Welcome, Guest. Please Login or Register.
Search
Members
Login
Register
   Mischel Internet Security Forum
   Malware
   Adware, Browser Hijackers and other Malware (Moderators: Helena, Gavin_Coe, Magnus)
   TrojanHunter won't remove Agent.100 and Vundo.100		 « Previous topic | Next topic »
Pages: 1 2  Reply Reply  Notify of replies Notify of replies   Send Topic Send Topic   Print Print
   Author  Topic: TrojanHunter won't remove Agent.100 and Vundo.100  (Read 2501 times)
leew
Newbie
*





   
WWW  

Gender: male
 Posts: 13
TrojanHunter won't remove Agent.100 and Vundo.100
« on: Mar 28th, 2009, 7:58am »		 Quote Quote  Modify Modify
Hi Guys,
 
I'm having a problem with TrojanHunter not catching some trojans, especially the ones that are advertising based like agent.100 and Vundo.100 etc?
I regularly get these from sites when I'm looking for small script programs.
 
Now I can't access my online (server side) email accounts like all my Yahoo accounts.  My Gmail is barely working but with a lot of work arounds and  
 
won't load when I change folders.  My computer is definitely infected and when I clean these trojans they just seem to come right back.
 
This is URGENT!
 
From running all the plugins in TrojanHunter below is the results log.  It says 2 Trojans found and when I clean them I get "Unable to remove..." or  
 
"Unable to open..." and when I check again they are still there.  I've tried to delete them directly in my registry editor but they won't allow me to  
 
delete these registry places.
 
I'm not a techi just trying to reslove these.
 
I have Trojan Hunter 5.0 build 962, running XP Pro with service pack 3, Pentium 4 - 2.80GHz, 2 gigs RAM.
 
24 March 2009
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Vundo.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Vundo.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C} (matches Agent.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C} (matches Agent.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Agent.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Agent.100)
Port 9999/TCP is open (matches ForcedEntry.100)
Port 9999/TCP is open (matches Infra.100)
Port 9999/TCP is open (matches Prayer.120)
Port 9999/TCP is open (matches Prayer.130)
Port 9999/TCP is open (matches Skipper.100)
Port 9999/TCP is open (matches SpadeAce.100)
Port 9999/TCP is open (matches TakeOver.200)
Port 9999/TCP is open (matches TakeOver.300)
Found NTFS alternate data stream: C:\DELL\Thumbs.db:encryptable:$DATA
 
Ran full clean and delete Trojan Hunter and NOD32 24 Mar 09 and got rid of Port 999 trojans but it won't get these two.
 
25 March 2009
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Vundo.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Vundo.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C} (matches Agent.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C} (matches Agent.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Agent.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Agent.100)
AppInitChecker Executing
Unable to open key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocSer ver32
Unable to remove registry key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
Unable to open key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C}\InprocServer32
Unable to remove registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C}
Unable to open key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocSer ver32
Unable to remove registry key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
 
25 March 2009 10am in Safe Mode with networking
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Vundo.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Vundo.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C} (matches Agent.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C} (matches Agent.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Agent.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Agent.100)
Port 5025/TCP is open (matches Keylogger.WMRemote.100)
AppInitChecker Executing
Unable to open key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocSer ver32
Unable to remove registry key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
Unable to open key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C}\InprocServer32
Unable to remove registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C}
Unable to open key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocSer ver32
Unable to remove registry key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
 
 
Thanks,
Lee
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 7357
Re: TrojanHunter won't remove Agent.100 and Vundo.
« Reply #1 on: Mar 28th, 2009, 11:47am »		 Quote Quote  Modify Modify
Have you tried running TH scanner in SAFE MODE without Networking.  This may release those registry keys.  
 
 
Also, I recommend that your download security utility Combofix.exe and save it to your desktop.  The link below provides detailed instructions on how to use Combofix and also a download link for Combofix.  Please print out these instructions for use because you need to close your browser when running Combofix.exe
 
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
-  Be sure to temporarily disable all your security programs except your software firewall and close down as many programs as you can (icons next to the computer time/date in the Task bar) BEFORE you run Combofix.
 
