[SOLVED] Lady Atenean Scandal.vbs (I need your help.. -_-)

[What's Your Antivirus]

What's Your Antivirus
Symantec
	10 (7%)
Mcafee
	11 (8%)
AVG
	30 (22%)
Nod32
	35 (26%)
Avira
	15 (11%)
Kaspersky
	17 (12%)
ZoneAlarm
	2 (1%)
F-Secure
	0 (0%)
Others
	13 (9%)
Total Voters: 106

[Sylpher`Silverthorn]

1. What Operating System are you using?
    Windows XP

2. What Anti-virus are you using?
    McAfee OAS
 
3. Have you installed any software before the problem occurred?
    Not Applicalbe
    What's the name and version of the software?
    Not Applicable

4. What was the last thing you did before the problem occurred?
    Plugged in my USB

3. What troubleshooting have you done so far?
    Installed Noob_Killer.by.Leerz and WormBuster

4. Is there an error message? What's the error said?
    None..

5. When did the error message appear?
    Not Applicable

7. Did you plug any storage device to your computer?
    Yes

8. What are the symptoms once your computer infected with this particular malware?
    Locks my Windows Task Manager
    Locks my Internet Explorer home page to www.redtube.com -_-
    Places a "Sowar? Pagsure oi?! Guba pc nimo oi!!" at the window title bar

----------

Tried to fix it with Noob_Killer and WormBuster.. After running those programs the problem seemed to be fixed.. But when I turn off the computer and turn it back on, the file "Lady Atenean Scandal.vbs" pops up again.. The file is located in C:\, D:\, F:\

Please help..

LogMe Log:

========================================================================

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
System                         4 Console                 0        228 K
smss.exe                     588 Console                 0        400 K
csrss.exe                    644 Console                 0      3,696 K
winlogon.exe                 672 Console                 0      4,052 K
services.exe                 716 Console                 0      5,112 K
lsass.exe                    728 Console                 0      5,872 K
ati2evxx.exe                 884 Console                 0      2,984 K
svchost.exe                  900 Console                 0      4,664 K
svchost.exe                  968 Console                 0      4,092 K
svchost.exe                 1040 Console                 0     26,212 K
svchost.exe                 1112 Console                 0      3,336 K
svchost.exe                 1176 Console                 0      2,980 K
spoolsv.exe                 1272 Console                 0      4,816 K
ati2evxx.exe                1364 Console                 0      3,120 K
explorer.exe                 392 Console                 0     30,648 K
shstat.exe                   528 Console                 0        772 K
TrueImageMonitor.exe         540 Console                 0      4,544 K
TimounterMonitor.exe         580 Console                 0      5,432 K
schedhlp.exe                 604 Console                 0      2,504 K
hpwuSchd2.exe                624 Console                 0      2,200 K
hpcmpmgr.exe                 620 Console                 0      5,796 K
UdaterUI.exe                 636 Console                 0      3,100 K
Mctray.exe                   848 Console                 0      2,496 K
wscript.exe                 1008 Console                 0      5,124 K
btdna.exe                   1032 Console                 0      6,976 K
MemOptimizer.exe            1088 Console                 0     13,780 K
ctfmon.exe                  1072 Console                 0      3,204 K
svchost.exe                 1668 Console                 0      3,268 K
schedul2.exe                1704 Console                 0      2,348 K
FrameworkService.exe        1788 Console                 0      6,436 K
Mcshield.exe                1828 Console                 0    132,560 K
naPrdMgr.exe                1896 Console                 0        448 K
VsTskMgr.exe                1992 Console                 0        480 K
RichVideo.exe               2112 Console                 0      2,752 K
TrueImageTryStartService.   2176 Console                 0      4,788 K
wmiprvse.exe                2804 Console                 0      6,676 K
alg.exe                     2928 Console                 0      3,424 K
WinRAR.exe                  3416 Console                 0      7,356 K
wuauclt.exe                 3572 Console                 0      7,060 K
LogMe.exe                   3808 Console                 0      2,008 K
cmd.exe                     3816 Console                 0      1,608 K
tasklist.exe                3844 Console                 0      4,424 K
========================================================================

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell   REG_SZ   Explorer.exe


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit   REG_SZ   C:\WINDOWS\system32\userinit.exe,

