Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan? Spyware? Corupt File? Can Anyone Help?


  • This topic is locked This topic is locked
2 replies to this topic

#1 mudfoot

mudfoot

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:19 PM

Posted 03 May 2004 - 10:57 PM

AVG Virus Scan keeps popping up with this messege.

Virus
Could Be Infected Startpage
is found in file
C:\System Volume Information\_restore {A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP36\A0004086.hta

But when I run AVG it says my computer is clean. I've run Adaware, CW Shredder, and Spybot S&D. But everything says I'm clean. Can anyone help me. Here's my Hijack this log>


Logfile of HijackThis v1.97.7
Scan saved at 2:46:01 PM, on 5/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Documents and Settings\lo\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/...mv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab

BC AdBot (Login to Remove)

 


m

#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:19 PM

Posted 04 May 2004 - 01:34 AM

Hi mudfoot,
You're in pretty good shape. Don't worry about that file that AVG keeps flagging. Your system in not presently infected. But at one time it was and there is a backup to the infected file/registry setting in System Restore. If you were to run System Restore & chose that particular restore point, you could get reinfected. All you have to do to prevent this from happening is to turn off System Restore--that will delete ALL of your Restore Points. How to do that is in our tutorial Disabling System Restore.. So I suggest you do that--disable System Restore & then after you reboot, turn it back on again. If your system is clean, then AVG won't flag that file anymore.

Before you do that you have one item that needs fixing with HijackThis. Close all windows, put a check by the following item & hit "Fix Checked". Close HT then reboot.

O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe

Then navigate to C:\WINDOWS & delete sysupd.exe.

Let us know how it goes or if you encounter any problems.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 mudfoot

mudfoot
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:19 PM

Posted 04 May 2004 - 10:44 PM

Thanks a lot PapaKid. So far so good.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users