-  You can omit the part about adding the Windows Recovery Console if you wish.  
 
-  Once Combofix has started its cleaning, do not interrupt it by clicking on its open window.  
 
Please post back here the results log of Combofix once it has completed its scan and cleaning.
 
Also, please download and install Hijackthis per the instructions in the link below.  Scan and post a Hijackthis scan log AFTER you run Combofix.exe
 
http://www.misec.net/forum/board/FAQ/1163329424
 
« Last Edit: Mar 28th, 2009, 12:05pm by siliconman01 » IP Logged
______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
leew
Newbie
*





   
WWW  

Gender: male
 Posts: 13
Re: TrojanHunter won't remove Agent.100 and Vundo.
« Reply #2 on: Mar 28th, 2009, 12:55pm »		 Quote Quote  Modify Modify
Thanks Siliconman,
 
I'll try all these and let you know.
 
I did run TH in Safe Mode but with Networking.
 
Lee
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 7357
Re: TrojanHunter won't remove Agent.100 and Vundo.
« Reply #3 on: Mar 28th, 2009, 2:17pm »		 Quote Quote  Modify Modify
Okay...hopefully Combofix will correct the problem.
IP Logged
______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
leew
Newbie
*





   
WWW  

Gender: male
 Posts: 13
Re: TrojanHunter won't remove Agent.100 and Vundo.
« Reply #4 on: Mar 29th, 2009, 1:40pm »		 Quote Quote  Modify Modify
Well so far not so good.
 
I ran TH in safe mode without networking after downloading Combofix from http://www.bleepingcomputer.com/combofix/how-to-use-combofix (tried all 3 download sites) and Hijackthis from http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php.  When I checked my downloads with TH I got a trojan from Combofix every time and it deleted ComboFix.
 
Safe mode without networking did not result in any improvement, same results.  Plus after the TH scan I couldn't copy the scan report, it locked up ("not responding") and I had to "end task" to shut it down.
 
Also my computer wouldn't not reboot and I had to hard boot.
 
Here are reports I got after hard reboot from 29 Mar 09 from Plugins scan:
 
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Vundo.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Vundo.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C} (matches Agent.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C} (matches Agent.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Agent.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Agent.100)
AppInitChecker Executing
Unable to open key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocSer ver32
Unable to remove registry key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
Unable to open key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C}\InprocServer32
Unable to remove registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C}
Unable to open key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocSer ver32
Unable to remove registry key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
 
And here is report of TH scan of just the ComboFix file:
 
Found NTFS alternate data stream: C:\Documents and Settings\Lee Wilson\My Documents\My Downloads\TrojanHunter\ComboFix\ComboFix.exe:Zone.Identifier:$DATA
Found trojan file: C:\Documents and Settings\Lee Wilson\My Documents\My Downloads\TrojanHunter\ComboFix\ComboFix.exe/hidec.exe (RiskTool.Hidec.100)
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Lee Wilson\My Documents\My Downloads\TrojanHunter\ComboFix\ComboFix.exe/catchme.cfexe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Lee Wilson\My Documents\My Downloads\TrojanHunter\ComboFix\ComboFix.exe/ERDNT.e_e
Found trojan file: C:\Documents and Settings\Lee Wilson\My Documents\My Downloads\TrojanHunter\ComboFix\ComboFix.exe/Upx.fjhpslvo/hidec.exe (RiskTool.Hidec.100)
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Lee Wilson\My Documents\My Downloads\TrojanHunter\ComboFix\ComboFix.exe/Upx.fjhpslvo/catchme.cfexe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Lee Wilson\My Documents\My Downloads\TrojanHunter\ComboFix\ComboFix.exe/Upx.fjhpslvo/ERDNT.e_e
Quarantined file C:\Documents and Settings\Lee Wilson\My Documents\My Downloads\TrojanHunter\ComboFix\ComboFix.exe
Unable to quarantine file C:\Documents and Settings\Lee Wilson\My Documents\My Downloads\TrojanHunter\ComboFix\ComboFix.exe: Scheduling file to be quarantined when computer is restarted
 
I'm afraid to download ComboFix and run it after finding each time it has a trojan.  I even tried the sites directly with the same results.
 
