Hello all,

First time poster here! And am totally confused. I’ve been playing with the online virus scanner you have listed here and have been getting all sorts of strange responses. The site has been telling me that I have password stealers, backdoors, keyloggers, dropper viruses … you name it, it says I have it. Thing is, it usually differs each time I start Firefox. So I do a virus scan / rootkit scan … any scan I can think of / have in safe mode and nothing comes up. Are all these real or is something else going on?

I’m using:
Windows XP SP2
Comodo firewall
LinkSys router
Spybot S&D
Modified HOST files from How To: MVPS Hosts File FAQ

Here is my HJT log file:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:05:58 PM, on 4/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Analize.exe (HJT - renamed)

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe

End of file - 2121 bytes

So, am I being overly paranoid? These virus hits are really starting to freak me out.

This is what I got from one pass earlier -

Last file scanned at least one scanner reported something about: huashengke.exe (MD5: 25396dd704ba4c8151332c2be9ab3314, size: 753152 bytes)

Scanner                 Malware name
AntiVir                 HEUR/Crypted
ArcaVir                 X
Avast                   X
AVG Antivirus           X
BitDefender             X
ClamAV                  X
Dr.Web                  BackDoor.Huai
F-Prot Antivirus        Possibly a new variant of W32/Threat-HLLAV-based!Maximus
F-Secure Anti-Virus     X
Fortinet                X
Kaspersky Anti-Virus    X
Norman Virus Control    Hupigon.gen18
Panda Antivirus         X
Rising Antivirus        X
VirusBuster             X
VBA32                   BackDoor.Huai

Here is what I got on a second pass -

Last file scanned at least one scanner reported something about: ntkey.scr (MD5: 508cbbabf857a27f1d44cdab57d33b88, size: 868352 bytes)

Scanner                 Malware name
AntiVir                 TR/Spy.Banker.bci.1
ArcaVir                 Trojan.Spy.Banker.Ark
Avast                   Win32:Trojan-gen. {Other}
AVG Antivirus           PSW.Banker2.VMM
BitDefender             Trojan.Spy.Banker.ABG
ClamAV                  Trojan.Spy.Banker-1950
Dr.Web                  Trojan.PWS.Banker.7585
F-Prot Antivirus        W32/Banker.ACNQ
F-Secure Anti-Virus     Trojan-Spy.Win32.Banker.ark
Fortinet                Spy/Banker
Kaspersky Anti-Virus    Trojan-Spy.Win32.Banker.ark
NOD32                   a variant of Win32/Spy.Banker.CHC
Norman Virus Control    W32/Banker.BFZB
Panda Antivirus         X
Rising Antivirus        X
VirusBuster             TrojanSpy.Banker.IJX
VBA32                   Trojan.PWS.Banker.7585
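As an added example (not code from this thread, from Jotti, or from any of the engines listed), the Python script below parses the two result lists above and summarises engine consensus: how many engines flagged the file, how many of those gave a heuristic or generic verdict rather than a named one, and which family token most engines agree on. It assumes that "X" in the lists means the engine reported nothing, and the weak/moderate/strong labels are this example's own rule of thumb, not any scanner's.

```python
"""Engine-consensus summary for multi-scanner result lists like the ones above.
Added example; not code from the thread or from Jotti."""
import re
from collections import Counter

# Engine names as they appear in the lists; several contain spaces, so lines
# are matched against this list (longest name first) instead of split on a space.
KNOWN_SCANNERS = [
    "AntiVir", "ArcaVir", "Avast", "AVG Antivirus", "BitDefender", "ClamAV",
    "Dr.Web", "F-Prot Antivirus", "F-Secure Anti-Virus", "Fortinet",
    "Kaspersky Anti-Virus", "NOD32", "Norman Virus Control", "Panda Antivirus",
    "Rising Antivirus", "VirusBuster", "VBA32",
]
_BY_LENGTH = sorted(KNOWN_SCANNERS, key=len, reverse=True)
NO_DETECTION = "X"  # assumption: 'X' in the lists means the engine reported nothing
# Substrings marking a heuristic/generic verdict rather than a named family.
GENERIC_MARKERS = ("heur", "-gen", ".gen", "generic", "possibly", "crypted", "suspicious")
# Class/platform words found in most verdicts; they carry no family information.
NOISE = {"trojan", "trojanspy", "backdoor", "win32", "w32", "spy", "pws", "psw",
         "tr", "gen", "a", "of", "variant", "other", "new"}
HEADER_RE = re.compile(r"(?P<name>\S+)\s+\(MD5:\s*(?P<md5>[0-9a-fA-F]{32}),"
                       r"\s*size:\s*(?P<size>\d+)\s*bytes\)")

def split_line(line):
    """'F-Prot Antivirus W32/Banker.ACNQ' -> ('F-Prot Antivirus', 'W32/Banker.ACNQ')."""
    line = line.strip()
    for scanner in _BY_LENGTH:
        if line == scanner or line.startswith(scanner + " "):
            return scanner, line[len(scanner):].strip()
    raise ValueError("unknown scanner on line: %r" % line)

def is_generic(verdict):
    return any(m in verdict.lower() for m in GENERIC_MARKERS)

def family_tokens(verdict):
    """Lower-cased name parts minus class/platform words and trailing variant digits."""
    tokens = set()
    for tok in re.findall(r"[A-Za-z][A-Za-z0-9]*", verdict):
        low = tok.lower()
        base = re.sub(r"\d+$", "", low)  # Banker2 -> banker, gen18 -> gen
        if base and low not in NOISE and base not in NOISE:
            tokens.add(base)
    return tokens

def parse_report(text):
    """One 'Last file scanned ...' block -> file metadata plus (engine, verdict) pairs."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = HEADER_RE.search(lines[0])
    if head is None:
        raise ValueError("missing file header line")
    results = [split_line(ln) for ln in lines[1:] if not ln.lower().startswith("scanner")]
    return {"file": head.group("name"), "md5": head.group("md5").lower(),
            "size": int(head.group("size")), "results": results}

def summarise(report):
    """Detection counts plus a coarse consensus label (the labels are this example's own)."""
    hits = [(s, v) for s, v in report["results"] if v != NO_DETECTION]
    named = [(s, v) for s, v in hits if not is_generic(v)]
    votes = Counter()
    for _, verdict in hits:
        votes.update(family_tokens(verdict))  # one vote per engine per token
    engines = len(report["results"])
    if not hits:
        label = "none"
    elif len(named) < 3:
        label = "weak"      # only heuristics, or fewer than three engines name it
    elif 2 * len(named) >= engines:
        label = "strong"    # at least half the engines give a named detection
    else:
        label = "moderate"
    top = votes.most_common(1)[0] if votes else (None, 0)
    return {"file": report["file"], "md5": report["md5"], "engines": engines,
            "detections": len(hits), "named": len(named), "generic": len(hits) - len(named),
            "top_family": top[0], "family_votes": top[1], "consensus": label}

# Sample input: the two result lists from the post above, entries copied verbatim.
FIRST_PASS = "\n".join([
    "Last file scanned at least one scanner reported something about: huashengke.exe "
    "(MD5: 25396dd704ba4c8151332c2be9ab3314, size: 753152 bytes)",
    "Scanner Malware name", "AntiVir HEUR/Crypted", "ArcaVir X", "Avast X",
    "AVG Antivirus X", "BitDefender X", "ClamAV X", "Dr.Web BackDoor.Huai",
    "F-Prot Antivirus Possibly a new variant of W32/Threat-HLLAV-based!Maximus",
    "F-Secure Anti-Virus X", "Fortinet X", "Kaspersky Anti-Virus X",
    "Norman Virus Control Hupigon.gen18", "Panda Antivirus X", "Rising Antivirus X",
    "VirusBuster X", "VBA32 BackDoor.Huai"])
SECOND_PASS = "\n".join([
    "Last file scanned at least one scanner reported something about: ntkey.scr "
    "(MD5: 508cbbabf857a27f1d44cdab57d33b88, size: 868352 bytes)",
    "Scanner Malware name", "AntiVir TR/Spy.Banker.bci.1", "ArcaVir Trojan.Spy.Banker.Ark",
    "Avast Win32:Trojan-gen. {Other}", "AVG Antivirus PSW.Banker2.VMM",
    "BitDefender Trojan.Spy.Banker.ABG", "ClamAV Trojan.Spy.Banker-1950",
    "Dr.Web Trojan.PWS.Banker.7585", "F-Prot Antivirus W32/Banker.ACNQ",
    "F-Secure Anti-Virus Trojan-Spy.Win32.Banker.ark", "Fortinet Spy/Banker",
    "Kaspersky Anti-Virus Trojan-Spy.Win32.Banker.ark",
    "NOD32 a variant of Win32/Spy.Banker.CHC", "Norman Virus Control W32/Banker.BFZB",
    "Panda Antivirus X", "Rising Antivirus X", "VirusBuster TrojanSpy.Banker.IJX",
    "VBA32 Trojan.PWS.Banker.7585"])

if __name__ == "__main__":
    for block in (FIRST_PASS, SECOND_PASS):
        s = summarise(parse_report(block))
        print("%(file)s %(md5)s: %(detections)d/%(engines)d engines, %(named)d named, "
              "top family %(top_family)s (%(family_votes)d votes) -> %(consensus)s" % s)
```

Run on the two lists as posted, the first file comes out as 5 of 16 engines with only two agreeing on a name (the rest are heuristic or generic hits), while the second comes out as 15 of 17 with 14 engines naming a Banker variant. That is the kind of comparison a second upload to another multi-engine service is meant to confirm or refute.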

This may be a problem with Jotti.

Upload the same file to:


Post back what they say please.