
virus thread folder.htt

Discussion in 'Malware and Virus Removal Archive' started by z4u, 2006/08/07.

Thread Status:
Not open for further replies.
  1. 2006/08/07
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    It's been a long time since I was back here; I hope you will help me out. Recently my computer was infected by a virus named folder.htt. It disables the view folder option in Windows 2000 Explorer because the folder.htt files are hidden or system files. I delete it manually but it comes back every time. Temporarily I just delete the nofolderoption values in regedit,
    but after a few hours it comes back to the same position. When I scan online with McAfee it detects many viruses named folder.htt on the whole hard drive. OK, another thing: a problem with the Internet Explorer startup page. When I open it, what appears is an about.error page, and the link goes to an unavailable Yahoo GeoCities webpage.
    Here is the log file, and these values always appear in it: Startup: folder.htt and Global Startup: folder.htt. Then the TCP/IP values are also created 3 times when there is supposed to be only one. Please can you help me out of this problem? Thanks. I'm using Windows 2000.
    Here is the log file...
    Logfile of HijackThis v1.99.1
    Scan saved at 6:36:07 PM, on 8/7/2006
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\explorer.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINNT\System32\taskmgr.exe
    C:\Documents and Settings\PRINTER\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:error
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - Startup: Folder.htt >>>>>>>>>>>>>>>>>>>>>>strange values
    O4 - Global Startup: Folder.htt >>>>>>>>>>>>>>>>>>>>>(strange values can't be fixed; even when I fixed them in safe mode they come back)
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    (here duplicates of TCP/IP are created, also suspicious)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{103C0C5C-81EE-4CA5-B432-EC57103EEE82}: NameServer = 192.168.0.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{103C0C5C-81EE-4CA5-B432-EC57103EEE82}: NameServer = 192.168.0.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{103C0C5C-81EE-4CA5-B432-EC57103EEE82}: NameServer = 192.168.0.1
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
     
    z4u,
    #1
  2. 2006/08/07
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, it's possible there is something on your system making those return when fixing; let's look a little bit deeper.

    Please generate a startup list using HJT. And please check the 2 boxes next to the 'Generate Startuplist' button:
    List also minor sections (full)
    List empty sections (complete)
     


  4. 2006/08/07
    z4u

    z4u Inactive Thread Starter

    OK, here is the startup list

    Hi TeMerc, I can't paste the whole text here because the character count is too big, so I'm splitting it into 2 parts. The 1st part of the HijackThis startup list is here:
    StartupList report, 8/8/2006, 9:28:47 AM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\PRINTER\Desktop\hijackthis\HijackThis.EXE
    Detected: Windows 2000 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\explorer.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\PRINTER\Desktop\hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\PRINTER\Start Menu\Programs\Startup]
    Folder.htt

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Folder.htt

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    Synchronization Manager = mobsync.exe /logon

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINNT\System32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\System32\ie4uinit.exe

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
     
    z4u,
    #3
  5. 2006/08/07
    z4u

    z4u Inactive Thread Starter

    Continued part

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINNT\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry key not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present
    C:\WINNT\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINNT
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [DirectAnimation Java Classes]
    CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
    OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
    OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [Java Plug-in 1.5.0_03]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

    [Java Plug-in 1.5.0_03]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINNT\System32\rnr20.dll
    NameSpace #2: C:\WINNT\System32\winrnr.dll
    Protocol #1: C:\WINNT\system32\msafd.dll
    Protocol #2: C:\WINNT\system32\msafd.dll
    Protocol #3: C:\WINNT\system32\msafd.dll
    Protocol #4: C:\WINNT\system32\rsvpsp.dll
    Protocol #5: C:\WINNT\system32\rsvpsp.dll
    Protocol #6: C:\WINNT\system32\msafd.dll
    Protocol #7: C:\WINNT\system32\msafd.dll
    Protocol #8: C:\WINNT\system32\msafd.dll
    Protocol #9: C:\WINNT\system32\msafd.dll
    Protocol #10: C:\WINNT\system32\msafd.dll
    Protocol #11: C:\WINNT\system32\msafd.dll
    Protocol #12: C:\WINNT\system32\msafd.dll
    Protocol #13: C:\WINNT\system32\msafd.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Alerter: %SystemRoot%\System32\services.exe (manual start)
    Application Management: %SystemRoot%\system32\services.exe (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
    AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
    AVG7 Resident Driver NT: \SystemRoot\System32\Drivers\avg7rsnt.sys (system)
    AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
    AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
    AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (autostart)
    AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
    Computer Browser: %SystemRoot%\System32\services.exe (autostart)
    Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
    DHCP Client: %SystemRoot%\System32\services.exe (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    D-Link DFE-538TX 10/100 Adapter NT Driver: System32\DRIVERS\DLKRTS.SYS (manual start)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
    Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\services.exe (autostart)
    Event Log: %SystemRoot%\system32\services.exe (disabled)
    COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
    Fax Service: %systemroot%\system32\faxsvc.exe (disabled)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\services.exe (autostart)
    Workstation: %SystemRoot%\System32\services.exe (autostart)
    TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
    Messenger: %SystemRoot%\System32\services.exe (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
    Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
    NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
    Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
    NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
    Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    Microsoft USB Open Host Controller Driver: System32\DRIVERS\openhci.sys (manual start)
    Creative WebCam Vista: System32\DRIVERS\P1100bVd.sys (manual start)
    Creative PD1100B HAL Service: System32\DRIVERS\P1100bCd.sys (autostart)
    Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
    Parallel port driver: System32\DRIVERS\parport.sys (system)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    PCIIde: System32\DRIVERS\pciide.sys (system)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Protected Storage: %SystemRoot%\system32\services.exe (autostart)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\Drivers\PxHelp20.sys (system)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Registry Service: %SystemRoot%\system32\regsvc.exe (disabled)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (disabled)
    s3m: System32\DRIVERS\s3m.sys (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\system32\MSTask.exe (disabled)
    RunAs Service: %SystemRoot%\system32\services.exe (disabled)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    Serial Mouse Driver: System32\DRIVERS\sermouse.sys (manual start)
    Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Service for AC'97 Sample Driver (WDM): system32\drivers\sis7012.sys (manual start)
    BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    SSI: system32\Drivers\SSI.SYS (system)
    Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
    BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
    Webroot Spy Sweeper Engine: C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (autostart)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Telnet: %SystemRoot%\system32\tlntsvr.exe (disabled)
    Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (disabled)
    Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
    USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
    USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
    Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    Windows Time: %SystemRoot%\System32\services.exe (manual start)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
    WMDM PMSP Service: C:\WINNT\System32\mspmspsv.exe (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
    World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: *Registry key not found*
    SysTray: stobject.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    {982E3A1F-064E-1033-1111-030415970001} = "C:\Program Files\Common Files\{982E3A1F-064E-1033-1111-030415970001}\Update.exe" mc-110-12-0000651

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    UpdateManager = C:\Program Files\Common Files\Microsoft Shared\Web Components\LicenseMan32.exe

    --------------------------------------------------

    End of report, 26,075 bytes
    Report generated in 0.469 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
    z4u,
    #4
  6. 2006/08/08
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, we need to do some registry hacking but we must first back up the registry as described here

    Click the 'Start' button, select 'Run', hit 'Enter'.

    When box appears, type 'regedit', hit 'Enter'.

    Navigate to the following key, by unticking the '+' next to each subkey:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    In the right hand side of the window, look for:
    {982E3A1F-064E-1033-1111-030415970001}

    Right-click it, select 'delete' and close the registry.

    Next we want to go here:
    C:\Documents and Settings\PRINTER\Start Menu\Programs\Startup<<<--look here for folder.htt and delete it.

    Reboot your machine, run HJT and see if the entries are gone
     
  7. 2006/08/08
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    K I have deleted both entries
    In the right hand side of the window, look for:
    {982E3A1F-064E-1033-1111-030415970001}
    C:\Documents and Settings\PRINTER\Start Menu\Programs\Startup<<<--look

    But the about.error page is still appearing and the folder.htt file is still showing as infected. Another thing: the TCP/IP values are making duplicates 3 times, and the Startup and Global Startup folder values for folder.htt are also appearing. The folder option is also disabled. After I delete the nofolderoption entries and restart, I can view the folder option; then I find the folder.htt files and delete them, but after a few minutes the folder option becomes disabled again.
    This is the HijackThis log:
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\explorer.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINNT\System32\taskmgr.exe
    C:\Documents and Settings\PRINTER\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.my/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - Startup: Folder.htt
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O17 - HKLM\System\CS2\Services\Tcpip\..\{103C0C5C-81EE-4CA5-B432-EC57103EEE82}: NameServer = 192.168.0.1
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
     
    Last edited: 2006/08/08
    z4u,
    #6
  8. 2006/08/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    This may have been a result of not having Spy Sweeper disabled when we fixed things. If you have the resident shields on, it will ask about any changes and revert back.

    I should have had you disable it.

    Open it, click the Options tab, then the Program Options tab and uncheck load at windows startup.
    Then click the shields tab and uncheck home page shield and automatically restore default without notification

    Then re-do my previous instructions, reboot, see if those come back again.
     
  9. 2006/08/09
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Thank you TeMerc for helping to solve this problem. I use Webroot manually and it doesn't turn on after startup, but I have already unchecked these values:
    "Open it, click the Options tab, then the Program Options tab and uncheck load at windows startup.
    Then click the shields tab and uncheck home page shield and automatically restore default without notification"
    I restarted and it works fine for a while, and then now it's back. One more thing I am worried about: it changes the TCP/IP DNS values to 127.0.0.1, and the startup page also opens about:error. Here I uploaded a screenshot of the startup page in Internet Explorer; you can view it here:
    http://img80.imageshack.us/img80/7818/1ku1.jpg
    And here is the log; the Startup and Global Startup values are back again :confused:
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\explorer.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Documents and Settings\PRINTER\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:error
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - Startup: Folder.htt
    O4 - Global Startup: Folder.htt
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O17 - HKLM\System\CCS\Services\Tcpip\..\{103C0C5C-81EE-4CA5-B432-EC57103EEE82}: NameServer = 192.168.0.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{103C0C5C-81EE-4CA5-B432-EC57103EEE82}: NameServer = 192.168.0.1
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    Another thing: it disables the folder view option. I go into the registry, delete nofolderoption and restart, and then I can view it. I search for all folder.htt files and delete them, and then the folder option becomes disabled again, because when I scan with McAfee it detects all the folder.htt viruses, which are hidden files.
     
    z4u,
    #8
  10. 2006/08/10
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:
    C:\Program Files\Common Files\Microsoft Shared\Web Components\LicenseMan32.exe<<<--this file

    Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

    Be patient as this site is usually very busy.

    Can you also delete this folder:
    C:\Program Files\Common Files\{982E3A1F-064E-1033-1111-030415970001}<<<--this folder
     
  11. 2006/08/10
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    And my other 2 PCs, all on the network, are also infected with this problem...
    There is no folder named {982E3A1F-064E-1033-1111-030415970001} to delete:
    C:\Program Files\Common Files\{982E3A1F-064E-1033-1111-030415970001}<<<--this folder
    And the result from http://virusscan.jotti.org is the following:

    File: LicenseMan32.exe
    Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: b0216054eb2bfa91f3a7c4537293b678
    Packers detected: UPX
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
     
    z4u,
    #10
  12. 2006/08/10
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, we're going to go with a stand alone scanner. You will need to disconnect from your network until all machines are cleaned. The clean up needs to be done on each infected machine.

    Then do as instructed below:

    Download: SysClean from TrendMicro:
    http://www.trendmicro.com/download/dcs.asp
    -Scroll down the page to: SysClean Package 3.0 MB
    -Save, creating a new folder for the program (call it SysClean)

    Next, get the latest pattern file from here:
    http://www.trendmicro.com/download/viruspattern.asp
    -Select: lpt967.zip (Windows) 10.4MB)
    -Unzip and copy the downloaded pattern file to the SysClean folder!!
    Do not run SysClean yet

    Make sure you download and place the latest pattern file in the same folder as the SysClean package. The lpt$vpn.967 file and the SysClean MS-DOS Application file must be in the same folder!!

    Next, go to Start >Run and enter: cleanmgr
    Check the following boxes and then press OK to remove:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    Also, go to Start>Control Panel>Internet Options
    In the General tab, Temporary Internet Files, click: Delete Files
    When prompted, check: Delete all offline content
    Click: OK

    Now, temporarily disable your Anti Virus, as it may interfere with the process.

    Then, reboot into Safe Mode as follows:
    -Restart your computer.
    -When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
    -Select the option for Safe Mode using the arrow keys.
    -Press Enter to boot into Safe Mode.

    In Safe Mode run SysClean by double-clicking the SysClean MS-DOS Application file
    In the TrendMicro SysClean Package screen, check: Automatically clean or delete detected files
    Click the Scan button

    SysClean first executes all the virus pattern files, and then scans the hard drive.
    The process takes a while!

    When the scan is done, select: View Log
    A SysClean text document is produced in the same folder the program was downloaded to.

    Provide the SysClean text log in your reply along with a new HijackThis log.
     
  13. 2006/08/10
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Hi, I have uninstalled AVG and installed AntiVir antivirus. It is detecting the redlof.k virus as folder.htt and I delete it, but whenever I open Explorer or any folder it detects the virus in that same directory and I delete it using AntiVir.
    I followed what you mentioned in your post; here is the log file result.

    /--------------------------------------------------------------\
    | Trend Micro Sysclean Package |
    | Copyright 2002, Trend Micro, Inc. |
    | http://www.trendmicro.com |
    \--------------------------------------------------------------/


    2006-08-10, 20:34:07, Auto-clean mode specified.
    2006-08-10, 20:34:07, Running scanner "C:\Documents and Settings\PRINTER\Desktop\sysclean\TSC.BIN "...
    2006-08-10, 20:34:16, Scanner "C:\Documents and Settings\PRINTER\Desktop\sysclean\TSC.BIN" has finished running.
    2006-08-10, 20:34:16, TSC Log:

    2006-08-10, 20:36:16, An error occurred while scanning file "C:\WINNT\system32\config\software.LOG ": Access is denied.
    2006-08-10, 20:36:16, An error occurred while scanning file "C:\WINNT\system32\config\default.LOG ": Access is denied.
    2006-08-10, 20:36:16, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY ": Access is denied.
    2006-08-10, 20:36:16, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY.LOG ": Access is denied.
    2006-08-10, 20:36:16, An error occurred while scanning file "C:\WINNT\system32\config\SYSTEM.ALT ": Access is denied.
    2006-08-10, 20:36:16, An error occurred while scanning file "C:\WINNT\system32\config\SAM ": Access is denied.
    2006-08-10, 20:36:16, An error occurred while scanning file "C:\WINNT\system32\config\SAM.LOG ": Access is denied.
    2006-08-10, 20:36:16, An error occurred while scanning file "C:\WINNT\system32\config\SYSTEM ": Access is denied.
    2006-08-10, 20:36:16, An error occurred while scanning file "C:\WINNT\system32\config\SOFTWARE ": Access is denied.
    2006-08-10, 20:36:16, An error occurred while scanning file "C:\WINNT\system32\config\DEFAULT ": Access is denied.
    2006-08-10, 20:41:26, An error occurred while scanning file "C:\Documents and Settings\PRINTER\NTUSER.DAT ": Access is denied.
    2006-08-10, 20:41:26, An error occurred while scanning file "C:\Documents and Settings\PRINTER\ntuser.dat.LOG ": Access is denied.
    2006-08-10, 20:41:27, An error occurred while scanning file "C:\Documents and Settings\PRINTER\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat ": Access is denied.
    2006-08-10, 20:41:27, An error occurred while scanning file "C:\Documents and Settings\PRINTER\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG ": Access is denied.
    2006-08-10, 20:53:01, Running scanner "C:\Documents and Settings\PRINTER\Desktop\sysclean\VSCANTM.BIN "...
    2006-08-10, 21:07:31, Files Detected:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 8/10/2006 20:53:02
    VSAPI Engine Version : 8.000-1001
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 647 (124255 Patterns) (2006/08/09) (364700)
    Command Line: C:\Documents and Settings\PRINTER\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\PRINTER\Desktop\sysclean

    C:\WINNT\system32\Folder.htt [VBS_REDLOF.S]
    C:\WINNT\Fonts\Folder.htt [VBS_REDLOF.S]
    C:\WINNT\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\All Users\Start Menu\Programs\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\All Users\Start Menu\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\PRINTER\Templates\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\PRINTER\Start Menu\Programs\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\PRINTER\Start Menu\Programs\Startup\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\PRINTER\Start Menu\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\PRINTER\SendTo\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\PRINTER\Recent\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\PRINTER\PrintHood\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\PRINTER\My Documents\My Received Files\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\PRINTER\My Documents\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\PRINTER\NetHood\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\PRINTER\Favorites\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\PRINTER\Application Data\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\PRINTER\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\Folder.htt [VBS_REDLOF.S]
    C:\Program Files\CafeSuite\Folder.htt [VBS_REDLOF.S]
    C:\Program Files\Ahead\Nero\Folder.htt [VBS_REDLOF.S]
    C:\Program Files\Ahead\Folder.htt [VBS_REDLOF.S]
    C:\Program Files\Folder.htt [VBS_REDLOF.S]
    C:\Folder.htt [VBS_REDLOF.S]
    C:\My Documents\Folder.htt [VBS_REDLOF.S]
    28080 files have been read.
    28080 files have been checked.
    24947 files have been scanned.
    133672 files have been scanned. (including files in archived)
    26 files containing viruses.
    Found 26 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 8/10/2006 21:07:31
    ---------*---------*---------*---------*---------*---------*---------*---------*
    2006-08-10, 21:07:31, Files Clean:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 8/10/2006 20:53:01
    VSAPI Engine Version : 8.000-1001
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 647 (124255 Patterns) (2006/08/09) (364700)
    Command Line: C:\Documents and Settings\PRINTER\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\PRINTER\Desktop\sysclean

    Success Clean [ VBS_REDLOF.S]( 1) from C:\WINNT\system32\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\WINNT\Fonts\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\WINNT\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\All Users\Start Menu\Programs\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\All Users\Start Menu\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\PRINTER\Templates\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\PRINTER\Start Menu\Programs\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\PRINTER\Start Menu\Programs\Startup\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\PRINTER\Start Menu\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\PRINTER\SendTo\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\PRINTER\Recent\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\PRINTER\PrintHood\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\PRINTER\My Documents\My Received Files\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\PRINTER\My Documents\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\PRINTER\NetHood\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\PRINTER\Favorites\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\PRINTER\Application Data\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\PRINTER\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Program Files\CafeSuite\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Program Files\Ahead\Nero\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Program Files\Ahead\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Program Files\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\My Documents\Folder.htt
    28080 files have been read.
    28080 files have been checked.
    24947 files have been scanned.
    133672 files have been scanned. (including files in archived)
    26 files containing viruses.
    Found 26 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 8/10/2006 21:07:31 14 minutes 23 seconds (862.86 seconds) has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2006-08-10, 21:07:31, Clean Fail:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 8/10/2006 20:53:01
    VSAPI Engine Version : 8.000-1001
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 647 (124255 Patterns) (2006/08/09) (364700)
    Command Line: C:\Documents and Settings\PRINTER\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\PRINTER\Desktop\sysclean

    28080 files have been read.
    28080 files have been checked.
    24947 files have been scanned.
    133672 files have been scanned. (including files in archived)
    26 files containing viruses.
    Found 26 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 8/10/2006 21:07:31 14 minutes 23 seconds (862.86 seconds) has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2006-08-10, 21:07:31, Scanner "C:\Documents and Settings\PRINTER\Desktop\sysclean\VSCANTM.BIN" has finished running.
    2006-08-10, 21:14:22, Running scanner "C:\Documents and Settings\PRINTER\Desktop\sysclean\VSCANTM.BIN "...
    2006-08-10, 21:14:38, Files Detected:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 8/10/2006 21:14:23
    VSAPI Engine Version : 8.000-1001
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 647 (124255 Patterns) (2006/08/09) (364700)
    Command Line: C:\Documents and Settings\PRINTER\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\PRINTER\Desktop\sysclean

    D:\Folder.htt [VBS_REDLOF.S]
    129 files have been read.
    129 files have been checked.
    119 files have been scanned.
    251 files have been scanned. (including files in archived)
    1 files containing viruses.
    Found 1 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 8/10/2006 21:14:38
    ---------*---------*---------*---------*---------*---------*---------*---------*
    2006-08-10, 21:14:38, Files Clean:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 8/10/2006 21:14:23
    VSAPI Engine Version : 8.000-1001
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 647 (124255 Patterns) (2006/08/09) (364700)
    Command Line: C:\Documents and Settings\PRINTER\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\PRINTER\Desktop\sysclean

    Success Clean [ VBS_REDLOF.S]( 1) from D:\Folder.htt
    129 files have been read.
    129 files have been checked.
    119 files have been scanned.
    251 files have been scanned. (including files in archived)
    1 files containing viruses.
    Found 1 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 8/10/2006 21:14:38 8 seconds (8.41 seconds) has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2006-08-10, 21:14:38, Clean Fail:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 8/10/2006 21:14:23
    VSAPI Engine Version : 8.000-1001
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 647 (124255 Patterns) (2006/08/09) (364700)
    Command Line: C:\Documents and Settings\PRINTER\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\PRINTER\Desktop\sysclean

    129 files have been read.
    129 files have been checked.
    119 files have been scanned.
    251 files have been scanned. (including files in archived)
    1 files containing viruses.
    Found 1 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 8/10/2006 21:14:38 8 seconds (8.41 seconds) has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2006-08-10, 21:14:38, Scanner "C:\Documents and Settings\PRINTER\Desktop\sysclean\VSCANTM.BIN" has finished running.
    And here is the HijackThis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 9:36:13 PM, on 8/10/2006
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\explorer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINNT\System32\taskmgr.exe
    C:\Documents and Settings\PRINTER\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.my/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O17 - HKLM\System\CCS\Services\Tcpip\..\{103C0C5C-81EE-4CA5-B432-EC57103EEE82}: NameServer = 192.168.0.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{103C0C5C-81EE-4CA5-B432-EC57103EEE82}: NameServer = 192.168.0.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{103C0C5C-81EE-4CA5-B432-EC57103EEE82}: NameServer = 192.168.0.1
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
     
    z4u,
    #12
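The SysClean log in the post above lists detections and cleanup results in separate sections, so confirming that every detected file was actually cleaned means cross-checking them. The following is an added example, not part of the original thread or of Trend Micro's tooling: a small parser that reconciles the two sections, flags detections in Startup folders, and lists files the scanner could not open. The sample log is constructed from the line formats visible in the post, with one detection deliberately left uncleaned.

```python
import re
from collections import Counter

# Line formats taken from the SysClean log posted in the thread.
SECTION = re.compile(
    r"^\d{4}-\d{2}-\d{2}, \d{2}:\d{2}:\d{2}, (Files Detected|Files Clean|Clean Fail):$")
TIMESTAMPED = re.compile(r"^\d{4}-\d{2}-\d{2}, \d{2}:\d{2}:\d{2}, ")
DETECTED = re.compile(r"^([A-Za-z]:\\.+?)\s+\[([^\]]+)\]$")
CLEANED = re.compile(r"^Success Clean\s*\[\s*([^\]]+?)\s*\]\(\s*\d+\)\s+from\s+(.+)$")
SCAN_ERROR = re.compile(r'An error occurred while scanning file "(.+?)\s*": (.+)$')
# Per-user and all-users Startup folders (the O4 Startup / Global Startup lines).
AUTOSTART = "\\start menu\\programs\\startup\\"

# Constructed sample (not the real log): D:\Folder.htt is detected but never cleaned.
SAMPLE_LOG = r'''
    2006-08-10, 20:36:16, An error occurred while scanning file "C:\WINNT\system32\config\SAM ": Access is denied.
    2006-08-10, 21:07:31, Files Detected:
    Virus Pattern Version : 647 (124255 Patterns) (2006/08/09) (364700)
    C:\WINNT\Folder.htt [VBS_REDLOF.S]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Folder.htt [VBS_REDLOF.S]
    D:\Folder.htt [VBS_REDLOF.S]
    3 files containing viruses.
    2006-08-10, 21:07:31, Files Clean:
    Success Clean [ VBS_REDLOF.S]( 1) from C:\WINNT\Folder.htt
    Success Clean [ VBS_REDLOF.S]( 1) from C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Folder.htt
    2006-08-10, 21:07:31, Clean Fail:
    3 files containing viruses.
    2006-08-10, 21:07:31, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.
'''


def reconcile(log_text):
    """Cross-check 'Files Detected' against 'Files Clean' in a SysClean log.

    Paths are pooled across all scan passes in the log and compared
    case-insensitively, as Windows paths are.
    """
    detected = {}   # lower-cased path -> (path as logged, detection name)
    cleaned = set() # lower-cased paths with a 'Success Clean' line
    unscanned = []  # files the scanner could not open
    section = None

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        if TIMESTAMPED.match(line):
            # Any other timestamped line ends the current section.
            section = None
            err = SCAN_ERROR.search(line)
            if err:
                unscanned.append(err.group(1))
            continue
        if section == "Files Detected":
            hit = DETECTED.match(line)
            if hit:
                detected[hit.group(1).lower()] = (hit.group(1), hit.group(2))
        elif section == "Files Clean":
            ok = CLEANED.match(line)
            if ok:
                cleaned.add(ok.group(2).strip().lower())

    return {
        "detected_by_name": dict(Counter(name for _, name in detected.values())),
        "unresolved": [p for key, (p, _) in detected.items() if key not in cleaned],
        "autostart": [p for key, (p, _) in detected.items() if AUTOSTART in key],
        "unscanned": unscanned,
    }


if __name__ == "__main__":
    report = reconcile(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

An empty `unresolved` list is what a fully successful pass looks like; entries under `unscanned` are files the scanner never inspected, so they are not covered by that result.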
  14. 2006/08/10
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well it looks like the sysclean scans removed everything. What directory is the Antivir finding the virus in?

    I got the solution from a fellow security researcher who has much more experience with these types of infections.
     
  15. 2006/08/10
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Thank you very much TeMerc, you and your fellow.
    I am hoping it is fixed now, because now I can't see the folder.htt files, so I am testing it. If it comes back to the same position again I will tell you. I also want to ask about the TCP/IP values creating duplicates, even when I fix them using the HijackThis log.
    There is supposed to be only one value, see below:
    HKLM\System\CCS\Services\Tcpip\..\{103C0C5C-81EE-4CA5-B432-EC57103EEE82}: NameServer = 192.168.0.1
    But it comes in 3 lines, see here:
    17 - HKLM\System\CCS\Services\Tcpip\..\{103C0C5C-81EE-4CA5-B432-EC57103EEE82}: NameServer = 192.168.0.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{103C0C5C-81EE-4CA5-B432-EC57103EEE82}: NameServer = 192.168.0.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{103C0C5C-81EE-4CA5-B432-EC57103EEE82}: NameServer = 192.168.0.1
    Once again, thanks.
     
    Last edited: 2006/08/10
    z4u,
    #14
  16. 2006/08/11
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, glad to hear things are as they should be.

    Those entries in HJT are of no concern, they merely are your router settings and can be ignored.

    Due to resolution or the lack of feedback this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     