View Full Version : setup.exe & autorun.inf in C:\



ellulbrian
2006-08-14, 03:08
I'm getting two strange files (setup.exe & autorun.inf) in the root directory of the hdd (C:\). I'm always deleting them but they reappear at a random time. I've also scanned with S&D, BitDefender and Panda Active Scan (see below).

I've attached the setup.exe file if someone can analyze what is it.

Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 02:54:16, on 14/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
C:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe
C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Documents and Settings\User\My Documents\procexp.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\Program Files\Opera 9\Opera.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E31CCB4-9988-4FA1-8A10-2DF88CBB245D}: NameServer = 194.158.37.177
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4F168BA-E08A-4F25-B61C-3F0F6EAA612C}: NameServer = 194.158.37.196,194.158.37.211
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bandwidth Monitor Pro - Pro²soft - C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


Panda Active Scan

Incident                                            Status           Location
Potentially unwanted tool:Application/MyWebSearch   Not disinfected  C:\WINDOWS\system32\f3PSSavr.scr
Adware:adware/fastvideoplayer                       Not disinfected  C:\WINDOWS\inf\fastvideoplayer.inf
Spyware:Cookie/Tribalfusion                         Not disinfected  C:\WINDOWS\Temp\Cookies\user@tribalfusion[2].txt
Potentially unwanted tool:Application/ServUBased.A  Not disinfected  C:\Documents and Settings\User\My Documents\My Received Files\susetup.exe
Spyware:Cookie/YieldManager                         Not disinfected  C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[1].txt

tashi
2006-08-14, 04:21
Please do not attach infected files, if a helper wishes to analyse a file they will give you a link to submit.

My own anti-virus program flagged it immediately.

Thank you. ;)

ellulbrian
2006-08-14, 04:57
I don't know what it is because S&D, BitDefender, Panda ActiveScan and Windows Defender didn't detect anything.

So what's the name of the infection that your anti-virus detected?

Thanks

ellulbrian
2006-08-15, 02:57
Thanks to pskelly for the links, I've scanned the file online.

These are the Jotti results:

AntiVir: Found Heuristic/Trojan.Downloader (probable variant)
NOD32: Found probably a variant of Win32/Medbot.BH (probable variant)
All others: Found nothing

These are the VirusTotal results:

McAfee: BackDoor-CMQ.dldr
NOD32v2: probably a variant of Win32/Medbot.BH
Panda: Suspicious file
All others: Found nothing

So is there a clue how to remove this malware? pls.

Thanks

ellulbrian
2006-08-16, 01:21
How can I remove the above mentioned Medbot or BackDoor-CMQ.dldr according to McAfee?

Any suggestions pls?

LonnyRJones
2006-08-18, 15:48
Welcome

Start HijackThis and place a check next to these items if there.

O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
====================================
Hit Fix checked and close HijackThis.

Delete these three files if you haven't already:
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\inf\fastvideoplayer.inf
C:\Documents and Settings\User\My Documents\My Received Files\susetup.exe


Post a report from a different online scanner, such as
Computer Associates eTrust AV Web Scanner: http://www3.ca.com/virusinfo/virusscan.aspx
Select all drives, scan, try to cure/repair; if it cannot, choose delete! If it cannot delete, tell us the file names and locations.

ellulbrian
2006-08-19, 07:47
eTrust AV found 2 infected files with Java/ByteVerify!exploit in the java cache dir and deleted them.

Now I'll post as soon as the files (setup.exe & autorun.inf) reappear.

Thanks LonnyRJones for your help.

ellulbrian
2006-08-19, 11:42
NO luck, setup.exe and autorun.inf have returned :mad:

Any other suggestions? pls.

LonnyRJones
2006-08-19, 13:07
Attach the files here
http://www.thespykiller.co.uk/forum/index.php?board=1.0
then go get that eTrust scan and let us know the results.

ellulbrian
2006-08-21, 11:25
I've attached the file here (http://www.thespykiller.co.uk/forum/index.php?PHPSESSID=6ce62b15253daf617e46ada5f76aa469&topic=2402.0) (if I've understood you correctly)

and etrust didn't find any infections.

Thanks for your assistance

LonnyRJones
2006-08-21, 16:17
Set Windows to show hidden files, folders and file extensions.
Click here for instructions (http://www.xtra.co.nz/help/0,,4155-1916458,00.html).
Save these instructions to a text file for later reference.
Reboot into safe mode. Click here if needed (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx) for instructions.
Go Start > Run, copy then paste in the bolded line below and press Enter:

C:\Documents and Settings\All Users\Documents
Delete setup.exe and autorun.inf if present.
Go Start > Run, type in
%temp%
and delete the entire contents; it's safe.
Delete these files if present:
c:\autorun.inf
c:\setup.exe
c:\WINDOWS\system\smss.exe (careful of spelling and location)
c:\WINDOWS\system32\nvsvcd.exe
Restart back to a normal Windows session. Let me know of any problems.
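
The file checks in the steps above, as an added example (not the helper's or the forum's own code): a small Python script that looks for the files listed in the post under a given root, tries to delete them, and reports the ones the OS refuses to remove, which is how a file held open by a running process shows up. The root directory and the scratch folder built by demo() are assumptions so it can run anywhere; the real paths are under C:\.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Files the helper asks to delete, relative to the system drive root (C:\ in
# the thread). The root is a parameter so the check can run against any folder.
INDICATOR_FILES = [
    "autorun.inf",
    "setup.exe",
    "Documents and Settings/All Users/Documents/setup.exe",
    "Documents and Settings/All Users/Documents/autorun.inf",
    "WINDOWS/system/smss.exe",      # 'system', not 'system32': a lookalike name
    "WINDOWS/system32/nvsvcd.exe",
]

def find_indicators(root):
    """Return the indicator files that actually exist under root."""
    return [str(Path(root, rel)) for rel in INDICATOR_FILES
            if Path(root, rel).is_file()]

def remove_files(paths):
    """Delete each path. Returns (deleted, failed); failed pairs a path with the
    OS error text, which is how a file held open by a running process shows up
    (the thread's 'being used by another user or program' message)."""
    deleted, failed = [], []
    for p in paths:
        try:
            os.remove(p)
            deleted.append(p)
        except OSError as e:
            failed.append((p, e.strerror))
    return deleted, failed

def demo():
    """Constructed run: a scratch root holding the two root-level files, plus a
    %temp% entry the OS refuses to delete (simulated here with a directory,
    since os.remove() cannot remove one). Returns counts and the failed names."""
    root = tempfile.mkdtemp()
    for rel in ("autorun.inf", "setup.exe"):
        Path(root, rel).write_bytes(b"constructed sample, not the real file")
    temp_dir = Path(root, "temp")
    (temp_dir / "tmp1").mkdir(parents=True)
    found = find_indicators(root)
    deleted, failed = remove_files(found + [str(temp_dir / "tmp1")])
    shutil.rmtree(root, ignore_errors=True)
    return len(found), len(deleted), [os.path.basename(p) for p, _ in failed]

if __name__ == "__main__":
    print(demo())  # (2, 2, ['tmp1'])
```

A non-empty failed list means the file is still held by something running, which is why the post has this done from safe mode.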

LonnyRJones
2006-08-22, 02:48
Where else have you asked for help ?
http://www.geekstogo.com/forum/Potentially_Medbot-t126777.html

tashi
2006-08-22, 03:20
07-19-2006
http://www.techspot.com/vb/showthread.php?t=54511

Go HERE and follow the instructions at the bottom of the page for Newnet removal.

Is this the same computer with on-going problems since 2005-11-12 when you asked for assistance but did not follow up?

http://forums.spybot.info/showthread.php?p=1356#post1356

newnet on the system.

ellulbrian
2006-08-22, 14:29
07-19-2006
Is this the same computer with on-going problems since 2005-11-12 when you asked for assistance but did not follow up?

http://forums.spybot.info/showthread.php?p=1356#post1356
Yes, but the problem was resolved or at least Spybot is not reporting any threats so it can be closed.

Sorry for not following up and THANKS for your help.

ellulbrian
2006-08-22, 14:40
Where else have you asked for help ?
http://www.geekstogo.com/forum/Potentially_Medbot-t126777.html

I've started a thread at GeeksToGo after 3 days with no reply from SpyBot so I had to find help somewhere else.

BTW I've started only these two Threads.

ellulbrian
2006-08-22, 15:26
C:\Documents and Settings\All Users\Documents
delete setup.exe and autorun.inf if present
go start run type in
%temp%
delete the entire contents, it's safe.
Delete these files if present
c:\autorun.inf
c:\setup.exe
c:\WINDOWS\system\smss.exe (careful of spelling and location)
c:\WINDOWS\system32\nvsvcd.exe
restart back to a normal windows session. let me know of any problems.

The following files were not found:
c:\WINDOWS\system\smss.exe
c:\WINDOWS\system32\nvsvcd.exe

and in the %temp% folder there was a file (tmp1) which could not be deleted.

Error: cannot delete tmp1: it is being used by another user or program (not the exact wording)

and I cannot find it in normal mode.

THANKS