bs2105 Posted March 29, 2009

Forum note from May 2008 says that MB product will find and remove trojan.agent, but:

I'm currently using MB 1.35 free version on XP Pro sp3 Dell laptop and MB finds this trojan, promises to delete on reboot, but the bad guy is still there at next MB scan (see below).

XP Auto restore is disabled at this time. I can find the MB detected trojan using Regedit, but I can't delete it. I can make changes, but after reboot, it is restored to previous condition.

There must be some undetected files or something double-teaming me on this one. I'm about to the point of rebuilding. Do you have anything else I can try first?

Thanks,
bob

===================================

Malwarebytes' Anti-Malware 1.35
Database version: 1911
Windows 5.1.2600 Service Pack 3

3/28/2009 2:57:18 PM
mbam-log-2009-03-28 (14-57-06).txt

Scan type: Full Scan (D:\|)
Objects scanned: 74100
Time elapsed: 2 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

====================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:41 AM, on 3/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Standard Time\Standard Time.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java

Mad Dog Vee Posted March 30, 2009

G'day BS2105 and Welcome to Malwarebytes.org

The following is how they usually like to proceed. Please follow the instructions carefully.

If you're having Malware related issues with your computer that you're unable to resolve.

Please read and follow the instructions provided here: I'm infected - What do I do now?

If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs

When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.

Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.

Using these other tools often makes the cleanup task more difficult and time consuming.

If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.

Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.

There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.

NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.