Hi, I'm having a hard time with this situation: I have some files being automatically created on my disk: autorun.inf and install.exe. autorun.inf points to install.exe, so when I open the folder they're in.. install.exe executes.. and what it does.. I don't know! They're created at least in the following directories: C:\ ; D:\ ; H:\ ; H:\Games\ ; D:\Programas ; Z:\ The antivirus is up to date (Kaspersky) and Ad-Aware too.. and when I scan the files they get nothing! Sometimes Kaspersky tells me: INSTALL.EXE IS trying to be created, DELETE, and points me to a virus site that doesn't exist.. I deleted all the files related to them from disk, regedit strings, I booted only with the options I trust, and they still replicate!! I'm asking for help before I format my disk, so if any of you had this problem and knows how to solve it, I appreciate it! Thanks in advance!
Logfile of HijackThis v1.99.1
Scan saved at 20:14:45, on 22-08-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\Program Files\No-IP\DUC20.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\PROGRA~1\Serv-U\SERVUD~1.EXE
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\svchost.exe
D:\Program Files\RealVNC\VNC4\WinVNC4.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
D:\Program Files\Motherboard Monitor 5\MBM5.EXE
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\D-Tools\daemon.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Serv-U\ServUTray.exe
D:\WINDOWS\System32\svchost.exe
C:\Programas\mIRC\mirc.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\nbpro\nbpro.exe
D:\Program Files\Opera\Opera.exe
D:\Program Files\teamspeak2_RC2\TeamSpeak.exe
D:\Program Files\The All-Seeing Eye\eye.exe
D:\WINDOWS\system32\mmc.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Executive Software\Diskeeper\DfrgNTFS.exe
D:\Program Files\Executive Software\Diskeeper\DfrgNTFS.exe
D:\Program Files\Executive Software\Diskeeper\DkIcon.exe
D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
G:\Rar$EX00.703\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [MBM 5] "D:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ServUTrayIcon] D:\Program Files\Serv-U\ServUTray.exe
O4 - Startup: Speedtouch Connection.lnk = D:\Program Files\Thomson\SpeedTouch USB\stdialup.exe
O8 - Extra context menu item: &Search - http://kc.bar.need2find.com/KC/menusearch.html?p=KC
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{257D37CD-973A-4042-84DF-8AB9326B3D02}: NameServer = 194.65.100.117
O20 - AppInit_DLLs: MsgPlusLoader.dll,wbsys.dll
O20 - Winlogon Notify: WB - D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - D:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Cat Soft - D:\PROGRA~1\Serv-U\SERVUD~1.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Task Manager (TskMan) - Unknown owner - D:\WINDOWS\system32\TskMan.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - D:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
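A defender-side check for the behaviour the first post describes (an autorun.inf at a drive root that makes Explorer launch install.exe). This is an added example, not anything posted in the thread: it parses the [autorun] section, reports which program the file would start, and can walk a list of drive roots; the sample autorun.inf contents are constructed for the example and the root list is whatever you pass in.

```python
import os
import re

# Constructed sample of the autorun.inf the thread describes: opening the
# drive or folder makes Explorer run install.exe from the same directory.
SAMPLE_AUTORUN = """[autorun]
open=install.exe
shellexecute=install.exe
shell\\open\\command=install.exe
icon=install.exe,0
"""

# [autorun] keys that start a program (the third is the shell\verb\command form)
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, ignoring other sections."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def first_token(value):
    """Executable part of a command line, honouring a quoted path with spaces."""
    m = re.match(r'"([^"]*)"|(\S+)', value.strip())
    return (m.group(1) or m.group(2)) if m else ""

def launched_targets(text):
    """Programs this autorun.inf would start when the volume or folder is opened."""
    entries = parse_autorun(text)
    targets = {first_token(entries[k]) for k in LAUNCH_KEYS if entries.get(k)}
    return sorted(t for t in targets if t)

def scan_roots(roots):
    """Roots (e.g. C:\\ and D:\\) that carry an autorun.inf, with what each launches."""
    findings = []
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, encoding="latin-1", errors="replace") as fh:
                findings.append((root, launched_targets(fh.read())))
    return findings
```

Run `scan_roots(["C:\\", "D:\\", "H:\\", "Z:\\"])` on the affected machine to list which roots would auto-launch something and what; a root that launches an executable you did not put there is the one to quarantine.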
And have you tried scanning it with Spybot Search & Destroy and Ad-Aware SE to see if it's spyware? Make sure they are updated and try again.
Please extract and run HijackThis from a program folder. Reboot and close all running programs before you run HijackThis. Now post the new log. Run ActiveScan; if any infection is found, save the log and post it here. http://www.pandasoftware.com/activescan/
Make sure your Serv-U program is not a modified version. Edit: Looking at some info, this might be your problem, as it seems related to the (missing) TskMan.exe process. Troj/ServU-BC (Sophos name) http://www.sophos.com/virusinfo/analyses/trojservubc.html http://www.sophos.com/support/disinfection/trojan.html O23 - Service: Task Manager (TskMan) - Unknown owner - D:\WINDOWS\system32\TskMan.exe (file missing) Have you had any worm or virus problems? --- I can't see any reference to autorun.inf or install.exe in the log. They are often used for CDs (autorun) and, as you have DAEMON Tools installed, it may not be impossible that it is related to a game?
Thanks for the replies. A while ago I had the modified "with trojan" Serv-U, but then I downloaded the official one from the website, and the antivirus warnings stopped. And these symptoms are from now. And I'm pretty sure this isn't related to any game install. I play Medal of Honor online, with anti-cheat, and I noticed this two days ago when the anti-cheat found CHEATS/install.exe in my game folder; that's when I found they were "replicating". If you're interested and you can do anything with them, I can post the files here. /edit install.rar I used Kaspersky, avast!, Ad-Aware and Spy Sweeper with the latest definitions and found nothing.
You are infected with a trojan!! NOD32 detects it!! This is what happens when I try to download it!!
Thank you, I'll download that program and post the results. edit: I installed it, it scanned the computer and "FOUND and Deleted" the install.exe's that I have.. but nothing more.. so whatever is causing them to replicate.. must still be INSIDE!!! /edit
Well, at least it's detected as a virus. It finds the virus, Win32/Robobot, it quarantines it, but it keeps on coming! I can't seem to find the info or the site to tell me what to do to prevent this from happening! Even if I do format the PC and install Windows again, it might happen again, because I don't know how it happens and how to stop it! If anybody sees info about this, tell me please, and thanks for the help so far.
You MUST start by updating your OS fully; even if you reinstall XP you must update and keep the OS updated. AVs are often no match for worms on unpatched systems, so keep your OS updated. Also install a firewall, or install SP2 and enable the firewall. You MUST follow the instructions for disabling System Restore, booting in Safe Mode AND unplugging from the net. This trojan is a trojan that executes other malware. You will want to copy the text from this post and save it as a text file (*.txt) or print it, because you will be working offline (in Safe Mode) to resolve your problem and will not have access to this forum. Follow these STEPS.

STEP 1
You must turn off System Restore during this process. You will keep it off until we are done fixing your system.

STEP 2
In NOD32, under the NOD32 on-demand scanner, press "Run NOD32". Go to the Profile tab and in the drop-down menu pick the "Control Center Profile - Local". Go to the Action tab and set it to delete. Go to the Setup and make sure all scanning is enabled. Now press the Quit button; NOD32 will inform you that the profile is changed, press "Yes" to save the changes.

STEP 3
1. Now turn off your computer and remove the network cable/phone line from your machine.
2. Reboot your computer in Safe Mode.

STEP 4
Run NOD32 and use the "Local" scan, let it delete any infected files.

STEP 5
1. Reconnect your network cable/phone line.
2. Reboot your system into normal mode.

STEP 6
Run HijackThis again and post a new log file. Run ActiveScan and post any infection found: http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Online trojan scanners:
http://scan.sygate.com/pretrojanscan.html
http://www.windowsecurity.com/trojanscan/

Online AV:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.ravantivirus.com/scan/
Yes, reboot in Safe Mode, but why run NOD32? He has Kaspersky. It's the highest rated AV prog. 99% effective.
You did not read all of the thread... did you. bakuryu's NOD32 found the worm. HoT-DoG then downloaded NOD32 and that's why he should use it.
lol Well.. since I use NOD32, the install.exe files are being stopped from replicating themselves, and it solves part of the problem, but I still don't know where it comes from. I installed the AutoPatcher, with all the updates for Windows XP, but I didn't reboot the PC yet... I'm a 24h downloader :S When I do I'll tell you if it worked. Thanks for the help.
Yes, I read enough to know why he couldn't find it. Those worms get into everything. He had System Restore running and he didn't boot into Safe Mode when he ran Kas. I know what you're saying. Go with whatever works to get rid of it.
NO!! One thing I must say! The first thing I do after installing Windows is to turn off the EVIL SYSTEM RESTORE OF DEATH, house of many slowdowns and viruses!! Just to make my soul a bit brighter.
No, I'm not saying "go with whatever works to get rid of it". I'm saying if you have NOD32 installed (which he did when I wrote the instructions) you should use it, period.