marly786 Posted October 29, 2008 (ID:32773)

Hi - I'm trying to remove Trojan.Agent but after running Malwarebytes it still shows up if I scan again. Please advise how to remove it - Thanks

Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 1

29/10/2008 14:47:40
mbam-log-2008-10-29 (14-47-35).txt

Scan type: Quick Scan
Objects scanned: 107204
Time elapsed: 1 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken. [38575351343053838075667915347270798513014144385864454836344564463436414247386152483953563451386146746883808480718561567479698088846136868383707985557083847480796138898177808370836135838088847083015270858574797284936771]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken. [38575351343053838075667915347270798513014144385864454836344564463436414247386152483953563451386146746883808480718561567479698088846136868383707985557083847480796138898177808370836135838088847083015270858574797284936776]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken. [38575351343053838075667915347270798513014144385864454836344564463436414247386152483953563451386146746883808480718561567479698088846136868383707985557083847480796138898177808370836135838088847083015270858574797284937486]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken. [38575351343053838075667915347270798513014144385864454836344564463436414247386152483953563451386146746883808480718561567479698088846136868383707985557083847480796138898177808370836135838088847083015270858574797284937886]

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
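As an added example (not part of the original post and not Malwarebytes' own tooling): a small parser for the MBAM 1.x log format pasted above. It splits the report into its per-category detail sections, breaks each detection line into path, threat name, action and the trailing bracketed data, and lists detections whose action is "No action taken", which is what a log looks like when items were only reported and never removed. The embedded sample is constructed from the format above, with the bracketed data shortened to a placeholder.

```python
import re

# Constructed sample in the MBAM 1.x log format (abbreviated from the post above;
# the long bracketed detection data is replaced by the placeholder 0000).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.28
Database version: 1134

Scan type: Quick Scan
Objects scanned: 107204

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Settings\\bf (Trojan.Agent) -> No action taken. [0000]
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Settings\\bk (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# Detail-section header, e.g. "Registry Values Infected:" (the summary lines
# "Registry Values Infected: 4" end in a number and are deliberately not matched).
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<path> (<threat>) -> <action>. [<data>]" where the bracketed data is optional.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>[^\[]+?)\.?\s*(?:\[(?P<data>[0-9A-Fa-f]+)\])?$"
)

def parse_mbam_log(text):
    """Return {section name: [detection dicts]} for every detail section of the log."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
            continue
        if current is None or not line or line.startswith("(No malicious"):
            continue
        hit = DETECTION_RE.match(line)
        if hit:
            sections[current].append(hit.groupdict())
    return sections

def unremediated(sections):
    """(section, path) pairs the scanner only reported, i.e. action was 'No action taken'."""
    return [(sec, d["path"]) for sec, items in sections.items() for d in items
            if d["action"].strip().lower().startswith("no action taken")]

if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for sec, items in parsed.items():
        print(f"{sec}: {len(items)} detection(s)")
    for sec, path in unremediated(parsed):
        print(f"still present (no action taken): {sec}: {path}")
```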
marly786 (Author) Posted October 29, 2008 (ID:32774)

HijackThis log added

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:59:54, on 29/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.norfolk.gov.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gatekeeper.norfolk.gov.uk:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.norfolk.gov.uk;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {97BE7436-6283-4160-A5E2-1B3A699DA1CA} - C:\WINDOWS\System32\adsn.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://intranet.norfolk.gov.uk
O16 - DPF: {053779ED-484D-11D5-8ACC-0010B54030B8} (IPLogon.LogonCtl) - http://nccperfplus/pplusweb/Packages/IPLogon.CAB
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://mindlinkworkroom.pwc.com/qp2.cab
O16 - DPF: {07DE79EA-6A11-11D4-BDD3-0010B54030B7} (IPBriefingBook.BriefingBookLayout) - http://nccperfplus/pplusweb/Packages/IPBriefingBook.CAB
O16 - DPF: {0E09D1C7-6A2A-4DCB-AD82-DCE4AE8A4A27} (IPForms.FormSvr) - http://nccperfplus/pplusweb/Packages/IPForms.CAB
O16 - DPF: {29260DAA-7EB5-4AC7-9FA5-1DF2A267EC1D} (IPWorkflow.Workflow) - http://nccperfplus/pplusweb/Packages/IPWorkflow.CAB
O16 - DPF: {338FB323-D019-4D7F-931B-3494B11C58BA} (IPPropertyWiz.PropWiz) - http://nccperfplus/pplusweb/Packages/IPPropertyWiz.CAB
O16 - DPF: {51C3F208-9B5A-11D4-89EF-0010B54030B8} (IPMeasureControl.Measure) - http://nccperfplus/pplusweb/Packages/IPMeasureControl.CAB
O16 - DPF: {5220513D-1E66-11D3-9655-0020185749AE} (CubeControl.CubeForm) - http://nccperfplus/pplusweb/Packages/CubeCtl.CAB
O16 - DPF: {8FF8D338-066E-11D5-8A58-0010B54030B8} (IPGenList.GenListCtl) - http://nccperfplus/pplusweb/Packages/IPGenList.CAB
O16 - DPF: {CE1B5296-EFC0-44BB-B7D1-4769379EE2FF} (IPMailAddress.Mail) - http://nccperfplus/pplusweb/Packages/IPMailAddress.CAB
O16 - DPF: {D09A21D5-CC26-11D4-8A2A-0010B54030B8} (IPDiagramCtl.IPDiagram) - http://nccperfplus/pplusweb/Packages/IPDiagram.CAB
O16 - DPF: {D2DB3391-D1DF-461D-BCC6-182B7FA32753} (Stellent Check Out And Open Control) - http://ncccmscont/contribution/common/checkoutandopen.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://nccsavnch2/clientinstall/webinst.cab
O16 - DPF: {D9F93452-4087-4C28-84C1-C911524838A3} (IPChart.IPChartCtl) - http://nccperfplus/pplusweb/Packages/IPChart.CAB
O16 - DPF: {E8A1A2CF-6124-4228-8294-38A3AAB07A00} (IPReport.IPSummary2) - http://nccperfplus/pplusweb/Packages/IPReport.CAB
O16 - DPF: {F5D99836-D1C4-4EC8-8774-AA802CC9F246} (IPDateTime.DTPicker) - http://nccperfplus/pplusweb/Packages/IPDateTime.CAB
O16 - DPF: {FC37832E-00EB-11D5-8A4B-0010B54030B8} (NetworkDiagram.DiagramSvr) - http://nccperfplus/pplusweb/Packages/NetworkDiagram.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.norfolk.gov.uk
O17 - HKLM\Software\..\Telephony: DomainName = corporate.norfolk.gov.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.norfolk.gov.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corporate.norfolk.gov.uk
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WLANKEEPER - Intel
nosirrah Posted October 29, 2008 (ID:32780)

Please update MBAM and scan again, there is a rootkit in your system and it's using these keys to track your data. Current defs and current MBAM version deal with this one much better.

If by some chance you have used a keygen/crack/serial downloaded from the internet to make MBAM pro (or any other software) free and this is why you are using 1.28 still, then you have a much more serious problem, one that can't be fixed.