Geekzone: technology news, blogs, forums
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.

7 posts

Wannabe Geek

# 42156 29-Sep-2009 18:15
Send private message

Hey guys,

I seem to have a virus that won't go away and isn't detected by any of the scanners I have tried (AVG, Nod32, McAfee and a bunch of anti-malware things like S&D, AdAware etc)

What it seems to do is add a bunch of files to my Documents folder, add a locked Documents and Settings folder in C: and D: drives, replace or add shortcuts to all the usual places like (in the my documents folder):

My Music
My Pictures
My Documents
My Videos

etc etc.

By locked I mean it goes over each folder and applies an 'Everyone' security permission, not allowing or denying anything - so I have to go through manually and reset that.

It also adds the following files in this folder - *:\Documents and Settings\*USER*:


I'm not sure if this is something I particularly need to worry about, and a previous system restore did get rid of everything (for about an hour, I'm guessing either when Windows Search or Nod32 went over a file it did it's magic again)
Although, the reason I formatted this system in the first place was that it had come to a crawl and had a lot of popups appearing... Either this Virus is just a little bit annoying, or it downloads more files and hides itself everywhere.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:45 p.m., on 29/09/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files\ASUS\EPU-6 Engine\SixEngine.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] "C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: ASUS System Control Service (AsSysCtrlService) - Unknown owner - C:\Program Files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

End of file - 3546 bytes

I'm reasonably experienced with Windows systems and getting rid of malware, but this one I just can't track down - I don't want to wipe all my drives either. If anyone can let me know what the hell it is so I can start looking for ways to get rid of it that would? be awesome!

If theres any more information you need please let me know!


Create new topic
Infrastructure Geek
4058 posts

Uber Geek

Microsoft NZ

  # 259466 29-Sep-2009 19:18
Send private message

i think what you're seeing may be normal....

in vista and win7 the c:\documents and settings\%username% folder structure is redirected to c:\users\%username%... but a locked 'shortcut'is left in place, presumably for compatibility reasons.

win7 also adds a new 'libraries' linking structure and special folders like "my documents" can now contain the contents of multiple locations at once - e.g. \\myserver\users\me\my docs + c:\users\me\my docs + c:\users\public\my docs

Technical Evangelist
Microsoft NZ
Twitter: @nzregs

7 posts

Wannabe Geek

  # 259577 30-Sep-2009 01:10
Send private message

Hey Regs,

I know what you mean but this isn't normal, it replaces all the shortcuts (or the folders/shortcuts it creates point to the new, locked locations) and 'locks' the normal directories - My Documents / My Videos etc etc by adding the Everyone permission with nothing set.



8033 posts

Uber Geek


  # 259660 30-Sep-2009 11:22
Send private message

Tried scanning with MalwareBytes? I've found that to be the most effective in recent times.

7 posts

Wannabe Geek

  # 259895 30-Sep-2009 22:05
Send private message

Just tried, didn't pick up anything :(

Mad Scientist
20663 posts

Uber Geek

Lifetime subscriber

  # 259898 30-Sep-2009 22:09
Send private message

which version and where did you get the windows 7 from? if it's not gotten from microsoft it may have been infected by the time you got it?

Involuntary autocorrect in operation on mobile device. Apologies in advance.

7 posts

Wannabe Geek

  # 259919 30-Sep-2009 23:25
Send private message

joker, it is an MSDNAA image - a legit copy of Windows 7 Professional from Uni.
The virus was also on my Windows Vista system, I formatted that partition and shoved Win7 on there and it seems it was in some files on a different drive.

Create new topic

Twitter and LinkedIn »

Follow us to receive Twitter updates when new discussions are posted in our forums:

Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:

Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:

News »

Intel expands 10th Gen Intel Core Mobile processor family
Posted 23-Aug-2019 10:22

Digital innovation drives new investment provider
Posted 23-Aug-2019 08:29

Catalyst Cloud becomes a Kubernetes Certified Service Provider (KCSP)
Posted 23-Aug-2019 08:21

New AI legaltech product launched in New Zealand
Posted 21-Aug-2019 17:01

Yubico launches first Lightning-compatible security key, the YubiKey 5Ci
Posted 21-Aug-2019 16:46

Disney+ streaming service confirmed launch in New Zealand
Posted 20-Aug-2019 09:29

Industry plan could create a billion dollar interactive games sector
Posted 19-Aug-2019 20:41

Personal cyber insurance a New Zealand first
Posted 19-Aug-2019 20:26

University of Waikato launches space for esports
Posted 19-Aug-2019 20:20

D-Link ANZ expands mydlink ecosystem with new mydlink Mini Wi-Fi Smart Plug
Posted 19-Aug-2019 20:14

Kiwi workers still falling victim to old cyber tricks
Posted 12-Aug-2019 20:47

Lightning Lab GovTech launches 2019 programme
Posted 12-Aug-2019 20:41

Epson launches portable laser projector
Posted 12-Aug-2019 20:27

Huawei launches new distributed HarmonyOS
Posted 12-Aug-2019 20:20

Lenovo introduces single-socket servers for edge and data-intensive workloads
Posted 9-Aug-2019 21:26

Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.