========================================================================
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="\"C:\\Documents and Settings\\Log-in\\Application Data\\mjusbsp\\cdloader2.exe\" MAGICJACK"
"BitTorrent DNA"="\"C:\\Program Files\\DNA\\btdna.exe\""
"TuneUp MemOptimizer"="\"C:\\Program Files\\TuneUp Utilities 2008\\MemOptimizer.exe\" autostart"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="\"C:\\Program Files\\McAfee\\VirusScan Enterprise\\SHSTAT.EXE\" /STANDALONE"
"TrueImageMonitor.exe"="C:\\Program Files\\Acronis\\TrueImageHome\\TrueImageMonitor.exe"
"AcronisTimounterMonitor"="C:\\Program Files\\Acronis\\TrueImageHome\\TimounterMonitor.exe"
"Acronis Scheduler2 Service"="\"C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"McAfeeUpdaterUI"="\"C:\\Program Files\\McAfee\\Common Framework\\UdaterUI.exe\" /StartedFromRunKey"
"YouTubeDownloader_upgrade"="\"C:\\Program Files\\E-Zsoft\\YouTubeDownloader\\YouTubeDownloader.exe\" /upgrade"
"Microsoft System Info"="wscript.exe \"C:\\WINDOWS\\SysInfo.vbs\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000080
"NoDriveAutoRun"=dword:03ffffff
"NoDrives"=dword:00000000
"NoFolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutoRunSetting"=dword:00000001
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:00000143
"NoDrives"=dword:00000000
"NoFolderOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]

========================================================================
 Volume in drive C has no label.
 Volume Serial Number is 14FA-1D0F

 Directory of C:\DOCUME~1\Log-in\LOCALS~1\Temp\Rar$EX01.125


 Directory of C:\DOCUME~1\Log-in\LOCALS~1\Temp\Rar$EX01.125

08/03/2009  09:09 PM    <DIR>          .
08/03/2009  09:09 PM    <DIR>          ..
08/03/2009  09:09 PM             7,938 Log.txt
02/10/2008  02:29 AM           131,206 LogMe.exe
               2 File(s)        139,144 bytes
               2 Dir(s)  165,686,165,504 bytes free
 Volume in drive C has no label.
 Volume Serial Number is 14FA-1D0F

