please review my log. Thank you.

Discussion in 'adware, spyware & hijack cleaning' started by Boat Drinks J.T.S., Jun 6, 2004.

Thread Status:
Not open for further replies.
  1. Boat Drinks J.T.S.

    Boat Drinks J.T.S. Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    11

    Hello everybody,
    I just joined and I really HOPE you experts out there can solve my doubts, please. I use:
    OS: W98SE
    Antivirus: ANTIVIR Personal Edition Version 6.25.00.03
    Firewall: ZONEALARM free
    I have also been running an FTP server for a year using: BPFTPSERVER
    (www.bpftpserver.com)

    3 days ago I went to launch the SERVER as usual and to my immense shock my ANTIVIR PE popped up saying this:
    "THE FILE G6FTPSRV.EXE CONTAINS SUSPICIOUS CODE (HEURISTIC/TROJAN.WIN32.PWS)"

    A trojan inside a software I registered and paid for?
    A trojan on my PC even using ANTIVIR and Firewall?
    Is it dangerous? How can it be?
    How do I get rid of it?

    I even uninstalled BPFTPserver and downloaded it again brand new from their site, but the problem is still the same. I CANNOT LAUNCH IT ANYMORE.

    A friend told me that heuristics are also included in the latest FREE version of AntiVir PE... and you can choose between 3 settings: low, medium and high. I'm not a very techie person and I don't know what HEURISTICS are... I checked and heuristics are set to medium by default.

    I tried LOW and the server launches OK, no problem, but if I revert it to
    MEDIUM it pops up, preventing the launch.

    Should I worry??
    Can you please, please help as soon as possible?
    Thank you for reading this and for your time.
    My HijackThis log is below for you.

    all the best
    Claudio


    bOATdRINKS

    I cleaned my system with SPYBOT.

    Logfile of HijackThis v1.97.7
    Scan saved at 18.34.06, on 06/06/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAMMI\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\GSICON.EXE
    C:\WINDOWS\SYSTEM\DSLAGENT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\HIJACK THIS LOGS\HIJACKTHIS.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.free-av.de/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\PROGRAMMI\TECHSMITH\SNAGIT 6\SNAGITBHO.DLL
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programmi\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programmi\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\PROGRAMMI\TECHSMITH\SNAGIT 6\SNAGITIEADDIN.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [zSPGuard] c:\programmi\pjw\spguard\spguard.exe /s /r
    O4 - HKLM\..\Run: [CleanRam] C:\WINDOWS\TEMP\CLEANRAM.EXE
    O4 - HKLM\..\Run: [RegProt] c:\windows\desktop\reg protection\regprot.exe /start
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMMI\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Modem ADSL B-QUICK.lnk = ?
    O4 - Startup: PowerReg Scheduler.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Convert and Open - C:\PROGRAMMI\CAMTECH\ConvertIt.htm
    O8 - Extra context menu item: Download using Download &Express - file://C:\Programmi\Download Express\Add_Url.htm
    O8 - Extra context menu item: Compila Modulo &] - file://C:\Programmi\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Salva Moduli &[ - file://C:\Programmi\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Personalizza - file://C:\Programmi\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Aggiungi l'indirizzo alla Lista Nera della pubblicità - C:\PROGRAMMI\AVANT BROWSER\AddToADBlackList.htm
    O8 - Extra context menu item: Blocca tutte le immagini provenienti dal server di questa - C:\PROGRAMMI\AVANT BROWSER\AddAllToADBlackList.htm
    O8 - Extra context menu item: Cerca con Google - C:\PROGRAMMI\AVANT BROWSER\Search.htm
    O8 - Extra context menu item: Evidenzia in questa pagina - C:\PROGRAMMI\AVANT BROWSER\Highlight.htm
    O8 - Extra context menu item: Apri tutti i collegamenti nella pagina in linguette diverse - C:\PROGRAMMI\AVANT BROWSER\OpenAllLinks.htm
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Barra strumenti &2 (HKLM)
    O9 - Extra button: Compila (HKLM)
    O9 - Extra 'Tools' menuitem: Compila Modulo &] (HKLM)
    O9 - Extra button: Salva (HKLM)
    O9 - Extra 'Tools' menuitem: Salva Moduli &[ (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37867.9011805556
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4290/mcfscan.cab
    O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab?new
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_11) -
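The HijackThis log above is a fixed-format text report, and the helper's reply singles out one O4 autostart line. Here is an added Python example (not from this thread, and not HijackThis's own code) that parses the header, the process list and the numbered entry lines into structured records and then lists the O4 autostart items a reviewer would look at first. The log excerpt is constructed from lines in the post above, and the three triage rules are my own assumptions, not anything the thread states: a program under a TEMP directory, a Run value that names a bare file with no path, and a program file placed directly in the Startup folder instead of a shortcut. Flagged items are only "look at this", not a verdict.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the HijackThis v1.97 log posted above
# (selected lines, not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 18.34.06, on 06/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\HIJACK THIS LOGS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.free-av.de/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CleanRam] C:\WINDOWS\TEMP\CLEANRAM.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMMI\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# One HijackThis entry line: section code (R0, O2, O4, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d+) - (?P<body>.*)$")
# O4 registry autostart: HKLM\..\Run: [value name] command line
O4_RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<command>.*)$")
# O4 Startup-folder item: Startup: <file> [= target]
O4_STARTUP_RE = re.compile(r"^(?P<folder>Startup|Global Startup): (?P<command>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - ?(?P<url>.*)$")
R_RE = re.compile(r"^(?P<key>.*?) = (?P<value>.*)$")
# First program file in a command line: a quoted path, or the shortest prefix
# ending in a program/shortcut extension (so names containing spaces survive).
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|lnk|ocx|tsk|com|scr|bat))(?=\s|$)', re.IGNORECASE)

TEMP_DIRS = ("\\TEMP\\", "\\TMP\\")  # assumed triage rule: programs living here get a second look


def first_token(command):
    """Return the program file a command line launches."""
    m = EXE_RE.match(command)
    if m:
        return m.group(1) or m.group(2)
    return command.split(" ", 1)[0]


def parse_entry(etype, body, raw):
    """Turn one entry line into a dict; unknown sections keep only type and raw text."""
    entry = {"type": etype, "raw": raw}
    m = None
    if etype == "O4":
        m = O4_RUN_RE.match(body)
        if m:
            entry.update(m.groupdict())
        else:
            m = O4_STARTUP_RE.match(body)
            if m:
                entry.update(m.groupdict())
                entry["name"] = entry["command"]
        if m:
            entry["executable"] = first_token(entry["command"])
    elif etype == "O2":
        m = O2_RE.match(body)
    elif etype == "O16":
        m = O16_RE.match(body)
    elif etype.startswith("R"):
        m = R_RE.match(body)
    if m and etype != "O4":
        entry.update(m.groupdict())
    return entry


def parse_hjt(text):
    """Parse a HijackThis log into header fields, running processes and entries."""
    report = {"header": {}, "processes": [], "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Logfile of HijackThis"):
            report["header"]["version"] = line.rsplit(" ", 1)[1]
        elif line.startswith("Scan saved at "):
            report["header"]["scanned"] = line[len("Scan saved at "):]
        elif line.startswith("Platform:"):
            report["header"]["platform"] = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            section = "processes"
        elif ENTRY_RE.match(line):
            section = "entries"
            m = ENTRY_RE.match(line)
            report["entries"].append(parse_entry(m.group("type"), m.group("body"), line))
        elif section == "processes":
            report["processes"].append(line)
    return report


def summarize(report):
    """Count entries per section code (O4, O16, ...)."""
    return Counter(e["type"] for e in report["entries"])


def triage(report):
    """List O4 autostart items worth a closer look, with the (assumed) rule that fired."""
    findings = []
    for e in report["entries"]:
        if e["type"] != "O4" or "executable" not in e:
            continue
        exe = e["executable"]
        if any(d in exe.upper() for d in TEMP_DIRS):
            findings.append((e["name"], "autostart program lives in a temporary directory"))
        elif "key" in e and "\\" not in exe:
            findings.append((e["name"], "Run value names a bare file resolved via the search path; confirm which file loads"))
        elif "folder" in e and not exe.lower().endswith(".lnk"):
            findings.append((e["name"], "program file placed directly in the Startup folder instead of a shortcut"))
    return findings


if __name__ == "__main__":
    rep = parse_hjt(SAMPLE_LOG)
    print(rep["header"], dict(summarize(rep)))
    for name, reason in triage(rep):
        print(f"review: {name}: {reason}")
```

Run it and the PowerReg Scheduler.exe line from the helper's reply is the one Startup-folder item that comes back, alongside two registry Run values; the full log on the page would also surface the other bare-name Run values (SysTray, GSICON, dslagent), which is exactly the kind of list a reviewer then resolves by hand rather than acting on blindly.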
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Claudio,

    Nothing disturbing in your log.

    I would get rid of this one:
    O4 - Startup: PowerReg Scheduler.exe
    because it is a waste of resources.

    Regards,

    Pieter
     
  3. Boat Drinks J.T.S.

    Boat Drinks J.T.S. Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    11
    ...cheers Pieter
    ...you've been very kind
    ...you say all is OK, KAV online check says as well that the file is OK....
    ...but my problem is still there...every time I try to launch the server
    ...AntiVir PE pops up....
    ...I guess in order to solve my problem I'll have to wait for the replies
    ...from the BPFTPSERVER support and ANTIVIR support......
    ...will let you know
    ...thanks again.....all the best

    ps: got rid of Startup: PowerReg Scheduler.exe
    as you suggested.....thanks


    bOATdRINKS
     