There is some kind of virus on my home network that keeps on creating setup.ini and autorun.inf on all shared folders. If setup.exe gets executed, strange files start appearing in the c:\temp folder such as 70.exym.c.exe - avast does tell me that this file has a virus and I choose to delete it, but it does not trigger anything on the setup.exe that's there in the shared folders.
Some time later tons of spam emails start generating from my computer - avast does notify me of the spam going out, but I just have to click on stop… stop… stop, but I can't get the source program out of my computer. I have even scheduled a boot time scan and nothing happens.
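A defender-side check for the symptom described above (an autorun.inf in each share pointing at a dropped setup.exe), written as an added example and not code from this thread: it parses autorun.inf the way Windows reads it and walks a share tree, reporting what each one would launch and whether the referenced program and a setup.ini sit beside it. The sample tree it builds is constructed and inert.

```python
import os
import tempfile
from pathlib import Path

# Keys in [autorun] that make Windows start a program: open, shellexecute and
# shell\<verb>\command. Section and key names are matched case-insensitively.
def parse_autorun(text):
    section, launches = None, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                launches.append(value.strip().strip('"'))
    return launches

# Walk a share tree; for every autorun.inf report what it launches, whether that
# program is in the same folder (the self-spreading pattern from the thread)
# and whether a setup.ini was dropped beside it.
def scan_for_autorun(root):
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}
        if "autorun.inf" not in names:
            continue
        inf = Path(dirpath) / names["autorun.inf"]
        for cmd in parse_autorun(inf.read_text(encoding="latin-1", errors="replace")):
            exe = cmd.split()[0].lower() if cmd.split() else ""
            findings.append({"folder": dirpath, "launches": cmd,
                             "payload_present": exe in names,
                             "setup_ini_present": "setup.ini" in names})
    return findings

# Constructed, inert sample tree: one folder holding the thread's three files
# (autorun.inf, setup.exe, setup.ini) and one clean folder that yields nothing.
def build_constructed_share():
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "public").mkdir()
    (root / "public" / "autorun.inf").write_text(
        "[AutoRun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nshell\\open\\command=setup.exe\r\n")
    (root / "public" / "setup.exe").write_bytes(b"constructed placeholder, not a program")
    (root / "public" / "setup.ini").write_text("[setup]\r\n")
    (root / "docs").mkdir()
    (root / "docs" / "readme.txt").write_text("clean folder\n")
    return str(root)
```

Run `scan_for_autorun` against the mounted share root (or a copy of it) to list every folder the worm has seeded before cleaning them; the two hits reported for the constructed tree are the `open` and `shell\open\command` entries of the same file.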
Schedule a boot-time scan with avast again. Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot. The other option is scanning in Safe Mode (repeatedly press F8 while booting).
If avast can't detect it in normal mode, it may not detect it on a boot-time scan either, as the same signatures are used. It should get rid of the 70.exym.c.exe but, as you say, setup.exe, if run, will restore it. You could also try a registry search for setup.exe and see if it is run. Or Start, Run, type msconfig and click OK, Startup tab, check for an entry for startup.exe.
Do you have a firewall, and if so, what?
That should block unauthorised outbound connections; the Windows XP firewall doesn't provide outbound protection. Firewall logs should also be able to pinpoint the program responsible for sending them. TCPView should also be able to identify programs establishing connections.
AVG and McAfee have both been able to detect the infection in setup.exe as 'Trojan.agent.aao' and 'Downloader.agent.aii'. The temporary files that were being created have been detected as Proxy.Horst.
Thank you for the suggestions on the firewall and msconfig. I was using the XP firewall but will not use some other.
Send the sample to virus@avast.com zipped and password protected, with the password in the email body and 'undetected malware' in the subject.
Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a new, undetected virus, and include the password in the body of the email. Some info on the avast version and VPS number (see About avast {right click avast icon}) will also help.