Full Version: trojan-downloader.bat.ftp.gt
ZO6_VETTE
Hi, I am running Kaspersky Anti-Virus 2009. I keep getting this detected and it gets deleted but always returns.
I have made a rescue "boot disk" and Kaspersky finds nothing.
I believe that svchost.exe is starting FTP.exe but can't find how it is doing it.
I have attached a Kaspersky system state file.

Help!

Thanks
richbuff
Welcome. Let's start off with the name of the file that is detected, and its location. Post screenshot of Detected > Active threats. With columns widened to show full name and object details.

How to take and post screenshot: PrtSc (Print screen) key (upper right part of keyboard) > open Paint (Start > All programs > Accessories) > Edit > Paste, File > Save as (jpeg or png, Not bmp). When replying, Browse > click once to select file > Open > Upload > add reply.
ZO6_VETTE
QUOTE(richbuff @ 7.11.2009 06:41) *
Welcome. Let's start off with the name of the file that is detected, and its location. Post screenshot of Detected > Active threats. With columns widened to show full name and object details.

How to take and post screenshot: PrtSc (Print screen) key (upper right part of keyboard) > open Paint (Start > All programs > Accessories) > Edit > Paste, File > Save as (jpeg or png, Not bmp). When replying, Browse > click once to select file > Open > Upload > add reply.


Here is one screenshot


richbuff
Attach a Combofix log, please review and follow these instructions carefully.

Before Saving combofix to Desktop, please rename combofix to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

Download Combofix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
ZO6_VETTE
Combofix ran, then when it went to create a report I got the blue screen of death.
richbuff
Is the report located as indicated? If yes, please attach it.

Also, please create gsi sysinfo text, and then upload it to this parser site: http://gsi.kaspersky.fr/ and then post the link to the GSI report which may identify issue area, instructions see: http://forum.kaspersky.com/index.php?showtopic=36444 Please use the New 4.0 GSI utility. If Vista or W7, right click getsysteminfo.exe and select Run as administrator.
ZO6_VETTE
Here is the url of the report.

http://www.getsysteminfo.com/read.php?file...25029d&ms=0

Combofix file only shows that the app was started.
richbuff
QUOTE
Please use the New 4.0 GSI utility.
Please use the New 4.0 GSI utility.

Also, run Combofix in Safe mode. (tap F-8 on boot up)