help me asap, what is this?

[legolas]

hi,

when i try to copy a file from 1 dir to other dir, it says this, i hav attached the image file... i ran an online virus check, dint get any virus detected? then wats the problem? my system behaves so weird, i guess this is the reason... does any one know abt this? and i hav atatched the hijack this file also for verification. pls help me.

Quote:

Originally Posted by hijack this file

Logfile of HijackThis v1.99.1
Scan saved at 8:23:33 PM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIRTEL\AIRTEL-Broadband\fts.exe
C:\program files\softwin\bitdefender9\bdnagent.exe
C:\program files\softwin\bitdefender9\bdswitch.exe
C:\Program Files\AIRTEL\AIRTEL-Broadband\pppoetray.exe
C:\WINDOWS\system32\dllhost.exe
D:\aragorn\_softwares\!!!\hijackthis\HijackThis.ex e

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [%FP%AIRTEL fts.exe] "C:\Program Files\AIRTEL\AIRTEL-Broadband\fts.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C24503D-D56C-4E99-97FC-36E0004F90E7}: NameServer = 203.145.184.13,202.56.250.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3D353C7-A024-4577-8E42-C7C8E673DA08}: NameServer = 203.145.184.13 202.56.250.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

/legolas

[144]

Do you have kaspersky installed on your system? Cos this looks like the mischeif of KAV. ( Kaspersky Anti Virus ).
Also get the latest version of TorjanHunter Scanner and update to the latest ruleset and run a scan for Trojans.
http://www.misec.net/

[djmykey]

Hey this doesnt look like KAV this looks like System Restore ok. This happens on one of my machine too and it was when System Restore was on. But dint check now tho, after disabling it. But the machine on which no Kav is there this occurs. And the machine on which KAV is there I have neva seen this.

[legolas]

i hav assured myself that there is no virus in my system, as i feard coz of this activity coz i hav checked online using panda, norton, bitdefender, trend micro and kaspersky. but i hav used system restore before as i faced some other problems like this! is it coz of that? is this means of security only?

/legolas

[swatkat]

Are you using NTFS file system? The "KAVICHS:$DATA" text is the Alternate Data Stream (ADS) attached to the files.
This ADS is attached by Kaspersky to the files. Probably it uses this ADS for its Integrity checking feature.

If you are NOT using Kaspersky anymore, then you can remove the ADS entries by using the KLStreamremover tool. Get it here:
http://download.kaspersky.cl/utils/klstreamremover/

You can check the ADS present in system using ADSspy tool in HijackThis only or you can get it here:
http://www.bleepingcomputer.com/files/adsspy.php

[siriusb]

Sometimes I get the same when I am copying media files downloaded off the Internet and onto a recordable medium. I thought those were extra tag information appended by programs.
But as swatkat says, they are alternate file stream data associated with that file. The error is raised because this stream is a feature of NTFS and when you are copying to a non-ntfs filing system, you are warned.
Different applications use it for different purposes, as I found out. Some encryption s/w may use it for storing crypto info to decrpt the file. Or an Antivirus s/w may use it to flag a file as "scanned".

[choudang]

have the cumulative update for KAV

[alib_i]

@sirius
If you get the error while copying media ... then it's most probably because of "thumbs.db" file, not because of AV.
Either switch off thumbnail caching or dont copy thumbs.db, if you keep on getting this error.

thumbs.db keeps a cache of thumbnails of media files in the folder. You can ignore the file while burning CDs, etc

-----
alibi