infected by naruto.sys.vbs/recycle.sys.vbs [resolved]

look at this screenshot. i need to use IE6 just recently & i see this funny note ???
oh i use CIS & MBAM & SAS.
but i think i haven’t scanned my whole system for about 2 months 88)

[attachment deleted by admin]

Hi Ganda,

If you google about:blank, you will find plenty of information which should show if you have a hijacker.

A HijackThis log would help.

I think some “skinning” tool gave him an IE custom provider name with that text in it, but then again it’s a wild guess…

Ganda please post a hijackthis log. We’ll take a look at it (again)

Xan

CSC allows you to change the IE window name. 88)

Maybe it’s because ganda goes to too many p0rn sites. (:NRD)

Why not let me help you with TeamViewer? ;D

I remember I got this after running a malware on purpose. Go to this key in the registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

You should find a value named Window Title or something, containing the information ‘Cursed Seal is The Powerful’.

Just look for the sentence in regedit, it may be in HKLM or several places.

And guys, surf as admin, NOT :stuck_out_tongue:

Why not? :cry: :slight_smile:

I don’t like changing accounts when I have to run stuff as admin.

I would guess that ganda plays a game called Naruto.

Don’t have to re-log in, just right click and “Run as Admin” if you use Vista.

You can change that part with a Limited User Account. IE’s title isn’t really a critical part of the system. 88)

Why not? I never had any problems with it…

Xan

Ganda, Ganda, Ganda, living on the edge again, what are we going to do with you? Ganda please run your browser sandboxed with “Sandboxie” or for heaven’s sake man disconnect yourself permanently from the Internet! ;D
Xman ^^ ^^ :slight_smile:
Cheers and happy virus hunting :stuck_out_tongue:
Xman (:KWL)

:-TU :-TU :-TU :-TU :-TU

As much as Ganda is teased on this board, the world would miss his comments/remarks if he wasn’t around.
Good hunting, Ganda.

skinning tool? like what? i use windowblinds & desktopX builder 88) is it related?

run sandboxie & miss my chance to get a cool malware? no way ;D
ehm, this powerful cursed seal is pretty cool. you think i should keep the malware? ;D

here you go honey :-* oh, i don’t play naruto, i play barbie :-*

and one more question, what’s wscript.exe ??? i’ve googled for it, i think it’s legit
wscript.exe is a process relating to Microsoft Windows operating system which allows additional functions to scripting. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems

i got that D+ alert saying wscript is an “unsafe blah blah…” when i open my C: drive. ???
i can’t open my C: drive unless i treat it as trusted ???

oh i found this “ageia” on hijackthis log. what’s that? and i think D+ alerted me about that wscript trying to access ageia too ???

edit:
OK, so i’ve found that “cursed seal is powerful” on
HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Cursed Seal is The Powerful

so what should i do next? delete it? if i’m infected with browser hijacker, why i’ve never seen any commercial ads or other strange thing happen on my comp?

[attachment deleted by admin]

ganda I think you are looking at the right one with recycle.vbs, but cannot find much about it.

It does seem similar to this:

http://tiffany-t.blogspot.com/2008/02/attack-by-trojan-horse.html

Ganda do you get some strange Defense+ behavior? For example that programs are always trying to access the same files or so?

Xan

wscript.exe is the Windows Script Host, used to run JScript and VBScript. Not needed at all, so you can safely remove the file wscript.exe from your system. It won’t do any harm, only prevent malware relying on it from running.

Ageia seems to be a company acquired by Nvidia.

Delete it, unless you want to keep it. :wink:

Then see if it comes back.
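
The registry lookup described in this thread (the `Window Title` value under `Internet Explorer\Main` in HKCU, and possibly HKLM), as an added PowerShell example that is not part of any post: a read-only check that reports what it finds. Scanning the Run keys for wscript/.vbs entries is an assumption about where such a script would autostart (the thread does not say), and the function name is hypothetical.

```powershell
# Added example (not from the thread): read-only, changes nothing.
function Get-IeTitleAndScriptAutoruns {   # hypothetical helper name
    $results = @()

    # 1. The value named in the thread. Data in "Window Title" overrides
    #    IE's default title-bar text, so report it from both hives.
    $ieKeys = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
              'HKLM:\Software\Microsoft\Internet Explorer\Main'
    foreach ($key in $ieKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }          # key absent in this hive
        $title = $item.GetValue('Window Title')
        if ($null -ne $title) {
            $results += New-Object PSObject -Property @{
                Key = $key; Name = 'Window Title'; Data = $title }
        }
    }

    # 2. Assumption: a .vbs dropper would restart itself from a Run key.
    #    Flag any autostart entry that invokes the Windows Script Host
    #    or points at a .vbs file.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($data -match 'wscript|cscript|\.vbs') {   # case-insensitive
                $results += New-Object PSObject -Property @{
                    Key = $key; Name = $name; Data = $data }
            }
        }
    }
    return $results
}

# Print every finding; no output means neither check matched.
Get-IeTitleAndScriptAutoruns | Format-List Key, Name, Data
```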