Trojan.Win32.FTP

Discussion in 'Malware Help (A Specialist Will Reply)' started by grgsmth2006, Mar 5, 2006.

  1. grgsmth2006

    grgsmth2006 Private E-2

    I did a scan with my Yahoo Anti-spy (on Yahoo toolbar) and it says that I got a Trojan.Win32.FTP. I have tried to remove it but I haven't been able to. I've tried to scan it with Windows Defender and my Norton AntiVirus but they don't read the trojan. Can anyone help me remove this trojan Trojan.Win32.FTP?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
    • Bitdefender
    • Panda Scan
    • HijackThis
     
  3. grgsmth2006

    grgsmth2006 Private E-2

    ok i will, but give me a sec.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It will take a lot longer than a second! Do not post a HijackThis log without running all the steps in the READ & RUN ME.
     
  5. grgsmth2006

    grgsmth2006 Private E-2

    I had already tried to scan and remove this trojan many times with different programs. I used HijackThis to get a log and see if u can help me like this.

    Edit by chaslang: Inline log removed. Improperly installed HJT. No cleaning instructions followed
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read message # 2 & # 4 again!!!!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NOTE:

    Yahoo is more than likely giving you a false positive detection on the below which is not Trojan.Win32.FTP
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
     
  8. grgsmth2006

    grgsmth2006 Private E-2

    what does that mean.?? when i start up my computer a "common folder pops up"

    oh yeah i downloaded all the programs and i was going to boot my system into safe mode.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What does what mean?

    What is a common folder? Do you mean that Windows Explorer opens up your system32 folder?
     
  10. grgsmth2006

    grgsmth2006 Private E-2

    no, it opens this folder: C:\Program Files\Common
     
  11. grgsmth2006

    grgsmth2006 Private E-2

    I'm not sure if I got rid of the trojan, but just to be sure, here are the logs from the online scans and my HijackThis log... help me plz
     

    Attached Files:

  12. grgsmth2006

    grgsmth2006 Private E-2

    can anyone help me now? I put the scan reports up and my HijackThis log up
     
  13. grgsmth2006

    grgsmth2006 Private E-2

    anyone???
     
  14. grgsmth2006

    grgsmth2006 Private E-2


    what does this mean??????? plz help this thing is driving me crazyyy
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Quite simply it means that Yahoo is wrong!!

    False positive is a term used to describe a situation where any malware scanner detects something to be bad when it is not. It means they did not use the proper methods in their program to actually truly detect the malware. In many instances they just blindly look at the name of a file and decide that it is bad because of the name.

    Read this: http://www.liutilities.com/products/wintaskspro/processlibrary/Remind_XP/
     
  16. grgsmth2006

    grgsmth2006 Private E-2

    o i c. so this isnt really a big problem..rite
    but y does Windows Explorer Open up that Common folder? C:\Program Files\Common when i start up my computer
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure it is opening to that folder? Or is it opening to the c:\windows\system32 folder? If system32, this is a typical problem that occurs on many systems when there is a corrupted registry entry in startups (which would not be a malware problem).
     
  18. grgsmth2006

    grgsmth2006 Private E-2

    i am positive it opens that common folder
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run the steps in Using GetRunKey and attach the runkeys.txt log.

    Do you know what the below process is supposed to be doing at startup? Is it really something from HP?
    O4 - HKLM\..\RunOnce: [regcmdcons] c:\windows\regedit.exe /s c:\hp\bin\cmdcons2.reg
     
  20. grgsmth2006

    grgsmth2006 Private E-2

    here you go. And I do not know what the process is supposed to be doing at start-up, and I don't know if it's from HP
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Locate the cmdcons2.reg file and put it into a ZIP file and attach it to your next message.
     
  22. grgsmth2006

    grgsmth2006 Private E-2

    im kinda confused on how to do that..
     
  23. grgsmth2006

    grgsmth2006 Private E-2

    how do i put it into a ZIP file??
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have WinZIP installed on your PC?

    If so, just right click on the file and select Add to ZIP.
     
  25. grgsmth2006

    grgsmth2006 Private E-2


    i dont have WinZip
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What did you use to extract HijackThis.exe from the ZIP file?
     
  27. grgsmth2006

    grgsmth2006 Private E-2

    i just right clicked it and pushed Unzip. and then it brought up this wizard and it tells me where i want to unzip the folder to. but when i tried to put that thing u told me in a zipped folder i couldnt
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like you just used the extractor built into Windows XP.

    Make a copy of the file in another folder. Then right click on the file and select Rename. Rename it to cmdcons2.txt

    Then attach the cmdcons2.txt file to a message!
     
  29. grgsmth2006

    grgsmth2006 Private E-2

    this is what it would be


    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "regcmdcons"="c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\cmdcons.cmd"
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It seems to me that you just have a few startup programs that are not properly quoted in the registry. This is not a malware problem. You may want to discuss it in the Software Forum. But based on your HJT log the below items look to be missing quotes.

    O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

    There should be quotes as given below in bold red color.

    O4 - HKLM\..\Run: [SSC_UserPrompt] "c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
    O4 - HKLM\..\Run: [IS CfgWiz] "c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe" /GUID NIS /CMDLINE "REBOOT"

    You will need to edit the registry to add these quotes or correct where they are located.
    Or you have some application missing from an expected location.

    You can see info about that in links like below:

    http://www.techimo.com/forum/archive/index.php/t-128257.html
    http://www.miclasificado.com.ar/cgi/News/i50/How_to_stop_folder_c_program_files_common_opening_on_startup.php
    http://www.experts-exchange.com/Applications/MultiMedia_Applications/Q_21092755.html
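
An added example, not part of the original thread or any MajorGeeks tool: a small checker that scans HijackThis O4 lines for the missing-quotes condition described in the post above. The function name and output fields are assumptions made for illustration, and the sample log is constructed from the O4 lines quoted in this thread. For the two Symantec entries, the second truncation point it lists is `c:\Program Files\Common`, the folder the poster reports seeing at startup.

```python
import re

# Constructed sample: the O4 startup lines quoted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\RunOnce: [regcmdcons] c:\windows\regedit.exe /s c:\hp\bin\cmdcons2.reg
'''

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_LINE = re.compile(r'^O4 - (?P<hive>\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# Program path = shortest prefix ending in an executable extension,
# followed by whitespace or end of string.
EXE_PATH = re.compile(r'^(?P<exe>.+?\.(?:exe|com|bat|cmd))(?P<args>(?:\s.*)?)$', re.IGNORECASE)


def find_unquoted_startups(log_text):
    """Return O4 entries whose program path contains spaces but is not quoted."""
    findings = []
    for line in log_text.splitlines():
        entry = O4_LINE.match(line.strip())
        if not entry:
            continue
        cmd = entry['cmd'].strip()
        if cmd.startswith('"'):
            continue  # path already quoted, nothing to fix
        parsed = EXE_PATH.match(cmd)
        if not parsed or ' ' not in parsed['exe']:
            continue  # no space inside the path, so no ambiguity
        exe = parsed['exe']
        findings.append({
            'key': f"{entry['hive']}\\{entry['key']}",
            'name': entry['name'],
            # Every space is a place where the unquoted path can be cut short.
            'cut_points': [exe[:i] for i, ch in enumerate(exe) if ch == ' '],
            'fixed': f'"{exe}"{parsed["args"]}',
        })
    return findings


if __name__ == '__main__':
    for f in find_unquoted_startups(SAMPLE_LOG):
        print(f"{f['key']} [{f['name']}]")
        print("  truncations:", f['cut_points'])
        print("  quoted form:", f['fixed'])
```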
     
  31. grgsmth2006

    grgsmth2006 Private E-2

    ok, I put in those quotation marks. Will it help if I delete the "C:\Windows\Creator\Remind_XP.exe" from the registry? So we have come to the conclusion that I don't have a trojan on my computer. I just wanna be sure. And is there anything else you can say that will help me with this problem?
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Deleting this will not do anything for you other than make Yahoo not complain about something they should not be complaining about. But it is not a process you really need, so you can remove the registry entry without it causing you any problems, but it will not fix your problem with the C:\Program Files\Common Files folder opening at startup.

    I already told you that in message # 7 when I said it was a false positive.

    Your problem is not malware. It is related to problems with some of those registry keys being incorrectly formatted (with quotes) or corrupted. It is probably one of the items that show in your HJT log in the O4 items that list C:\Program Files\Common Files.

    If you need to discuss this further, you should be able to do that in the Software Forum.
     
  33. grgsmth2006

    grgsmth2006 Private E-2

    well anywyz..thank you guyz for EVERYTHING!!! you guys are a GREAT help!! :)
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
     
