suspicious startup

  chugby 10:45 25 Nov 2006

Noticed startup programs appeared in MSConfig named DUPEMFCD.EXE-01BA057C.pf and TRUSTROAM.EXE-1C31C052.PF, which are located in the Windows prefetch folder.

Nothing comes up on the usual AV/spyware scans.
Initially tried deleting them from the MSConfig startup programs but they came back; then tried using CleanUp! 4.5.2 but they still came back. Managed to manually delete them from the Windows prefetch folder, although noticed they are still shown in MSConfig, but they are disabled.

Any advice appreciated.

Spec: AMD, XPSp2, Kaspersky AV/FW, Ewido

  Fruit Bat /\0/\ 10:59 25 Nov 2006

Have a look for something that appears like C:\WINDOWS\APPLIC~1\LOVEST~1\DupeMfcd.exe
and post the full path please.

  chugby 12:08 25 Nov 2006

Thanks for the reply Fruit Bat /\0/\

Have checked MSConfig and the startup item (Disabled)
DupeMfcd is shown under the command line as
C:\DOCUME~1\Barry\APPLIC~1\LOVEST~1\DupeMfcd.exe.
Tried a general search and also explored manually but can't trace it except in MSConfig.

By coincidence, as I was writing this I was also running A-squared Free antispyware and it came up with Trojan.Win32.Agent.tz within my WinRAR zip program.
Related?

Thanks

  Fruit Bat /\0/\ 15:17 25 Nov 2006

Yes I think it probably is.

If you had the line I suspected, then you have a trojan.

  chugby 15:56 25 Nov 2006

Have deleted the WinRAR program and am doing another scan.

The Trust Roam startup shows as:

C:\Documents and Settings\All Users\Application Data\Face Nurb Download Phone\Trust Roam.Exe.

Can't find a lot of info on this; wonder if this is a dial-up trojan, although I'm on broadband. How do I get into the Application Data folder? Assume disabling in MSConfig hopefully stops them in the meantime.

Thanks

  Fruit Bat /\0/\ 17:25 25 Nov 2006

Use Explorer to navigate to the folder

Face Nurb Download Phone

and delete it

  chugby 18:32 25 Nov 2006

Found the folder (had to tick "show hidden folders") and deleted it. Also got the DupeMfcd within the folder Love Start Multi. A lot happier: found and deleted!

Many thanks for help on this Fruit Bat /\0/\
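The check Fruit Bat /\0/\ asked for, done in one pass, as an added example that is not from this thread or from MSConfig: a PowerShell script that lists the Run-key entries MSConfig reads, expands 8.3 short paths such as the APPLIC~1\LOVEST~1 one above to their long names, records whether the file is still on disk and whether its folder is hidden, and flags anything launching from Application Data or ProgramData. It assumes Windows PowerShell is available on the machine being checked (XP needs it installed separately) and that Scripting.FileSystemObject's File.Path returns the long-name form.

```powershell
# Added example (not from the thread): list the Run-key entries MSConfig reads,
# expand 8.3 short paths such as C:\DOCUME~1\Barry\APPLIC~1\LOVEST~1\DupeMfcd.exe
# to their long names, and flag entries that launch from a data folder or a
# hidden directory. Assumes Windows PowerShell on the machine being checked.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$fso = New-Object -ComObject Scripting.FileSystemObject

function Get-ExePath([string]$command) {
    # Expand %VARS%, then drop arguments: a quoted program, else the first token ending in .exe
    $command = [Environment]::ExpandEnvironmentVariables($command)
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(\S+?\.exe)\b') { return $Matches[1] }
    return $command.Trim()
}

function Test-SuspectPath([string]$path) {
    # Data folders that normally hold no auto-started executables (as in this thread)
    return [bool]($path -imatch '\\(Application Data|AppData|ProgramData)\\')
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($p in $values.PSObject.Properties) {
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $short = Get-ExePath ([string]$p.Value)
        $long = $null; $hidden = $false
        try {
            $long = $fso.GetFile($short).Path       # assumption: FSO returns the long-name path
            $dir = Get-Item -LiteralPath (Split-Path -Parent $long) -Force
            $hidden = [bool]($dir.Attributes -band [IO.FileAttributes]::Hidden)
        } catch { }                                 # file no longer on disk: still worth listing
        $check = if ($long) { $long } else { $short }
        [pscustomobject]@{
            Key       = $key
            Name      = $p.Name
            LongPath  = $check
            OnDisk    = [bool]$long
            HiddenDir = $hidden
            Suspect   = ($hidden -or (Test-SuspectPath $check))
        }
    }
}
$report | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Entries with OnDisk false but Suspect true match the state described in the thread: the file was removed but the Run-key value (what MSConfig still lists) remains and should be deleted too.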