 Directory of C:\DOCUME~1\Log-in\LOCALS~1\Temp\Rar$EX01.125


 Directory of C:\windows

08/03/2009  08:27 PM    <DIR>          .
08/03/2009  08:27 PM    <DIR>          ..
08/01/2009  05:22 PM    <DIR>          $hf_mig$
10/04/2008  01:48 AM    <DIR>          $MSI31Uninstall_KB893803v2$
04/27/2009  06:33 PM    <DIR>          $NtServicePackUninstallIDNMitigationAPIs$
04/27/2009  06:33 PM    <DIR>          $NtServicePackUninstallNLSDownlevelMapping$
04/01/2009  12:39 PM    <DIR>          $NtUninstallKB898461$
04/27/2009  06:53 PM    <DIR>          $NtUninstallKB904942$
04/27/2009  06:53 PM    <DIR>          $NtUninstallKB914440$
04/27/2009  06:32 PM    <DIR>          $NtUninstallKB915865$
04/16/2009  03:19 PM    <DIR>          $NtUninstallKB923561$
08/01/2009  05:13 PM    <DIR>          $NtUninstallKB932823-v3$
04/01/2009  04:49 PM    <DIR>          $NtUninstallKB938464-v2$
04/08/2009  09:55 AM    <DIR>          $NtUninstallKB944338-v2$
04/08/2009  09:56 AM    <DIR>          $NtUninstallKB946648$
04/01/2009  04:48 PM    <DIR>          $NtUninstallKB950760$
04/08/2009  09:55 AM    <DIR>          $NtUninstallKB950762$
04/08/2009  09:56 AM    <DIR>          $NtUninstallKB950974$
04/01/2009  12:39 PM    <DIR>          $NtUninstallKB951066$
04/01/2009  04:50 PM    <DIR>          $NtUninstallKB951376-v2$
04/08/2009  09:56 AM    <DIR>          $NtUninstallKB951698$
04/08/2009  09:55 AM    <DIR>          $NtUninstallKB951748$
04/16/2009  03:20 PM    <DIR>          $NtUninstallKB952004$
04/08/2009  09:55 AM    <DIR>          $NtUninstallKB952069_WM9$
04/08/2009  09:55 AM    <DIR>          $NtUninstallKB952287$
04/08/2009  09:56 AM    <DIR>          $NtUninstallKB952954$
04/08/2009  09:55 AM    <DIR>          $NtUninstallKB954600$
04/08/2009  09:55 AM    <DIR>          $NtUninstallKB955069$
04/01/2009  04:49 PM    <DIR>          $NtUninstallKB955839$
04/16/2009  03:20 PM    <DIR>          $NtUninstallKB956572$
04/08/2009  09:55 AM    <DIR>          $NtUninstallKB956802$
04/08/2009  09:56 AM    <DIR>          $NtUninstallKB956803$
04/08/2009  09:56 AM    <DIR>          $NtUninstallKB956841$
04/08/2009  09:55 AM    <DIR>          $NtUninstallKB957097$
04/01/2009  12:39 PM    <DIR>          $NtUninstallKB958215$
04/08/2009  09:55 AM    <DIR>          $NtUninstallKB958644$
04/08/2009  09:55 AM    <DIR>          $NtUninstallKB958687$
04/08/2009  09:55 AM    <DIR>          $NtUninstallKB958690$
04/16/2009  03:20 PM    <DIR>          $NtUninstallKB959426$
04/08/2009  09:56 AM    <DIR>          $NtUninstallKB960225$
04/08/2009  09:38 AM    <DIR>          $NtUninstallKB960714$
04/01/2009  04:48 PM    <DIR>          $NtUninstallKB960715$
04/16/2009  03:20 PM    <DIR>          $NtUninstallKB960803$
07/15/2009  06:53 PM    <DIR>          $NtUninstallKB961371$
04/16/2009  03:20 PM    <DIR>          $NtUninstallKB961373$
07/03/2009  01:12 AM    <DIR>          $NtUninstallKB961501$
04/16/2009  03:19 PM    <DIR>          $NtUninstallKB963027$
04/08/2009  09:38 AM    <DIR>          $NtUninstallKB967715$
07/03/2009  01:12 AM    <DIR>          $NtUninstallKB968537$
07/03/2009  01:12 AM    <DIR>          $NtUninstallKB969897$
06/12/2009  11:36 PM    <DIR>          $NtUninstallKB969898$
07/03/2009  01:12 AM    <DIR>          $NtUninstallKB970238$
07/15/2009  06:54 PM    <DIR>          $NtUninstallKB971633$
07/29/2009  06:35 PM    <DIR>          $NtUninstallKB972260$
07/15/2009  06:54 PM    <DIR>          $NtUninstallKB973346$
08/03/2009  09:09 PM                 0 0.log
10/02/2008  08:04 PM    <DIR>          addins
02/27/2002  03:48 AM            16,859 ADDINS.HLP
11/18/2005  11:20 AM           217,088 Alcrmv.exe
03/20/2006  11:48 AM           315,392 alcupd.exe
08/03/2009  08:24 PM    <DIR>          AppPatch
04/08/2009  09:36 AM    <DIR>          assembly
07/06/2001  12:19 AM               164 avrack.ini