I will go ahead and download it again and run it from the desktop and hopefully catch any trojans that might be attached to it.  Then send you the report.
 
Lee
 
 
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 7357
Re: TrojanHunter won't remove Agent.100 and Vundo.
« Reply #5 on: Mar 29th, 2009, 2:00pm »		 Quote Quote  Modify Modify
Combofix uses several tactics that are used by the cybercriminals to infect your computer so that it (Combofix) can clean your computer.  TH sees that and thinks Combofix is a malicious file.  
 
Combofix.exe downloaded from BleepingComputer.com, GeekstoGo.com or ForoSpyware.com is not infected.  
 
Please run Combofix and do not run TH scanner until you have let Combofix clean your computer and you have posted the Combofix log back here.   After I examine the Combofix log, then we'll remove Combofix from your system.  It is a cleaning tool that is only run under specific conditions.  
 
Remember to post a Hijackthis scan log too as previously requested...after the Combofix run.
« Last Edit: Mar 29th, 2009, 2:02pm by siliconman01 » IP Logged
______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
leew
Newbie
*





   
WWW  

Gender: male
 Posts: 13
Re: TrojanHunter won't remove Agent.100 and Vundo.
« Reply #6 on: Mar 29th, 2009, 2:25pm »		 Quote Quote  Modify Modify
OK here the results from ComboFix:
 
ComboFix 09-03-28.06 - Lee Wilson 2009-03-29 15:59:29.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1667 [GMT -4:00]
Running from: c:\documents and settings\Lee Wilson\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
 * Created a new restore point
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\71SS0jR0.exe.a_a
c:\windows\system32\HknTwGgh.ini
c:\windows\system32\HknTwGgh.ini2
c:\windows\system32\MabryObj.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mssrv32.exe
c:\windows\system32\ntos.exe
c:\windows\system32\RuuFNqru.ini
c:\windows\system32\RuuFNqru.ini2
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\audio.dll.cla
c:\windows\system32\wsnpoem\video.dll
c:\windows\wiaserviv.log
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
-------\Service_TDSSserv.sys
 
 
(((((((((((((((((((((((((   Files Created from 2009-02-28 to 2009-03-29  )))))))))))))))))))))))))))))))
.
 
