what should I make of this?

I went into My Documents and saw something in there called “utility.dll”.

It looked suspicious being in My Documents, so I scanned it on VirusTotal and Jotti's.

Kaspersky was the only scanner to find this trojan (results are below)

Antivirus Version Update Result

AntiVir 6.31.1.0 09.02.2005 no virus found
Avast 4.6.695.0 09.02.2005 no virus found
AVG 718 08.31.2005 no virus found
Avira 6.31.1.0 09.02.2005 no virus found
BitDefender 7.0 09.02.2005 no virus found
CAT-QuickHeal 8.00 09.02.2005 no virus found
ClamAV devel-20050725 09.02.2005 no virus found
DrWeb 4.32b 09.02.2005 no virus found
eTrust-Iris 7.1.194.0 09.02.2005 no virus found
eTrust-Vet 11.9.1.0 09.02.2005 no virus found
Fortinet 2.41.0.0 09.02.2005 no virus found
F-Prot 3.16c 09.02.2005 no virus found
Ikarus 0.2.59.0 09.02.2005 no virus found
Kaspersky 4.0.2.24 09.03.2005 Trojan.Win32.StartPage.abj
McAfee 4573 09.02.2005 no virus found
NOD32v2 1.1208 09.02.2005 no virus found
Norman 5.70.10 09.02.2005 no virus found
Panda 8.02.00 09.02.2005 no virus found
Sophos 3.97.0 09.02.2005 no virus found
Symantec 8.0 09.02.2005 no virus found
TheHacker 5.8.2.099 09.02.2005 no virus found
VBA32 3.10.4 09.02.2005 no virus found

Jotti's results are below:

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.StartPage.abj
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

Could this be a Kaspersky false positive?

It probably could be, as all those virus detectors never found it. Maybe contact the software creators and explain the problem.

I wouldn't be so sure… this DLL is very strange… If I were you, I'd open the Chest and add the file to the user files folder there.
Keep it there until further need of it.

Could quite easily be a browser hijack (adware), as the detection indicates StartPage.ab, and since avast is an antivirus, adware or a browser start page hijack may well not be detected, as with most of the other AVs.

I would do a google search for it - http://www.google.com/search?num=30&hl=en&lr=&q="utility.dll"

I would also run my anti-adware/spyware tools.

I have run:

Ad-Aware
Spybot
Spy Sweeper
Microsoft AntiSpyware
Spyware Doctor
Trend Micro spyware scan
CWS Shredder

Although some things were detected, the utility.dll was not found by any of them.

Any more advice? Any more programmes that can be run?

HijackThis - I'm sorry, I don't know the website; Google should bring it up. :slight_smile:

In fact, it seems a false positive. Anyway, it's strange to find a DLL located in the My Documents folder…
If I may suggest, besides HijackThis like Luke said, try ewido 8)

I'll try scans with RAV and F-Secure. In the meantime, here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 13:18:27, on 03/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Filseclab\xfilter\xfilter.exe
C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Filseclab\FilMsg.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\Common Files\AOL\1125490140\ee\AOLHostManager.exe
C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
C:\Program Files\Common Files\AOL\1125490140\ee\AOLServiceHost.exe
c:\program files\common files\aol\1125490140\ee\services\antiSpywareApp\ver0_9_6\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1125490140\ee\AOLServiceHost.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Skinno79\LOCALS~1\Temp\Temporary Directory 1 for HijackThis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [XFILTER] “C:\Program Files\Filseclab\xfilter\xfilter.exe” -a
O4 - HKLM..\Run: [IE Privacy Keeper] “C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe” -startup
O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime
O4 - HKLM..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM..\Run: [%FP%Friendly fts.exe] “C:\Program Files\VoyagerTest\fts.exe”
O4 - HKLM..\Run: [outpost_uninst] C:\DOCUME~1\Skinno79\LOCALS~1\Temp_uninstop.exe /u
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125490140\ee\AOLHostManager.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - Global Startup: Filseclab Messenger.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125091301421
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip..{37DE05C3-4FFF-4B8E-A657-4F378DE6BDDC}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\aolserv.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll

The O10 entries must have something to do with the “Filseclab firewall” I have installed.

On-line I suppose… not installed in your system.

About the Logfile of HijackThis, why don’t you try the HILOA tool of Eddy, it will automatically check it and give you suggestions.

There are a number of items that are either classed as Nasty or Unknown that should be checked and fixed.

R3 - Default URLSearchHook is missing (nasty)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) - Unknown, but I would get rid of it.

There are many other unknown entries relating to AOL and other programs, check this on-line analysis of your log file http://hijackthis.de/logfiles/ea63f85e5f870741901796e26f68f694.html

Hi,

Those 2 entries in HijackThis have now been fixed.

I recognise the AOL entries because I use AOL software (spyware scanner etc.). Other unknown entries were my modem etc.

I scanned with ewido and utility.dll was not found.

  1. I scanned with the Kaspersky online scanner; it found:

C:\Documents and Settings\Skinno79\Local Settings\Temp\nsgAB.tmp\utility.dll Infected: Trojan.Win32.StartPage.abj

  2. I scanned with F-Secure; it found:

C:\Documents and Settings\Skinno79\My Documents\utility.dll Trojan.Win32.StartPage.abj

Any more advice? Should this utility.dll be deleted?

I was going to run eScan virus scan but I noticed it is powered by Kaspersky, so it would probably find the utility.dll!

Send it to avast! Chest.
Open Chest and manually add it. After that, delete it.

Sorry, do you mean to e-mail the virus to avast? Was this a virus or is it adware?

Since it is after all in a temp folder I would suggest clearing your temp folders and it should be gone.

You could send it to virus @ avast.com (without the spaces) as a zipped and password-protected file (the password virus would be fine, given in the body of the email) with a brief outline of what happened, the link to this thread, etc.

However it does look like it could be a false positive, so there would be little point in sending it to avast unless it was confirmed by more than one source or we could find avast falsely detecting it.

It makes little difference if it is adware, spyware or malware, etc.; avast would categorise it accordingly and enter it if required in the VPS file.

Sorry, my fault, I thought it was a file not an email message.

Interesting. I ran the file again against Jotti's and VirusTotal. More scanners are picking it up now (not just Kaspersky).

Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found W32/StartPage.ABJ-tr
Kaspersky Anti-Virus Found Trojan.Win32.StartPage.abj
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

This is a report processed by VirusTotal on 09/03/2005 at 23:04:24 (CET) after scanning the file “utility.dll” file.
Antivirus Version Update Result
AntiVir 6.31.1.0 09.02.2005 no virus found
Avast 4.6.695.0 09.02.2005 no virus found
AVG 718 08.31.2005 no virus found
Avira 6.31.1.0 09.02.2005 no virus found
BitDefender 7.0 09.02.2005 no virus found
CAT-QuickHeal 8.00 09.03.2005 Trojan.StartPage.abj
ClamAV devel-20050725 09.03.2005 no virus found
DrWeb 4.32b 09.02.2005 no virus found
eTrust-Iris 7.1.194.0 09.02.2005 no virus found
eTrust-Vet 11.9.1.0 09.02.2005 no virus found
Fortinet 2.41.0.0 09.03.2005 W32/StartPage.ABJ-tr
F-Prot 3.16c 09.02.2005 no virus found
Ikarus 0.2.59.0 09.02.2005 no virus found
Kaspersky 4.0.2.24 09.03.2005 Trojan.Win32.StartPage.abj
McAfee 4573 09.02.2005 no virus found
NOD32v2 1.1208 09.02.2005 no virus found
Norman 5.70.10 09.02.2005 no virus found
Panda 8.02.00 09.03.2005 no virus found
Sophos 3.97.0 09.03.2005 no virus found
Symantec 8.0 09.03.2005 no virus found
TheHacker 5.8.2.099 09.02.2005 no virus found
VBA32 3.10.4 09.02.2005 no virus found

Don't you think the file should defo be sent to avast now?
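The question running through this thread, whether a single engine's hit is a false positive, is easier to judge by diffing the two multi-engine reports: how many engines now detect, whether the new hits coincide with signature updates, and whether the vendor names agree on a family. The script below is an added example, not code from the thread or from VirusTotal; the embedded reports are a constructed four-engine excerpt in the text layout quoted above.

```python
import re
# Constructed sample in the 2005 VirusTotal text layout quoted in the thread
# (engine, version, signature-update date, verdict), trimmed to four engines.
SCAN_1 = """\
Antivirus Version Update Result
CAT-QuickHeal 8.00 09.02.2005 no virus found
Fortinet 2.41.0.0 09.02.2005 no virus found
Kaspersky 4.0.2.24 09.03.2005 Trojan.Win32.StartPage.abj
McAfee 4573 09.02.2005 no virus found
"""
SCAN_2 = """\
Antivirus Version Update Result
CAT-QuickHeal 8.00 09.03.2005 Trojan.StartPage.abj
Fortinet 2.41.0.0 09.03.2005 W32/StartPage.ABJ-tr
Kaspersky 4.0.2.24 09.03.2005 Trojan.Win32.StartPage.abj
McAfee 4573 09.02.2005 no virus found
"""

# Engine and version contain no spaces, the update date is dd.mm.yyyy and the
# rest of the line is the verdict; the header line has no date and is skipped.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")

def parse_report(text):
    """Map engine -> (update date, verdict)."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m.group(1)] = (m.group(3), m.group(4).strip())
    return rows

def detections(report):
    """Engines whose verdict is anything other than a clean result."""
    return {e: v for e, (_, v) in report.items() if v.lower() != "no virus found"}

def common_tokens(verdicts):
    """Name fragments shared by every detection ('startpage' despite vendor-specific naming)."""
    sets = [{t.lower() for t in re.split(r"[./\-_\s]+", v) if t} for v in verdicts.values()]
    return sorted(set.intersection(*sets)) if sets else []

def compare(before, after):
    """Summarise how detections of one file changed between two reports."""
    a, b = parse_report(before), parse_report(after)
    da, db = detections(a), detections(b)
    new = sorted(set(db) - set(da))
    # A hit that appears together with a newer signature date is a signature
    # addition, which argues against the first engine having been wrong.
    new_after_update = [e for e in new if e in a and b[e][0] != a[e][0]]
    return {"total": len(b), "before": len(da), "after": len(db), "new": new,
            "new_after_update": new_after_update, "family": common_tokens(db)}
```

On the constructed excerpt, `compare(SCAN_1, SCAN_2)` reports detections rising from 1 to 3 of 4, both new hits arriving with a 09.03.2005 signature update, and `startpage` as the family token all three verdicts share.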

You can do what you want, but if it was me I believe I would send it to Avast.

utility.dll has been placed in the virus chest.

File was sent to avast a short while ago :wink: I hope it is added to the database quickly!

Well done.

Thanks. We hope the same 8)