Geekzone: technology news, blogs, forums
Wannabe Geek (7 posts)
# 42156 29-Sep-2009 18:15
Hey guys,

I seem to have a virus that won't go away and isn't detected by any of the scanners I have tried (AVG, Nod32, McAfee and a bunch of anti-malware things like S&D, AdAware etc).

What it seems to do is add a bunch of files to my Documents folder, add a locked Documents and Settings folder in C: and D: drives, and replace or add shortcuts to all the usual places like (in the My Documents folder):

My Music
My Pictures
My Documents
My Videos

etc etc.

By locked I mean it goes over each folder and applies an 'Everyone' security permission, not allowing or denying anything - so I have to go through manually and reset that.

It also adds the following files in this folder - *:\Documents and Settings\*USER*:

ntuser.dat
ntuser.dat.LOG1
ntuser.dat.LOG2
ntuser.dat{4eb2ce50-ab28-11de-9e5c-00221599bc5d}.TM.blf
ntuser.dat{4eb2ce50-ab28-11de-9e5c-00221599bc5d}.TMContainer00000000000000000001.regtrans-ms
ntuser.dat{4eb2ce50-ab28-11de-9e5c-00221599bc5d}.TMContainer00000000000000000002.regtrans-ms
ntuser.ini

I'm not sure if this is something I particularly need to worry about, and a previous system restore did get rid of everything (for about an hour; I'm guessing either when Windows Search or Nod32 went over a file it did its magic again).
Although, the reason I formatted this system in the first place was that it had come to a crawl and had a lot of popups appearing... Either this virus is just a little bit annoying, or it downloads more files and hides itself everywhere.


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:45 p.m., on 29/09/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\ASUS\EPU-6 Engine\SixEngine.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] "C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: ASUS System Control Service (AsSysCtrlService) - Unknown owner - C:\Program Files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

--
End of file - 3546 bytes



I'm reasonably experienced with Windows systems and getting rid of malware, but this one I just can't track down - I don't want to wipe all my drives either. If anyone can let me know what the hell it is so I can start looking for ways to get rid of it, that would be awesome!

If there's any more information you need please let me know!

Regards,
JC

Cloud Guru, Uber Geek (4060 posts)
# 259466 29-Sep-2009 19:18

I think what you're seeing may be normal....

In Vista and Win7 the c:\documents and settings\%username% folder structure is redirected to c:\users\%username%... but a locked 'shortcut' is left in place, presumably for compatibility reasons.

Win7 also adds a new 'libraries' linking structure, and special folders like "my documents" can now contain the contents of multiple locations at once - e.g. \\myserver\users\me\my docs + c:\users\me\my docs + c:\users\public\my docs
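A quick way to confirm the compatibility link described above is to check whether each drive's "Documents and Settings" entry is a reparse point (junction) whose target is that drive's \Users folder, and to print the ACEs on the junction itself that name Everyone. This is an added example, not code from the thread or from Microsoft; it assumes PowerShell 5.1 or newer (where Get-Item exposes a Target property for reparse points) and that icacls is available.

```powershell
# Added example (not from the thread). For each fixed drive, report whether
# "<drive>\Documents and Settings" is a junction pointing at "<drive>\Users"
# (the Vista/7 compatibility link) and which ACEs on it mention Everyone.
# Assumes PowerShell 5.1+ on Windows; the Target property is a PS 5 addition.
function Test-DocSettingsJunction {
    param([Parameter(Mandatory)][string]$DriveRoot)   # e.g. 'C:\'

    $path = Join-Path $DriveRoot 'Documents and Settings'
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Path = $path; Exists = $false; IsJunction = $false
                                  Target = $null; ExpectedTarget = $false; EveryoneAces = @() }
    }

    $item       = Get-Item -LiteralPath $path -Force
    $isJunction = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
    # Target is a string in PowerShell 7 and a collection in 5.1; take the first entry.
    $target     = if ($isJunction) { @($item.Target)[0] } else { $null }
    # The legitimate link targets the Users folder on the same volume.
    $expected   = $isJunction -and ($target -ieq (Join-Path $DriveRoot 'Users'))
    # icacls reports the ACL of the reparse point itself rather than of its target,
    # so this shows the ACE that makes the folder look "locked" in Explorer.
    $everyone   = icacls $path 2>$null | Select-String 'Everyone' |
                  ForEach-Object { $_.Line.Trim() }

    [pscustomobject]@{
        Path = $path; Exists = $true; IsJunction = $isJunction; Target = $target
        ExpectedTarget = $expected; EveryoneAces = @($everyone)
    }
}

# A plain directory (IsJunction = False) named "Documents and Settings", or a junction
# with a target other than <drive>\Users, is the case that deserves a closer look.
Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' } |
    ForEach-Object { Test-DocSettingsJunction -DriveRoot $_.Root } |
    Format-List
```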






Wannabe Geek (7 posts)
# 259577 30-Sep-2009 01:10

Hey Regs,

I know what you mean, but this isn't normal: it replaces all the shortcuts (or the folders/shortcuts it creates point to the new, locked locations) and 'locks' the normal directories - My Documents / My Videos etc etc - by adding the Everyone permission with nothing set.

Cheers,
JC

Uber Geek (8035 posts)
# 259660 30-Sep-2009 11:22

Tried scanning with MalwareBytes? I've found that to be the most effective in recent times.



Wannabe Geek (7 posts)
# 259895 30-Sep-2009 22:05

Just tried, didn't pick up anything :(

Mad Scientist, Uber Geek (21323 posts)
# 259898 30-Sep-2009 22:09

Which version, and where did you get the Windows 7 from? If it wasn't obtained from Microsoft it may have been infected by the time you got it?




Involuntary autocorrect in operation on mobile device. Apologies in advance.




Wannabe Geek (7 posts)
# 259919 30-Sep-2009 23:25

Joker, it is an MSDNAA image - a legit copy of Windows 7 Professional from Uni.
The virus was also on my Windows Vista system; I formatted that partition and shoved Win7 on there, and it seems it was in some files on a different drive.