2009-03-28 10:09 . 2009-03-28 10:09<DIR>d--------c:\program files\EPSON
2009-03-28 10:09 . 2001-05-21 02:1661,598--a------c:\windows\system32\EBPMON2.DLL
2009-03-28 10:09 . 2001-03-29 02:2157,344--a------c:\windows\system32\ECBTEG.DLL
2009-03-28 10:09 . 2000-06-07 01:0134,304--a------c:\windows\system32\EBPCHP.DLL
2009-03-28 10:09 . 2000-09-14 02:03145--a------c:\windows\system32\EBPPORT.DAT
2009-03-25 10:10 . 2009-03-25 10:10<DIR>d--------c:\documents and settings\Administrator\Application Data\TrojanHunter
2009-03-25 10:05 . 2009-03-25 10:05<DIR>d--------c:\documents and settings\Administrator
2009-03-23 21:20 . 2009-03-24 18:0566--a------c:\windows\forumequalizer.ini
2009-03-23 20:52 . 2009-03-24 16:02<DIR>d--------c:\program files\Forum Poster 3
2009-03-23 17:26 . 2009-03-23 17:27<DIR>d--------c:\program files\Comment Sniper
2009-03-14 18:17 . 2009-03-14 18:17<DIR>d--------c:\program files\JB Virtual Enterprise
2009-03-03 19:05 . 2009-03-04 21:15<DIR>d--------c:\program files\FXDD2 - MetaTrader 4
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 19:44---------d-----wc:\documents and settings\Lee Wilson\Application Data\Skype
2009-03-29 15:31---------d-----wc:\program files\PocoMail3
2009-03-29 01:29---------d-----wc:\program files\Registry Easy
2009-03-25 16:54---------d-----wc:\program files\Auction Sentry Deluxe
2009-03-24 15:45516,096----a-wc:\windows\iwexec.exe
2009-03-24 15:45---------d-----wc:\program files\TC Web Conferencing
2009-03-14 20:15---------d-----wc:\program files\SENuke
2009-02-18 02:32---------d-----wc:\program files\Forex Strength Meter
2009-02-11 19:01---------d-----wc:\program files\Yahoo!
2009-02-11 14:34---------d-----wc:\documents and settings\Lee Wilson\Application Data\Orbit
2009-02-07 19:28---------d-----wc:\program files\Verizon
2009-02-07 19:28---------d-----wc:\program files\Common Files\SupportSoft
2009-02-03 21:37---------d--h--wc:\program files\InstallShield Installation Information
2009-02-03 21:36---------d-----wc:\program files\Java
2009-02-03 19:04---------d-----wc:\program files\ATC FX Pro
2009-01-29 15:2161,224----a-wc:\documents and settings\Lee Wilson\GoToAssistDownloadHelper.exe
2009-01-28 01:23---------d-----wc:\program files\NinjaTrader 6.5
2008-09-18 01:0160,744----a-wc:\documents and settings\Lee Wilson\g2mdlhlpx.exe
2008-02-27 18:1332----a-wc:\documents and settings\All Users\Application Data\ezsid.dat
2006-11-18 03:2466,046----a-wc:\program files\Dupe_Free_0_NO_VISTA.ico
2008-04-02 20:1888--sh--rc:\windows\system32\82AD050715.sys
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.CSCD"= camcodec.dll
"MSVideo"= CSvidcap.dll
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Anonymizer Total Net Shield.lnk]
backup=c:\windows\pss\Anonymizer Total Net Shield.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
backup=c:\windows\pss\Orbit.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^Lee Wilson^Start Menu^Programs^Startup^Orbit.lnk]
backup=c:\windows\pss\Orbit.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
--------- 2007-03-28 12:38 1015808 c:\program files\ACT\Act for Windows\ActSage.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
--------- 2007-03-28 12:43 9728 c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 17:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10A A}]
--a------ 2006-06-01 14:32 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2005-03-08 00:42 176128 c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 17:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 c:\program files\QuickTime\QTTask.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe Version Cue CS3"=3 (0x3)
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
 
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-11-16 15424]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-06-28 28952920]
S3 CleanService;CleanService;c:\progra~1\STOMPS~1\DIGITA~1\CleanService.exe  [2008-03-26 52736]
S3 dlttape;dlttape;c:\windows\system32\drivers\dlttape.sys [2008-04-26 8320]
.
Contents of the 'Scheduled Tasks' folder
 
