TechSpot

strange files in my shared folders "setup.exe" & "autorun.inf"

By rainyhands
Aug 16, 2006
Topic Status:
Not open for further replies.
  1. ok so i have three computers running in my wi-fi home network
    on each computer there are a number of folders shared
    my network is properly secured by WPA-PSK
    (and i'm the only one who knows pass & log)

    yesterday however i found these two strange files in EVERY shared folder on EVERY pc:
    "setup.exe"
    "autorun.inf"

    (and only the shared folders are affected, no sign of these files in any other map)

    when i deleted them, they popped back up a few hours later.

    i ran adaware, spybot s&d and norton antivirus
    found a few spyware and fixed it

    however the two files keep reappearing!

    does anyone have any idea what these could be?
    is this some trojan attack, virus, spyware ?
    i haven't dared to open the setup.exe yet
    i tried searching the internet but hardly found anything to go with

    i'll post the hijack logs from my three pc's in attach. i can't figure out which pc is affected? i have tried to clean out every pc but as of yet, nothing helps stopping these files from reappearing.

    i hope someone can help me out, it'd be very much appreciated
    thanks so much in advance!!


  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    I'll analyse the logs in order and post the results in separate posts.

    Log pc1.

    Disconnect pc 1 from the network.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    smss.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\system\smss.exe

    Reboot into normal mode and turn system restore back on.
    Post a fresh HJT log for pc1.

    Regards Howard :wave: :wave:
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Disconnect pc2 from the network.

    Have HJT fix the following.

    O15 - Trusted IP range: 193.58.81.70 < Fix this, if you don't know what it is.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4678E4EE-A15B-4B51-8BAE-DFA55F3D12AB}: NameServer = 195.130.131.9,195.130.130.4 < Only fix this, if it doesn't belong to your ISP.

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    Other than the above, this HJT log is clean.

    Regards Howard :)
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Pc3.

    Have HJT fix this entry, if you don't know what it is.

    O15 - Trusted IP range: 193.58.81.70

    Other than that, this HJT log is clean.

    Let me know how things are running.

    Regards Howard :)

    This thread is for the use of rainyhands only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  5. rainyhands

    rainyhands TS Rookie Topic Starter

    howard, first of all thanks so much for yr help, you're doing a great job here

    however:
    i followed your instructions re: PC1 but couldn't end the process smss.exe in safe mode
    it said "this is a critical process and task manager cannot end this process"

    any way around this?

    in the meanwhile though, thx to these forums, i also scanned my pc1 with the AVG program (http://free.grisoft.com/doc/1)
    and it found a trojan horse: Trojan Horse Proxy.EJo !
    (undetected by crappy norton!)

    could this be the villain?

    i await further advice on how to terminate the smss process
    thank you!
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    The legit version of smss.exe is supposed to be in C:\windows\system32\smss.exe

    Yours is in C:\windows\system\smss.exe

    Search your computer and see if you have more than one version of smss.exe. I.E one in the system32 folder and one in the system folder.

    Let me know what you find.

    Regards Howard :)
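
The location check from the post above, applied to HijackThis O4 (autostart) lines, as an added example that is not part of the original thread: it flags Run entries whose file name matches a core Windows process but whose folder is not the one the genuine file lives in. The process list, the default C:\WINDOWS install path and every sample line other than the .nvsvc entry quoted earlier in the thread are assumptions of the example.

```python
import ntpath
import re

# Core Windows process names mapped to the folder the genuine file runs from.
# Assumes a default install with Windows in C:\WINDOWS (example assumption).
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = {name: SYSTEM32 for name in (
    "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\([^:]+): \[([^\]]*)\] (.+)$')
# Executable part of the command: quoted path, or everything up to ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)', re.IGNORECASE)


def image_path(command):
    """Return the executable path from a Run-key command line, or None."""
    m = EXE_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else None


def misplaced_system_images(log_text):
    """List (value name, path, expected folder) for look-alike system files."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        path = image_path(m.group(4)) if m else None
        if path is None:
            continue
        folder, exe = ntpath.split(ntpath.normpath(path))
        expected = EXPECTED_DIR.get(exe.lower())
        if expected and folder.lower() != expected:
            findings.append((m.group(3), path, expected))
    return findings


# Constructed sample: only the first line is quoted from the thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" -min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted IP range: 193.58.81.70
'''

if __name__ == "__main__":
    for name, path, expected in misplaced_system_images(SAMPLE_LOG):
        print(f"[{name}] {path} (genuine file lives in {expected})")
```
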
  7. rainyhands

    rainyhands TS Rookie Topic Starter

    yes you're right

    in fact i found four smss.exe in my windows

    c:\Windows\$NTservicePackUninstall$
    c:\Windows\system
    c:\Windows\system32
    c:\Windows\ServicePackFiles\i386

    so i should remove the one in system and i assume i was probably trying to end the process smss.exe from the system32 folder

    how bout the others, remove them too?

    thx again!
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Delete this file from safe mode.

    C:\windows\system\smss.exe

    I'm pretty sure this is a trojan.

    Regards Howard :)

    Edit: I forgot to add. You should scan every computer with AVG (make sure AVG is fully updated), while in safe mode with system restore turned off. Delete whatever is found, then reboot into normal mode and turn system restore back on.
  9. rainyhands

    rainyhands TS Rookie Topic Starter

    yesss i'm now scanning the other two PC's as well with AVG, thx!

    i deleted the smss.exe in PC1 (edit: well the one in system\smss.exe)

    these are now my (clean?) hijack logs (well pc3 seemed clean, so didn't include that anymore, now scanning with AVG too though)

    i'm hoping the two files won't pop anymore
    i'll keep this board updated

    thanks so much again
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    As far as I'm concerned, both those HJT logs are clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

  11. rainyhands

    rainyhands TS Rookie Topic Starter

    ok thanks for all the help!!!!!!!
    if it reappears, i'll come knocking again :)
     
  12. Theophilus23

    Theophilus23 TS Rookie

    i had the same problem before, but after i installed Trend Micro Internet Security Pro, Trend Micro detected it and deleted it. Besides, i also suggest you use Norton AntiBot for an additional layer of protection added to your computer