strange files in my shared folders "setup.exe" & "autorun.inf"
#1
ok so i have three computers running in my wi-fi home network
on each computer there are a number of folders shared
my network is properly secured by WPA-PSK (and i'm the only one who knows pass & log)

yesterday however i found these two strange files in EVERY shared folder on EVERY pc:
"setup.exe"
"autorun.inf"
(and only the shared folders are affected, no sign of these files in any other map)

when i deleted them, they popped back up a few hours later.
i ran adaware, spybot s&d and norton antivirus
found a few spyware and fixed it
however the two files keep reappearing!

does anyone have any idea what these could be?
is this some trojan attack, virus, spyware?
i haven't dared to open the setup.exe yet
i tried searching the internet but hardly found anything to go with

i'll post the hijack logs from my three pc's in attach.
i can't figure out which pc is affected?
i have tried to clean out every pc but as of yet, nothing helps stopping these files from reappearing.

i hope someone can help me out, it'd be very much appreciated
thanks so much in advance!!
#2
Hello and welcome to Techspot.
I'll analyse the logs in order and post the results in separate posts.

Log pc1.

Disconnect pc 1 from the network.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key. Click on the processes tab and end process for (if there):

smss.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

Click on the fix checked button. Close HJT.

Locate and delete the following bold files and/or directories (if there):

C:\WINDOWS\system\smss.exe

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log for pc1.

Regards Howard
#3
Disconnect pc2 from the network.
Have HJT fix the following.

O15 - Trusted IP range: 193.58.81.70 <Fix this, if you don't know what it is.
O17 - HKLM\System\CCS\Services\Tcpip\..\{4678E4EE-A15B-4B51-8BAE-DFA55F3D12AB}: NameServer = 195.130.131.9,195.130.130.4 <Only fix this, if it doesn't belong to your ISP.
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

Other than the above, this HJT log is clean.

Regards Howard
#4
Pc3.
Have HJT fix this entry, if you don't know what it is.

O15 - Trusted IP range: 193.58.81.70

Other than that, this HJT log is clean.

Let me know how things are running.

Regards Howard

This thread is for the use of rainyhands only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
#5
howard, first of all thanks so much for yr help, you're doing a great job here

however:
i followed your instructions re: PC1
but couldn't end the process smss.exe in safe mode
it said "this is a critical process and task manager cannot end this process"
any way around this?

in the meanwhile though, thx to these forums, i also scanned my pc1 with the AVG program (http://free.grisoft.com/doc/1)
and it found a trojan horse: Trojan Horse Proxy.EJo ! (undetected by crappy norton!)
could this be the villain?

i await further advice on how to terminate the smss process
thank you!
#6
The legit version of smss.exe is supposed to be in C:\windows\system32\smss.exe
Yours is in C:\windows\system\smss.exe

Search your computer and see if you have more than one version of smss.exe, i.e. one in the system32 folder and one in the system folder.

Let me know what you find.

Regards Howard
#7
yes you're right
in fact i found four smss.exe in my windows

c:\Windows\$NTservicePackUninstall$
c:\Windows\system
c:\Windows\system32
c:\Windows\ServicePackFiles\i386

so i should remove the one in system
and i assume i was probably trying to end the process smss.exe from the system32 folder
how bout the others, remove them too?

thx again!
#8
Delete this file from safe mode.

C:\windows\system\smss.exe

I'm pretty sure this is a trojan.

Regards Howard

Edit: I forgot to add. You should scan every computer with AVG (make sure AVG is fully updated), while in safe mode with system restore turned off. Delete whatever is found, then reboot into normal mode and turn system restore back on.

Last edited by howard_hopkinso; 08-16-2006 at 07:08 PM.
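
The location check worked through in posts #6 to #8, as an added example that is not part of the original thread: it flags HijackThis O4 autostart entries, and files found on disk, that carry a core Windows process name but sit outside the folder that process normally lives in. The process list, the list of service-pack backup folders, the second sample log line and all function names are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: core XP processes and the one folder each should start from.
EXPECTED_DIR = {name: r"c:\windows\system32" for name in (
    "smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe")}
# Assumption: service-pack and file-protection caches hold inert copies.
BACKUP_DIRS = (
    r"c:\windows\$ntservicepackuninstall$",
    r"c:\windows\servicepackfiles\i386",
    r"c:\windows\system32\dllcache",
)
# HijackThis autostart line: O4 - <key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>[a-z]:\\.+?\.exe)"?(?:\s|$)', re.I)

def classify(path):
    """Return 'expected', 'backup', 'masquerade' or 'other' for one path."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name not in EXPECTED_DIR:
        return "other"
    if parent == EXPECTED_DIR[name]:
        return "expected"
    if parent in BACKUP_DIRS:
        return "backup"      # not launched from here; still worth hashing
    return "masquerade"      # system name, wrong folder

def suspicious_autostarts(hjt_lines):
    """Return (value name, image path) for O4 entries that masquerade."""
    hits = []
    for line in hjt_lines:
        m = O4_RE.match(line.strip())
        exe = EXE_RE.match(m.group("cmd")) if m else None
        if exe and classify(exe.group("path")) == "masquerade":
            hits.append((m.group("name"), exe.group("path")))
    return hits

# First line is the entry quoted in post #2; the second is constructed.
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w",
    r'O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" -min',
]
# The four folders reported in post #7, with the file name appended.
FOUND = [d + r"\smss.exe" for d in (
    r"c:\Windows\$NTservicePackUninstall$", r"c:\Windows\system",
    r"c:\Windows\system32", r"c:\Windows\ServicePackFiles\i386")]

if __name__ == "__main__":
    print(suspicious_autostarts(SAMPLE_HJT))
    for path in FOUND:
        print(f"{classify(path):10} {path}")
```
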
#9
yesss i'm now scanning the other two PC's as well with AVG, thx!
i deleted the smss.exe in PC1 (edit: well the one in system\smss.exe)

these are now my (clean?) hijack logs (well pc3 seemed clean, so didn't include that anymore, now scanning with AVG too though)

i'm hoping the two files won't pop anymore
i'll keep this board updated

thanks so much again
#10
As far as I'm concerned, both those HJT logs are clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard
#11
ok thanks for all the help!!!!!!!
if it reappears, i'll come knocking again
#12
i had the same problem before, but after i installed Trend Micro Internet Security Pro, Trend Micro detected it and deleted it. Besides, i also suggest you use Norton AntiBot for an additional layer of protection added to your computer
All times are GMT -4. The time now is 03:29 AM.



"My Computer", "Trash Bin", "Control Panel" etc will not open.