08/23/2001  07:00 PM             1,272 Blue Lace 16.bmp
08/03/2009  09:08 PM             2,048 bootstat.dat
08/23/2001  07:00 PM            82,944 clock.avi
08/23/2001  07:00 PM            17,062 Coffee Bean.bmp
08/01/2009  10:35 PM           149,528 comsetup.log
10/02/2008  08:04 PM    <DIR>          Config
10/02/2008  08:04 PM    <DIR>          Connection Wizard
10/03/2008  06:39 AM                 0 control.ini
10/03/2008  06:35 AM    <DIR>          Cursors
04/01/2009  12:32 PM    <DIR>          Debug
08/23/2001  07:00 PM                 2 desktop.ini
07/22/2009  11:35 PM            16,585 DirectX.log
04/04/2009  05:58 PM    <DIR>          Downloaded Program Files
10/02/2008  08:04 PM    <DIR>          Driver Cache
10/02/2008  11:28 PM    <DIR>          ehome
08/03/2009  08:19 PM    <DIR>          ERDNT
08/04/2004  06:56 AM         1,032,192 explorer.exe
08/23/2001  07:00 PM                80 explorer.scf
08/01/2009  10:34 PM           413,445 FaxSetup.log
08/23/2001  07:00 PM            16,730 FeatherTexture.bmp
10/03/2008  09:41 AM    <DIR>          Fonts
08/23/2001  07:00 PM            17,336 Gone Fishing.bmp
08/23/2001  07:00 PM            26,582 Greenstone.bmp
08/31/2000  08:00 AM            80,412 grep.exe
08/01/2009  11:54 PM    <DIR>          Help
08/04/2004  06:56 AM            10,752 hh.exe
05/03/2009  05:58 AM               414 hpbvspst.bu1
05/03/2009  05:58 AM             2,615 hpbvspst.hi1
05/03/2009  06:09 AM             2,615 hpbvspst.his
05/03/2009  06:05 AM             4,266 hpdj3740.bu1
05/03/2009  06:00 AM             7,266 hpdj3740.bu2
05/03/2009  06:05 AM            32,892 hpdj3740.hi1
05/03/2009  06:00 AM            71,328 hpdj3740.hi2
05/03/2009  06:13 AM            71,524 hpdj3740.his
04/12/2009  02:39 PM               784 hpdj3740.ini
03/17/2004  09:12 PM               362 hpfins_s04_main.dat
03/17/2004  09:11 PM             5,428 hpfmdl_s04_main.dat
04/27/2009  06:33 PM             8,168 IDNMitigationAPIs.log
04/27/2009  06:53 PM    <DIR>          ie7
04/27/2009  06:34 PM            57,556 ie7.log
04/27/2009  06:35 PM    <DIR>          ie7updates
04/27/2009  06:35 PM            39,673 ie7_main.log
08/01/2009  10:15 PM           169,163 ie8.log
08/01/2009  10:35 PM            57,964 ie8Uninst.log
08/01/2009  10:35 PM    <DIR>          ie8updates
08/01/2009  10:26 PM           352,366 ie8_main.log
08/01/2009  10:35 PM           479,630 iis6.log
10/03/2008  06:39 AM    <DIR>          ime
08/01/2009  10:16 PM             1,355 imsins.BAK
08/01/2009  10:35 PM             1,355 imsins.log
05/08/2009  10:29 AM                29 Index.ini
08/01/2009  11:54 PM    <DIR>          inf
08/03/2009  08:25 PM    <DIR>          Installer
10/02/2008  08:04 PM    <DIR>          java
04/27/2009  06:31 PM            10,774 KB904942.log
04/27/2009  06:31 PM             5,087 KB914440.log
04/27/2009  06:32 PM             6,413 KB915865.log
04/16/2009  03:19 PM            10,390 KB923561.log
08/01/2009  05:13 PM            31,090 KB932823-v3.log
04/01/2009  04:49 PM            17,277 KB938464-v2.log
04/08/2009  09:42 AM            12,710 KB944338-v2.log
04/01/2009  04:49 PM            15,883 KB946648.log
04/01/2009  04:48 PM            13,438 KB950760.log
04/01/2009  04:48 PM            15,472 KB950762.log
04/08/2009  09:44 AM            21,769 KB950974.log
04/01/2009  04:50 PM            15,898 KB951376-v2.log
04/08/2009  09:44 AM            21,055 KB951698.log
04/08/2009  09:42 AM            20,945 KB951748.log
04/16/2009  03:20 PM            18,979 KB952004.log
04/01/2009  04:48 PM            15,229 KB952069.log
04/01/2009  04:48 PM            15,158 KB952287.log
04/08/2009  09:44 AM            20,745 KB952954.log
04/01/2009  04:47 PM             9,473 KB954600.log
04/01/2009  04:47 PM             9,261 KB955069.log
04/08/2009  09:44 AM            35,006 KB955839.log
