Anonymous setup.exe appears...

Discussion in 'Software Q&A' started by amirmsebe, Oct 10, 2006.

Thread Status:
Not open for further replies.
  1. amirmsebe (New Member)
    Hey guys,

    For one month I have been watching a file named setup.exe appear in a folder (on a separate logical drive) where I usually download all files from the net. At first I thought I had downloaded it myself. When I try to run it nothing happens, so I deleted it. Two days later it appeared again. It also doesn't copy itself and didn't run any background process; I checked Task Manager. I scanned it with the free AVG 7 AV; it showed nothing. What to do?
     
  2. 47shailesh (Security Exp)
    Hey, most probably I think your system is infected by the BUGBEAR virus; it can be any other virus too. AVG is not a good antivirus; go for Kaspersky and upgrade your OS, otherwise any antivirus won't work.
     
  3. hemant_mathur (-- No Easter Eggs here --)
    Scan your system with a spyware detector like Spybot Search & Destroy. Also, what's the file size?
     
  4. satyamy (Alive Again...)
    When you ran that file once, it copied some files to your Windows and Windows system folders.
    Now even if you delete that file from its original path, its copy does the work.
    Normally it's a small virus or adware?
    A good anti-malware tool like Norton or Spybot can remove this.
     
  5. anandk (Distinguished Member)
    setup.exe is the setup application for many programs. During setup, this process appears. If it continues to run later, on and off, it could be malware (malware can be named anything).

    So do try the generic suggestions mentioned above (i.e. run your AV and anti-spyware in Safe Mode); else please post your HijackThis logfile here or at www.hijackthis.de for analysis.
     
  6. shashank4u (Member)
    This virus will be detected by Norton 2006. I've fixed a similar problem which
    my friend was facing, and Norton detected a lot of viruses.
    If not Norton then use NOD32, but Norton will do.
     
  7. amirmsebe (OP, New Member)
    Thanks guys. Here I am working on all your ideas. I'll reply soon; I'll also post the HijackThis log here.
    __________
    Here is the HijackThis log file:
    Logfile of HijackThis v1.99.1
    Scan saved at 10:22:26 AM, on 12/10/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\LClock\LClock.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\4t Tray Minimizer\4t-min.exe
    C:\Program Files\NDAS\System\ndassvc.exe
    C:\Program Files\AnalogX\Proxy\proxy.exe
    C:\Program Files\Toddler Keys\Toddler Keys.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Tata Indicom Wireless Internet Service\TataIndicomDialer.exe
    C:\Program Files\DAP\DAP.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRA~1\DAP\DAPIEBar.dll
    O4 - HKLM\..\Run: [TataIndicomStartUp] C:\Program Files\Tata Indicom Wireless Internet Service\TataIndicomStartUp.exe
    O4 - HKLM\..\Run: [CG-USBPH02] C:\Program Files\corega\CG-USBPH02\USBPH02.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Startup: 4t Tray Minimizer.lnk = C:\Program Files\4t Tray Minimizer\4t-min.exe
    O4 - Startup: Proxy (2).lnk = C:\Program Files\AnalogX\Proxy\proxy.exe
    O4 - Startup: Toddler Keys.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {FA740F50-9E7F-4EFF-A7BF-F77D6F68AEF8} (WebAgent Control) - http://digitechpower.dyndns.tv/webagent/WebAgent.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{90CEEFED-96B4-40D0-BFFC-8689EF7E39DA}: NameServer = 203.197.12.30 202.54.1.18
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: FXVFSAMG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\general\LOCALS~1\Temp\FXVFSAMG.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
    O23 - Service: WCSvc - Unknown owner - C:\Program Files\GRT\WClient\WCSvc.exe (file missing)
    O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
     
    Last edited: Oct 12, 2006
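    The log above is what anandk asked for, and reading it is mostly a matter of applying a few fixed checks to each O4/O16/O23 line. As an added example (not part of the thread, and not HijackThis's own logic), here is a small Python triage script that does that mechanically. The sample lines are copied from the log posted above; the rules it applies (autostart binaries under a Temp directory, entries whose binary is gone, services with no vendor name running from the Windows directory, ActiveX controls fetched from dynamic-DNS hosts, and remote-access tooling such as PsExec, VNC or a proxy registered at startup) are the example's own heuristics, and the dynamic-DNS suffix list is an assumption. HijackThis prints "Unknown owner" when the service binary carries no company name in its version information.

```python
"""Triage helper for HijackThis O4 / O16 / O23 lines.

Added example, not code from the thread or from HijackThis: it applies the
checks a responder runs by eye over an autostart list. The sample lines are
copied from the log posted in the thread; the rules are this example's own
heuristics (assumptions), and a flag means "look at this", not "malware".
"""
import re
from dataclasses import dataclass

# Lines copied from the log in the thread; the first and last are benign controls.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O16 - DPF: {FA740F50-9E7F-4EFF-A7BF-F77D6F68AEF8} (WebAgent Control) - http://digitechpower.dyndns.tv/webagent/WebAgent.cab
O23 - Service: FXVFSAMG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\general\LOCALS~1\Temp\FXVFSAMG.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: WCSvc - Unknown owner - C:\Program Files\GRT\WClient\WCSvc.exe (file missing)
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
"""

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")          # "O23 - Service: ..."
TEMP_RE = re.compile(r"\\temp\\", re.I)                # ...\LOCALS~1\Temp\x.exe
WINDIR_RE = re.compile(r":\\windows\\", re.I)          # C:\WINDOWS\... or system32
REMOTE_ADMIN_RE = re.compile(r"psexesvc|winvnc|\\proxy\.exe", re.I)
DYNDNS_SUFFIXES = (".dyndns.tv", ".dyndns.org", ".no-ip.org", ".no-ip.com")  # assumed list


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O23"
    line: str      # the original log line
    reasons: list  # why it was flagged


def check_line(line):
    """Return the list of reasons this HijackThis line deserves a look ([] if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, rest = m.group(1), m.group(2)
    reasons = []
    if section in ("O4", "O20", "O23"):
        if TEMP_RE.search(rest):
            reasons.append("autostart binary lives under a Temp directory")
        if "(file missing)" in rest:
            reasons.append("dangling entry: the registered binary is gone")
        if section == "O23" and "Unknown owner" in rest and WINDIR_RE.search(rest):
            reasons.append("service with no vendor name runs from the Windows directory")
        if REMOTE_ADMIN_RE.search(rest):
            reasons.append("remote-access tooling at startup; confirm it is intended")
    elif section == "O16":
        host = re.search(r"https?://([^/\s]+)", rest)
        if host and host.group(1).lower().endswith(DYNDNS_SUFFIXES):
            reasons.append("ActiveX control fetched from a dynamic-DNS host")
    return reasons


def triage(log_text):
    """Run check_line over every line of a log and keep only the flagged ones."""
    findings = []
    for raw in log_text.splitlines():
        reasons = check_line(raw)
        if reasons:
            section = LINE_RE.match(raw.strip()).group(1)
            findings.append(Finding(section, raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line[:72])
        for r in f.reasons:
            print("   ->", r)
```

    Run against the sample it flags six of the eight lines and leaves the LClock and McAfee entries alone. A flag is a prompt to go and look at the file (hash it, check its version information, ask who installed it), not a verdict; PsExec and VNC are legitimate tools on a machine that is meant to be administered remotely.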
  8. anandk (Distinguished Member)
  9. amirmsebe (OP, New Member)
    OK anandk. I have already tried ewido, but it didn't work with this. I will try the other two. As hemant_mathur suggested, I tried Spybot; it asked for an update and I started it, but the update process got going and seems never to end. I'll tell you the file size later. Also the setup.exe is not appearing for now (I deleted it only yesterday; I'm sure it will come again). Now the setup.exe appears only in that folder and not anywhere else. I don't have Norton.

    Sorry guys, I had no time to reply for the last four days. I'll try to be quick.
     
  10. amirmsebe (OP, New Member)
    The file size is 40.0 KB, and I used all the software suggested by you folks except Norton 2006 and Spybot. All are replying that nothing suspicious was found. And I know I didn't download that file, nor does it belong to any application setup. I checked its properties for summary details; nothing is visible there.
     
  11. anandk (Distinguished Member)
  12. amirmsebe (OP, New Member)
    Hello,

    After a long time, doing all as you said (thanks people), I now have the solution.
    I downloaded AVG 7.5 Free Edition and scanned.

    It found "Trojan Horse Proxy.HSK"; the file size is 37 KB. Also, last week it created an ".ini" file and changed that logical drive's icon to setup.exe's icon (the default setup file icon).

    Thank you guys a lot.
     
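    The last detail in that post, an ".ini"-style file appearing and the drive then showing setup.exe's icon, is worth a check of its own. On Windows XP a drive's icon is set by an [autorun] section whose icon= points at a file, and the same section's open=, shellexecute= or shell\...\command= keys decide what runs when the drive is opened or autoplayed; that the dropped file was an autorun.inf is an assumption here, since the post does not name it. As an added example (not from the thread or from any product), the script below parses such a file and reports every directive that launches a binary or borrows its icon from one. The sample content is constructed to match the behaviour the post describes.

```python
"""Audit an autorun.inf (or similar INI file) for directives that launch a
binary or make a drive wear an executable's icon.

Added example, not from the thread. Assumption: the ".ini" the final post
mentions is an [autorun] file in the drive root; the sample is constructed.
"""
import configparser

# Constructed sample, modelled on the behaviour reported in the thread.
SAMPLE_AUTORUN = r"""
[autorun]
open=setup.exe
icon=setup.exe
shell\open\command=setup.exe
label=Downloads
"""

LAUNCH_KEYS = {"open", "shellexecute"}          # run on open / AutoPlay
ICON_KEYS = {"icon", "iconfile"}                # autorun.inf / desktop.ini icon source
BINARY_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll")


def _target(value):
    """Strip icon index ("file.exe,1") and arguments ("file.exe /q") to the file name."""
    value = value.strip()
    if not value:
        return ""
    return value.split(",")[0].split()[0].strip('"')


def audit_ini(text):
    """Return one dict per suspicious directive: section, key, target file, reason."""
    # strict=False tolerates duplicate keys; interpolation=None keeps '%' literal;
    # '=' as the only delimiter so 'C:\path' is not split at the colon.
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):    # configparser lowercases keys
            target = _target(value)
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if key in LAUNCH_KEYS or is_verb:
                findings.append({"section": section, "key": key, "target": target,
                                 "why": "executes when the drive is opened or autoplayed"})
            elif key in ICON_KEYS and target.lower().endswith(BINARY_SUFFIXES):
                findings.append({"section": section, "key": key, "target": target,
                                 "why": "drive/folder icon is read from an executable"})
    return findings


if __name__ == "__main__":
    for f in audit_ini(SAMPLE_AUTORUN):
        print(f"[{f['section']}] {f['key']} -> {f['target']}: {f['why']}")
```

    On the sample this reports three directives, all pointing at setup.exe: the two that run it and the one that gives the drive its icon. A label= line or an icon taken from a .ico file is left alone, which is what a legitimate autorun.inf on a CD or USB stick usually looks like.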