2009-03-03 c:\windows\Tasks\At1.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-25 c:\windows\Tasks\At10.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At11.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At12.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At13.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At14.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At15.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-29 c:\windows\Tasks\At16.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At17.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At18.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At19.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-03 c:\windows\Tasks\At2.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At20.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-29 c:\windows\Tasks\At21.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-29 c:\windows\Tasks\At22.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-25 c:\windows\Tasks\At23.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-18 c:\windows\Tasks\At24.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-03 c:\windows\Tasks\At25.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-03 c:\windows\Tasks\At26.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-03 c:\windows\Tasks\At27.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-03 c:\windows\Tasks\At28.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-03 c:\windows\Tasks\At29.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-03 c:\windows\Tasks\At3.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-02-28 c:\windows\Tasks\At30.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-02-28 c:\windows\Tasks\At31.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-16 c:\windows\Tasks\At32.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-23 c:\windows\Tasks\At33.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-25 c:\windows\Tasks\At34.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At35.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At36.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At37.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At38.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At39.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-03 c:\windows\Tasks\At4.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-29 c:\windows\Tasks\At40.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At41.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At42.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At43.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-28 c:\windows\Tasks\At44.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-29 c:\windows\Tasks\At45.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-29 c:\windows\Tasks\At46.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-25 c:\windows\Tasks\At47.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-18 c:\windows\Tasks\At48.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-03 c:\windows\Tasks\At5.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-02-28 c:\windows\Tasks\At6.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-02-28 c:\windows\Tasks\At7.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-16 c:\windows\Tasks\At8.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-23 c:\windows\Tasks\At9.job
- c:\windows\system32\71SS0jR0.exe []
 
2009-03-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1645522239-682003 330-1003.job
- c:\documents and settings\Lee Wilson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 13:23]
.
- - - - ORPHANS REMOVED - - - -
 
BHO-{96038f77-4c62-454e-988b-74fd33425203} - (no file)
BHO-{C33E0681-82FF-4D79-A125-143C94C69028} - (no file)
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
 
 
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=101863&l=dis
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = 69.10.61.79:51013
uSearchURL,(Default) = hxxp://www.ask.com/?o=101868&l=dis
LSP: imon.dll
DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} - hxxps://techinline.net/Client/TIClient.cab
FF - ProfilePath - c:\documents and settings\Lee Wilson\Application Data\Mozilla\Firefox\Profiles\ek1htx34.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.rr.com/division/34
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101861&gct=&gc=1&a mp;q=
FF - component: c:\documents and settings\Lee Wilson\Application Data\Mozilla\Firefox\Profiles\ek1htx34.default\extensions\{a7c6cf7f-112c -4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\Lee Wilson\Application Data\Mozilla\Firefox\Profiles\ek1htx34.default\extensions\RemoteDesktopC lient@techinline.com\plugins\npTiClient.dll
FF - plugin: c:\documents and settings\Lee Wilson\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.
 
************************************************************************ **
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 16:09:41
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...  
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
************************************************************************ **
.
--------------------- LOCKED REGISTRY KEYS ---------------------
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\ssqNdbay.dll"
"ThreadingModel"="Both"
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ECD1C806-377F-45D6-91BD-76A974A2C673}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\hgGwTnkH.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'lsass.exe'(700)
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\AstSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\wscntfy.exe
.
************************************************************************ **
.
Completion time: 2009-03-29 16:14:48 - machine was rebooted
ComboFix-quarantined-files.txt  2009-03-29 20:14:45
 
Pre-Run: 145,198,333,952 bytes free
Post-Run: 145,161,715,712 bytes free
 
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
 
318--- E O F ---2009-03-20 22:14:22
 
Thanks,
Lee
IP Logged
leew
Newbie
*





   
WWW  

Gender: male
 Posts: 13
Re: TrojanHunter won't remove Agent.100 and Vundo.
« Reply #7 on: Mar 29th, 2009, 2:26pm »		 Quote Quote  Modify Modify
Here are the results from HiJackThis:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:17:55, on 3/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AstSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101863&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.ask.com/?o=101868&l=dis
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.10.61.79:51013
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiO S%20Installer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662. cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/clien t/wuweb_site.cab?1194968671187
O16 - DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} (TIClientControl Object) - https://techinline.net/Client/TIClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AST Service (astcc) -  Advanced Software Technologies - C:\WINDOWS\system32\AstSrv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CleanService - Unknown owner - C:\PROGRA~1\STOMPS~1\DIGITA~1\CleanService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
 
--
End of file - 6490 bytes
 
Thanks,
Lee
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 7357
Re: TrojanHunter won't remove Agent.100 and Vundo.
« Reply #8 on: Mar 29th, 2009, 3:34pm »		 Quote Quote  Modify Modify
Okay, please do the following:
 
