Setup.exe in all my winrar files

Hey guys,

I have been infected with some virus which has added a “setup.exe” file to all my winrar files. Avast didn't pick it up!!! Any idea how to solve this?

How do you know it is a virus? What detected it?

Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic, the URL in the Address bar of the VT results page. This should give some malware names and could help in removal, otherwise it could be manual removal from your .rar files, but most importantly finding what infected them.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

To get clean, I suggest a full on-line scan of the computer:
BitDefender
ESET NOD32
F-Secure

Also: use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

Thanks for the replies…

I know it's malware because it has infected all my rar files.

Here is the analysis:

https://www.virustotal.com/reanalisis.html?831b393a1d4a728c8489d7976022b0a2

File has already been analysed:
MD5: 5936f3cd9071bd1c1598fbe2dd9acbce 
First received: 05.01.2009 16:16:50 (CET) 
Date: 05.06.2009 19:32:15 (CET) [<1D] 
Results: 15/40 
Permalink: analisis/a6ed928de064ad69e4edbc0012da294b 

https://www.virustotal.com/analisis/a6ed928de064ad69e4edbc0012da294b

File rundll52.exe received on 05.06.2009 19:32:15 (CET)
Current status: finished 

Result: 15/40 (37.50%)
Antivirus Version Last Update Result 
a-squared - - Trojan.Win32.Buzus!IK 
AhnLab-V3 - - - 
AntiVir - - TR/Agent.mcv.16 
Antiy-AVL - - Trojan/Win32.Buzus 
Authentium - - - 
Avast - - - 
AVG - - Generic13.AHNS 
BitDefender - - - 
CAT-QuickHeal - - - 
ClamAV - - - 
Comodo - - - 
DrWeb - - - 
eSafe - - Win32.TRAgent.Mcv 
eTrust-Vet - - - 
F-Prot - - - 
F-Secure - - Trojan.Win32.Buzus.axfr 
Fortinet - - W32/Buzus.AXFR!tr 
GData - - - 
Ikarus - - Trojan.Win32.Buzus 
Jiangmin - - - 
K7AntiVirus - - - 
Kaspersky - - Trojan.Win32.Buzus.axfr 
McAfee - - - 
McAfee+Artemis - - Artemis!5936F3CD9071 
McAfee-GW-Edition - - Trojan.Agent.mcv.16 
Microsoft - - - 
NOD32 - - Win32/Injector.NY 
Norman - - - 
nProtect - - - 
Panda - - Suspicious file 
PCTools - - - 
Rising - - - 
Sophos - - - 
Sunbelt - - - 
Symantec - - - 
TheHacker - - Trojan/Buzus.axfr 
TrendMicro - - - 
VBA32 - - Trojan.Win32.Buzus.axfr 
ViRobot - - - 
VirusBuster - - - 
Additional information 
MD5: 5936f3cd9071bd1c1598fbe2dd9acbce 
SHA1: ca8e27fc368b1bd0de1e1edf0706b728e01ac498 
SHA256: cccd78e6633a70d4400e1b19a847c9b6167285533433273b4933b144491074f1 
SHA512: 80b2778f732808931661928a5bbfe9a2ec7f760f6e54392ad753f8300f79e3a375048f53e41cfdcfb729e16820bae3e69cb7f56d7344d0f5b0f3d03236983045 



I sent the file according to the instructions you provided.

OK now to find the infecter, using the links that Tech gave.

I am having exactly the same issue here. Any ideas on how to fix this?

Did you try on-line scanning as I’ve posted before?