Autorun.inf and setup.exe

There is some kind of virus on my home network that keeps on creating setup.ini and autorun.inf on all shared folders. If setup.exe gets executed, strange files start appearing in the c:\temp folder, such as 70.exym.c.exe. avast does tell me that this file has a virus and I choose to delete it, but it does not trigger anything on the setup.exe that’s there in the shared folders.

Some time later tons of spam emails start generating from my computer. avast does notify me of the spam going out, but I just have to click on stop… stop… stop, and I can’t get the source program out of my computer. I have even scheduled a boot time scan and nothing happens.

Can anyone please help me out here?

Regards

Fahad

If a virus is replicant (coming and coming again), you should:

  1. Enable/Disable System restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k.

  2. Clean your temporary files. You can use the Windows Advanced Care features for that.

  3. Schedule a boot-time scan with avast again. Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot. Another option is scanning in SafeMode (repeatedly press F8 while booting).

  4. It will be good if you download, install, update and run other trojan remover tools: a-squared, Free AVG Antispyware or SUPERantispyware (trojan removers). Some users recommend Spyware Terminator.

  5. Use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

If avast can’t detect it in normal mode, it may not detect it on a boot-time scan either, as the same signatures are used. It should get rid of the 70.exym.c.exe, but as you say, setup.exe, if run, will restore it. You could also try a registry search for setup.exe and see if it is run. Or Start, Run, type msconfig and click OK, Startup tab, check for an entry for startup.exe.

Do you have a firewall, and if so, what?
That should block unauthorised outbound connections; the Windows XP firewall doesn’t provide outbound protection. Firewall logs should also be able to pinpoint the program responsible for sending them. TCPView should also be able to identify programs establishing connections.

Where is this setup.exe located?
You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) or Jotti (multi-engine on-line virus scanner). If any other scanners there detect it, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.

You can stop the

AVG and McAfee have both been able to detect the infection in setup.exe as ‘Trojan.agent.aao’ and ‘Downloader.agent.aii’. The temporary files that were being created have been detected as Proxy.Horst.

Thank you for the suggestion for firewall and msconfig. I was using XP firewall but will not use some other.

Fahad

Send the sample to virus@avast.com, zipped and password protected, with the password in the email body and “undetected malware” in the subject.

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a new, undetected virus, and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
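For finding every shared folder that carries the autorun.inf and setup.exe pair described in this thread, the following is an added example, not code posted by anyone in the thread. It parses the `[autorun]` section of each autorun.inf found under the given roots and reports which program it launches and whether that file sits in the same folder; the folder and file contents in the demo are constructed placeholders.

```python
import ntpath
import os
import re
import tempfile

# [autorun] keys that make Windows launch a program from the folder or drive root.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def autorun_targets(text):
    """Return (key, command) pairs from the [autorun] section of autorun.inf text."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("["):                  # section header
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key):
                targets.append((key.lower(), value))
    return targets

def scan_shares(roots):
    """Walk each root and list (folder, key, command, target_present) findings."""
    findings = []
    for root in roots:
        for folder, _dirs, files in os.walk(root):
            names = {f.lower() for f in files}    # Windows names are case-insensitive
            inf = next((f for f in files if f.lower() == "autorun.inf"), None)
            if inf is None:
                continue
            with open(os.path.join(folder, inf), encoding="latin-1") as fh:
                for key, command in autorun_targets(fh.read()):
                    tokens = command.split()
                    exe = ntpath.basename(tokens[0].strip('"')).lower() if tokens else ""
                    findings.append((folder, key, command, exe in names))
    return findings

if __name__ == "__main__":
    # Constructed sample: a throwaway folder standing in for a shared folder.
    with tempfile.TemporaryDirectory() as share:
        with open(os.path.join(share, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=setup.exe\nicon=folder.ico\n")
        open(os.path.join(share, "setup.exe"), "w").close()  # empty placeholder file
        for folder, key, command, present in scan_shares([share]):
            print(f"{folder}: {key} -> {command} (file present: {present})")
```

Run it against the local paths of the shared folders; each finding names a folder to clean and a file to submit to the scanners mentioned above.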