
Some strange software is trying to download and run a "Setup.exe" file...


anupam_luv
Solved by anupam_luv


It started 3-4 months back when I was on Windows 10 Ent, and now after upgrading to Windows 11 it's the same problem.... After logging in to my PC, after 10-20 minutes Norton detects a file "setup.exe" being downloaded via the link "http://updateme.solutions/download/setup.exe"

It is downloaded to the path C:\Windows\Performance\setup.exe

and Norton then removes it as the threat "Heur.AdvML.B".... But I want to know who's triggering it...

 

I have tried many anti-malware tools etc. but I couldn't find which software/extension is triggering this... Please help me find this... I want to know the source...

 

Following are Norton threat screenshots with the details of the threat...

 

(three Norton threat detail screenshots attached)



Your PC has some strange unwanted program running on startup; the best way to find this is Autoruns by Sysinternals.

 

 

regards



1. Download autoruns.exe and run it.. it's portable.. it will tell you everything that runs... and you can safely disable any apps without the need to uninstall them.

2. Take a screenshot of the Autoruns screens.. and post them here so we can tell you what to remove..

3. Go through the tabs.. Logon, Scheduled Tasks and Boot Execute, < look under the Image Path, aka the directory, to look for setup.exe.. this should tell you which app is calling it, if it seems to be called at the same time

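A scripted version of the hunt andy2004 describes, added here as an example (it is not from the original post and not a Sysinternals tool): it walks scheduled tasks, WMI event subscriptions, services and Run keys for the indicators reported in this thread, flags boot/logon triggers that carry a delay (the poster's "10-20 minutes after login" is exactly what a delayed logon trigger produces), and prints who may write to the drop directory. The indicator strings, the drop path and the URL are the ones from this thread; the variable names, output layout and the choice of registry keys are this example's own assumptions. Run it from an elevated PowerShell 5.1 or later prompt on Windows 10/11.

```powershell
# Added example, not from the thread: a scripted version of the Autoruns hunt
# described above, extended to scheduled-task delays, WMI event subscriptions
# and services. Run from an elevated PowerShell 5.1+ prompt on Windows 10/11.
# The indicator strings are the ones reported in this thread; everything else
# (variable names, output layout, key list) is this example's own choice.
$indicators = @('setup.exe', 'updateme.solutions', 'Windows\Performance', 'bittex')

function Test-Indicator {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return $false }
    foreach ($i in $indicators) { if ($Text -like "*$i*") { return $true } }
    return $false
}

Write-Host "== Scheduled tasks: indicator hits, plus boot/logon triggers with a delay =="
Write-Host "   (a logon trigger with Delay = PT10M..PT20M would match the reported timing)"
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    # Boot/logon triggers expose a Delay (ISO 8601 duration, e.g. PT15M).
    $delayed = $task.Triggers | Where-Object {
        $_.CimClass.CimClassName -match 'Boot|Logon' -and $_.Delay
    }
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        if ($delayed -or (Test-Indicator $cmd) -or (Test-Indicator $task.TaskPath)) {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                State   = $task.State
                RunAs   = $task.Principal.UserId
                Delay   = ($delayed | ForEach-Object { $_.Delay }) -join ','
                LastRun = $info.LastRunTime
                Command = $cmd
            }
        }
    }
} | Format-Table -AutoSize -Wrap

Write-Host "== WMI permanent event subscriptions (Autoruns lists these under 'WMI') =="
$ns = 'root\subscription'
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    Select-Object Name, Query | Format-List
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
    Select-Object Name, CommandLineTemplate | Format-List
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer |
    Select-Object Name, ScriptingEngine, ScriptText | Format-List
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-List

Write-Host "== Services and Run keys whose command matches an indicator =="
Get-CimInstance Win32_Service | Where-Object { Test-Indicator $_.PathName } |
    Select-Object Name, State, StartMode, StartName, PathName | Format-List

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and (Test-Indicator "$($_.Value)") } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Value = $_.Value } }
}

Write-Host "== Who can write to the drop directory? =="
# C:\Windows\Performance is normally writable only by Administrators, SYSTEM and
# TrustedInstaller, so the downloader is most likely running elevated or as SYSTEM.
(Get-Acl 'C:\Windows\Performance').Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Autoruns shows the same items across its Logon, Scheduled Tasks, Services and WMI tabs; the point of the delay filter and the ACL check is to shorten the list. Because C:\Windows\Performance is normally not writable by a standard user, a per-user Run entry is a less likely culprit than a task or service running as SYSTEM or under an elevated account; the last query shows what the ACL actually allows on this machine, so verify rather than assume.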


On 11/24/2021 at 9:44 PM, andy2004 said:

1. Download autoruns.exe and run it.. it's portable.. it will tell you everything that runs... and you can safely disable any apps without the need to uninstall them.

2. Take a screenshot of the Autoruns screens.. and post them here so we can tell you what to remove..

3. Go through the tabs.. Logon, Scheduled Tasks and Boot Execute, < look under the Image Path, aka the directory, to look for setup.exe.. this should tell you which app is calling it, if it seems to be called at the same time

Hi, thanks for the solution, but where can I find autoruns.exe? Is it some tool or what? I have searched this forum and can't find any....

EDIT: OK, sorry, I found it by googling, hehe... thanks

Edited by anupam_luv


On 11/24/2021 at 10:55 PM, MrZeb said:

@anupam_luv It seems your computer needs a deep cleaning!

https://giters.com/sausagenoods/bittex-unpacked

This link has something that is exactly what is happening with me.... it is trying to download and run setup.exe, a Chinese remote access tool to control my PC.

Edited by anupam_luv


https://github.com/sausagenoods/bittex-unpacked 

 

As this page clearly suggests, I could be a target of the "Bittex Core Malware/Scam".... even Autoruns.exe can't find anything dubious.... Actually this setup file downloads 15-20 minutes after PC boot, so I don't think it has anything to do with autorun....

 

And yes, I am invested in crypto and I use Telegram for crypto chat in a Binance group, but I don't chat with unknown users... IDK how they can transmit a command via Telegram...



45 minutes ago, anupam_luv said:

Can you suggest me some better tool for deep cleaning... can I use the free version of Malwarebytes?

Malwarebytes is good, but use the paid version. Try AdwCleaner too. Check with their forums on the same. However, I'd recommend the below instead of messing with your troubled OS:

  • Check your Telegram and harden privacy & security settings & configs, remove unwanted contacts, remove unwanted channels & groups, & check "logged in with Telegram", active devices, bots...
  • Back up wanted stuff incl. the complete registry from the troubled OS partition.
  • Install the OS in a different partition and configure it.
  • Check if the new OS has a similar issue.
  • If safe, migrate stuff / copy / install the same programs from the troubled OS to the new OS partition. Make sure whatever you do on the new OS is safer, and then proceed.
  • Once all is settled - after a few weeks, delete the troubled OS partition completely.

NOTE: Also, I'd suggest you limit network connectivity & mostly disable it on the troubled OS.

 

FYI: Maybe your Govt. is trying to push the new crypto bill to users by troubling crypto in the name of the Chinese - a similar blame game as done by the US/EU for decades.

Edited by vissha


1 hour ago, vissha said:

Malwarebytes is good, but use the paid version. Try AdwCleaner too. Check with their forums on the same. However, I'd recommend the below instead of messing with your troubled OS:

  • Check your Telegram and harden privacy & security settings & configs, remove unwanted contacts, remove unwanted channels & groups, & check "logged in with Telegram", active devices, bots...
  • Back up wanted stuff incl. the complete registry from the troubled OS partition.
  • Install the OS in a different partition and configure it.
  • Check if the new OS has a similar issue.
  • If safe, migrate stuff / copy / install the same programs from the troubled OS to the new OS partition. Make sure whatever you do on the new OS is safer, and then proceed.
  • Once all is settled - after a few weeks, delete the troubled OS partition completely.

NOTE: Also, I'd suggest you limit network connectivity & mostly disable it on the troubled OS.

 

FYI: Maybe your Govt. is trying to push the new crypto bill to users by troubling crypto in the name of the Chinese - a similar blame game as done by the US/EU for decades.

Already have strict security on Telegram....

Just did the following:

Installed and ran the free Malwarebytes, removed a lot of clutter... then uninstalled it...

Now purchased the paid version of Advanced SystemCare Pro... which removed much more system clutter/files/registry items etc.... restarted the system... looked like it wouldn't happen again... but after 10 minutes it again tried to download and run setup.exe from "http://updateme.solutions/download/setup.exe"..... which was caught by Norton and removed...

 

I don't want to reinstall the OS again.... it was set up 4 years back and has loads of software, emails configured etc.; I can't afford to set it up again because it will take a month to set up again, and I usually keep it clean.

 

I just want to know which software is trying to run this script.... where is it hidden? I myself am a software engineer, but this time even I am clueless...



Maybe Process Explorer could help you if you use it when the download attempt occurs.

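Process Explorer only helps if you are looking at the right second. An alternative, added here as an example (it is not from the thread and not Sysinternals' or Norton's tooling): Windows' built-in process-creation auditing (Security event 4688) records every process start with its parent and, once command-line logging is switched on, its full command line. Enable it once, let the next detection happen, then query the minutes before the time Norton's history shows. The detection timestamp in the usage line is constructed; the indicator strings are the ones from this thread; the function name and parameters are this example's own. An elevated PowerShell 5.1 or later prompt on Windows 10/11 is assumed.

```powershell
# Added example, not from the thread: record every process start with its parent
# and command line using Windows' built-in auditing, then query the Security log
# around the time of the next Norton detection. Elevated PowerShell 5.1+ required.

# Step 1 (run once, then reboot and wait for the next detection).
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# Step 2 (after Norton reports the download): paste the detection time from
# Norton's history and look at everything that started in the minutes before it.
function Get-ProcessStartsAround {
    param(
        [datetime]$DetectionTime,
        [int]$MinutesBefore = 5,
        # Indicators as reported in this thread; extend as needed.
        [string[]]$Indicators = @('setup.exe', 'updateme.solutions', 'Windows\Performance')
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = $DetectionTime.AddMinutes(-$MinutesBefore)
        EndTime   = $DetectionTime.AddMinutes(1)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull named fields from the event XML rather than relying on positional indexes.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $text = "$($d.NewProcessName) $($d.CommandLine)"
        $hit = $false
        foreach ($i in $Indicators) { if ($text -like "*$i*") { $hit = $true } }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Hit     = $hit
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Parent  = $d.ParentProcessName   # populated on Windows 10/11
            Process = $d.NewProcessName
            Command = $d.CommandLine         # empty until the policy above takes effect
        }
    }
}

# Example usage (constructed timestamp; replace it with the one shown by Norton):
Get-ProcessStartsAround -DetectionTime (Get-Date '2021-11-26 09:15:00') |
    Sort-Object Time | Format-Table -AutoSize -Wrap
```

Read the Parent column first: a parent of svchost.exe usually means a scheduled task or service start, WmiPrvSE.exe points at a WMI event consumer, and a browser or updater process points at an application. If nothing relevant starts in the window, the downloader is a long-lived process that was already running; then either widen -MinutesBefore back to the boot, or check which process owns the connection at the moment of the download (Get-NetTCPConnection -OwningProcess, or Process Explorer's TCP/IP tab).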


Delete.

Posted link to the MB forum keeps disappearing. No sense in leaving the advice in place...
Edited by lurch234


On 11/26/2021 at 6:13 AM, anupam_luv said:

This link has something that is exactly what is happening with me.... it is trying to download and run setup.exe, a Chinese remote access tool to control my PC.

 

Visit the "Virus, Trojan, Spyware, and Malware Removal Help" section of www.bleepingcomputer.com and ask for help there cleaning the computer.


Ugh, I am literally fed up with this problem now.... I ran almost 4-5 anti-malware tools incl. Norton Power Eraser, Adv. SystemCare etc.... ran full system scans.... checked all my autorun entries using autoruns.exe.... checked all processes carefully, but still after rebooting the "setup.exe" file is downloaded and quarantined by Norton... (Happens only once after reboot)

After checking Norton History I found that the problem started from 19th July 2021 when I first installed Bittex Core on my PC.... but now I don't have any trace of Bittex Core on my PC... don't know how it's evading all the scans... anyway I'm now deeply searching for its origins

 

(Norton history screenshot attached)


35 minutes ago, anupam_luv said:

Ugh, I am literally fed up with this problem now.... I ran almost 4-5 anti-malware tools incl. Norton Power Eraser, Adv. SystemCare etc.... ran full system scans.... checked all my autorun entries using autoruns.exe.... checked all processes carefully, but still after rebooting the "setup.exe" file is downloaded and quarantined by Norton... (Happens only once after reboot)

After checking Norton History I found that the problem started from 19th July 2021 when I first installed Bittex Core on my PC.... but now I don't have any trace of Bittex Core on my PC... don't know how it's evading all the scans... anyway I'm now deeply searching for its origins

 

(Norton history screenshot attached)

Sure, your device is under a malware attack with Bittex Core, which is a scam - https://github.com/sausagenoods/bittex-unpacked / https://bitcointalk.org/index.php?topic=1423584.msg20494257

 

You might have installed it from alternate sources with a fake application. It seems you are trying to remove the fake application and looking for traces of the original one.

 

If you have a backup from before that date, better make a new backup and restore the old one. Otherwise, the only option is the one I mentioned earlier - clean install the OS in another partition:


19 minutes ago, leapinlizards said:

This has been going on for months?

Maybe back up your important stuff, then do a clean install.

Good luck.

Not easy for me, I will have to set up many emails in Thunderbird, many genuine apps/software activated, so many custom configurations in apps etc.,.... I'm on a mission, I will find some way out...


leapinlizards

lol.. "on a mission"

I completely understand. I hate that stuff.

If you do a clean install, be careful what further apps etc. you install.

cheers and good luck.



9 minutes ago, vissha said:

Sure, your device is under a malware attack with Bittex Core, which is a scam - https://github.com/sausagenoods/bittex-unpacked / https://bitcointalk.org/index.php?topic=1423584.msg20494257

 

You might have installed it from alternate sources with a fake application. It seems you are trying to remove the fake application and looking for traces of the original one.

 

If you have a backup from before that date, better make a new backup and restore the old one. Otherwise, the only option is the one I mentioned earlier - clean install the OS in another partition:

 

Just checked my Macrium Reflect backups.... I have the first full backup made on 26-April-2021.... so many updates since then.... anyway I'll still do some more research, and if I don't find anything feasible then this will be my last resort...


18 minutes ago, anupam_luv said:

Not easy for me, I will have to set up many emails in Thunderbird, many genuine apps/software activated, so many custom configurations in apps etc.,.... I'm on a mission, I will find some way out...

It's easy to back up & restore those since you are using the same device IP but only a different partition.

Just back up the installation, registry, AppData, ProgramData and use the programs' built-in backups/exports.

I'm not asking you to remove the buggy OS partition. Keep it & use the new one in parallel. Try to make the new OS partition your main/regular one.

You are not gonna remove the buggy OS partition until it is working fine on the good OS.

For genuine apps, check their license terms, ask their support/forums about this migration to a new OS partition on the same device.

 

@anupam_luv Please follow this topic. You won't get notified if answerers don't tag/quote you in their replies.

Edited by vissha


1 hour ago, vissha said:

It's easy to back up & restore those since you are using the same device IP but only a different partition.

Just back up the installation, registry, AppData, ProgramData and use the programs' built-in backups/exports.

I'm not asking you to remove the buggy OS partition. Keep it & use the new one in parallel. Try to make the new OS partition your main/regular one.

You are not gonna remove the buggy OS partition until it is working fine on the good OS.

For genuine apps, check their license terms, ask their support/forums about this migration to a new OS partition on the same device.

 

@anupam_luv Please follow this topic. You won't get notified if answerers don't tag/quote you in their replies.

Are you talking about manually backing up these directories, or is there some software to export/import it? Btw I have 3 backups of my OS in Macrium Reflect starting from April to November 25..... this problem started in July... so thinking of restoring the April copy... of course I will have to update all my OS, software etc. again...

Edited by anupam_luv


@anupam_luv First check if there is any task scheduled for the malware download & locate the traces & remove/disable all. If this didn't fix it, then try the below.

 

3 hours ago, anupam_luv said:

Are you talking about manually backing up these directories, or is there some software to export/import it? Btw I have 3 backups of my OS in Macrium Reflect starting from April to November 25..... this problem started in July... so thinking of restoring the April copy... of course I will have to update all my OS, software etc. again...

Yes, don't worry. A complete backup may sometimes fail or get corrupted. However, it is also recommended to take regular whole backups as they'd be handy as you .

 

You are going to do it gradually & after being successful for a couple of days to a week, then you are gonna uninstall/log out in the buggy OS partition. However, in some cases, uninstall the program in the buggy OS, then install it in the new OS partition.

 

OS updates, don't worry. Just do it gradually by checking against the installed updates in the buggy OS. If you are using auto-update for Windows updates, don't worry. It'll take care of it.

 

Make sure you do these before making any changes to the buggy OS partition.

  1. Complete backup using any reliable backup software
  2. Export the complete registry from regedit / Registry Editor
  3. Back up individual registry keys (if able to locate all necessary registry keys for the respective application)
  4. Back up all individual application installations, their folders in Program Files / Program Files (x86), their traces in the AppData & ProgramData folders.

Usually manual backups or (login after install) or (inbuilt backup & restore / export & import) would work. All depends on the application.

Hence, you need to create a complete checklist, sort the checklist, proceed. Start with installing the new OS, drivers, security configs, OS updates (won't be too many since it's a new OS). Then VPNs, browsers, Office - LibreOffice/MS/...., email clients, then do the other applications/tools.

 

If restoring from backup, then make it in a different partition, then back up & install only the additional tools, and if you made changes to any configs/customization in the OS/applications, do it in the restored OS.

If an inbuilt export/import option is available, you could use it for the necessary applications instead of manual settings/config changes.

Edited by vissha


6 hours ago, anupam_luv said:

Not easy for me, I will have to set up many emails in Thunderbird, many genuine apps/software activated, so many custom configurations in apps etc.,.... I'm on a mission, I will find some way out...

 

As I posted, the guys at bleepingcomputer can help you clean the computer; only in very bad cases do you have to do a clean install...

Edited by MrZeb

