zerobit

7 posts

Wannabe Geek


#42156 29-Sep-2009 18:15

Hey guys,

I seem to have a virus that won't go away and isn't detected by any of the scanners I have tried (AVG, Nod32, McAfee and a bunch of anti-malware things like S&D, AdAware etc.).

What it seems to do is add a bunch of files to my Documents folder, add a locked Documents and Settings folder in C: and D: drives, replace or add shortcuts to all the usual places like (in the my documents folder):

My Music
My Pictures
My Documents
My Videos

etc etc.

By locked I mean it goes over each folder and applies an 'Everyone' security permission, not allowing or denying anything - so I have to go through manually and reset that.

It also adds the following files in this folder - *:\Documents and Settings\*USER*:

ntuser.dat
ntuser.dat.LOG1
ntuser.dat.LOG2
ntuser.dat{4eb2ce50-ab28-11de-9e5c-00221599bc5d}.TM.blf
ntuser.dat{4eb2ce50-ab28-11de-9e5c-00221599bc5d}.TMContainer00000000000000000001.regtrans-ms
ntuser.dat{4eb2ce50-ab28-11de-9e5c-00221599bc5d}.TMContainer00000000000000000002.regtrans-ms
ntuser.ini

I'm not sure if this is something I particularly need to worry about, and a previous system restore did get rid of everything (for about an hour; I'm guessing either when Windows Search or Nod32 went over a file it did its magic again).
Although, the reason I formatted this system in the first place was that it had come to a crawl and had a lot of popups appearing... Either this virus is just a little bit annoying, or it downloads more files and hides itself everywhere.


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:45 p.m., on 29/09/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\ASUS\EPU-6 Engine\SixEngine.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] "C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: ASUS System Control Service (AsSysCtrlService) - Unknown owner - C:\Program Files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

--
End of file - 3546 bytes



I'm reasonably experienced with Windows systems and getting rid of malware, but this one I just can't track down - I don't want to wipe all my drives either. If anyone can let me know what the hell it is so I can start looking for ways to get rid of it, that would be awesome!

If there's any more information you need please let me know!

Regards,
JC

Regs
4064 posts

Uber Geek

Trusted
Snowflake

#259466 29-Sep-2009 19:18

I think what you're seeing may be normal....

In Vista and Win7 the c:\documents and settings\%username% folder structure is redirected to c:\users\%username%... but a locked 'shortcut' is left in place, presumably for compatibility reasons.

Win7 also adds a new 'libraries' linking structure, and special folders like "my documents" can now contain the contents of multiple locations at once - e.g. \\myserver\users\me\my docs + c:\users\me\my docs + c:\users\public\my docs
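A quick defender-side check, added here and not from any of the posters, to confirm that a 'Documents and Settings' entry is the Windows compatibility junction Regs describes rather than a real directory, and to show the ACL that makes it look 'locked'. PowerShell 5.1 or later is assumed, and the drive list is an assumption.

```powershell
# Added example: verify that 'Documents and Settings' on each drive is a junction
# (reparse point) pointing at \Users, and list the ACEs on it.
# Assumptions: PowerShell 5.1+ (LinkType/Target populated for junctions);
# the candidate paths below are placeholders, adjust to the drives you have.
$Candidates = @('C:\Documents and Settings', 'D:\Documents and Settings')

foreach ($path in $Candidates) {
    # -Force is required: the compatibility junctions carry Hidden + System attributes
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item) { Write-Output "$path : not present"; continue }

    # A junction has the ReparsePoint attribute set; a real folder does not
    $isReparse = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
    if ($isReparse) {
        Write-Output ("{0} : {1} -> {2}" -f $path, $item.LinkType, ($item.Target -join ', '))
    } else {
        Write-Output "$path : REAL directory, not the expected junction"
    }

    # On a stock Vista/7 install the junction carries a Deny ACE for Everyone on
    # ListDirectory (ReadData); that single deny is what Explorer shows as 'locked'.
    # Any extra ACEs, or a missing deny, are worth a closer look.
    $acl = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        Write-Output ("    {0,-5} {1,-25} {2}" -f $ace.AccessControlType,
                                                   $ace.IdentityReference,
                                                   $ace.FileSystemRights)
    }
}
```

The same check can be pointed at the per-user entries inside the junction target; the ntuser.dat, .blf and .regtrans-ms files listed in the first post are the user registry hive and its transaction logs, which live under \Users\<user> on every Vista/7 system and are recreated at logon, so a system restore removing them only 'works' until the next logon.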
zerobit

7 posts

Wannabe Geek


  #259577 30-Sep-2009 01:10

Hey Regs,

I know what you mean, but this isn't normal: it replaces all the shortcuts (or the folders/shortcuts it creates point to the new, locked locations) and 'locks' the normal directories - My Documents / My Videos etc. - by adding the Everyone permission with nothing set.

Cheers,
JC

Ragnor
8196 posts

Uber Geek

Trusted

  #259660 30-Sep-2009 11:22

Tried scanning with MalwareBytes? I've found that to be the most effective in recent times.



zerobit

7 posts

Wannabe Geek


  #259895 30-Sep-2009 22:05

Just tried, didn't pick up anything :(

Batman
Mad Scientist
29712 posts

Uber Geek

Trusted
Lifetime subscriber

  #259898 30-Sep-2009 22:09

Which version, and where did you get Windows 7 from? If it wasn't obtained from Microsoft it may have been infected by the time you got it.

zerobit

7 posts

Wannabe Geek


  #259919 30-Sep-2009 23:25

joker, it is an MSDNAA image - a legit copy of Windows 7 Professional from Uni.
The virus was also on my Windows Vista system; I formatted that partition and shoved Win7 on there, and it seems it was in some files on a different drive.
