
Trojan.agent.ht


7 replies to this topic

#1 Richard Collinson

  • Members
  • 8 posts

Posted 03 September 2006 - 10:28 AM

I have a constant alert in Spyware Doctor of Trojan.Agent.HT - I clear it using Spyware Doctor and on reboot it re-appears - yet it's not showing up in anything else such as

Norton
AdAware
SpyBot
HouseCall
McAfee Stinger

Can anyone please advise me how to get rid of this Trojan?

Many Thanks
Richard

Logfile of HijackThis v1.99.1
Scan saved at 1:38:56 PM, on 03.09.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\GS30s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synergy\synergys.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microangelo\muamgr.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\fpplock.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\BBC Alerts\BBC_Alerts.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Plaxo\2.10.0.32\PlaxoHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\qliner\Hotkeys\HotKeys.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ViddiPlayer\ViddiPlayer.exe
C:\Program Files\EarthView\EarthView.exe
C:\Program Files\Qlock\qlock.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\toolbars\Skype for Outlook\Skype4OL.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.copernic.com/explorer17/?l=ENG&e=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Warning: do not remove it!] fpplock.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BBC Alerts] "C:\Program Files\BBC Alerts\BBC_Alerts.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Uniblue Quick Access] "C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe" /startup
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Microsoft Office Outlook] C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE /recycle
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.10.0.32\PlaxoHelper.exe -a
O4 - Startup: EarthView.lnk = C:\Program Files\EarthView\EarthView.exe
O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
O4 - Global Startup: Hotkeys.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Viddi Radio Player.lnk = C:\Program Files\ViddiPlayer\ViddiPlayer.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to OneNote - {6EB2AA45-3F30-40e1-9864-45EB153C6EDC} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Send to OneNote Settings - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148587730436
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148704906687
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: LBTServ - C:\Program Files\Common Files\Logitech\Bluetooth\lbtserv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GS30s - Unknown owner - C:\WINDOWS\SYSTEM32\GS30s.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe


#2 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 09 September 2006 - 03:35 PM

Hello Richard Collinson and welcome to the BC HijackThis forum. I see no signs of viruses or malware in the log. It is clean.

Can you give me the exact message that SD is throwing up (i.e. what is being found and where it is being found).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 Richard Collinson

  • Topic Starter
  • Members
  • 8 posts

Posted 10 September 2006 - 12:42 AM

Hello OT - Thanks for your reply and for your welcome.

Normally when my computer is running, Spyware Doctor is also running. However now, after about 20 minutes, Spyware Doctor picks up Trojan.Agent.Ht and wants to reboot.

More information about Trojan.Agent.HT can be found at http://www.pctools.com/en/mrc/infections/id/Trojan.Agent.HT/

Note that although this web site says that Spyware doctor can remove Trojan.Agent.Ht it comes back on re-boot.

--------------------------------------------------------------

After running Spyware Doctor details given are as follows:

Trojan.Agent.HT

Type: Trojan

Threat Level: High

Description: Trojan.Agent.HT is a trojan that runs silently in the background. It hides itself as iexplore.exe and opens and listens on a port to allow the attacker full access to the compromised PC.

Advice: Toss

------------------------------------------------------------------

Under Scan Results I get

High Trojan.Agent.Ht
Registry
HKCU\Control Panel\Desktop###WallpaperOriginX
HKCU\Control Panel\Desktop###WallpaperOriginY

And that's it. I suspect that this is a false positive, as nothing else picks Trojan.Agent.HT up, but it renders Spyware Doctor unusable. I have also emailed PC Tools but after 10 days I have not received a reply.

Thank you very much for your help and your email
All the best
Richard

#4 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 10 September 2006 - 08:10 AM

Hi Richard Collinson. Yes, I agree that if that is all it is finding then it may well be a false positive. If the trojan was present there would be more evidence than just that setting.

Let's look and see if any of the other registry keys that Trojan.Agent.Ht adds/modifies are present.

Download WinPFind2.zip and unzip it to your Desktop. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.