1.  Locate the Combofix quarantine folder named Qoobox.  It should be located under the root C:\
 
2.  Right click on the Qoobox folder and select Send to > Compress (zipped) folder.  This will create a compressed folder named Qoobox.zip
 
3.  Please send Qoobox.zip as an email attachment to submit@TrojanHunter.com
 
-  In the email subject line, enter Combofix Quarantine Folder for Analysis
 
-  In the body of the email, place a link to this forum post so that Gavin will know where to look in the forum.  
 
-  Gavin will further analyze the Combofix quarantined files and incorporate them into TrojanHunter's detection ruleset.
 
-  After you email Qoobox.zip, you can delete the Zip file from your system.
 
4.  Remove Combofix from your system
 
-  Go to START>RUN and type in   Combofix /u
 
-  Click OK
 
-  Let Combofix uninstall itself.  All Combofix files will be removed from your system...including the desktop Combofix.exe
 
5.  Reboot your computer.
 
6.  Run another Hijackthis scan.  When the scan is completed, place a checkmark in the box next to the following items.  BE SURE that these are the only items checked.  
 
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
 
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
 
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
 
7.  Close your Browser
 
8.  Click on Fix Checked located at the lower left of the Hijackthis window.  Confirm that you want Hijackthis to fix these items and let it fix them.
 
9.  Close Hijackthis and immediately reboot your computer.
 
10.  Now run another Full Scan with TrojanHunter and post back here the TrojanHunter scan report.
IP Logged
______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 7357
Re: TrojanHunter won't remove Agent.100 and Vundo.
« Reply #9 on: Mar 29th, 2009, 4:04pm »		 Quote Quote  Modify Modify
In addition to my post above:
 
IF the TrojanHunter scan still reports that it cannot remove those registry keys, please do the following.
 
1.  Go to the link below and download RegAssassin.  Save it on your desktop.
 
http://www.malwarebytes.org/regassassin.php
 
2.  Double click on the RegAssassin icon on your desktop.
 
-  Agree to the terms and conditions.
 
3.  When you get to the window that says RegAssassin loaded, please enter a registry key., enter the following key into the entry box.  BE SURE it is exactly this key (best to copy from here and paste into the box).
 
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
 
-  Be sure that "Reset registry key permissions" is check marked.
 
-  Be sure that "Delete registry key and all subkeys" is check marked.
 
-  Click on Delete and let RegAssassin delete the key.
 
4.  Repeat Step 3 for the registry key below.  
 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A  FBDC02C}
 
5.  Exit RegAssassin.
 
6.  Run another scan with TH to confirm that the keys are removed.  
 
And, is your computer running any better?
« Last Edit: Mar 29th, 2009, 4:13pm by siliconman01 » IP Logged
______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
leew
Newbie
*





   
WWW  

Gender: male
 Posts: 13
Re: TrojanHunter won't remove Agent.100 and Vundo.
« Reply #10 on: Mar 29th, 2009, 9:14pm »		 Quote Quote  Modify Modify
I'm sorry.  After doing #10 scanning again with TH I had these 2 trojans still in tact and one other which I didn't write down.
 
I right clicked to save scan report and TH crashed and I could only close it with "End Task" and of course no report of the hours of scanning was saved.
 
I'm getting very tired of TH crashing.
 
I will try your 2nd post suggestions.
 
Lee
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 7357
Re: TrojanHunter won't remove Agent.100 and Vundo.
« Reply #11 on: Mar 29th, 2009, 10:40pm »		 Quote Quote  Modify Modify
Quote:
I'm sorry.  After doing #10 scanning again with TH I had these 2 trojans still in tact and one other which I didn't write down.  
 
I right clicked to save scan report and TH crashed and I could only close it with "End Task" and of course no report of the hours of scanning was saved.