04/16/2009  03:20 PM            21,937 KB956572.log
04/08/2009  09:42 AM            14,238 KB956802.log
04/01/2009  04:49 PM            16,600 KB956803.log
04/01/2009  04:49 PM            17,491 KB956841.log
04/01/2009  04:48 PM            15,533 KB957097.log
04/01/2009  04:47 PM             9,781 KB958644.log
04/01/2009  04:48 PM            15,452 KB958687.log
04/08/2009  09:43 AM            20,224 KB958690.log
04/16/2009  03:20 PM            22,654 KB959426.log
04/08/2009  09:44 AM            21,287 KB960225.log
04/01/2009  04:49 PM            16,145 KB960714.log
04/01/2009  04:48 PM            13,872 KB960715.log
04/16/2009  03:20 PM            16,804 KB960803.log
07/15/2009  06:53 PM            15,201 KB961371.log
04/16/2009  03:20 PM            21,203 KB961373.log
07/03/2009  06:14 AM            31,208 KB961501.log
04/27/2009  06:35 PM            94,469 KB963027-IE7.log
04/16/2009  03:20 PM            21,062 KB963027.log
04/08/2009  09:43 AM            20,783 KB967715.log
04/27/2009  12:22 AM            53,843 KB968220-IE8.log
07/03/2009  01:55 AM            28,556 KB968537.log
07/03/2009  01:56 AM            44,947 KB969897.log
06/12/2009  11:36 PM             8,998 KB969898.log
07/03/2009  01:55 AM            29,516 KB970238.log
07/15/2009  06:54 PM            14,807 KB971633.log
08/01/2009  10:16 PM           126,370 KB972260-IE8.log
07/29/2009  06:35 PM            21,430 KB972260.log
08/01/2009  10:16 PM           112,029 KB972636-IE8.log
07/15/2009  06:54 PM             7,684 KB973346.log
08/01/2009  10:34 PM            26,350 MedCtrOC.log
08/01/2009  11:54 PM    <DIR>          Media
04/12/2006  09:47 AM           217,073 meta4.exe
04/07/2009  09:00 PM    <DIR>          Microsoft.NET
04/05/2006  08:09 AM            66,560 MOTA113.exe
10/02/2008  11:28 PM    <DIR>          msagent
10/02/2008  08:04 PM    <DIR>          msapps
08/23/2001  07:00 PM             1,405 msdfmap.ini
08/01/2009  10:34 PM            19,158 msgsocm.log
08/01/2009  10:33 PM           115,842 msmqinst.log
04/01/2009  07:38 PM           315,188 msxml4-KB954430-enu.LOG
10/02/2008  11:28 PM    <DIR>          mui
07/30/2009  01:20 PM                69 NeroDigital.ini
08/01/2009  10:34 PM            67,146 netfxocm.log
04/27/2009  06:53 PM    <DIR>          network diagnostic
04/20/2009  12:56 PM            31,232 NIRCMD.exe
04/27/2009  06:33 PM             7,105 NLSDownlevelMapping.log
08/04/2004  06:56 AM            69,120 NOTEPAD.EXE
04/03/2009  12:13 PM                 0 nsreg.dat
08/01/2009  10:35 PM            88,986 ntdtcsetup.log
08/01/2009  10:34 PM           204,272 ocgen.log
08/01/2009  10:35 PM            21,204 ocmsn.log
10/03/2008  09:42 AM               376 ODBC.INI
10/03/2008  06:39 AM             4,161 ODBCINST.INI
10/03/2008  06:47 AM               833 OEWABLog.txt
10/03/2008  06:38 AM    <DIR>          Offline Web Pages
10/03/2008  06:37 AM    <DIR>          pchealth
10/02/2008  11:28 PM    <DIR>          PeerNet
07/13/2009  05:48 AM           219,648 PEV.exe
07/21/2009  10:52 AM               151 PhotoSnapViewer.INI
06/04/2009  03:17 PM                14 popcinfo.dat
08/23/2001  07:00 PM            65,954 Prairie Wind.bmp
08/03/2009  08:27 PM    <DIR>          Prefetch
10/02/2008  08:04 PM    <DIR>          Provisioning
10/04/2008  02:01 AM    <DIR>          pss
08/04/2004  06:56 AM           146,432 regedit.exe
08/01/2009  04:53 PM    <DIR>          Registration
10/03/2008  06:46 AM             8,192 REGLOCS.OLD
10/02/2008  03:31 PM             1,052 regopt.log
10/03/2008  06:39 AM    <DIR>          repair
10/02/2008  08:04 PM    <DIR>          Resources
08/23/2001  07:00 PM            17,362 Rhododendron.bmp
08/23/2001  07:00 PM            26,680 River Sumida.bmp
08/23/2001  07:00 PM            65,832 Santa Fe Stucco.bmp
08/03/2009  08:31 PM            32,632 SchedLgU.Txt
10/03/2008  09:28 AM    <DIR>          security