Also download the following AddOn to the Plugins folder inside the WinPfind2 folder: TRAgent_HT.def

Note: If you are using IE, right-click on the link and choose Save Target As..., or if you are using Firefox, right-click on the link and choose Save Link As...


Now run WinPFind2 and perform a scan by doing the following:
  • Open the WinPFind2 folder and double-click on winpfind2.exe to start the program.
  • In the AddOn-Options box click the checkbox for TRAgent_HT.def to select it.
  • Now click the Add On's tab and then click the Run Add On's button.
  • When the scan is complete click back on the Configuration tab and then click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button to post the information back here and I will review it when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 Richard Collinson

  • Topic Starter
  • Members
  • 8 posts

Posted 10 September 2006 - 08:30 AM

Hello OT,

Thanks again for your help - I hope you can make sense of the following
All the best
Richard

Logfile created on: 09.10.2006 14:26
WinPFind2 by OldTimer - Version 1.0.8 Folder = C:\Documents and Settings\Richard\Desktop\WinPFind2\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)


< Add On's >

>>>>Output for AddOn file TRAgent_HT.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders - No SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders -
DelegateFolders\{640167b4-59b0-47a6-b335-a6b3c0695aea} -
DelegateFolders\{E211B736-43FD-11D1-9EFB-0000F8757FCD} -

KEY - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer - No SUBKEYS
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer -
Explorer\\WebFindBandHook - {68F2D3FC-8366-4a46-8224-58EFA2749425}
Explorer\\FileFindBandHook - {FFAC7A18-EDF9-40de-BA3F-49FC2269855E}
Explorer\\Logon User Name - Richard
Explorer\\ShellState - 24 00 00 00 3A 20 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 0D 00 00 00 00 00 00 00 03 00 00 00
Explorer\\CleanShutdown - 0
Explorer\\FaultCount - 0
Explorer\\FaultTime - 0
Explorer\\SearchSystemDirs - 1
Explorer\\SearchHidden - 1
Explorer\\IncludeSubFolders - 1
Explorer\\CaseSensitive - 0
Explorer\\SearchSlowFiles - 0
Explorer\\Browse For Folder Width - 318
Explorer\\Browse For Folder Height - 298
Explorer\\IconUnderline - ;
Explorer\\NoFileFolderConnection - 0
Explorer\\EnableAutoTray - 1
Explorer\\link - 00 00 00 00
Explorer\\DesktopProcess - 1
Explorer\\ThumbnailSize - 96
Explorer\Advanced -
Explorer\AutoComplete -
Explorer\AutoplayHandlers -
Explorer\Band -
Explorer\BitBucket -
Explorer\BrowseNewProcess -
Explorer\CabinetState -
Explorer\CD Burning -
Explorer\CLSID -
Explorer\ComDlg32 -
Explorer\ComputerDescriptions -
Explorer\CopyMoveTo -
Explorer\Desktop -
Explorer\Discardable -
Explorer\FileExts -
Explorer\HideDesktopIcons -
Explorer\HideMyComputerIcons -
Explorer\Map Network Drive MRU -
Explorer\MenuOrder -
Explorer\MountPoints2 -
Explorer\MyComputer -
Explorer\NewShortcutHandlers -
Explorer\PropSummary -
Explorer\RecentDocs -
Explorer\RunMRU -
Explorer\Shell Folders -
Explorer\ShellImageView -
Explorer\SmallIcons -
Explorer\StartPage -
Explorer\StreamMRU -
Explorer\Streams -
Explorer\StuckRects2 -
Explorer\tips -
Explorer\TrayNotify -
Explorer\User Shell Folders -
Explorer\UserAssist -
Explorer\VisualEffects -
Explorer\Wallpaper -
Explorer\WebView -
Explorer\WorkgroupCrawler -
Explorer\SessionInfo -

