
strange files in my shared folders "setup.exe" & "autorun.inf"

  #1  
Old 08-16-2006
Newcomer, in training
 
Member since: Aug 2006, 10 posts
strange files in my shared folders "setup.exe" & "autorun.inf"

ok so i have three computers running in my wi-fi home network
on each computer there are a number of folders shared
my network is properly secured by WPA-PSK
(and i'm the only who knows pass & log)

yesterday however i found these two strange files in EVERY shared folder on EVERY pc:
"setup.exe"
"autorun.inf"

(and only the shared folders are affected, no sign of these files in any other map)

when i deleted them, they popped back up a few hours later.

i ran adaware, spybot s&d and norton antivirus
found a few spyware and fixed it

however the two files keep reappearing!

does anyone have any idea what these could be?
is this some trojan attack, virus, spyware ?
i haven't dared to open the setup.exe yet
i tried searching the internet but hardly found anything to go with

i'll post the hijack logs from my three pc's in attach. i can't figure out which pc is affected? i have tried to clean out every pc but as of yet, nothing helps stopping these files from reappearing.

i hope someone can help me out, it'd be very much appreciated
thanks so much in advance!!
Attached Files
File Type: log hijackthis_PC1.log (6.8 KB, 50 views)
File Type: log hijackthis_PC2.log (8.2 KB, 10 views)
File Type: log hijackthis_PC3.log (3.1 KB, 10 views)
  #2  
Old 08-16-2006
Banned
 
Member since: Aug 2004, 25,945 posts
Hello and welcome to Techspot.

I'll analyse the logs in order and post the results in separate posts.

Log pc1.

Disconnect pc 1 from the network.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

smss.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\system\smss.exe

Reboot into normal mode and turn system restore back on.
Post a fresh HJT log for pc1.

Regards Howard
  #3  
Old 08-16-2006
Banned
 
Member since: Aug 2004, 25,945 posts
Disconnect pc2 from the network.

Have HJT fix the following.

O15 - Trusted IP range: 193.58.81.70 < Fix this, if you don't know what it is.

O17 - HKLM\System\CCS\Services\Tcpip\..\{4678E4EE-A15B-4B51-8BAE-DFA55F3D12AB}: NameServer = 195.130.131.9,195.130.130.4 < Only fix this, if it doesn't belong to your ISP.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

Other than the above, this HJT log is clean.

Regards Howard
  #4  
Old 08-16-2006
Banned
 
Member since: Aug 2004, 25,945 posts
Pc3.

Have HJT fix this entry, if you don't know what it is.

O15 - Trusted IP range: 193.58.81.70

Other than that, this HJT log is clean.

Let me know how things are running.

Regards Howard

This thread is for the use of rainyhands only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  #5  
Old 08-16-2006
Newcomer, in training
 
Member since: Aug 2006, 10 posts
howard, first of all thanks so much for yr help, you're doing a great job here

however:
i followed your instructions re: PC1 but couldn't end the process smss.exe in safe mode
it said "this is a critical process and task manager cannot end this process"

any way around this?

in the meanwhile though, thx to these forums, i also scanned my pc1 with the AVG program (http://free.grisoft.com/doc/1)
and it found a trojan horse: Trojan Horse Proxy.EJo !
(undetected by crappy norton!)

could this be the villain?

i await further advice on how to terminate the smss process
thank you!
  #6  
Old 08-16-2006
Banned
 
Member since: Aug 2004, 25,945 posts
The legit version of smss.exe is supposed to be in C:\windows\system32\smss.exe

Yours is in C:\windows\system\smss.exe

Search your computer and see if you have more than one version of smss.exe, i.e. one in the system32 folder and one in the system folder.

Let me know what you find.

Regards Howard
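
Added example, not part of the original posts: a Python sketch of the check described above, which parses HijackThis O4 autostart lines and flags entries that reuse a core Windows process name from a directory other than System32. The process-name list and every sample line except the first are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Core Windows processes that run only from System32 (assumed short list, not exhaustive).
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "svchost.exe"}

# HijackThis registry autostart line: O4 - <key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Leading executable path of the command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.exe)"?(?:\s|$)', re.IGNORECASE)

# First line is the entry quoted in this thread; the rest are constructed samples.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" -min
O4 - HKLM\..\Run: [Sample] c:\windows\System32\svchost.exe -k sample
O15 - Trusted IP range: 193.58.81.70
"""

def suspicious_autostarts(log_text, windir=r"C:\WINDOWS"):
    """Return (value name, path) for O4 entries that use a
    System32-only process name from any other directory."""
    expected = PureWindowsPath(windir) / "system32"
    hits = []
    for line in log_text.splitlines():
        entry = O4_RE.match(line.strip())
        if not entry:
            continue  # not a registry autostart line
        exe = EXE_RE.match(entry.group("cmd"))
        if not exe:
            continue  # no recognisable .exe path
        path = PureWindowsPath(exe.group("path"))
        # PureWindowsPath comparison ignores case, as Windows does.
        if path.name.lower() in SYSTEM32_ONLY and path.parent != expected:
            hits.append((entry.group("name"), str(path)))
    return hits

if __name__ == "__main__":
    for name, path in suspicious_autostarts(SAMPLE_LOG):
        print(f"check autostart [{name}]: {path} is not in System32")
```

A hit means only that the path deserves a closer look, as in the thread; copies kept under service-pack backup folders are not autostart entries and are not reported.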
  #7  
Old 08-16-2006
Newcomer, in training
 
Member since: Aug 2006, 10 posts
yes you're right

in fact i found four smss.exe in my windows

c:\Windows\$NTservicePackUninstall$
c:\Windows\system
c:\Windows\system32
c:\Windows\ServicePackFiles\i386

so i should remove the one in system and i assume i was probably trying to end the process smss.exe from the system32 folder

how bout the others, remove them too?

thx again!
  #8  
Old 08-16-2006
Banned
 
Member since: Aug 2004, 25,945 posts
Delete this file from safe mode.

C:\windows\system\smss.exe I'm pretty sure this is a trojan.

Regards Howard

Edit: I forgot to add. You should scan every computer with AVG (make sure AVG is fully updated), while in safe mode with system restore turned off. Delete whatever is found, then reboot into normal mode and turn system restore back on.

Last edited by howard_hopkinso; 08-16-2006 at 07:08 PM..
  #9  
Old 08-16-2006
Newcomer, in training
 
Member since: Aug 2006, 10 posts
yesss i'm now scanning the other two PC's as well with AVG, thx!

i deleted the smss.exe in PC1 (edit: well the one in system\smss.exe)

these are now my (clean?) hijack logs (well pc3 seemed clean, so didn't include that anymore, now scanning with AVG too though)

i'm hoping the two files won't pop anymore
i'll keep this board updated

thanks so much again
Attached Files
File Type: log hijackthis_PC1_clean.log (5.2 KB, 4 views)
File Type: log hijackthis_PC2_clean.log (8.1 KB, 3 views)
  #10  
Old 08-16-2006
Banned
 
Member since: Aug 2004, 25,945 posts
As far as I'm concerned, both those HJT logs are clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard
  #11  
Old 08-16-2006
Newcomer, in training
 
Member since: Aug 2006, 10 posts
ok thanks for all the help!!!!!!!
if it reappears, i'll come knocking again
  #12  
Old 11-20-2007
Newcomer, in training
 
Member since: Nov 2007, 3 posts
i had the same problem before, but after i installed Trend Micro Internet Security Pro, Trend Micro detected it and deleted it. Besides, i also suggest you use Norton AntiBot for an additional layer of protection added to your computer