autorun.inf + setup.exe

[parisisalvo]

Ciaooo
ho cercato su google, e alcuni forum hanno questo thread, pero' non riesco a capire se c'e' soluzione.
Nelle cartelle condivise, si creano questi due files :
autorun.inf e setup.exe
di dimensioni, rispettivametne 1kb e 40kb!
li cancello in massa, e poi al riavvio, o dopo qualche ora si ripresentano puntali!!!
Ogni tanto, ma non sempre, AVAST! segnala i setup.exe come ifnetti da un << Win32:Tenga >>.

Come rimuovo?

[juninho85]

leggi qui

[parisisalvo]

Riasssssumo per chi incappasse nello stesso problema :
basta scaricare il Windows Worms Doors Cleaner!!!
Questo MALEDETTO virus, entra dalle porta 135!!
Chiudendo questa porta, tutto risolto!!!
Tutto questo è accaduto perchè non sono piu' dietro al router, fulminato e in assistenza!!! Col modem senza FIREWALL adsl si è soggetti a troppi rischi!!

[fefochip]

purtroppo ho due pc infettati e con Windows Worms Doors Cleaner non si risolve nulla
dopo un po setup.exe e il file .inf riappaiono dal nulla per magia ogni tanto
due antivirus (antivir e nod 32) li rilevano subito e eliminano setup.exe ma non il fil autorun.inf

non so come fare ...

[_ManiAc_]

stesso problema anche a me, ho letto quel topic da 40+ messaggi, cercato di risolvere in tutti i modi consigliati, installando WWDC ecc, ma nulla.

E sono gia 2 mesi, ho anche io il router rotto e mi ritrovo con quello adsl senza firewall, ecco il log di hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 15.21.27, on 21/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ManiAc\Desktop\startuplist\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [kis] "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Programmi\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Aggiungi a Kaspersky Anti-Banner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1159724887375
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9721C909-15C7-411F-BC27-CB862A91E40E}: NameServer = 85.37.17.46 85.38.28.84
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe

aiutatemi per favore...

[haruana]

avete delle cartelle condivise oltre a quelle "amministrative" tipo C$ D$ ecc....?
Se si postatele e postate dove vi ritrovate i file setup.exe e autorun.inf

[fabioxp]

ciao, c'entra qualcosa il file setup.exe che da ieri mi rileva kaspersky (deleted: Trojan program Trojan-Proxy.Win32.Horst.ky - File: C:\Documents and Settings\All Users\Documenti\setup.exe/UPX
) e riesco a cancellarlo, ma ad ogni avvio si ripresenta e le icone dei 2 hard disk, che erano condivisi, sono senza immagine, tipo icona sconosciuta

EDIT - ho cambiato nome hai dischi e l'icona è ricomparsa.

Ieri un mio amico mi ha chiamato e lui con avast ha cancellato il notepad.exe, io non ero al corrente di tale problema, ma con questo volevo dire che in sti giorni c'è proprio un attacco brutale, mi sembrava di averne sentito parlare, solo che credevo di essere apposto con antivirus + firewall ben configurati come ho fatto.
Ciao.

[Zimmemme]

Quote:

Originariamente inviato da _ManiAc_

stesso problema anche a me, ho letto quel topic da 40+ messaggi, cercato di risolvere in tutti i modi consigliati, installando WWDC ecc, ma nulla.

E sono gia 2 mesi, ho anche io il router rotto e mi ritrovo con quello adsl senza firewall, ecco il log di hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 15.21.27, on 21/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ManiAc\Desktop\startuplist\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [kis] "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Programmi\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Aggiungi a Kaspersky Anti-Banner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1159724887375
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9721C909-15C7-411F-BC27-CB862A91E40E}: NameServer = 85.37.17.46 85.38.28.84
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe

aiutatemi per favore...

Ciao...

C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

Hai il server Apache installato sotto la directory Nvidia?
Se no controlla questo file.

Anzi, controlla tutta la directory Nvidia corporation anche perchè mi pare che tu abbia una scheda video Ati quindi la cosa è ancora più sospetta.

Aspè... forse ho capito, hai una scheda video Ati ma il chipset Nvidia Nforce, giusto?

Hai un sacco di queste voci:
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
che sono dovute al firewall di Nvidia Nforce.

Io ho l'Nforce4 e questo firewall maledetto mi ha creato più fastidi che altro.
Se provi a disabilitarlo scoprirai che tutte le suddette voci scompariranno.
Ti consiglio un firewall alternativo del tipo Zone Alarm.

O17 - HKLM\System\CCS\Services\Tcpip\..\{9721C909-15C7-411F-BC27-CB862A91E40E}: NameServer = 85.37.17.46 85.38.28.84

Conosci questo dominio?
Appartiene a questi signori:
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 85.0.0.0 - 85.255.255.255
CIDR: 85.0.0.0/8
NetName: 85-RIPE
NetHandle: NET-85-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2004-04-01
Updated: 2004-04-06

# ARIN WHOIS database, last updated 2006-10-26 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.



Deferred to specific whois server: whois.ripe.net...


% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-pr...-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag

% Information related to '85.37.17.0 - 85.37.17.255'

inetnum: 85.37.17.0 - 85.37.17.255
netname: INTERBUSINESS
remarks: INFRA-AW
descr: Telecom Italia SPA
descr: Provider Local Registry
descr: BB IBS
country: IT
admin-c: INAS1-RIPE
tech-c: INAS1-RIPE
status: ASSIGNED PA
mnt-by: INTERB-MNT
source: RIPE # Filtered

%ERROR:202: access control limit reached for 213.251.189.201
%
% You have reached the limit of returned contact information objects.
% This connection will be terminated now.
% Continued attempts to return excessive amounts of contact
% information will result in permanent denial of service.
% Please do not try to use CONTACT information in
% the RIPE database for non-operational purposes.
% Refer to http://www.ripe.net/db/copyright.html
% for more information.

Se non li conosci allora fixa questa voce!!!

-------------------
Per il resto dovrebbe essere tutto apposto.

[formeapo]

Sono nella stessa condizione, non so come fare. Ho già formattato e subito si è ripresentato!

[Autorunner]

BESTIA BESTIAAA BESTIAAAAAAAA!!!!!!

POSSIBILE CHE NON SI ESCE DA QUESTA SITUAZIONE!!!!!

NOD32, AVAST, HJT, FORMATTAZIONI, AGGIORNAMENTI MICROSOFT!!!

STE DUE C...ZO DI ICONE CHE RICOMPAIONO ALLA PRIMA CONDIVISIONE!!!!


AIUTOOOOOOOOOOOO

[juninho85]

magari dico una banalità,magari l'ho giò detto e non ricordo o semplicemente ci avete già provato ma invano....in molti hanno risolti facendo una scan con bitdefender 9 aggiornato,non ricordo se da modalità provvisoria o meno,provate...
in ogni caso una volta disinfettati tappate le porte con WWDC