Autorun.inf and setup.exe self replicating

LoLyfe · Nov 27, 2006

These two files seem to just appear out of nowhere in various locations of all my hard drives. They originally came up highlighted on AntiVir as TR/dldr.horst.g.1 and then various other types of 'horst' that I'm afraid I've emptied from the quarantine now.
After running the READ & RUN ME FIRST instructions, the errors are not appearing as virus/trojans anymore - but the files are still replicating and no amount of deleting seems to get rid of them.
Any help?

LoLyfe · Nov 27, 2006

Here are more files

LoLyfe · Nov 27, 2006

and the last one...

chaslang · Nov 28, 2006

Your logs are not showing any problems and those file names (which are typical of when software is installed) are not showing anywhere in the logs either. Exactly where are they showing up and how frequently and are you installing or deleting any software in between. Put copies of the two files into a ZIP file and upload the ZIP here as an attachment.

I do recommend that you do the below!

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 9
Now install the current version of Sun Java from: Sun Java Runtime Environment

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\Documents and Settings\Lo\Local Settings\Temp

LoLyfe · Nov 28, 2006

Thanks for the response.
I can't help thinking it's attached to explorer. The ap has become extremely unstable since running the scans.
The two files appear in the following locations without fail, and I've tested that it's not just after a reboot either. Today they've appeared and now I can't seem to run another session of Windows Explorer at all. I'd say they appear after about 6 hours of deletion, and I haven't installed or uninstalled anything in the last few days.
Here is the zip file as requested, thanks in advance for your help. I'll uninstall java now...

LoLyfe · Nov 28, 2006

Sorry, I forgot to mention where these files were appearing:

c:/documents and settings/user/my documents
c:/documents and settings/all users windows/documents
d:/
h:/
c:/program files/collectorz.com
c:/documents and settings/user/local settings/application data/microsoft/outlook

It's the same files every time in the same locations.

chaslang · Nov 28, 2006

What is collectorz.com for? Is this something you installed and use. It looks like something for comic book collectors. Is it trust worthy?

Are D:\ and H:\ other hard disks? Partitions on the same hard disk?

LoLyfe · Nov 28, 2006

Collectorz.com is a database that I've used for years. It's a DVD database and as far as I'm aware is widely used and trusted.
D:/ and H:/ are seperate disks, D:/ is an internal disk and H:/ is an external USB drive. These drives are used purely for storage, although I have a program called Recover My Files on D as well, which I can't uninstall. It doesn't appear in the Add/Remove programs and doesn't have an uninstaller. I've only used it once to restore some files I deleted by mistake and it worked perfectly. No issues with it since...
Did the zip file show anything up?

chaslang · Nov 29, 2006

An online scan of the setup.exe file yields some mixed results. Some tools report it to be infected and some so no infection found. These files may be a problem or it could be related to something you are running. Let's try something else. Please run the below and attach the log:

Using Sophos Anti-Rootkit

Also tell me if the below file exists. If it does, then delete it. You may need to boot into safe mode to do this.
C:\windows\system\smss.exe

DO NOT CONFUSE this with C:\windows\system32\smss.exe which is valid.

Use HijackThis to fix the below line too:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

LoLyfe · Nov 30, 2006

The scan didn't bring anything up apart from a .tmp file, which I'll get rid of tomorrow unless I hear anything different. Attached the log anyway.

The smss.exe file is not in the system folder, so nothing done there.

Fixed the line mentioned in HJT.

Thanks for your continuing help with this...

chaslang · Dec 1, 2006

I'm not seeing anything that could be causing these files to show up. I still suspect something that you run/use like collectorz.com. Delete all of the files including the ones in the collectorz.com folder. Then make sure that you DO NOT run collectorz.com and see what happens. Does collectorz.com have anything that runs automatically? If it does, then try uninstalling it so we can be sure these are unrelated problems.

Log in or Sign up

Autorun.inf and setup.exe self replicating

LoLyfe Private E-2

Attached Files:

Activescan.txt

Activescan2.txt

bdscan.txt

LoLyfe Private E-2

Attached Files:

bdscan2.txt

hijackthis.log

runkeys.txt

LoLyfe Private E-2

Attached Files:

newfiles.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

LoLyfe Private E-2

Attached Files:

Zipfile.zip

LoLyfe Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

LoLyfe Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

LoLyfe Private E-2

Attached Files:

sarscan.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Autorun.inf and setup.exe self replicating

LoLyfe Private E-2

Attached Files:

LoLyfe Private E-2

Attached Files:

LoLyfe Private E-2

Attached Files:

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

LoLyfe Private E-2

Attached Files:

LoLyfe Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

LoLyfe Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

LoLyfe Private E-2

Attached Files:

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Useful Searches