KEY - HKCU\Control Panel\Desktop - No SUBKEYS
HKCU\Control Panel\Desktop -
Desktop\\ActiveWndTrkTimeout - 0
Desktop\\AutoEndTasks - 1
Desktop\\CaretWidth - 1
Desktop\\CoolSwitch - 1
Desktop\\CoolSwitchColumns - 7
Desktop\\CoolSwitchRows - 3
Desktop\\CursorBlinkRate - 530
Desktop\\DragFullWindows - 1
Desktop\\DragHeight - 4
Desktop\\DragWidth - 4
Desktop\\FontSmoothing - 2
Desktop\\FontSmoothingType - 2
Desktop\\ForegroundFlashCount - 3
Desktop\\ForegroundLockTimeout - 1243432
Desktop\\GridGranularity - 0
Desktop\\HungAppTimeout - 1000
Desktop\\LowPowerActive - 0
Desktop\\LowPowerTimeOut - 0
Desktop\\MenuShowDelay - 400
Desktop\\PaintDesktopVersion - 0
Desktop\\PowerOffActive - 0
Desktop\\PowerOffTimeOut - 0
Desktop\\ScreenSaverIsSecure - 0
Desktop\\ScreenSaveTimeOut - 600
Desktop\\ScreenSaveActive - 1
Desktop\\TileWallpaper - 1
Desktop\\UserPreferencesMask - 9E 3C 07 80
Desktop\\WaitToKillAppTimeout - 1000
Desktop\\WallpaperStyle - 0
Desktop\\WheelScrollLines - 3
Desktop\\Pattern Upgrade - TRUE
Desktop\\NoAutoReturnToWelcome - 1
Desktop\\FontSmoothingGamma - 1000
Desktop\\FontSmoothingOrientation - 1
Desktop\\CTTuneMakeSettingsDefault - 0
Desktop\\Pattern -
Desktop\\SCRNSAVE.EXE -
Desktop\\Wallpaper - C:\Program Files\EarthView\EarthView.bmp
Desktop\\WallpaperOriginX - 0
Desktop\\WallpaperOriginY - 0
Desktop\WindowMetrics -

KEY - HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters - No SUBKEYS
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters -
parameters\\autodisconnect - 15
parameters\\enableforcedlogoff - 1
parameters\\enablesecuritysignature - 0
parameters\\requiresecuritysignature - 0
parameters\\NullSessionPipes - COMNAP;COMNODE;SQL\QUERY;SPOOLSS;LLSRPC;browser;
parameters\\NullSessionShares - COMCFG;DFS$;
parameters\\ServiceDll - %SystemRoot%\System32\srvsvc.dll
parameters\\Lmannounce - 0
parameters\\Size - 1
parameters\\Guid - 99 93 90 42 92 9D 2A 47 94 F0 52 1F F4 DB CB E9
parameters\\AdjustedNullSessionPipes - 1
parameters\\CachedOpenLimit - 0
parameters\\srvcomment - Richard's PC

KEY - HKCU\Control Panel\International - No SUBKEYS
HKCU\Control Panel\International -
International\\iCountry - 44
International\\iCurrDigits - 2
International\\iCurrency - 0
International\\iDate - 1
International\\iDigits - 2
International\\iLZero - 1
International\\iMeasure - 0
International\\iNegCurr - 1
International\\iTime - 1
International\\iTLZero - 1
International\\Locale - 00000809
International\\s1159 - AM
International\\s2359 - PM
International\\sCountry - United Kingdom
International\\sCurrency -
International\\sDate - .
International\\sDecimal - .
International\\sLanguage - ENG
International\\sList - ,
International\\sLongDate - dd MMMM yyyy
International\\sShortDate - dd.MM.yyyy
International\\sThousand - ,
International\\sTime - :
International\\sTimeFormat - h:mm:ss tt
International\\iTimePrefix - 0
International\\sMonDecimalSep - .
International\\sMonThousandSep - ,
International\\iNegNumber - 1
International\\sNativeDigits - 0123456789
International\\NumShape - 1
International\\iCalendarType - 1
International\\iFirstDayOfWeek - 0
International\\iFirstWeekOfYear - 0
International\\sGrouping - 3;0
International\\sMonGrouping - 3;0
International\\sPositiveSign -
International\\sNegativeSign - -
International\Geo -

