Thread: a false positive or is it infected?

  1. #1
    Junior Member
    Join Date
    Feb 2008
    Posts
    2

    a false positive or is it infected?

    OS Win XP Pro, Firefox 2.00.12, Spybot v.1.5.1.15, last update ran on 27 Feb 08, found after scan.
    Using Spybot in advanced mode, tools, system startup it showed:
    system32.exe Added by the AGOBOT-KU WORM! Note - has a blank entry under the Startup Item/Name field
    pathex.exe Added by the MKMOOSE-A WORM! Note - has a blank entry under the Startup Item/Name field
    svchost.exe Added by the DELF-UX TROJAN! Note - this is not the legitimate svchost.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field
    MSPF.EXE Added by a variant of the SDBOT WORM! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field
    dllvirtual.exe Added by the DADOBRA-IW TROJAN! Note - has a blank entry under the Startup Item/Name field
    dllvirtual.dll Added by the DADOBRA-IW TROJAN! Note - has a blank entry under the Startup Item/Name field
    dllvirtual.js Added by the DADOBRA-IW TROJAN! Note - has a blank entry under the Startup Item/Name field

    I checked via run, msconfig.exe, checked the startup tab and found nothing unusual listed there. I did a system search for each of these entries and found nothing. Is there a problem with my machine or is Spybot listing something that isn't there? I did a search of this problem and found someone had the same problem but the support person said if the machine tests out clean then it's clean. I doubt it would say there are problems if there aren't any so please help me understand this result.
    Thank you

  2. #2
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    saamicat:

    It would be helpful if you posted the "Current filename:" from the description or the entry itself. To post the entry itself, right click on the startup listing and select "Copy to clipboard". Then paste (Ctrl+V) those results to a new post in this thread, editing out all entries except the one you are questioning.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  3. #3
    Junior Member
    Join Date
    Feb 2008
    Posts
    2

    Located: HK_LM:Run, KernelFaultCheck (DISABLED)
    command: %systemroot%\system32\dumprep 0 -k
    file: C:\WINDOWS\system32\dumprep.exe
    size: 10752
    MD5: 13922EB54890C77005268882629A31FE TROJAN LEGMIR-BN, filename ptool32.exe

    Located: HK_CU:RunOnce,
    where: .DEFAULT...
    command: OSK.exe
    file: C:\WINDOWS\system32\OSK.exe
    size: 215552
    MD5: C449FDB6D69414B5E5FF8FC9F7FB5B0F
    OSK.EXE added by AGOBOT-KU WORM, note - has a blank entry under startup item/field.
    Current file name - OSK.EXE, file name: pathex.exe ADDED by MKMOOSE-A WORM, note - same as above.
    Current file name: OSK.EXE, file name: svchost.exe ADDED by DELF-UX TROJAN, Note: this is not the legitimate svchost.exe process which is always located in the system 32 folder & should not normally figure in the MsconfigStartup. This file is located in the winnt or windows folder. Note - has a blank entry under startup item/name field.
    OSK.EXE, file name: MSPF.EXE, ADDED by variant of the SDBOT WORM. This file is in the Winnt or Windows folder. Note - has a blank entry under startup item/name field.
    OSK.EXE, file name: dllvirtual.exe, ADDED by the DADOBRA-IW TROJAN. Note - has a blank entry under startup item/name field.
    OSK.EXE, file name: dllvirtual.dll ADDED by the DADOBRA-IW TROJAN. Note - has a blank entry under startup item/name field.
    OSK.EXE, file name: dllvirtual.js ADDED by the DADOBRA-IW TROJAN. Note - has a blank entry under startup item/name field.
    OSK.EXE, file name:

    Located: HK_CU:RunOnce,
    where: S-1-5-18...
    command: OSK.exe
    file: C:\WINDOWS\system32\OSK.exe
    size: 215552
    MD5: C449FDB6D69414B5E5FF8FC9F7FB5B0F

    OSK.EXE added by AGOBOT-KU WORM, note - has a blank entry under startup item/field.
    Current file name - OSK.EXE, file name: pathex.exe ADDED by MKMOOSE-A WORM, note - same as above.
    Current file name: OSK.EXE, file name: svchost.exe ADDED by DELF-UX TROJAN, Note: this is not the legitimate svchost.exe process which is always located in the system 32 folder & should not normally figure in the MsconfigStartup. This file is located in the winnt or windows folder. Note - has a blank entry under startup item/field.
    OSK.EXE, file name: MSPF.EXE, ADDED by variant of the SDBOT WORM. This file is in the Winnt or Windows folder. Note - has a blank entry under startup item/name field.
    OSK.EXE, file name: dllvirtual.exe, ADDED by the DADOBRA-IW TROJAN. Note - has a blank entry under startup item/name field.
    OSK.EXE, file name: dllvirtual.dll ADDED by the DADOBRA-IW TROJAN. Note - has a blank entry under startup item/name field.
    OSK.EXE, file name: dllvirtual.js ADDED by the DADOBRA-IW TROJAN. Note - has a blank entry under startup item/name field.

    This is the 1st time I've used a forum. Please forgive my ignorance if I'm not giving you the correct info.
    Thanks!

  4. #4
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Hello saamicat,

    This is most likely not an infection. The information you see in the startup info is from Paul Collins' startup list and may not fit exactly the actual files on your computer.
    If you are in doubt if the listed files on your computer are malicious or not, you can send them to detections@spybot.info for analysis.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.
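
Added example, not part of the original thread and not Spybot's own code: a short Python script that parses startup entries in the layout pasted in post #3 and separates the facts about the file on disk (path, size, MD5) from the name-based description text, listing every file name in the description that is not the file actually referenced. The function names `parse_entries` and `triage` are hypothetical, and the sample input is taken from post #3 with the description shortened.

```python
import ntpath
import re

# Sample input: two entries from post #3, description text shortened.
SAMPLE = r"""
Located: HK_LM:Run, KernelFaultCheck (DISABLED)
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep.exe
size: 10752
MD5: 13922EB54890C77005268882629A31FE TROJAN LEGMIR-BN, filename ptool32.exe

Located: HK_CU:RunOnce,
where: S-1-5-18...
command: OSK.exe
file: C:\WINDOWS\system32\OSK.exe
size: 215552
MD5: C449FDB6D69414B5E5FF8FC9F7FB5B0F
OSK.EXE added by AGOBOT-KU WORM. file name: pathex.exe ADDED by MKMOOSE-A WORM. file name:svchost.exe ADDED by DELF-UX TROJAN.
"""

FIELD = re.compile(r"^(Located|where|command|file|size|MD5):\s*(.*)$", re.I)
FILE_NAME = re.compile(r"\b[\w.-]+\.(?:exe|dll|js)\b", re.I)

def parse_entries(text):
    """Split pasted entries into field dicts; unlabelled text goes to 'notes'."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = FIELD.match(line)
        key = m.group(1).lower() if m else None
        if key == "located":
            cur = {"located": m.group(2), "notes": ""}
            entries.append(cur)
        elif cur is None or not line:
            continue
        elif key == "md5":  # anything after the digest is description text
            cur["md5"], _, cur["notes"] = m.group(2).partition(" ")
        elif key:
            cur[key] = m.group(2)
        else:
            cur["notes"] += " " + line
    return entries

def triage(entry):
    """Report which file names in the description are not the file on disk."""
    folder, actual = ntpath.split(entry["file"].lower())
    named = {n.lower() for n in FILE_NAME.findall(entry["notes"])}
    return {"file": entry["file"], "md5": entry["md5"],
            "in_system32": folder.endswith("\\system32"),
            "names_not_matching_file": sorted(named - {actual})}
```

A non-empty `names_not_matching_file` means the description text refers to other file names than the one on disk; the file itself is then judged on its own path and hash, or sent for analysis as post #4 suggests.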