 
I was not aware that you were having a TH crash problem.   Sad
 
Is this something that has just recently started occurring with TrojanHunter?  
 
Does TH only crash when your right click to save the scan report?
 
Instead of right clicking to save the Scan Report, go up to File in the top menu and select Save Scan Report.  
 
Is your version of TH a license version with the subscription current?  
 
And are your TH rulesets the very latest version...via LiveUpdate?
 
Are you having problems with other programs on your system crashing or not working correctly?
 
 
Also, is there an ATI Control Panel icon showing up in the icons next to the computer clock in the Task Bar?  If so, this could be a reason for the TH crash...conflict.  
« Last Edit: Mar 29th, 2009, 11:34pm by siliconman01 » IP Logged
______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
leew
Newbie
*





   
WWW  

Gender: male
 Posts: 13
Re: TrojanHunter won't remove Agent.100 and Vundo.
« Reply #12 on: Mar 30th, 2009, 6:47am »		 Quote Quote  Modify Modify
Hi Siliconman,
 
Here are your answers.
 
Is this something that has just recently started occurring with TrojanHunter?
It has just started recently, last month or so.
 
Does TH only crash when your right click to save the scan report?
Yes, only when I attempt to save log file by right clicking after a full scan so that I know where it is and can save it.  I will now use File>Save Scan Report.
 
Is your version of TH a license version with the subscription current?
Yes.  I'm using ver 5.0, build 962 and subscription is current.  I update every morning.  I'm running on a PC with XP Pro service pack 3
 
And are your TH rulesets the very latest version...via LiveUpdate?
Yes.
 
Are you having problems with other programs on your system crashing or not working correctly?
No, except Firefox and Word off and on but that's almost a normal expected routine.
 
Also, is there an ATI Control Panel icon showing up in the icons next to the computer clock in the Task Bar?
Yes, my TH loads when I boot which is what I use to update every morning.
 
Lee
IP Logged
leew
Newbie
*





   
WWW  

Gender: male
 Posts: 13
Re: TrojanHunter won't remove Agent.100 and Vundo.
« Reply #13 on: Mar 30th, 2009, 7:28am »		 Quote Quote  Modify Modify
I ran RegASSASSIN and put in the 2 registry keys in your post and they deleted.
 
When I ran TH after rebooting I still got my 2 trojans Agent.100 and Vundo.100 immediately so I stopped scan and attempted to clean them.
 
Here is TH report.
TrojanHunter Scan Report - Saved 2009-03-30 09:16
 
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Vundo.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Vundo.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C} (matches Agent.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C} (matches Agent.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Agent.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (matches Agent.100)
Unable to open key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocSer ver32
Unable to remove registry key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
Unable to open key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C}\InprocServer32
Unable to remove registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C}
Unable to open key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocSer ver32
Unable to remove registry key HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
 
When I put in the 2 unique registry keys from this report in RegASSASSIN to delete
 
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77A FBDC02C}
 
I get "RegASSASSIN could NOT remove the registry key."
 
What is your next suggestion?
 
Lee
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 7357
Re: TrojanHunter won't remove Agent.100 and Vundo.
« Reply #14 on: Mar 30th, 2009, 9:56am »		 Quote Quote  Modify Modify
Try using RegAssassin with your computer booted into SAFE MODE and see if that lets the registry keys be deleted.
 
Are you familiar and comfortable with how to edit your system registry via Regedit?  In other words, have you manually edited your system registry before?  I ask this because manually changing the registry is inherently dangerous if not done correctly.
 
These registry keys are apparently locked by whatever infection put them there.  You have XP PRO which provides the capability of you, the administrator, to manually manipulate the registry permissions.  If you are familiar with Regedit, I will supply you directions for trying to removing these keys manually.
« Last Edit: Mar 30th, 2009, 10:18am by siliconman01 » IP Logged
______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
Pages: 1 2  Reply Reply  Notify of replies Notify of replies   Send Topic Send Topic   Print Print

« Previous topic | Next topic »