KEY - HKCU\Software\Microsoft\Internet Explorer\Main - No SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Main -
Main\\NoUpdateCheck - 1
Main\\NoJITSetup - 1
Main\\Disable Script Debugger - yes
Main\\Show_ChannelBand - No
Main\\Anchor Underline - yes
Main\\Cache_Update_Frequency - Once_Per_Session
Main\\Display Inline Images - yes
Main\\Do404Search - 01 00 00 00
Main\\Local Page - C:\WINDOWS\system32\blank.htm
Main\\Save_Session_History_On_Exit - no
Main\\Show_FullURL - no
Main\\Show_StatusBar - yes
Main\\Show_ToolBar - yes
Main\\Show_URLinStatusBar - yes
Main\\Show_URLToolBar - yes
Main\\Start Page - http://www.google.co.uk/
Main\\Use_DlgBox_Colors - yes
Main\\Search Page - http://www.google.com
Main\\Check_Associations - yes
Main\\FullScreen - no
Main\\Window_Placement - 2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F6 05 00 00 00 00 00 00 F9 09 00 00 62 03 00 00
Main\\Use FormSuggest - yes
Main\\NotifyDownloadComplete - no
Main\\Use Search Asst - no
Main\\DisableScriptDebuggerIE - yes
Main\\Search Bar - http://search.copernic.com/explorer17/?l=ENG&e=
Main\\Error Dlg Displayed On Every Error - no
Main\\AddToFavoritesExpanded - 0
Main\\AllowWindowReuse - 1
Main\\Use Custom Search URL - 1
Main\\FavoritesImportFolder - C:\Documents and Settings\Richard\Favorites
Main\\AutoSearch - 4

KEY - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer - No SUBKEYS
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer -
Explorer\\NoDriveTypeAutoRun - 145
Explorer\\NoDriveAutoRun - 00 00 01 00
Explorer\\NoLowDiskSpaceChecks - 0
Explorer\\NoWinKeys - 1

KEY - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced - No SUBKEYS
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced -
Advanced\\Hidden - 2
Advanced\\ShowCompColor - 1
Advanced\\HideFileExt - 0
Advanced\\DontPrettyPath - 0
Advanced\\ShowInfoTip - 1
Advanced\\HideIcons - 0
Advanced\\MapNetDrvBtn - 0
Advanced\\WebView - 1
Advanced\\Filter - 0
Advanced\\SuperHidden - 0
Advanced\\SeparateProcess - 1
Advanced\\ListviewAlphaSelect - 1
Advanced\\ListviewShadow - 1
Advanced\\ListviewWatermark - 1
Advanced\\TaskbarAnimations - 1
Advanced\\StartMenuInit - 2
Advanced\\StartButtonBalloonTip - 2
Advanced\\ServerAdminUI - 0
Advanced\\TaskbarSizeMove - 1
Advanced\\Start_ShowNetPlaces_ShouldShow - 65
Advanced\\Start_ShowNetConn - 2
Advanced\\Start_LargeMFUIcons - 0
Advanced\\Start_MinMFU - 10
Advanced\\Start_ShowControlPanel - 1
Advanced\\Start_EnableDragDrop - 1
Advanced\\StartMenuFavorites - 0
Advanced\\Start_ShowHelp - 1
Advanced\\Start_ShowMyComputer - 1
Advanced\\Start_ShowMyDocs - 1
Advanced\\Start_ShowMyMusic - 1
Advanced\\Start_ShowMyPics - 1
Advanced\\Start_ShowPrinters - 1
Advanced\\Start_ShowRun - 1
Advanced\\Start_ScrollPrograms - 0
Advanced\\Start_ShowSearch - 1
Advanced\\Start_ShowSetProgramAccessAndDefaults - 1
Advanced\\Start_ShowRecentDocs - 2
Advanced\\Start_AutoCascade - 1
Advanced\\Start_NotifyNewApps - 0
Advanced\\Start_AdminToolsRoot - 2
Advanced\\StartMenuAdminTools - 1
Advanced\\TaskbarGlomming - 1
Advanced\\NoNetCrawling - 1
Advanced\\FolderContentsInfoTip - 1
Advanced\\FriendlyTree - 1
Advanced\\WebViewBarricade - 1
Advanced\\DisableThumbnailCache - 0
Advanced\\ShowSuperHidden - 0
Advanced\\ClassicViewState - 0
Advanced\\PersistBrowsers - 0
Advanced\\EnableBalloonTips - 0

