Jump to content

Trojan.Agent


Recommended Posts

Hi - I'm trying to remove Trojan. Agent but after running Malwarebytes it still shows up if I scan again

Please advise how to to remove -Thanks

Malwarebytes' Anti-Malware 1.28

Database version: 1134

Windows 5.1.2600 Service Pack 1

29/10/2008 14:47:40

mbam-log-2008-10-29 (14-47-35).txt

Scan type: Quick Scan

Objects scanned: 107204

Time elapsed: 1 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken. [3857535134305383807566791534727079851301414438586445483634456446343641424738615

24839535634513861467468838084807185615674796980888461368683837079855570838474807

9

6138898177808370836135838088847083015270858574797284936771]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken. [3857535134305383807566791534727079851301414438586445483634456446343641424738615

24839535634513861467468838084807185615674796980888461368683837079855570838474807

9

6138898177808370836135838088847083015270858574797284936776]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken. [3857535134305383807566791534727079851301414438586445483634456446343641424738615

24839535634513861467468838084807185615674796980888461368683837079855570838474807

9

6138898177808370836135838088847083015270858574797284937486]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken. [3857535134305383807566791534727079851301414438586445483634456446343641424738615

24839535634513861467468838084807185615674796980888461368683837079855570838474807

9

6138898177808370836135838088847083015270858574797284937886]

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

HijackThis log added

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:59:54, on 29/10/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\regedit.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.norfolk.gov.uk/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gatekeeper.norfolk.gov.uk:1080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.norfolk.gov.uk;<local>

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {97BE7436-6283-4160-A5E2-1B3A699DA1CA} - C:\WINDOWS\System32\adsn.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O14 - IERESET.INF: START_PAGE_URL=http://intranet.norfolk.gov.uk

O16 - DPF: {053779ED-484D-11D5-8ACC-0010B54030B8} (IPLogon.LogonCtl) - http://nccperfplus/pplusweb/Packages/IPLogon.CAB

O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://mindlinkworkroom.pwc.com/qp2.cab

O16 - DPF: {07DE79EA-6A11-11D4-BDD3-0010B54030B7} (IPBriefingBook.BriefingBookLayout) - http://nccperfplus/pplusweb/Packages/IPBriefingBook.CAB

O16 - DPF: {0E09D1C7-6A2A-4DCB-AD82-DCE4AE8A4A27} (IPForms.FormSvr) - http://nccperfplus/pplusweb/Packages/IPForms.CAB

O16 - DPF: {29260DAA-7EB5-4AC7-9FA5-1DF2A267EC1D} (IPWorkflow.Workflow) - http://nccperfplus/pplusweb/Packages/IPWorkflow.CAB

O16 - DPF: {338FB323-D019-4D7F-931B-3494B11C58BA} (IPPropertyWiz.PropWiz) - http://nccperfplus/pplusweb/Packages/IPPropertyWiz.CAB

O16 - DPF: {51C3F208-9B5A-11D4-89EF-0010B54030B8} (IPMeasureControl.Measure) - http://nccperfplus/pplusweb/Packages/IPMeasureControl.CAB

O16 - DPF: {5220513D-1E66-11D3-9655-0020185749AE} (CubeControl.CubeForm) - http://nccperfplus/pplusweb/Packages/CubeCtl.CAB

O16 - DPF: {8FF8D338-066E-11D5-8A58-0010B54030B8} (IPGenList.GenListCtl) - http://nccperfplus/pplusweb/Packages/IPGenList.CAB

O16 - DPF: {CE1B5296-EFC0-44BB-B7D1-4769379EE2FF} (IPMailAddress.Mail) - http://nccperfplus/pplusweb/Packages/IPMailAddress.CAB

O16 - DPF: {D09A21D5-CC26-11D4-8A2A-0010B54030B8} (IPDiagramCtl.IPDiagram) - http://nccperfplus/pplusweb/Packages/IPDiagram.CAB

O16 - DPF: {D2DB3391-D1DF-461D-BCC6-182B7FA32753} (Stellent Check Out And Open Control) - http://ncccmscont/contribution/common/checkoutandopen.cab

O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://nccsavnch2/clientinstall/webinst.cab

O16 - DPF: {D9F93452-4087-4C28-84C1-C911524838A3} (IPChart.IPChartCtl) - http://nccperfplus/pplusweb/Packages/IPChart.CAB

O16 - DPF: {E8A1A2CF-6124-4228-8294-38A3AAB07A00} (IPReport.IPSummary2) - http://nccperfplus/pplusweb/Packages/IPReport.CAB

O16 - DPF: {F5D99836-D1C4-4EC8-8774-AA802CC9F246} (IPDateTime.DTPicker) - http://nccperfplus/pplusweb/Packages/IPDateTime.CAB

O16 - DPF: {FC37832E-00EB-11D5-8A4B-0010B54030B8} (NetworkDiagram.DiagramSvr) - http://nccperfplus/pplusweb/Packages/NetworkDiagram.CAB

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.norfolk.gov.uk

O17 - HKLM\Software\..\Telephony: DomainName = corporate.norfolk.gov.uk

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.norfolk.gov.uk

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corporate.norfolk.gov.uk

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

O23 - Service: WLANKEEPER - Intel

Link to post
Share on other sites

  • Staff

Please update MBAM and scan again , there is a rootkit in your system and its using these keys to track your data .

Current defs and current MBAM version deal with this one much better .

If by some chance you have used a keygen/crack/serial downloaded from the internet to make MBAM pro (or any other software) free and this is why you are using 1.28 still then you have a much more serious problem , one that cant be fixed .

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.