annonymous setup.exe appears...


amirmsebe

Broken In
hey guys,

i have been watching for one month that a file named setup.exe appears in a folder (on a separate logical drive) where i usually download all files from the net. first i thought i had downloaded it myself. when i try to run it nothing happens. so i deleted it. two days later it appeared again. also it doesn't copy itself and didn't run any background process. i checked task manager. i scanned it with Free AVG7 AV. it showed nothing. what to do ....?
 

47shailesh

Security Exp
hey, most probably i think ur system is infected by the BUGBEAR virus, it can be any other virus too....AVG is not a good antivirus, go for kaspersky and upgrade ur OS... otherwise any antivirus won't work
 

satyamy

Alive Again...
when u ran that file once it copied some files to ur windows & windows system files.
now even if u delete that file from its original path its copy does the work.
normally it's a small virus or adware......?
A good anti like Norton or Spybot can remove this.....
 

anandk

Distinguished Member
setup.exe is a setup application for many programs. during the setup time, this process appears. if it continues to run later on and off, it could be malware (a malware can be named anything).

so do try the generic suggestions mentioned above (ie run ur av and anti-spy in safe mode); else pls post ur hijackthis logfile here or at www.hijackthis.de for analysis.
 

shashank4u

Youngling
this virus will be detected by norton 2006 .. i've fixed a similar prob which
my friend is facing and norton has detected a lot of viruses..
if not norton then use nod32, but norton will do ...
 

amirmsebe

Broken In
thnx guys...here i am working on all your ideas... i'll reply soon...also i'll post the hijackthis log here....
__________
Here is the Hijackthis log file.....
Logfile of HijackThis v1.99.1
Scan saved at 10:22:26 AM, on 12/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\4t Tray Minimizer\4t-min.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\AnalogX\Proxy\proxy.exe
C:\Program Files\Toddler Keys\Toddler Keys.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Tata Indicom Wireless Internet Service\TataIndicomDialer.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRA~1\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [TataIndicomStartUp] C:\Program Files\Tata Indicom Wireless Internet Service\TataIndicomStartUp.exe
O4 - HKLM\..\Run: [CG-USBPH02] C:\Program Files\corega\CG-USBPH02\USBPH02.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: 4t Tray Minimizer.lnk = C:\Program Files\4t Tray Minimizer\4t-min.exe
O4 - Startup: Proxy (2).lnk = C:\Program Files\AnalogX\Proxy\proxy.exe
O4 - Startup: Toddler Keys.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - *download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {FA740F50-9E7F-4EFF-A7BF-F77D6F68AEF8} (WebAgent Control) - *digitechpower.dyndns.tv/webagent/WebAgent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{90CEEFED-96B4-40D0-BFFC-8689EF7E39DA}: NameServer = 203.197.12.30 202.54.1.18
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: FXVFSAMG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\general\LOCALS~1\Temp\FXVFSAMG.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: WCSvc - Unknown owner - C:\Program Files\GRT\WClient\WCSvc.exe (file missing)
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
 

anandk

Distinguished Member
a prelim examination suggests that ur pc still has a backdoor trojan infection
(nvsvcd.exe). There may be more...autoanalysing at www.hijackthis.de may show if any more exist.

i suggest u use any one of the following anti-trojans. the first 2 are freeware :
avg anti-spyware (formerly ewido anti-malware)
www.grisoft.com
or
a-squared anti-malware
*www.emsisoft.com/en/software/free/
or
trojan hunter
*www.misec.net/

scan in safe mode for best results :)
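The kind of triage anandk describes can be partly scripted against the O23 (service) lines of a HijackThis log. This is an added example, not part of the original thread or of HijackThis; the flagging heuristics (no owner string, binary under Temp, registered service whose file is missing) are my own assumptions, and the sample lines are copied from the log posted above.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: FXVFSAMG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\general\LOCALS~1\Temp\FXVFSAMG.exe
O23 - Service: WCSvc - Unknown owner - C:\Program Files\GRT\WClient\WCSvc.exe (file missing)
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
"""

# O23 lines look like "O23 - Service: <name> - <owner> - <path>[ (file missing)]".
# The owner field can itself contain " - ", so the path is anchored on a drive letter.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+) - (?P<path>[A-Za-z]:\\.*)$")

def parse_o23(log_text):
    """Return (name, owner, path, file_missing) for every O23 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        missing = path.endswith("(file missing)")
        if missing:
            path = path[: -len("(file missing)")].rstrip()
        entries.append((m.group("name"), m.group("owner"), path, missing))
    return entries

def flag_services(log_text):
    """Map each service name to the heuristic reasons it deserves a closer look.

    The heuristics are assumptions of this example, not HijackThis rules.
    """
    flags = {}
    for name, owner, path, missing in parse_o23(log_text):
        reasons = []
        if owner.lower() == "unknown owner":
            reasons.append("no vendor/owner string")
        if "\\temp\\" in path.lower():
            reasons.append("binary runs from a Temp directory")
        if missing:
            reasons.append("service registered but binary missing")
        if reasons:
            flags[name] = reasons
    return flags

if __name__ == "__main__":
    for name, reasons in flag_services(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A flagged entry is only a lead for the online multi-scanner check suggested later in the thread, not a verdict; legitimate admin tools can also trip these heuristics.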
 

amirmsebe

Broken In
ok anandk. i have already tried ewido, but it didn't work with this. i will try the other two. as hemant_mathur told me, i tried spybot. it asked for an update and i put it on. the update process got going and seems never to end. i'll tell the file size later; also the setup.exe is not appearing for now (i deleted it only yesterday, i'm sure it will come again). now the setup.exe appears only in that folder and not anywhere else. i don't have norton.

sorry guys... i had no time to reply for the last four days.... i'll try to be quick...
 

amirmsebe

Broken In
the file size is 40.0kb and i used all the s/w suggested by you folks ...except norton2006 and spybot..... all are replying that no suspicious thing was found.... and i know i didn't download that file, nor does it belong to any application setup..i checked its properties for summary details.. nothing is visible there...
 

anandk

Distinguished Member
get this file checked at
*virusscan.jotti.org/
and
*www.virustotal.com/en/virustotalf.html

u have to click the browse button and then upload ur file. it will then be scanned with MULTIPLE avs (u can c there which ones).

if no infection is detected, just forget about it.

but if a malware is detected, pls post here.
u can use the 'delete doctor' utility from www.diskcleaners.com to clean it.
 

amirmsebe

Broken In
Hello,

after a long time ..... doing all as you said (thanx people)...now i got the solution....
i downloaded AVG 7.5 Free edition and scanned ....

it got "Trojan Horse proxy.HSK" and the file size is 37kb. also it created a ".ini" file last week and changed that logical drive's icon to the setup.exe icon (default setup file icon).

thank you guys .....a lot.
 