• Malware (WinXP)

    #419746

    Two files (autorun.inf & install.exe) keep appearing in “My Documents”. I’d imagine they’re some sort of malware or trojan so obviously I delete them but I can’t find out what is behind this.

    I’m running updated latest versions of Norton Anti-Virus, AdWare & Spybot but they don’t pick up anything. Nothing unusual is in start up.

    The files don’t immediately reappear after I delete them nor on reboot but they have kept reappearing for the past week or so and I haven’t been able to establish any sort of pattern.

    As I work in “My Documents” all the time I’m afraid I’m going to accidently click one of them so I’m keen to get to the bottom of this.

    Any ideas?

    Thanks

    • #948664

      Examine the autorun.inf file in Notepad. See if there is a name which you can then Google. Look at the properties of install.exe to see if there is any information to search on.

      Joe

      --Joe

      • #948667

        I’ve already tried that. The .inf is just open=install.exe. I also tried examining the .exe in WordPad to see if there were any clues.

        • #948668

          Check the Properties of the .exe file. There might be some clues about whose file it is (what program it installs or the company that made it). The .inf file (autorun) is pointing to the .exe file in an attempt to install or run something.

          • #948669

            I’ve checked that and the properties are all blank.

            • #948672

              That’s what I suspected. Is there any particular time or program you run that you notice these 2 files being generated in conjunction with? Are you online or working offline when you notice them? What about dates created or modified in the properties dialogue?
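A small triage script for the advice in #948664, #948668 and #948672 (read the .inf, find what it points at, record the dates and a hash of that file). This is an added example, not code from the thread; it assumes Python is available and that you pass it the folder to check (the `make_sample_folder` helper builds a constructed stand-in for My Documents, so the script runs offline).

```python
import configparser, hashlib, os, tempfile
from datetime import datetime, timezone

# Constructed sample matching the thread: the .inf contains nothing but open=install.exe
SAMPLE_AUTORUN = "[autorun]\nopen=install.exe\n"

def parse_autorun(text):
    # (key, program) pairs the .inf would launch: open=, shellexecute=, shell\*\command=
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":  # [autorun] and [AutoRun] are both seen
            continue
        for key, value in cp.items(section):
            k = key.lower()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                v = value.strip()  # the program is the first token; a quoted path may contain spaces
                prog = v[1:v.index('"', 1)] if v.startswith('"') and '"' in v[1:] else v.split()[0] if v else ""
                targets.append((k, prog))
    return targets

def triage_folder(folder):
    # resolve what autorun.inf points at; record size, modified time and SHA-256 of that file
    inf_path = os.path.join(folder, "autorun.inf")
    if not os.path.isfile(inf_path):
        return None
    with open(inf_path, encoding="utf-8", errors="replace") as f:
        targets = parse_autorun(f.read())
    report = {"autorun": inf_path, "targets": []}
    for key, name in targets:
        path = os.path.join(folder, name)
        entry = {"key": key, "name": name, "exists": os.path.isfile(path)}
        if entry["exists"]:
            st = os.stat(path)
            entry["size"] = st.st_size
            entry["modified"] = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
            with open(path, "rb") as f:
                entry["sha256"] = hashlib.sha256(f.read()).hexdigest()
        report["targets"].append(entry)
    return report

def make_sample_folder():
    # constructed stand-in for My Documents: the sample .inf plus a 64-byte dummy install.exe
    folder = tempfile.mkdtemp()
    with open(os.path.join(folder, "autorun.inf"), "w") as f:
        f.write(SAMPLE_AUTORUN)
    with open(os.path.join(folder, "install.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)
    return folder
```

Running `triage_folder` each time the files reappear and keeping the reports lets you compare the modified timestamps against what was running at the time, which is the pattern the thread is trying to establish.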

        • #948675

          You could download an evaluation copy of PE Explorer (Delphi Disassembler, EXE file editor, DLL Scan Tool for 32-bit Windows PE files) and use it to examine install.exe. Also, do you have XP SP-2 installed? Have you installed any software that ‘phones home’ regularly to check for updates?

          Joe

          --Joe

          • #948678

            Thanks. I’ll use this program to take a look next time the files reappear (it happens several times a day so shouldn’t be too long).

            I’m on a broadband connection and there’s no phone line connected to this PC.

            • #948679

              ‘Phone home’ is just a term meaning a program that contacts the original vendor for any reason one of which might be to check for updates.

              Joe

              --Joe

            • #948682

              I have quite a few programs which automatically update but it’s all standard legit stuff (Adobe, Norton etc.). I wouldn’t have thought anything like that would deliver an unsigned, unannounced exe.

            • #948691

              If you are unhappy about them, why not just rename both to be .TXT files (ignoring the Awful Warning), and see what does (or doesn’t!) happen?

              After several weeks of no problems, you could then probably just delete them…

              John

            • #948714

              You may be infected with Backdoor.Win32.Robobot.r. Go to the Kaspersky site for a free scan that should detect it if you have it.

              The information that led me to this conclusion can be found here. HTH

            • #948983

              You’re right. Kaspersky identifies it as Backdoor.Win32.Robobot.y

              Any idea how I get rid of it?

            • #949024

              Take a look here for some help. I’ll see if I can find something more encouraging, but this is all I can come up with right now.

            • #949032

              Thanks. I tried the trial version of the Kaspersky A-V which (of course) found it and deleted it but it didn’t deal with the underlying nasty as the files immediately reappeared. I assume there’s got to be a registry entry somewhere that I’ve got to find and delete. After installing the Kaspersky package both WMP and IE stopped working (they both would shut down straight away after opening) and my PC slowed to a crawl. I’ve uninstalled it now and everything seems back to normal. What I find surprising is, as this appears to be a known trojan I’ve picked up, that a major vendor like Norton doesn’t (or can’t or won’t) deal with it. Actually I think it’s quite shocking that I have to rely on the kindness of strangers to help when I pay these guys supposedly to sort out these problems for me (when I checked I found I’ve paid Symantec nearly $500 in three years for two PCs and a laptop). In ten years on the internet, this is actually the first time I’ve had a problem like this (I never ever get any spam; my ISP – blueyonder.co.uk – must have some pretty good filters in place).

              Again many thanks for your kind assistance

            • #949036

              I don’t believe that it’s a case of Symantec not wanting or caring enough to do something about this particular variant of another Trojan so much as it is that they just can’t keep ahead of the creeps that create this junk. That said, let’s see if we can’t get this bug out of your system.

              Before you do anything else, you might want to take a look at this post and follow the links to the tutorials for the different tools to stop and remove this garbage. I’m pretty sure you’re going to need to download and run HijackThis to create a log file you can post to their forum as per the instructions on the Bleeping Computer site I linked to earlier. Then you should post it to the new online parsing site for a quick analysis and recommendation of what the trouble might be here. Go back to the HijackThis forum and bump your posted log back to the top of the list at least once a day. Things are pretty busy there and you’ll be pushed down the list quite quickly. Just keep bumping your post to the top and eventually one of their experts will pick it up and assist you in cleaning up your system. They employ many unusual tools and will ask you to download and run some utilities that will give you the willies. Do all that they ask and follow their instructions and you should be rewarded in the end. I know it seems like a lot of work, but if you want to get this thing out, this is the only way I know, short of a format and reinstall.

              Good luck!! HTH

            • #949059

              Many thanks. I shall give this a go.
