me from booting Windows. I have already re-installed Windows 5 times, but it keeps happening. I tried all your suggested steps, but nothing helps. I made the HijackThis log.

Thanks in advance
 

Attachment: hijackthis.log (3 KB)
Hello and welcome to Techspot.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add/remove programmes in your control panel and uninstall anything to do with the following (if there).

CommTraffic

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

CommTraffic Service

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for the following (if there).

CTserv.exe
CommTraffic.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

O4 - HKCU\..\Run: [CommTraffic Console] "C:\Program Files\CommTraffic\CommTraffic.exe"

O4 - Startup: On.Net.lnk = ?

O17 - HKLM\System\CCS\Services\Tcpip\..\{C4E13917-7DA0-486D-9C56-B588ED579166}: NameServer = 217.16.69.3,217.16.86.1

O17 - HKLM\System\CCS\Services\Tcpip\..\{D0E3532F-69A0-43F7-848C-E11592F2C058}: NameServer = 85.30.126.1 217.16.69.3

Only fix the above O17 entries if they don't belong to your ISP.

O23 - Service: CommTraffic Service (CTsvc) - Unknown owner - C:\PROGRA~1\COMMTR~1\CTserv.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\Program Files\CommTraffic

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :wave: :wave:

This thread is for the use of totomk only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
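An added example, not part of Howard's post or of totomk's log: the checks Howard applies by eye to the O4, O17 and O23 lines (an autostart named after a core Windows process but living outside the Windows directory, a startup shortcut that resolves to "?", a NameServer that is not the ISP's, a service whose binary is missing) can be scripted and run over a whole HijackThis log. The sample lines below are constructed from the entries quoted above plus the "svchost" Run value Howard mentions later in the thread; the TRUSTED_DNS allowlist and the 203.0.113.53 resolver are assumptions made for the example.

```python
from __future__ import annotations
import re

# Constructed sample log. The O4/O17/O23 entries are modelled on the ones quoted
# in the thread plus the "svchost" Run value Howard describes; 203.0.113.53 is a
# made-up nameserver from the documentation address range, not a real resolver.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE
O4 - HKCU\..\Run: [CommTraffic Console] "C:\Program Files\CommTraffic\CommTraffic.exe"
O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\All Users\Documents\SETUP.EXE
O4 - Startup: On.Net.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4E13917-7DA0-486D-9C56-B588ED579166}: NameServer = 217.16.69.3,217.16.86.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0E3532F-69A0-43F7-848C-E11592F2C058}: NameServer = 85.30.126.1 203.0.113.53
O23 - Service: CommTraffic Service (CTsvc) - Unknown owner - C:\PROGRA~1\COMMTR~1\CTserv.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
"""

# Assumption for the example: the resolvers the ISP actually issued.
TRUSTED_DNS = {"217.16.69.3", "217.16.86.1", "85.30.126.1"}

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<target>.+)$")
NS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]*)\) - (?P<owner>.+?) - (?P<path>.+)$")

# Names malware borrows from core Windows processes. A Run value with one of these
# names whose image is not under the Windows directory is a masquerade.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss", "explorer"}
# Places nothing legitimate autostarts from (the thread's setup.exe lived in the first).
SUSPICIOUS_DIRS = ("\\all users\\documents\\", "\\temp\\")
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$")


def exe_path(cmd: str) -> str:
    """Pull the executable out of a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd.strip('"')
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str, trusted_dns: set, windir: str = "C:\\WINDOWS") -> list:
    """Return (indicator, log line) pairs for the entries a helper would tell you to fix."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            name = re.sub(r"\.exe$", "", m["name"].lower())
            low = exe_path(m["cmd"]).lower()
            if name in SYSTEM_NAMES and not low.startswith(windir.lower() + "\\"):
                findings.append(("masquerade", line))
            elif DRIVE_ROOT_RE.match(low) or any(d in low for d in SUSPICIOUS_DIRS):
                findings.append(("odd-location", line))
        elif m := STARTUP_RE.match(line):
            if m["target"].strip() == "?":          # shortcut whose target no longer resolves
                findings.append(("unresolved-shortcut", line))
        elif m := NS_RE.match(line):
            rogue = [s for s in re.split(r"[,\s]+", m["servers"].strip()) if s and s not in trusted_dns]
            if rogue:
                findings.append(("untrusted-dns " + ",".join(rogue), line))
        elif m := SVC_RE.match(line):
            if "(file missing)" in m["path"]:       # orphaned service registration
                findings.append(("orphan-service", line))
    return findings


if __name__ == "__main__":
    for indicator, line in triage(SAMPLE_LOG, TRUSTED_DNS):
        print(f"{indicator:28} {line}")
```

The script only reports structural indicators; it does not know that CommTraffic is something the user should remove, which is the kind of call a helper makes from experience. Anything it flags under "untrusted-dns" should be compared with the resolvers your ISP actually gave you before you let HJT fix the O17 entry, exactly as Howard says.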
 
The solution

Hi,
Thanks for the prompt reply. I tried all that, but the problem wasn't gone. So, again I re-installed Windows and discovered that both files appear only when I set sharing on my HDD roots. I disabled file sharing and they don't appear any more. Funny indeed, but I checked one of your earlier posts and the guy had the same problem. However, I am sending you another HijackThis log, but the problem is still only temporarily solved.
 
Your HJT log is clean.

Download the Pocket Killbox programme from HERE.

Extract it to your desktop.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

See if Killbox will delete the setup.exe and autorun.inf files.

Please let me know the results.

If that doesn`t work, please can you give me the full filepaths to the files concerned.

Regards Howard :)

 
I tried that too; it only erases the files but after a while they reappear. The paths to the files are W:\setup.exe and W:\autorun.inf, V:\setup.exe and V:\autorun.inf, and D:\setup.exe and D:\autorun.inf. They appear directly in my HDD roots, but not in C:\, at least not for a while. When they appear in C:\, I can't run Windows any more. Just to remind you, this only happens when I set sharing on my HDD. The other 2 computers on the network I haven't even started.
I wish I could give you any other info, so if you need anything else...
Thanks for your assistance

Short update: I can easily erase them with Delete, but they keep on coming back.

[autorun]
open=setup.exe
icon=setup.exe,0

This is what is listed in the autorun.inf file. Maybe that will help.
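An added example, not code from anyone in this thread: the autorun.inf totomk posted is the whole mechanism. Windows reads the [autorun] section of a file in a volume root, "open=setup.exe" tells it what to run when the volume is opened and "icon=setup.exe,0" is why the drive icons changed first. The Python below parses that format tolerantly (junk lines and odd casing are common in hostile autorun.inf files), lists every command such a file could launch (open=, shellexecute= and shell\<verb>\command=), and scans a set of roots for the setup.exe + autorun.inf pair. The drive layout it builds is a constructed stand-in for the D:, V: and W: roots from the thread, plus a benign root and an empty one; on a real Windows box the same scan_roots() can be pointed at drive letters or \\host\share roots.

```python
import os
import tempfile
from pathlib import Path

# Taken from the thread: the autorun.inf totomk found in each shared drive root.
AUTORUN_FROM_THREAD = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n"
# Constructed benign counterpart: sets a drive icon and label, launches nothing.
AUTORUN_BENIGN = "[autorun]\nicon=drive.ico\nlabel=Backup\n"

LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text: str) -> dict:
    """Key/value pairs of the [autorun] section. Deliberately tolerant: junk lines,
    NUL bytes and odd casing are skipped rather than raised on, because Windows
    is just as tolerant and hostile files rely on that."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.replace("\x00", "").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries: dict) -> list:
    """Everything AutoRun/AutoPlay could execute: open=, shellexecute= and any
    shell\\<verb>\\command= entry, which is how the Open/Explore verbs get hijacked."""
    return [v for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def scan_root(root) -> list:
    """For one drive or share root, return (command, resolved target or None) for
    each command its autorun.inf would launch. Name lookups are case-insensitive,
    as on the Windows volumes the thread is about."""
    root = Path(root)
    files = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
    inf = files.get("autorun.inf")
    if inf is None:
        return []
    hits = []
    for cmd in launch_commands(parse_autorun(inf.read_text(errors="replace"))):
        first = cmd.strip().strip('"').split()[0] if cmd.strip() else ""
        target = files.get(first.replace("\\", "/").split("/")[-1].lower())
        hits.append((cmd, str(target) if target else None))
    return hits


def scan_roots(roots) -> dict:
    """Map each root whose autorun.inf launches something to its hits. Roots with no
    autorun.inf, or one that only sets icon/label, are left out."""
    return {str(r): hits for r in roots if (hits := scan_root(r))}


def build_sample_tree(base) -> list:
    """Constructed stand-in for the thread's D:, V:, W: shared roots plus a benign E:
    and an empty F:. The 'setup.exe' bodies are placeholders, not executables."""
    layout = {
        "D": {"autorun.inf": AUTORUN_FROM_THREAD, "setup.exe": "placeholder"},
        "V": {"autorun.inf": AUTORUN_FROM_THREAD, "setup.exe": "placeholder"},
        "W": {"AUTORUN.INF": AUTORUN_FROM_THREAD, "Setup.EXE": "placeholder"},
        "E": {"autorun.inf": AUTORUN_BENIGN, "drive.ico": "placeholder"},
        "F": {},
    }
    roots = []
    for name, files in layout.items():
        root = Path(base) / name
        root.mkdir(parents=True, exist_ok=True)
        for fname, content in files.items():
            (root / fname).write_text(content)
        roots.append(root)
    return roots


def run_demo() -> dict:
    """Build the sample tree in a temp dir and return {root name: hits}."""
    base = tempfile.mkdtemp(prefix="autorun-demo-")
    return {os.path.basename(r): hits for r, hits in scan_roots(build_sample_tree(base)).items()}


if __name__ == "__main__":
    for root, hits in run_demo().items():
        for cmd, target in hits:
            print(f"{root}: autorun.inf launches {cmd!r} -> {target or 'target missing'}")
```

Deleting the pair, as the thread shows, only helps until whatever writes it runs again; the scan is useful for finding every root (local and shared) that carries the pair so that none is left behind when all the machines are cleaned at the same time.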
 
Please post HJT logs from each computer on your network.

Regards Howard :)

 
All your HJT logs are clean.

Give this a try.

1. Click Start > Run.
2. Type regedit, then click OK.
3. Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the value:

"svchost"="[Path to file]\SETUP.EXE"

5. Exit the Registry Editor.

You should do this on all machines.

Then run the Ccleaner programme on each machine as per the instructions HERE.

See if that helps.

Regards Howard :)

 
Give this a try.

1. Click Start > Run.
2. Type regedit, then click OK.
3. Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the value:

"svchost"="[Path to file]\SETUP.EXE" ???? Such a value didn't exist???
 
Go and delete the following files, do this on all hard drives/machines.

C:\Documents and Settings\All Users\Documents
Delete setup.exe and autorun.inf if present.
Go to Start > Run and type in
%temp%
Delete the entire contents; it's safe.
Delete these files if present:
c:\autorun.inf
c:\setup.exe

If that doesn`t help, I`m afraid I don`t know what else to suggest.

I have no idea where those files are respawning from. The only thing I have left to suggest is a reformat and reinstall.

Regards Howard :(

 
I tried all of that, and nothing helps. It seems like one partition on the network is somehow infected with some new trojan not identified yet and is creating those files on all shared hard disks. I will now try to share a folder, not an entire HDD, and hopefully it will confuse the trojan.
 
I have a theory about that annoying setup.exe and autorun.inf: you have to get rid of it in one sitting.

A wipe and reinstall could work if it's only one PC, but since it's on a network, these files duplicate themselves on every other HDD/partition they can find, and if another PC on that network has that process active, the fresh install on the first PC would be pointless. I gather from this thread that you have a small network running?

Isolate all the PCs if you can (disconnect them from the network). Go to Trend Micro's HouseCall website and run its online scanner. Clean up anything it finds. Download Ewido and run it (basically go through the steps in the "Remove trojan pakes...." thread). Do this for every PC on the network. Then go to Start > Search and look for Setup.exe and Autorun.inf on all drives available (including network drives) on each PC. Delete them if you do find the pair with the code in the autorun file. Reboot after you've done this to all three PCs at the same time and cross your fingers.

If it comes back, try the following....

When this particular annoyance once popped up, the firewall started going crazy and came up with those "This program has launched application... Allow/Deny etc." prompts for some random words (but in a pattern: two letters, three numbers, three letters, if I remember) under the name of svchost - Generic Host Process for Windows. Note there is also the legit svchost running from the C:\Windows\System32 folder. You need to block the dodgy one.

Download Process Explorer and look through the process list for any odd entries. Scroll all the way down to the bottom and if you find a svchost not running under the winlogon.exe tree, then investigate it. You can right-click it and go to Properties to see where it's originating from under the Image tab. Terminate it if it's the dodgy one. Run another scan if you need to and search for the files and delete them; it should work this time. Otherwise, I can only think of isolation and then attempting removal if possible.
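An added example, not part of the post above: the two things the poster checks in Process Explorer by hand, where the svchost image lives and who its parent is, can be applied to a process snapshot. The example assumes that a genuine svchost.exe is %SystemRoot%\System32\svchost.exe and is started by services.exe (on XP services.exe is itself a child of winlogon.exe, so this is the same tree the post refers to). The "two letters, three digits, three letters" name pattern is the poster's recollection and is used here only as a weak secondary indicator. The process list is constructed for the example; PIDs and the C:\Documents and Settings\All Users\Documents\svchost.exe path are made up.

```python
import re

# Assumed for the example: where a genuine svchost.exe lives and who starts it.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_PARENT = "services.exe"
# The poster's recollection of the launched file names: two letters, three digits,
# three letters. Treated as a weak, optional indicator, not a signature.
RANDOM_NAME_RE = re.compile(r"^[a-z]{2}\d{3}[a-z]{3}\.exe$", re.IGNORECASE)

# Constructed process snapshot: (pid, ppid, name, image path). PIDs are made up;
# explorer's parent (userinit.exe) has already exited, as it normally has on XP.
SAMPLE_PROCESSES = [
    (4,    0,    "System",        ""),
    (376,  4,    "smss.exe",      r"C:\WINDOWS\System32\smss.exe"),
    (596,  376,  "winlogon.exe",  r"C:\WINDOWS\System32\winlogon.exe"),
    (640,  596,  "services.exe",  r"C:\WINDOWS\System32\services.exe"),
    (832,  640,  "svchost.exe",   r"C:\WINDOWS\System32\svchost.exe"),
    (1012, 640,  "svchost.exe",   r"C:\WINDOWS\System32\svchost.exe"),
    (1480, 1400, "explorer.exe",  r"C:\WINDOWS\explorer.exe"),
    (1720, 1480, "svchost.exe",   r"C:\Documents and Settings\All Users\Documents\svchost.exe"),
    (1804, 1720, "ab123xyz.exe",  r"C:\WINDOWS\Temp\ab123xyz.exe"),
]


def flag_processes(procs) -> list:
    """Return (pid, name, reason) for every svchost.exe that is not the real one, and
    for any process whose name matches the random pattern, using only the snapshot."""
    by_pid = {pid: (ppid, name, path) for pid, ppid, name, path in procs}
    findings = []
    for pid, ppid, name, path in procs:
        parent_name = by_pid.get(ppid, (None, "<gone>", ""))[1].lower()
        if name.lower() == "svchost.exe":
            # Image location is the stronger signal, so it is checked first.
            if not path.lower().startswith(SYSTEM32 + "\\"):
                findings.append((pid, name, f"image outside System32: {path}"))
            elif parent_name != EXPECTED_PARENT:
                findings.append((pid, name, f"parent is {parent_name}, not {EXPECTED_PARENT}"))
        elif RANDOM_NAME_RE.match(name):
            findings.append((pid, name, f"random-looking name launched by {parent_name} (pid {ppid})"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in flag_processes(SAMPLE_PROCESSES):
        print(f"pid {pid:5} {name:16} {reason}")
```

On a live Windows machine the same tuples can be built from psutil, taking pid, ppid, name and exe from each entry of psutil.process_iter(["pid", "ppid", "name", "exe"]); the check itself stays the same. A flagged process should be investigated (image path, parent, what it has open) before it is terminated, since killing it without removing its autostart entry just invites the respawn the thread describes.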
 