Continued Detection of Deleted Vundo/SmitFraud/Win32.Agent.at Files

2007-06-07, 20:05
I recently caught the Vundo--SmitFraud--Psapianalyzer browser-hijacker bug that's going around. Spybot was able to detect the Psapianalyzer files (which it labeled Win32.Agent.at), and claimed to be fixing them, but they would immediately reappear. I went to another forum (BleepingComputer) and, with the help I obtained there, was able to get rid of the bug. The ONLY trace of this experience that's left anywhere on my computer (as far as I can tell) is that there are four entries at the bottom of the "System Startup" page on SpyBot's Tools tab for combd (loading from c:\winnt\inf\combd.dll), hggebaa (loading from hggebaa.dll), nnlkj (loading from C:\winnt\system32\nnlkj.dll), and SensLogn (loading from WINotify.dll). SpyBot says these are loading from System.ini, but there is no mention of these files (or much of anything else) in my System.ini file. Incidentally, I'm running Win2K Pro, SP4, with all updates and patches current.

Before the BleepingComputer repair process, when I un-checked these entries to disable them, new checked, non-disabled ones automatically regenerated the next time I viewed the Tools/System Startup page. After the BleepingComputer repair process, the check boxes for these items are no longer checked, but as before, if I delete the entries on the Tools/System Startup page, they automatically regenerate the next time I view that page. The referenced files are NOT in the locations shown, and I have exhaustively searched my computer (with both Windows and third-party search programs), and have exhaustively scanned my Registry, and there are NO references to these files that I can find anywhere...except on the Tools/System Startup page of SpyBot. Other programs that show what's starting when my computer boots up (such as AVG AntiSpyware's Analysis/Autostart tab) do NOT show these four entries. I have even completely uninstalled SpyBot, rebooted, completely deleted the subdirectory where SpyBot was formerly installed, downloaded the current installation file directly from the Safer Networking website mirror, done a fresh install, performed all updates, and enabled the Immunize feature, only to find that the four (unchecked) entries are STILL listed, and STILL cannot be deleted. I am 99.99999999% certain that these four files are NOT anywhere on my computer any longer, and that these four entries are just a false positive, but that last tiny bit of doubt exists because SpyBot is still listing them on the Tools/System Startup page. Any thoughts or suggestions?

md usa spybot fan
2007-06-07, 21:00
Firstly, it may be helpful to anyone attempting to analyze the problem if, rather than describing the entries in question, you actually posted the entries. When you go into Spybot > Mode > Advanced mode > System Startup you can right-click on the listing and select either Export or Copy to Clipboard. If you did either and then edited the results to show the entries in question, it would probably be helpful.

I personally am not familiar with Windows 2000. However, in Windows XP the entries listed by Spybot as System.ini do not come from the System.ini file; they are subkeys of the following registry key (see Note #1):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
Entries from that location are started just like other startup entries. For more information on startup locations, see:
A Collection Of Autostart Locations, by Tony Kleinkramer
Note #1: According to A Collection Of Autostart Locations, by Tony Kleinkramer (http://forums.subratam.org/index.php?act=Print&client=printer&f=29&t=1063), Item # 27, the same entries also apply to Windows 2000 and NT.

2007-06-12, 08:03
Sorry that my first post on the forum apparently wasn't in proper form. Here are the actual entries from the Start-Up page of the Tools tab of my copy of SpyBot, edited to show only the ones to which I was referring:

[Begin Quoted Text]

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

Located: System.ini, comdb (DISABLED)
command: c:\winnt\inf\comdb.dll
file: c:\winnt\inf\comdb.dll

Located: System.ini, hggebaa (DISABLED)
command: hggebaa.dll
file: hggebaa.dll

Located: System.ini, nnlkj (DISABLED)
command: C:\WINNT\system32\nnlkj.dll
file: C:\WINNT\system32\nnlkj.dll

Located: System.ini, SensLogn (DISABLED)
command: WINotify.dll
file: WINotify.dll

[End Quoted Text]

My registry does contain an [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion] branch, but it does not contain a Winlogon or Notify branch. I believe the corresponding auto-run branches in Windows 2000 are Run and RunOnce, neither of which contains any reference to any of the above-quoted files. I have also done a search of my entire registry (using the search function built into regedit.exe), and it finds NO references ANYWHERE to the files referred to in these four entries.

Does that clarify the problem any?

md usa spybot fan
2007-06-12, 08:25
I believe that you may have looked in the wrong place. Please try again:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

2007-06-12, 08:38
Yes, you're right. It's been a long day! There is both a "Notify" branch that includes all the legitimate items shown on SpyBot's Start-Up page, and a "Notify_Disabled" branch that shows the four offending entries. It appears my earlier searches through the registry did not find these four items because I was searching for the files (for example, comdb.dll) rather than just for their names (for example, comdb). Here is what the registry branch looks like:

[Begin quoted text]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled\comdb]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled\hggebaa]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled\nnlkj]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled\SensLogn]

[End quoted text]

Unlike when I delete these items from Spybot's Start-up page and they then regenerate themselves, when I deleted the entire Notify_Disabled key from the registry (after backing it up), it did NOT regenerate, and the persistent entries have now disappeared from a freshly started instance of SpyBot. I believe the problem is solved!

I'm headed to bed now, but after tonight's shut-down and tomorrow's restart, I'll post one more message to verify that the entries really have been banished. Thanks very much for your help (and my bleary-eyed inability to properly read your posts)!
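The two replies above establish the mechanism behind the "System.ini" listing: Spybot reads the Winlogon notification packages registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, and parks the ones the user disables under a Notify_Disabled key of its own, where a registry search for the DLL file name (rather than the subkey name) will not find them. The script below is an added example, not something posted in this thread or shipped with Spybot: it walks both keys, reads each package's DllName value, and reports whether that DLL actually exists on disk, which is the check the original poster was trying to do by hand. It assumes a Windows version that has PowerShell (Windows 2000 itself does not, so there the same check is reg query plus a dir for each DLL); the Notify_Disabled key name is taken from this thread as Spybot's convention, and the DllName value is the documented registration value for a notification package. On Windows Vista and later Winlogon no longer loads these packages, so the Notify key there is normally empty.

```powershell
# Added example (not from the thread or from Spybot): list Winlogon notification
# packages, which Spybot reports under "System.ini", together with Spybot's own
# Notify_Disabled parking key (name taken from this thread), and check whether
# each DllName is actually present on disk.
function Get-WinlogonNotifyStatus {
    $base     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $system32 = Join-Path $env:SystemRoot 'System32'

    foreach ($sub in 'Notify', 'Notify_Disabled') {
        $key = Join-Path $base $sub
        # Notify_Disabled exists only if Spybot has created it.
        if (-not (Test-Path -Path $key)) { continue }

        foreach ($pkg in Get-ChildItem -Path $key) {
            # Each package is a subkey; the module Winlogon loads is its DllName value.
            $dll = (Get-ItemProperty -Path $pkg.PSPath -ErrorAction SilentlyContinue).DllName
            if ([string]::IsNullOrEmpty($dll)) {
                $resolved = ''
                $status   = 'no DllName value'
            } else {
                # Winlogon loads the package by name, so a bare file name such as
                # WINotify.dll resolves through the normal DLL search path; System32
                # is checked here as the usual location for an unqualified name.
                $resolved = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $system32 $dll }
                $status   = if (Test-Path -Path $resolved) { 'present' } else { 'MISSING on disk' }
            }
            [pscustomobject]@{
                Key      = $sub
                Package  = $pkg.PSChildName
                DllName  = $dll
                Resolved = $resolved
                Status   = $status
            }
        }
    }
}

# Usage: Get-WinlogonNotifyStatus | Format-Table -AutoSize
```

A package under Notify whose DLL is missing is a dangling registration and should be exported first (reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify-backup.reg) and then removed; an entry under Notify_Disabled is only Spybot's record of an item the user disabled, which is why deleting that subkey, as done in the post above, clears the listing without affecting what Winlogon loads.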

2007-06-12, 18:24
The computer started fine this morning, with no ill effects from the deletion of the Notify_Disabled branch, and the offending four entries are now gone from SpyBot's System Startup page, even after a full system scan. Thanks for your help! I'm glad to get actual proof that the infected files really are NOT anywhere on my hard drive any longer!