I'm using Windows XP SP2, and lately I've noticed my computer has gotten extremely slow. My Windows partition got full out of nowhere. I found it weird, since I hadn't been installing anything lately and my swap file is on another partition. I noticed my C:\Windows takes 3.29 GB of space, which I found quite weird.
Apart from that, I've been getting weird errors out of nowhere, like some "fatal errors" and "exception blabla memory couldn't be read", related to iexplore.exe or explorer.exe. I found it even stranger, since I don't use IE.
I had been leaving my Kaspersky AV off for the last few days. As soon as I turned it back on, it detected Win32.Agent.tym on some .exe files with very strange names: "M1X6Wr04.exe", "mAThy0Jx.exe", "NALJ8YSL.exe" and such. According to Kaspersky, it eliminated all of them.
Only to have them back the next day.
I ran TuneUp's Reg Cleaner, Disk Cleaner, 1-Click Maintenance, a Kaspersky full system scan, and Spybot S&D, only to find a regdump.bat file in the Temp folder, which Kaspersky deleted. I searched on Google for Win32.Agent.tym and found no info.
Then my computer restarted out of nowhere. On the restart, Kaspersky started to warn me that services.exe and explorer.exe were trying to inject code. Plus, it again found Win32.Agent, now the Win32.Agent.yyy version, on the same weirdly named exes where it had found the "tym" version the first time.
I then turned KAV off and ran Deckard System Scanner, which seemed to end abruptly. Still, it produced main.txt in the dss folder. Its log is here:
System Drive C: has 0.25 GiB (less than 15%) free.
-- HijackThis (run as Thiago.exe) ----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:09:32, on 13-07-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\alg.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Deckard System Scanner\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Thiago.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.84.17.42:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programas\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVP] "C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Programas\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [RK Launcher] C:\Programas\RK Launcher\RKLauncher.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide1] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202053288859
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 7503 bytes
-- Files created between 2008-06-13 and 2008-07-13 -----------------------------
2008-07-12 11:28:23 0 d-------- C:\Programas\Windows Live Safety Center
2008-07-12 11:01:12 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-07-12 11:00:16 0 dr------- C:\Documents and Settings\NetworkService\Favoritos
2008-07-11 16:36:05 0 d-------- C:\Programas\Enigma Software Group
2008-07-10 22:15:44 0 d-------- C:\Programas\Windows Installer Clean Up
2008-07-10 22:15:30 0 d-------- C:\Programas\MSECACHE
2008-07-06 11:04:00 0 d-------- C:\Documents and Settings\Thiago\Application Data\FastStone
2008-07-06 11:03:58 0 d-------- C:\Programas\FastStone Capture
2008-07-02 17:39:49 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-07-02 17:39:44 0 d-------- C:\Programas\TuneUp Utilities 2008
2008-07-02 08:07:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-01 23:54:03 0 dr-h----- C:\Documents and Settings\Thiago\Recent
2008-07-01 23:09:20 0 d-------- C:\Programas\Yahoo!
2008-06-28 16:11:43 0 d-------- C:\Documents and Settings\Thiago\amsn
2008-06-26 00:57:03 196608 --a------ C:\WINDOWS\system32\pdfcmnnt.dll <Not Verified; internet-support foehr.com; RedMon EE>
2008-06-26 00:57:02 23552 --a------ C:\WINDOWS\system32\MSMPIDE.DLL <Not Verified; Microsoft Corporation; MSMAPI-Steuerelementbibliothek>
2008-06-26 00:57:02 0 d-------- C:\Programas\PDFCreator
2008-06-24 22:04:13 0 d-------- C:\Programas\Hattrick Manager
2008-06-24 22:04:02 0 d-------- C:\Programas\Hattrick Coach Professional
2008-06-24 19:34:45 0 d-------- C:\Programas\HAM
2008-06-21 11:34:10 408576 --a------ C:\WINDOWS\system32\Smab.dll
2008-06-21 11:34:10 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2008-06-21 11:34:10 318976 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2008-06-21 11:34:09 70656 --a------ C:\WINDOWS\system32\i420vfw.dll <Not Verified; www.helixcommunity.org; Helix I420 YUV Codec>
2008-06-21 11:34:09 27648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-06-21 11:34:09 0 d-------- C:\Programas\AviSynth 2.5
2008-06-20 21:39:50 0 d-------- C:\Programas\Cloudbrain
2008-06-20 21:38:25 0 d-------- C:\Documents and Settings\Thiago\Application Data\Mp3tag
2008-06-20 21:38:20 0 d-------- C:\Programas\Mp3tag
2008-06-20 20:07:22 0 d-------- C:\Documents and Settings\Thiago\Application Data\MiniLyrics
2008-06-20 20:05:12 0 d-------- C:\Programas\Minilyrics
2008-06-20 19:24:31 0 d-------- C:\Programas\MediaMonkey
2008-06-13 21:06:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-06-13 21:06:54 0 d-------- C:\Programas\StuffPlug3
2008-06-13 21:05:41 0 d-------- C:\Programas\Messenger Plus! Live
2008-06-13 21:05:14 0 d-------- C:\Programas\aMSN
-- Find3M Report ---------------------------------------------------------------
2008-06-16 22:08:34 453706 --a------ C:\WINDOWS\system32\perfh016.dat
2008-06-16 22:08:34 74488 --a------ C:\WINDOWS\system32\perfc016.dat
2008-06-10 17:37:52 0 d-------- C:\Programas\Design Science
2008-06-07 09:59:42 0 d-------- C:\Documents and Settings\Thiago\Application Data\Malwarebytes
2008-06-04 19:06:52 0 d-------- C:\Programas\Virtual Earth 3D
2008-05-25 11:23:10 0 d-------- C:\Documents and Settings\Thiago\Application Data\cronometer
2008-04-21 19:25:14 481040 --ah----- C:\WINDOWS\system32\mlfcache.dat
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [18-12-2007 00:43]
"SpyHunter Security Suite"="C:\Programas\Enigma Software Group\SpyHunter\SpyHunter3.exe" [19-06-2008 16:48]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RK Launcher"="C:\Programas\RK Launcher\RKLauncher.exe" [14-09-2005 19:23]
"msnmsgr"="C:\Programas\Windows Live\Messenger\msnmsgr.exe" [18-10-2007 11:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 00:56]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide3"=cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=0 (0x0)
"SynchronousMachineGroupPolicy"=0 (0x0)
"SynchronousUserGroupPolicy"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=1 (0x1)
"NoStrCmpLogical"=1 (0x1)
"NoClose"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"=11 (0xb)
"NoSMBalloonTip"=1 (0x1)
"NoSaveSettings"=0 (0x0)
"NoRecentDocsHistory"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"MemCheckBoxInRunDlg"=0 (0x0)
"NoClose"=0 (0x0)
"NoAutoTrayNotify"=0 (0x0)
"NoResolveTrack"=0 (0x0)
"NoResolveSearch"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoStartBanner"=01000000
"NoWelcomeScreen"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoSharedDocuments"=1 (0x1)
"NoThemesTab"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21572149-16d4-11dd-93d0-0090f52305b8}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE
-- End of Deckard's System Scanner: finished at 2008-07-13 00:10:59 ------------
Any idea what's going on with my system?
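As an added triage example (not part of the original post, and not code from HijackThis or Deckard's System Scanner), the script below scans HijackThis-format lines and flags the entries a responder would look at first: a system proxy pointing at a public address, a BHO whose DLL no longer exists, Run/RunOnce values that go through a launcher such as cmd.exe, and services with no identified vendor. Its input is a constructed sample made of lines copied from the log above; the regexes, severity labels and the launcher list are my own assumptions about the log format, not anything defined by the tools themselves.

```python
"""Triage HijackThis-style log lines for common hijack and persistence indicators."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log in the post, chosen so
# that each rule below fires at least once and at least once stays quiet.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.84.17.42:80
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVP] "C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVIÇO LOCAL')
O23 - Service: Adobe LM Service - Unknown owner - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

# Line shapes assumed from the log above (HijackThis v2 output); not an official grammar.
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<host>[^:\s]+)(?::(?P<port>\d+))?")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>RunOnce|Run): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# Vendor may be empty ("name - - path"), hence the optional whitespace before the last dash.
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?)\s?- (?P<path>.*)$")

# Interpreters/launchers that hide the real payload behind an argument (assumed list).
LAUNCHERS = {"cmd.exe", "rundll32.exe", "rundll32", "wscript.exe", "cscript.exe",
             "regsvr32.exe", "mshta.exe"}


@dataclass
class Finding:
    section: str   # HijackThis section code: R1, O2, O4, O23
    severity: str  # "high" or "review"
    reason: str
    line: str


def classify_proxy(host: str) -> Optional[str]:
    """Severity for a configured proxy host, or None when it is a local address."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "review"          # a hostname: not necessarily bad, but confirm it
    if addr.is_loopback or addr.is_private:
        return None              # local filtering proxies (AV web scanners) live here
    return "high"                # all browser traffic leaves via an outside address


def first_token(cmd: str) -> str:
    """Executable name of a Run-value command, ignoring quotes and directory."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return the entries worth a closer look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.match(line):
            sev = classify_proxy(m["host"])
            if sev:
                findings.append(Finding("R1", sev,
                                        f"system proxy set to {m['host']}:{m['port'] or '?'}", line))
        elif m := BHO_RE.match(line):
            if m["path"].strip() == "(no file)":
                findings.append(Finding("O2", "review",
                                        f"orphaned BHO {{{m['clsid']}}}: registered but DLL missing", line))
        elif m := RUN_RE.match(line):
            exe = first_token(m["cmd"])
            if exe in LAUNCHERS:
                findings.append(Finding("O4", "review",
                                        f"{m['key']} value [{m['value']}] launches {exe}; confirm what it runs", line))
        elif m := SVC_RE.match(line):
            if m["vendor"].strip() in ("", "Unknown owner"):
                findings.append(Finding("O23", "review",
                                        f"service {m['name']!r} has no identified vendor", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

The proxy rule is the one that matters most here: a user-level ProxyServer value pointing at a public IP means every IE/WinINet request (and anything else that honours the system proxy) is routed through that host, which is worth checking against the proxy configured by the user's ISP or AV before anything else in the log.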