Might have part of the answer posted previously here ??

strange files in my shared folders "setup.exe" & "autorun.inf"

Above is a thread i came accross when browsing for my PC problem. It sounds exactly the same.

I assume i can almost follw the same rules as this thread. But if you woudl be so kind as to look over this and advise accordingly incase anythign is seperate.

This seemed to come about when i tried limeware, morpheous and bearshare. I did not even use the prgrammes as i noticed this change and uninstalled straight away. However somethign still very present. All the above came from the official site.

Did it arrise from any of these perhaps?

Thank you very much.

Q

PC one (first infected)

PC Two - not infected until recently



Thanks.....Q

[B]Hello and welcome to Techspot.[/B]

PC1.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

[b]Turn off system restore.(XP/ME only)[/b] See how here.> [url]http://www.bleepingcomputer.com/forums/tutorial56.html[/url]

[b]Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT).[/b] See how here.> [url]http://www.bleepingcomputer.com/forums/tutorial61.html[/url]

[b]In Windows Explorer, turn on "Show all files and folders, including hidden and system".[/b] See how here.> [url]http://www.bleepingcomputer.com/forums/tutorial62.html[/url]

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

PowerReg Scheduler V3.exe
gdnFR2332.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

O4 - Startup: PowerReg Scheduler V3.exe

O16 - DPF: {35E15453-5611-0A13-7ED6-39700B9F0018} - [url]http://85.255.113.214/1/gdnFR2332.exe[/url]

O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - [url]https://ve.ukie.capgemini.com/dana-c...terisSetup.cab[/url]

O16 - DPF: {6D936E93-7C77-6C31-9012-2ADD7642E03F} - [url]http://85.255.113.214/1/gdnFR2332.exe[/url]

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - [url]https://ve.ukie.capgemini.com/dana-c...niperSetup.cab[/url]

Click on the fix checked button.

Close HJT.

Locate and delete the following [b]bold[/b] files and/or directories(if there).

C:\WINDOWS\system\[b]smss.exe /w[/b]
[b]PowerReg Scheduler V3.exe[/b]

Reboot into normal mode and turn system restore back on.

Go [URL="http://www.techspot.com/vb/topic30213.html"]HERE[/URL] and follow the instructions for running Ewido.


Regards Howard

PC2.

The HJT log is clean. However, you`re not running any antivirus or firewall programmes. You should get some asap.

Follow the above instructions for running Ewido.

Regards Howard

[color=red][b]This thread is for the use of[/color] QfanatiQ [color=red]only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.[/color][/b]

Thanks Howard. I will indeed be going through this tonight.

I will get AVG on there, a very bad oversight. Firewall is provided by my router.

But i am concerned about the same .exe and .inf files in every shared folder on the other PC, any other ideas?

Cheers....Q

Have you got the hide protected system files turned off? If you have, just reverse the procedure in these instructions.

[b]In Windows Explorer, turn on "Show all files and folders, including hidden and system".[/b] See how here.> [url]http://www.bleepingcomputer.com/forums/tutorial62.html[/url]

Regards Howard

Howard Thanks.
HJT Log posted below after clean and following the instructions above.


Is it all clean now?

Cheers.....Q

Your HJT log is clean.

If you ever need to post a HJT log again, see [URL="http://www.techspot.com/vb/topic19133.html"]HERE[/URL] for instructions.

If you have any further virus/spyware porblems, please post in this thread.

Regards Howard

[color=red][b]This thread is for the use of[/color] QfanatiQ [color=red]only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.[/color][/b]