08/31/2000  08:00 AM            98,816 sed.exe
08/04/2004  08:03 AM         1,042,903 SET3.tmp
08/04/2004  07:57 AM         1,086,058 SET4.tmp
08/04/2004  07:58 AM            13,753 SET8.tmp
08/02/2009  12:52 PM           278,528 Setup1.exe
04/01/2009  04:47 PM                 0 setupact.log
07/24/2009  08:01 AM           151,525 setupapi.log
10/02/2008  11:30 PM                 0 setuperr.log
10/03/2008  09:41 AM    <DIR>          SHELLNEW
08/23/2001  07:00 PM            65,978 Soap Bubbles.bmp
04/01/2009  07:17 AM    <DIR>          SoftwareDistribution
01/22/2001  04:45 PM             1,548 SOS.BAT
03/02/2006  07:22 AM           577,536 soundman.exe
08/01/2009  10:29 PM            30,317 spupdsvc.log
03/13/2001  06:50 PM            42,496 src.dat
10/03/2008  06:38 AM    <DIR>          srchasst
08/02/2009  12:52 PM            73,216 ST6UNST.EXE
10/02/2008  11:33 PM                 0 Sti_Trace.log
04/01/2009  05:01 PM             8,219 svcpack.log
08/31/2000  08:00 AM           161,792 SWREG.exe
08/31/2000  08:00 AM           136,704 SWSC.exe
08/31/2000  08:00 AM           212,480 SWXCACLS.exe
12/31/2008  12:53 PM             3,359 SysInfo.vbs
10/03/2008  09:41 AM    <DIR>          system
08/03/2009  08:26 PM               227 system.ini
08/03/2009  08:27 PM    <DIR>          system32
04/27/2009  06:55 PM    <DIR>          system32ÿ
08/01/2009  10:35 PM            19,282 tabletoc.log
08/23/2001  07:00 PM            15,360 TASKMAN.EXE
07/03/2009  05:16 PM    <DIR>          Tasks
08/03/2009  09:09 PM    <DIR>          temp
08/02/2009  12:57 PM            26,259 TmComm.log
08/02/2009  12:53 PM    <DIR>          Totalsec
08/01/2009  10:35 PM           174,902 tsoc.log
08/23/2001  07:00 PM            94,784 twain.dll
10/02/2008  11:26 PM    <DIR>          twain_32
08/04/2004  06:56 AM            50,688 twain_32.dll
08/23/2001  07:00 PM            49,680 twunk_16.exe
08/23/2001  07:00 PM            25,600 twunk_32.exe
08/31/2005  12:33 PM                50 UNNeroBackItUp.cfg
07/15/2006  08:29 AM           966,656 UNNeroBackItUp.exe
09/16/2005  05:35 AM                50 UNNeroMediaHome.cfg
07/15/2006  08:29 AM           966,656 UNNeroMediaHome.exe
08/31/2005  12:37 PM                50 UNNeroShowTime.cfg
07/15/2006  08:29 AM           966,656 UNNeroShowTime.exe
08/31/2005  12:37 PM                50 UNNeroVision.cfg
07/15/2006  08:29 AM           966,656 UNNeroVision.exe
08/31/2005  12:36 PM                50 UNRecode.cfg
07/15/2006  08:29 AM           966,656 UNRecode.exe
08/01/2009  10:34 PM           179,786 updspapi.log
10/03/2008  06:36 AM                36 vb.ini
10/03/2008  06:36 AM                37 vbaddin.ini
08/23/2001  07:00 PM            18,944 vmmreg32.dll
03/13/2001  07:08 PM            19,968 vrf.dat
08/01/2009  10:15 PM    <DIR>          WBEM
10/04/2008  01:47 AM    <DIR>          Web
07/21/2009  02:57 PM               216 wiadebug.log
07/21/2009  02:57 PM                49 wiaservc.log
10/04/2008  02:01 AM               646 win.ini
07/27/2009  12:58 PM               155 winamp.ini
10/03/2008  06:38 AM               749 WindowsShell.Manifest
08/03/2009  09:09 PM         1,100,000 WindowsUpdate.log
08/23/2001  07:00 PM           256,192 winhelp.exe
08/04/2004  06:56 AM           283,648 winhlp32.exe
08/23/2001  07:00 PM            48,680 winnt.bmp
08/23/2001  07:00 PM            48,680 winnt256.bmp
04/09/2009  02:32 PM    <DIR>          WinSxS
10/03/2008  06:39 AM           316,640 WMSysPr9.prx
05/11/2006  06:32 PM           502,784 x2.64.exe
08/23/2001  07:00 PM             9,522 Zapotec.bmp
08/31/2000  08:00 AM            68,096 zip.exe
08/23/2001  07:00 PM               707 _default.pif
             181 File(s)     18,970,506 bytes
             104 Dir(s)  165,686,153,216 bytes free
 Volume in drive C has no label.
 Volume Serial Number is 14FA-1D0F

