1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

setup and autorun in my shared folders

By radaan · 10 replies
Aug 28, 2006
  1. i have a problem...two files, setup and autorun show in my shared folders, and my antivirus kaspersky tells me i have this trojan Trojan-Proxy.Win32.Horst.av and despite i delete the files, they keep apearing...can someone help me?? thanks..[[]]
  2. Peddant

    Peddant TS Rookie Posts: 1,446

    Hello radaan.Welcome to Techspot.

    Go HERE follow the instructions,then post an HJT log as a .txt attachment into this thread.
  3. radaan

    radaan TS Rookie Topic Starter

    first of all i can tell you the specific trojan thats infecting my pc.. his name is Trojan-Proxy.Win32.Horst.av.. the hijack file is in the attachment [[]]

    Attached Files:

  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações

    Click on the fix checked button.

    Close HJT.

    Other than the above, your HJT log is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :wave: :wave:

    This thread is for the use of radaan only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  5. radaan

    radaan TS Rookie Topic Starter

    thanks for the help..but the problem is still here..i made what you asked me but when i shared my documents folder the problem appeared in a matter of minutes..im going to send you the picture of the two files setup and autorun...

    Attached Files:

  6. N3051M

    N3051M TS Evangelist Posts: 2,115

    Ah.. i ran into this problem..

    I believe that the setup file is about a few kb's? if you open the autorun.inf files with notepad it has a command that points to the setup.exe file

    It hides itself as a Generic Host Process for Win32 Services when you double click on that file and it also copy itself to your other HDDs/partitions so do check for them. My firewall picked them up as "launched by program **exd**" (can't recall what it was exactly, but the first two are numbers).

    Download Process Explorer, end the tasks on the bottom of the list, usualy a fake svchost.exe (not under the winlogon tree, which is genuine, but listed as a seperate app) or boot into safe mode. Also note that this file tries to load on startup as well, so unless you've let your firewall let it through than you cant disable it (as in finding the app launching it) from starting up.

    Go and locate all those setup/autorun files on your HDDs and partitions (sometimes also found in the root folder eg C:\ ) and delete them all, and see if they reapear after a while.

    Scan with Trendmicro Housecall and follow instructions as linked in Peddant's post. I believe there is a file you have to manualy delete depending on what trendmicro picks up but i forgot what or where.. so maybe howard can help you..
  7. Peddant

    Peddant TS Rookie Posts: 1,446

    It could be this one HERE
  8. N3051M

    N3051M TS Evangelist Posts: 2,115

    Yep.. that looks like the one.. thanks for the link peddant :)
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).


    Close task manager.

    Run a full system scan with your antivirus programme and delete whatever it finds.

    Try and manually delete the setup.exe and autorun.inf files(if there).

    Reboot into normal mode and turn system restore back on and rehide your protected OS files.

    Please let us know the results.

    Regards Howard :)
  10. radaan

    radaan TS Rookie Topic Starter

    i have done what you said..the antivirus scan didnt find nothing...i erased all the files...but when i restarted the pc...it came back...
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The next time your antivirus programme finds it, please post your antivirus log as an attachment.

    We need to find out where it`s respawning from.

    In the meantime, download the Ccleaner programme from HERE. Run the programme several times. also run the issues scan and fix whatever it finds. Do this until it no longer finds anything.

    Regards Howard :)
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...