strange setup.exe in C:\

[ellulbrian]

I noticed that two files, setup.exe & autorun.inf, are automatically created in C:\ after a restart (WinXP Home). I've checked if its a maleware but the results were negative. I cannot figure out from where they're poping out because its annoying due to the fact that the autorun.inf is changing the icon of the harddisk.


Any help to identify from where they're poping out? pls.

PS. I've attached the files so that someone analyses them (if they can be analyised).

 

[howard_hopkinso]

Mmm strange.

Go and read this thread HERE.

Then post a HJT log as a .txt attachment into this thread and I`ll check for anything out of the ordinary.

Regards Howard

 

[ellulbrian]

HJT log

Here is the HJT log

thanks for your help

 

[howard_hopkinso]

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Boonty Games - BOONTY

close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

Boonty.exe

Close task manager.

Run HJT with no other programmes open(except notepad).Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - C:\Program Files\ICOO Loader\addons\icooue.dll (file missing)

O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program Files\ICOO Loader\addons\icoou.dll (file missing)

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll

O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://www.hpphoto.com/downloads/DownloadPhotos.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7E31CCB4-9988-4FA1-8A10-2DF88CBB245D}: NameServer = 194.158.37.177

O17 - HKLM\System\CCS\Services\Tcpip\..\{A4F168BA-E08A-4F25-B61C-3F0F6EAA612C}: NameServer = 194.158.37.196,194.158.37.211

Only fix the above 017 entries, if they don`t belong to your ISP.

O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log and let us know how your system is running.


Regards Howard

 

[ellulbrian]

O17 - HKLM\System\CCS\Services\Tcpip\..\{7E31CCB4-9988-4FA1-8A10-2DF88CBB245D}: NameServer = 194.158.37.177

O17 - HKLM\System\CCS\Services\Tcpip\..\{A4F168BA-E08A-4F25-B61C-3F0F6EAA612C}: NameServer = 194.158.37.196,194.158.37.211

Only fix the above 017 entries, if they don`t belong to your ISP.

I've read the post but before I begin I have a question about entries O17. I know that 194.158.37.196 & 194.158.37.211 are the DNS of my ISP so I souldn't fix them but I don't know what 194.158.37.177 is for.

Should I leave it or fix it?

 

[howard_hopkinso]

The entry is resolved to cachedns.maltanet.net

If this is your isp don`t fix it.

Regards Howard

 

[ellulbrian]

Problem Solved

No more setup.exe in C:\ :bounce:

[center]THANKS
howard_hopkinso [/center]

PS. New HJT log attached.

 

[howard_hopkinso]

That`s excellent news.

Your HJT log is now clean.

Regards Howard

 

[LNCPapa]

Wow - awesome job Howard.

 

[howard_hopkinso]

Wow - awesome job Howard.

Hey thanks mate.

It wasn`t that much really.

Hell I see that many HJT logs, it`s kind of become second nature by now lol.

Regards Howard

 

[ellulbrian]

Problem Reappeared

BAD NEWS

The setup.exe & autorun.inf have reappeared. Now, I've noticed that it didn't reappear after a restart but it appeared when the PC was used by my bro so currently I cannot say how or what make it reappear.

Any help or suggestions? pls.

PS. A new HJT log is attached.

 

[howard_hopkinso]

I can find nothing nasty in your HJT log.

However, you should reinstall your antivirus programme as HJT is saying files are missing. You should also install a software firewall such as Zonealarm free or the free Kerio firewall(Google for these), if your antivirus programme doesnt have one built in.

Try just deleting the files you mention.

Let us know the results.


Regards Howard

 

[ellulbrian]

Problem appeares to be solved

I've repaired BitDefender (it includes a firewall) and until now the files haven't appeared.

BIG THANKS howard :wave:

PS. Here's a HJT log, just in case.

 

[howard_hopkinso]

Your HJT log is clean.

Regards Howard