 Directory of C:\DOCUME~1\Log-in\LOCALS~1\Temp\Rar$EX01.125


 Volume in drive D is back-up
 Volume Serial Number is 7040-B395

 Directory of D:\

08/03/2009  09:09 PM               167 Autorun.inf
04/01/2009  01:04 PM    <DIR>          back-up
12/24/2006  02:23 PM    <DIR>          encarta007
07/19/2009  12:29 AM            38,274 Final Fantasy VII - Tifa's Theme.zip
08/01/2009  03:28 PM    <DIR>          Iking'sFiles
03/17/2009  02:59 PM         4,847,325 KT Tunstall - Suddenly I See.mp3
12/31/2008  12:53 PM             3,359 Lady Atenean Scandal.vbs
06/15/2008  02:51 PM    <DIR>          Mcafee Enterprise Edition 8.5i 2007
03/03/2009  01:51 PM         2,554,190 MoonLight Engine 1236.4.0.14.rar
04/27/2009  08:50 AM    <DIR>          msdownld.tmp
02/28/2008  08:17 PM    <DIR>          NBA LIVE 08
04/01/2009  06:41 AM                 9 password.txt
06/05/2009  06:48 PM    <DIR>          Piano Score
03/03/2009  01:48 PM         9,225,616 PokerStarsInstallPM_1.exe
10/04/2008  02:49 AM     4,217,054,720 recovery.tib
08/03/2009  09:09 PM    <DIR>          Recycled
10/05/2008  09:29 AM    <DIR>          RECYCLER
11/28/2007  04:24 PM    <DIR>          removers for autoplay virus
04/02/2009  07:41 AM    <DIR>          System Volume Information
07/19/2009  12:27 AM           163,722 tifaac.zip
03/14/2009  12:34 PM    <DIR>          Trojan Remover v6.6.2 + Serial [h33t]
12/24/2006  02:15 PM    <DIR>          WALLPAPR
07/21/2009  10:57 PM               261 wew.txt
07/08/2009  09:46 PM    <DIR>          Xinox Software
              10 File(s)  4,233,887,643 bytes
              14 Dir(s)  28,211,838,976 bytes free
-
-
-
-
-
-
-
-
-
-
-
HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:17 PM, on 8/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Documents and Settings\Log-in\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.redtube.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redtube.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Sowar? PagSureOy!!! Guba gyud nang PC nimo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SPEEDBIT1 - {425E30F0-CCC6-4E24-BBEB-BCBD31720B37} - (no file)
O2 - BHO: E-Zsoft VideoDownloaderToolBar - {4322A444-92F8-4C3E-BD4C-013BA51E2871} - C:\Program Files\E-Zsoft\YouTubeDownloader\VDTB.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: E-Zsoft VideoDownloaderToolBar - {4322A444-92F8-4C3E-BD4C-013BA51E2871} - C:\Program Files\E-Zsoft\YouTubeDownloader\VDTB.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [trueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [YouTubeDownloader_upgrade] "C:\Program Files\E-Zsoft\YouTubeDownloader\YouTubeDownloader.exe" /upgrade
O4 - HKLM\..\Run: [Microsoft System Info] wscript.exe "C:\WINDOWS\SysInfo.vbs"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Log-in\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7731 bytes

[darkangel]

@ Sylpher`Silverthorn,


Thanks for the detailed post. Hope everyone posting for help could do the same.

