Win32.agent.qt Hijack Log

  • This topic is locked
2 replies to this topic

#1 Texterp


  • Members
  • 1 posts
  • Local time:11:55 PM

Posted 08 January 2008 - 09:22 PM

Please help with cleaning the file listed above. I did all the instructions listed but cannot remove the Win32.Agent.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:01 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\kernel\kernel.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ---------- HOSTS
O1 - Hosts: rojo #Sun Enterprise 420r (Solaris 2.6)
O1 - Hosts: gindo #Sun Enterprise 420r (Solaris 2.6)
O1 - Hosts: red red_le0 sybserver #Virtual IP for Sybase Cluster
O1 - Hosts: stc03a #Xylogics Microannex 2000(RAS)
O1 - Hosts: modemsout #Xylogics Microannex Modem Rotary
O1 - Hosts: modem #Firewall -Qwest
O1 - Hosts: stc06r #Radius
O1 - Hosts: blanco mailhost datehost loghost puffer.com smtp #Sun Enterprise 250
O1 - Hosts: blanco_hme0 #Sun Enterprise 250
O1 - Hosts: blanco_hme1 #Sun Enterprise 250
O1 - Hosts: stc08r #Stafford Cisco 3640 (eth 0)
O1 - Hosts: stc09r #Fisher Cisco 2501 Router (eth 0)
O1 - Hosts: stc00r puffer_nb st_nb0 #en0 port on Telebit NetBlazer
O1 - Hosts: stc01r stfd_ags0 #Stafford Cisco 3640 (eth 0)
O1 - Hosts: carver carver.puffer.com #Sun V480
O1 - Hosts: Carver #Sun V480
O1 - Hosts: einstein einstein.puffer.com #Sun V480
O1 - Hosts: Einstein #Sun V480
O1 - Hosts: edison edison.puffer.com #Sun V480
O1 - Hosts: Edison #Sun V480
O1 - Hosts: pasteur pasteur.puffer.com #Sun V480
O1 - Hosts: Pasteur #Sun V480
O1 - Hosts: davinci davinci.puffer.com #Sun V480 Development Server
O1 - Hosts: Davinci #Sun V480 Development Server
O1 - Hosts: stc17p #Websense Server
O1 - Hosts:
O1 - Hosts: mxsrp009hou1 mxsrp009hou1.puffer.com #Exchange firewall
O1 - Hosts: mailfrontier mailfrontier.puffer.com #Mail Frontier
O1 - Hosts: stc21s #Sun SPARCstation 10
O1 - Hosts: stc21s_le0 #Sun SPARCstation 10
O1 - Hosts: stc21s_le1 #Sun SPARCstation 10
O1 - Hosts: stc22s #Sun SPARCstation 10
O1 - Hosts: nueces #Sun SPARCstation 2
O1 - Hosts: stc24p #Sharepoint Server
O1 - Hosts: saba #Sun SPARCstation 10 (Solaris 2.4)
O1 - Hosts: stc26p #PI shop network DHCP Server
O1 - Hosts: zeus #BDC
O1 - Hosts: zeus_ne0 #PUFFER_S West NIC
O1 - Hosts: stc28p #PRE #DOM:PUFFER_S
O1 - Hosts:
O1 - Hosts: stc30p #Liquid Server
O1 - Hosts: HAL9000 #Currently PRP mail server. Formerly, smtpgwy smtpgwy.puffer.com smtpgwy.devlan.puffer #CCMail Link to SMTP
O1 - Hosts: colorado lprhost monhost #Sun SPARCstation 10
O1 - Hosts: stc33p stc33p.puffer.com #Wired Hyperion Server
O1 - Hosts: stc35p #PC
O1 - Hosts: stc36p #CCMail "Router"
O1 - Hosts: timeclock3 #Timeclock - See fjb
O1 - Hosts: stc385 #HP 5si Laser Printer
O1 - Hosts: stc39p #Connected Networker Remote Server
O1 - Hosts: pufweb pufweb.puffer.com #Puffer Web server - Internal
O1 - Hosts: stc41p #SMS
O1 - Hosts: stc42p stc42p.puffer.com www2 www2.puffer.com #Mirror of external web server
O1 - Hosts: stc43u #Ultra5 Solaris Migration test machine
O1 - Hosts: fftxpuf2 #New Fisher Sql server/Paylinx
O1 - Hosts: stc45x #Tektronix XP217c
O1 - Hosts:
O1 - Hosts: stc24u namebroker #New Neches Solaris 2.6
O1 - Hosts: stc48p #Websense Server
O1 - Hosts: comal #Sun Fire V240
O1 - Hosts: stc50p #WTSRV SERVER
O1 - Hosts: stc51p #WTSRV SERVER
O1 - Hosts: stc52p #WTS Storage Array Server
O1 - Hosts: stc53p #WTSRV SERVER
O1 - Hosts: stc54p #Development - Data Warehouse Essbase Server
O1 - Hosts: stc555 #Landscape printer for printing Fisher Reports
O1 - Hosts: stc56p #WTSRV SERVER - Test Bed
O1 - Hosts: stc57p stc57p.puffer.com #Paylinks Server
O1 - Hosts: stc58p #Production - Data Warehouse Essbase Server
O1 - Hosts:
O1 - Hosts: medina #Ultra 5 (Solaris 2.6)
O1 - Hosts: stc61x #Tektronix XP11 X-Terminal
O1 - Hosts:
O1 - Hosts:
O1 - Hosts: stc65p #Legato Networker Remote Server
O1 - Hosts: stc66p #WTSRV SERVER
O1 - Hosts:
O1 - Hosts: stw29x #XP217C
O1 - Hosts: stc69p stc69p.puffer.com #Dell Disk Array
O1 - Hosts: stw34x #XP18
O1 - Hosts: stw40x #Tektronix XP18 X-Terminal
O1 - Hosts: stc72p stc72p.puffer.com #HYPERION SERVER
O1 - Hosts: stw48x #Tektronix XP119M X-Terminal (Jim)
O1 - Hosts: stw505 #HP LaserJet 5000 Printer
O1 - Hosts: frio #SUN E420R - Accounting
O1 - Hosts: stc76p #WEB Portal Server
O1 - Hosts: stw56x #Tektronix XP330up;04 X-Terminal
O1 - Hosts: stw57x #NCD 200
O1 - Hosts: stwa22x #X-Terminal TestJim
O1 - Hosts: stw63x #Personal Computer
O1 - Hosts: stw695 #HP LaserJet 5000
O1 - Hosts: stw715 #HP 5000
O1 - Hosts: stw83s #Temp Solaris Server
O1 - Hosts: stw84s ste82s #Temp Sun OS
O1 - Hosts: stc85s #Sun SPARCstation 20 Merlin Server
O1 - Hosts: stc86p #Terminal Server
O1 - Hosts: stw87x #NCD 200 X-Terminal
O1 - Hosts: stc88p #Terminal Server
O1 - Hosts: stw89p #Static address for Todd Pierce
O1 - Hosts: stw874 #HP 4V LaserJet Printer
O1 - Hosts: stw955 #HP 5000
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B2C8F98-D3FE-4D9C-833D-359C7E3477E3} - C:\WINDOWS\system32\gebbc.dll (file missing)
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\byxyvus.dll (file missing)
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TrackIT-65] \\stc42p\Track-It!65\Audit32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM .EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mbbn] C:\Data\?ecurity\j?vaw.exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: DVD@ccess.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...nology/vmp.html
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://mpsnet.com/JavaVM3186.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {495DEA80-49C2-4891-94CD-C2016615D16F} (ProductView Control) - http://www.catalogds.com/dtd/pvcadview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093379196019
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator - http://prism.puffer.com:8000/jinitiator/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = puffer.com
O17 - HKLM\Software\..\Telephony: DomainName = puffer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = puffer.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = puffer.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = puffer.com
O20 - Winlogon Notify: byxyvus - byxyvus.dll (file missing)
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\system32\slClient.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Unknown owner - C:\WINDOWS\TIREMOTE\wuser32.exe (file missing)
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

End of file - 15951 bytes
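A small triage helper for logs in this format, added here as an example; it is not a BleepingComputer or HijackThis tool and its heuristics are this example's own assumptions. It parses the `Rn - ...` / `On - ...` lines, flags entries whose target is reported `(file missing)`, any `O20` Winlogon Notify hook, and `O4` autorun entries whose path contains non-printable or substituted characters or does not start under Program Files, Windows or a UNC share. `O1` hosts entries are only counted, because hosts lines that map an organisation's own hostnames (like the `puffer.com` ones above) are not in themselves a hijack and should be compared against what that site's hosts file is expected to contain. The sample lines are copied from the log above; the `?` characters in the `[Mbbn]` path are as captured in the post.

```python
"""Triage helper for HijackThis-style logs (added example; heuristics are assumptions)."""
import re
from dataclasses import dataclass, field

# One recognised log line: a section code such as R0, O1, O4, O20, a dash, then the body.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# Locations an autorun entry is expected to launch from on a Windows XP host (assumption);
# an optional leading quote is allowed, and "\\" covers UNC paths.
EXPECTED_PREFIX_RE = re.compile(
    r'^"?(?:c:\\program files|c:\\progra~1|c:\\windows|\\\\)', re.IGNORECASE)


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def parse(text):
    """Return one Entry per recognised log line; headers, process lists etc. are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def launch_path(body):
    """For an O4 body like 'HKCU\\..\\Run: [Name] C:\\x.exe', return the command part."""
    return body.split("]", 1)[1].strip() if "]" in body else ""


def review(entry):
    """Attach heuristic flags to a single entry and return it."""
    body = entry.body
    if "(file missing)" in body:
        entry.flags.append("target file missing: orphaned registry reference to clean up")
    if entry.code == "O20":
        entry.flags.append("Winlogon Notify DLL: loaded at logon, a common persistence point")
    if entry.code == "O4":
        path = launch_path(body)
        # Characters outside printable ASCII (or a literal '?') suggest a lookalike name.
        if re.search(r"[^\x20-\x7e]|\?", path):
            entry.flags.append("non-printable or substituted characters in launch path")
        if path and not EXPECTED_PREFIX_RE.match(path):
            entry.flags.append("launches from outside Program Files/Windows or as a bare filename")
    return entry


def triage(text):
    """Parse and review a whole log; returns (entries with flags, number of O1 hosts lines)."""
    entries = [review(e) for e in parse(text)]
    hosts = sum(1 for e in entries if e.code == "O1")
    return [e for e in entries if e.flags], hosts


# Constructed sample: a handful of lines copied from the log above.
SAMPLE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: rojo #Sun Enterprise 420r (Solaris 2.6)
O1 - Hosts: stc17p #Websense Server
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B2C8F98-D3FE-4D9C-833D-359C7E3477E3} - C:\WINDOWS\system32\gebbc.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [Mbbn] C:\Data\?ecurity\j?vaw.exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O20 - Winlogon Notify: byxyvus - byxyvus.dll (file missing)
"""

if __name__ == "__main__":
    flagged, hosts = triage(SAMPLE)
    print(f"{hosts} hosts-file entries: compare against the site's expected hosts file")
    for e in flagged:
        print(f"{e.code}: {e.body}")
        for f in e.flags:
            print(f"    - {f}")
```

Run against the full log, the same heuristics surface the two `(file missing)` BHOs, the `O20` hook, and the `O4` entries with odd paths, while leaving the signed vendor entries and the corporate hosts lines alone; a bare filename such as `Ati2mdxx.exe` is flagged only because its location cannot be resolved from the log line, so it needs a manual look rather than removal.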



#2 SifuMike


    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:55 PM

Posted 12 January 2008 - 09:44 PM

Hello Texterp,

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click Yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike


    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:55 PM

Posted 18 January 2008 - 10:14 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
