Weird files keep installing


Mikkel Z. Herold

I have recently noticed that three unknown exe-files have popped up in
various places on my hard drive.

The files are named "install.exe", "setup.exe" and "update32.exe"
respectively, and they are placed in the root of each of my partitions
(i.e. C:, D: and E:) and in the folder "C:\Documents and Settings\All
Users\Documents".

Furthermore, there is an "autorun.inf" file in each of the locations
that opens the "install.exe" file (the content is "open=install.exe").

I have deleted these files several times, but they keep coming back.

To make matters worse (or weirder!), my Norton 2005 has told me one time
that the "update32.exe" was infected with a virus (W32.Pinfi). It kept
giving me the alert until I deleted the file. The strange thing is that
it has not alerted me since, despite the fact that the files have come back.

Should I worry about these files? I have tried searching google for an
answer, but the filenames are obviously too common to yield any usable
result.

Any info on this will be greatly appreciated!

Mikkel

--
"At first just a rustle of canvas
And the gentlest breath on my face
But a galloping line of white horses
Said that soon we were in for a race"
Sting - The Wild Wild Sea

http://www.mzh.dk
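The symptom described above (an `autorun.inf` at each drive root whose `open=` line points at an executable dropped beside it) is something a defender can check for mechanically. The following is an added example, not code from the thread or from any of the tools mentioned in it: it walks a directory tree, finds every `autorun.inf`, parses the keys that cause a program to run (`open` and `shellexecute`), and reports what each one points at and whether that target actually exists next to it. It runs against a constructed temporary tree that mirrors the post (a root `autorun.inf` next to `install.exe`, and a second one under `All Users\Documents` whose target is missing); the folder names and file contents are sample data, and on a real machine you would pass the drive roots to `scan_for_autorun()` instead.

```python
import os
import tempfile
from pathlib import Path

# autorun.inf keys that cause something to be launched when the volume is opened
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(path):
    """Return {key: target} for execution-related keys in one autorun.inf.

    The file is INI-like.  A headerless file such as the one in the thread
    ("open=install.exe" with no [autorun] line) is treated as [autorun].
    """
    found = {}
    section = "autorun"
    try:
        text = Path(path).read_text(encoding="latin-1", errors="replace")
    except OSError:
        return found
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in EXEC_KEYS:
            found[key] = value.strip().strip('"')
    return found


def scan_for_autorun(roots):
    """Walk each root and describe every autorun.inf that launches a program."""
    results = []
    for root in roots:
        root = Path(root)
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != "autorun.inf":
                    continue
                inf = Path(dirpath) / name
                for key, target in parse_autorun(inf).items():
                    # the value may carry arguments; the first token is the program
                    prog = target.split()[0] if target else ""
                    results.append({
                        "inf": str(inf),
                        "key": key,
                        "target": target,
                        "target_present": bool(prog) and (Path(dirpath) / prog).is_file(),
                        "depth": len(Path(dirpath).relative_to(root).parts),
                    })
    results.sort(key=lambda r: (r["depth"], r["inf"]))
    return results


def build_sample_tree():
    """Constructed sample tree (not a real infection) mirroring the thread."""
    root = Path(tempfile.mkdtemp(prefix="autorun_demo_"))
    (root / "autorun.inf").write_text("open=install.exe\n")
    (root / "install.exe").write_bytes(b"MZ placeholder, not a real program")
    docs = root / "Documents and Settings" / "All Users" / "Documents"
    docs.mkdir(parents=True)
    # second copy: proper [autorun] header, arguments on the open line, target absent
    (docs / "autorun.inf").write_text("[autorun]\n; dropped copy\nopen=install.exe /quiet\n")
    return root


def report(results):
    """Human-readable one line per finding."""
    lines = []
    for r in results:
        status = "target present" if r["target_present"] else "target MISSING"
        lines.append(f'{r["inf"]}: {r["key"]}={r["target"]!r} ({status})')
    return lines


if __name__ == "__main__":
    for line in report(scan_for_autorun([build_sample_tree()])):
        print(line)
```

A finding where the target is present is the interesting one for cleanup: the pair has to be removed together, and the location of any further copies tells you which partitions the dropper can write to. A finding whose target is missing is evidence that a copy was partially cleaned, which is what repeated manual deletion tends to leave behind.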
 

Tom Pepper Willett

update32.exe appears to be a worm:
http://www.sysinfo.org/startuplist.php?filter=&letter=U

Tom
| I have recently noticed that three unknown exe-files have popped up in
| various places on my hard drive.
|
| The files are named "install.exe", "setup.exe" and "update32.exe"
| respectively, and they are placed in the root of each of my partitions
| (i.e. C:, D: and E:) and in the folder "C:\Documents and Settings\All
| Users\Documents".
|
| Furthermore, there is an "autorun.inf" file in each of the locations
| that opens the "install.exe" file (the content is "open=install.exe").
|
| I have deleted these files several times, but they keep coming back.
|
| To make matters worse (or weirder!), my Norton 2005 has told me one time
| that the "update32.exe" was infected with a virus (W32.Pinfi). It kept
| giving me the alert until I deleted the file. The strange thing is that
| it has not alerted me since, despite the fact that the files have come back.
|
| Should I worry about these files? I have tried searching google for an
| answer, but the filenames are obviously too common to yield any usable
| result.
|
| Any info on this will be greatly appreciated!
|
| Mikkel
|
| --
| "At first just a rustle of canvas
| And the gentlest breath on my face
| But a galloping line of white horses
| Said that soon we were in for a race"
| Sting - The Wild Wild Sea
|
| http://www.mzh.dk
 

Malke

Mikkel said:
| So it does. But what to do about it? I haven't been able to find
| anything on google...

Do the normal malware removal steps. If you don't have a full-featured
av installed (version not earlier than 2003 and using updated
definitions), start by running Sysclean in Safe Mode.

TrendMicro's Sysclean is an extensive antivirus tool which has the
advantage of not needing to be installed. It requires two parts - the
scanning engine and the virus pattern files.

1. Create a new folder on your Desktop or the C: drive named something
useful like "Sysclean".
2. Go here and download the two parts of the program to that folder:

http://www.trendmicro.com/download/dcs.asp - Sysclean
http://www.trendmicro.com/download/pattern.asp - virus pattern files

The pattern files will be zipped - extract them with your unzipper (like
WinZip) or if you have XP, you can just open the folder. You need to
put the extracted files in the Sysclean folder you made.

3. Restart your computer in Safe Mode. Get into Safe Mode by repeatedly
tapping the F8 key as the computer is starting up to get to the proper
menu.
4. Go to the Sysclean folder you made and double-click on sysclean.com.
Start the scan. After the scan is finished, look at the log. You may
need to make a note of where any viruses were found if they were not
able to be removed so you can manually delete them.

Now you should be able to install a full-featured av, update its
definitions and do the following:

1) Scan in Safe Mode with current version (not earlier than 2003)
antivirus using updated definitions.

2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.

Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).

HijackThis is an excellent tool to discover and disable hijackers, but
it requires expert skill. See below for HijackThis links. A combination
of HijackThis and About:Buster works well in removing the About:Blank
homepage hijacker. Again, this is an expert tool and novices should get
help with it.

3) If you are running Windows ME or XP, you should disable/enable System
Restore because malware will be in the Restore Points. With ME, you
must disable System Restore completely. With XP, you can delete all but
the most recent (presumably clean) System Restore point from the More
Options section of Disk Cleanup (Run>cleanmgr).

4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.

5) Run a firewall.

Links to help with malware:

Software/Methods:
http://www.safer-networking.org - Spybot Search & Destroy
http://www.lavasoftusa.com - Ad-aware
http://www.majorgeeks.com - good download site
http://www.intermute.com/spysubtract/cwshredder_download.html
http://www.silentrunners.org/sr_cwsremoval.html - SilentRunners

HijackThis:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
http://www.spywareinfo.com/forums/

General:
http://forum.aumha.org/ - look under "Security" for various forums
http://rgharper.mvps.org/cleanit.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Malke
 

Mikkel Z. Herold

On 15-12-2004 01:38 Malke wrote:

Hi Malke.

Thanks for all your suggestions - it didn't work (see below).
| 4. Go to the Sysclean folder you made and double-click on sysclean.com.
| Start the scan. After the scan is finished, look at the log. You may
| need to make a note of where any viruses were found if they were not
| able to be removed so you can manually delete them.

I have now done a scan in safe mode (took about 10 hours!) - it found a
few "Netsky"-vira in some old temporary internet files.
| 1) Scan in Safe Mode with current version (not earlier than 2003)
| antivirus using updated definitions.

Did a full system scan with NAV 2005 - nothing found!
| 2) Remove spyware with Spybot Search & Destroy and Ad-aware.

Ran these two in safe mode as well. Ad-Aware found one cookie and a
registry entry for Alexa. Spybot found four "DSO Exploits" in the
registry (under
"HKEY_USERS\[SOMETHING_HERE]\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3") - I didn't know how to interpret the last
part ("1004!=W=3"), so I deleted all the "1004"-keys in the four places.
A subsequent Spybot scan found nothing.

I decided to delete the suspicious files from the different locations
once again and then keep an eye out to see if (when) they would reappear
- and now it gets weird:

I checked for the files before I shut down my computer for the night at
about 23:30 on Dec. 15, and they were *not* there. Now, this morning I
start up the machine again and - you guessed it - the files are back.
Not only are they back, they also claim to have been installed on
December 15 at 22:23 - that is one hour *before* I checked and did not
find them.

I am at a loss here. What makes these files keep coming back, and when
is it triggered?

Hoping that someone can help me out.

Mikkel

--
"At first just a rustle of canvas
And the gentlest breath on my face
But a galloping line of white horses
Said that soon we were in for a race"
Sting - The Wild Wild Sea

http://www.mzh.dk
 

Malke

Mikkel said:
| On 15-12-2004 01:38 Malke wrote:
|
| Hi Malke.
|
| Thanks for all your suggestions - it didn't work (see below).
| | 4. Go to the Sysclean folder you made and double-click on
| | sysclean.com. Start the scan. After the scan is finished, look at the
| | log. You may need to make a note of where any viruses were found if
| | they were not able to be removed so you can manually delete them.
|
| I have now done a scan in safe mode (took about 10 hours!) - it found
| a few "Netsky"-vira in some old temporary internet files.
| | 1) Scan in Safe Mode with current version (not earlier than 2003)
| | antivirus using updated definitions.
|
| Did a full system scan with NAV 2005 - nothing found!
| | 2) Remove spyware with Spybot Search & Destroy and Ad-aware.
|
| Ran these two in safe mode as well. Ad-Aware found one cookie and a
| registry entry for Alexa. Spybot found four "DSO Exploits" in the
| registry (under
| "HKEY_USERS\[SOMETHING_HERE]\Software\Microsoft\Windows\CurrentVersion\Internet
| Settings\Zones\0\1004!=W=3") - I didn't know how to interpret the last
| part ("1004!=W=3"), so I deleted all the "1004"-keys in the four
| places. A subsequent Spybot scan found nothing.
|
| I decided to delete the suspicious files from the different locations
| once again and then keep an eye out to see if (when) they would
| reappear - and now it gets weird:
|
| I checked for the files before I shut down my computer for the night
| at about 23:30 on Dec. 15, and they were *not* there. Now, this
| morning I start up the machine again and - you guessed it - the files
| are back. Not only are they back, they also claim to have been
| installed on December 15 at 22:23 - that is one hour *before* I
| checked and did not find them.
|
| I am at a loss here. What makes these files keep coming back, and when
| is it triggered?

Well, Mikkel, I don't know. From your description, you must have
something on the computer that is spawning these files. Do you have a
firewall in place? I would delete the files in Safe Mode and then not
connect to the Internet again until a third-party firewall such as
ZoneAlarm or Sygate was installed. That way when you do get online, the
firewall should alert you (you will of course block whatever is doing
this) and hopefully give you more information to track this down.

I would also run HijackThis. Here are the HijackThis links again:

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
http://www.spywareinfo.com/forums/

Malke
 

Mikkel Z. Herold

| Well, Mikkel, I don't know. From your description, you must have
| something on the computer that is spawning these files.

I think I found it - at least I found something else!

When I googled for the file "update32.exe" that was some sort of malware
I noticed that the only site that seemed to have any real info on that
particular worm was www.sophos.com - most other hits were just
references to Sophos or copied directly from them.

So, as a last resort I decided to get rid of Norton and download the 30
day trial of Sophos Antivirus SBE and do a scan - I had hardly installed
the product before it popped a warning saying that one of the running
processes was a trojan (a file called "scvchost.exe" in the Windows
system folder).

I checked the registry and, sure enough, that file was in my startup
list (I had been through that list a zillion times, but somehow I must
have missed it...).

A full scan revealed a few more trojans in files that were downloaded
from, let's just call them "creative reverse engineering sites", but all
were removed.

Now I will keep my fingers crossed and hope that the problem is solved -
now all I have to do is find out how to purchase Sophos so I can stay
protected!

Mikkel

--
"At first just a rustle of canvas
And the gentlest breath on my face
But a galloping line of white horses
Said that soon we were in for a race"
Sting - The Wild Wild Sea

http://www.mzh.dk
 

Malke

Mikkel said:
| I think I found it - at least I found something else!
|
| When I googled for the file "update32.exe" that was some sort of
| malware I noticed that the only site that seemed to have any real info
| on that particular worm was www.sophos.com - most other hits were just
| references to Sophos or copied directly from them.
|
| So, as a last resort I decided to get rid of Norton and download the
| 30 day trial of Sophos Antivirus SBE and do a scan - I had hardly
| installed the product before it popped a warning saying that one of
| the running processes was a trojan (a file called "scvchost.exe" in
| the Windows system folder).
|
| I checked the registry and, sure enough, that file was in my startup
| list (I had been through that list a zillion times, but somehow I must
| have missed it...).
|
| A full scan revealed a few more trojans in files that were downloaded
| from, let's just call them "creative reverse engineering sites", but
| all were removed.
|
| Now I will keep my fingers crossed and hope that the problem is solved
| - now all I have to do is find out how to purchase Sophos so I can
| stay protected!
|
| Mikkel
Fabulous! Yes, viruses like to pretend to be the legitimate "svchost" -
note the subtle spelling difference - which makes it easy to miss. I'm
delighted you solved the problem, and I appreciate you letting us know
the resolution. Stay safe!

Cheers,

Malke
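The "subtle spelling difference" Malke points at (scvchost.exe standing in for svchost.exe) is exactly the kind of thing a human going through a startup list "a zillion times" will skip over, so it is worth checking by machine. The following is an added example, not code from the thread or from HijackThis or any other tool named in it. It triages a list of autostart command lines with two checks: a basename that is a near miss of a well-known Windows system process name (edit distance 1 or 2, with an adjacent-letter swap counted as one edit), and a genuine system process name running from a directory other than the one it normally lives in. The command lines are constructed sample data in the style of Run-key values; the expected-directory table covers the core XP system processes, and the assumption that `%SystemRoot%` is `C:\WINDOWS` is built into it.

```python
import ntpath  # Windows path handling that also works when run on another OS

# Well-known XP system processes and the folder they normally run from.
# Assumption for this example: %SystemRoot% is C:\WINDOWS.
EXPECTED_DIR = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "explorer.exe": "windows",
}
MAX_EDITS = 2  # names this close to a system process name are flagged as lookalikes


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each counting as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def program_path(command):
    """Pull the executable path out of a Run-key style command line."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, possibly with args after
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]                # unquoted path: stops at first space


def classify(command):
    """Return a verdict dict for one autostart command line."""
    path = program_path(command)
    name = ntpath.basename(path).lower()
    folder = ntpath.basename(ntpath.dirname(path)).lower()
    result = {"command": command, "mimics": None, "distance": 0}
    if name in EXPECTED_DIR:
        result["verdict"] = "ok" if folder == EXPECTED_DIR[name] else "wrong-location"
        if result["verdict"] == "wrong-location":
            result["mimics"] = name
        return result
    nearest = min(EXPECTED_DIR, key=lambda legit: osa_distance(name, legit))
    dist = osa_distance(name, nearest)
    result["distance"] = dist
    if dist <= MAX_EDITS:
        result["verdict"], result["mimics"] = "lookalike", nearest
    else:
        result["verdict"] = "unknown"       # not impersonating anything; review on its merits
    return result


def triage(commands):
    return [classify(c) for c in commands]


# Constructed sample startup entries (not taken from the thread or a real machine).
SAMPLE_RUN_ENTRIES = [
    r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    r"C:\WINDOWS\system32\scvchost.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\isass.exe",
    r"C:\WINDOWS\svchost.exe",
    r'"C:\Program Files\Some Vendor\updater.exe" /silent',
    r"C:\Documents and Settings\All Users\Documents\update32.exe",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_RUN_ENTRIES):
        extra = f' (mimics {r["mimics"]}, {r["distance"]} edit(s))' if r["mimics"] else ""
        print(f'{r["verdict"]:15} {r["command"]}{extra}')
```

"Unknown" is deliberately not "bad": update32.exe in the sample gets that verdict because it does not imitate anything, and whether it belongs there is a question for the scanner and the file's origin, as it was in this thread. The lookalike threshold of two edits is a trade-off; tighten it to one if short legitimate names in your list start colliding with each other.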
 