You may have been infected by new strain of virus, more likely created by some sick and brilliant filipino. at first glance it looks like a modified sowar or heular virus but it might be a different one.

I saw you have installed Acronis. If you have made a restore points, both Incremental and Differential Backups, then by all means restore your system to the time before you plug your infectious USB.

Acronis is a very powerful tool for those who utilize it.

Threatfire will also be of great help if this infection is not yet included in your AVs' definition.

[froilan_1217]

mga kahinahinala dun sa hijackthis log

C:\WINDOWS\system32\wscript.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.redtube.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redtube.com/
O4 - HKLM\..\Run: [Microsoft System Info] wscript.exe "C:\WINDOWS\SysInfo.vbs"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Sowar? PagSureOy!!! Guba gyud nang PC nimo!
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

[Justin]

Hello Sylpher`Silverthorn, good morning.

Follow the procedure below:
1. Download the "Noob Killer" --> HERE

2. Go to "AutoFix" menu and Click the "Open File...For Analysis".

[SOLVED] Lady Atenean Scandal.vbs (I need your help.. -_-)

3. Click "Yes".

[SOLVED] Lady Atenean Scandal.vbs (I need your help.. -_-)

4. Click the Lady Atenean Scandal.vbs then click "Open".

[SOLVED] Lady Atenean Scandal.vbs (I need your help.. -_-)

5. Click "OK" button.

[SOLVED] Lady Atenean Scandal.vbs (I need your help.. -_-)

6. Click "Yes" to restart.

[SOLVED] Lady Atenean Scandal.vbs (I need your help.. -_-)

Take care and God bless.

[pcruztemp]

in general to get rid of a tough virus, scan in safe mode

[Sylpher`Silverthorn]

Good evening to everyone, sorry for the disturbance once again..

@Darkangel

Thank you for your advice, unfortunately no one made a back up using Acronis, go figure.. -_-
I tried using ThreatFire but it didn't detect the "Lady Atenean Scandal.vbs" file.. Weh.. =(

@Justin

Thank you for your advice, I followed your instructions to the letter.. It did remove all traces of the file, but when I hit the "Yes" to restart, the file was still there after the computer rebooted..

@pcruztemp

Thank you for your advice, I did that too but nothing seemed to happen, my McAfee couldn't detect the "Lady Atenean Scandal.vbs" file..


I'm really sorry for being such a bother.. It's just that the computer I am using is a family computer, so my mom, dad, and brother also uses it.. -_-
I'm really desperate to remove the virus without having to reformat the computer..

Thank you to everyone for your help thus far.. =)

[Justin]

Hello Sylpher`Silverthorn, good evening.

Ok, finally I removed the "Lady Atenean Scandal.vbs" using Avenger tool.

Follow the steps below:
1. Download the "Avenger" tool --> HERE
2. Press Ctrl+Alt+Del to open the Taskbar and in the "Process" tab end the "wscript.exe" by highlighting (or click) on it and click the "End Process" button.
3. Run the program and copy-paste the script below to the textbox of Avenger:

Files to delete:
C:\Lady Atenean Scandal.vbs
C:\Autorun.inf
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\SysInfo.vbs
D:\Lady Atenean Scandal.vbs
D:\Autorun.inf

4. Click the "Execute" button.
5. Click Yes to execute the script.
6. Click Yes to Restart.

Take care and God bless.

[balg]

teka teka, dont delete wscript.exe. its a legit system file. however, it is being used as a launchpad for viruses. just end the process wscript.exe do not delete it. delete the virus files instead (the other ones mentioned by justin)

you can delete those files manually if you want. you can also use other tools to delete them for you (i.e. icesword, killbox, even noobkiller)

[Justin]

Hello bro balg, good evening.

Thanks for reminding me that one. Post updated.

Take care and God bless.

[Sylpher`Silverthorn]

Good evening everyone..

@Justin

THANK YOU SO MUCH!!
SALAMAT!
Ang galing mo talaga..
YOU ROCK SO HARD!!
=)

 

@Blag

Thank you for the clarification..

Thank you everyone for helping me get rid of the virus..
More power and God bless..
=)

Problem resolved.. ^______^

[Justin]

Your welcome Sylpher`Silverthorn. Glad to help.

Take care and God bless.