KEY - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - No SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -
Winlogon\\AutoRestartShell - 1
Winlogon\\DefaultDomainName - RICHARDS-PC
Winlogon\\DefaultUserName - Richard
Winlogon\\PowerdownAfterShutdown - 0
Winlogon\\ReportBootOk - 1
Winlogon\\Shell - Explorer.exe
Winlogon\\ShutdownWithoutLogon - 0
Winlogon\\Userinit - C:\WINDOWS\system32\userinit.exe,
Winlogon\\VmApplet - rundll32 shell32,Control_RunDLL "sysdm.cpl"
Winlogon\\SfcQuota - -1
Winlogon\\allocatecdroms - 0
Winlogon\\allocatedasd - 0
Winlogon\\allocatefloppies - 0
Winlogon\\cachedlogonscount - 10
Winlogon\\forceunlocklogon - 0
Winlogon\\passwordexpirywarning - 14
Winlogon\\scremoveoption - 0
Winlogon\\AllowMultipleTSSessions - 1
Winlogon\\UIHost - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe
Winlogon\\LogonType - 1
Winlogon\\Background - 0 0 0
Winlogon\\DebugServerCommand - no
Winlogon\\SFCDisable - 0
Winlogon\\WinStationsDisabled - 0
Winlogon\\HibernationPreviouslyEnabled - 1
Winlogon\\ShowLogonOptions - 0
Winlogon\\AltDefaultUserName - Richard
Winlogon\\AltDefaultDomainName - RICHARDS-PC
Winlogon\\AutoAdminLogon - 1
Winlogon\\LeakTrack - 0
Winlogon\GPExtensions -
Winlogon\Notify -
Winlogon\SpecialAccounts -
Winlogon\Credentials -

KEY - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore - No SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore -
SystemRestore\\DisableSR - 0
SystemRestore\\CreateFirstRunRp - 1
SystemRestore\\DSMin - 200
SystemRestore\\DSMax - 400
SystemRestore\\RPSessionInterval - 0
SystemRestore\\RPGlobalInterval - 86400
SystemRestore\\RPLifeInterval - 7776000
SystemRestore\\CompressionBurst - 60
SystemRestore\\TimerInterval - 120
SystemRestore\\DiskPercent - 12
SystemRestore\\ThawInterval - 900
SystemRestore\\RestoreDiskSpaceError - 0
SystemRestore\\RestoreStatus - 0
SystemRestore\Cfg -
SystemRestore\SnapshotCallbacks -

< End of report >

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 10 September 2006 - 09:48 AM

Hi Richard Collinson. Nothing is showing up in the report. The Trojan.Agent.HT infection adds/modifies about a dozen keys and none of the changed keys are showing up here. Is SD still throwing up a message regarding an infection?

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 Richard Collinson

Richard Collinson
  • Topic Starter

  • Members
  • 8 posts

Posted 10 September 2006 - 11:21 AM

hello OT - thanks for the fast reply - every time I run SD it throws up Trojan.Agent.HT and wants to remove it and restart the computer. I think that this is a false positive - particularly as no other Virus/Spyware detector spots it.

I am now running AdAware SE Professional and it does not find any infection on my system.

I have emailed SD a couple of times over the last week but as yet I have received no reply.

Many thanks for your help
Richard

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 10 September 2006 - 12:10 PM

Hi Richard Collinson. Yup, I would simply disable it and wait to hear from PC Tools.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
