UGOBOT-KU blank entry on system startup list??



faico
2007-07-14, 17:24
Hello my friends,

My spybot startup program list shows a strange blank entry with this description:

"Added by the AGOBOT-KU WORM! Note: has a blank entry under the Startup Item/Name field"

I have a lot of updated antispyware and antivirus programs and none of them has detected any trojan. The strange fact is that when I had Spysweeper installed (I don't have it anymore) it detected the blank startup entry too but it didn't give any description.

Could this blank entry be a false positive?


Regards!

md usa spybot fan
2007-07-14, 18:13
It would be helpful if you posted the "strange blank entry" you are talking about. One way to do that is to right click on the listing and either do an "Export..." or "Copy to Clipboard". Edit the listing and post the entry you are questioning.

faico
2007-07-14, 18:57
Hello, thanks for your answer. Here is the entry, but as I said it is blank:


Located: HK_LM:Run, (DISABLED)
command:
file:

Do you need me to post the entire log?

md usa spybot fan
2007-07-14, 20:22
It appears that you may have an invalid entry or a problem in the format of the entries in the following registry key:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
The description is probably being picked up because the entry appears to have a blank "ValueName" although the entry for Agobot-KU is usually "" = system32.exe.

faico
2007-07-14, 21:25
Well, I didn't write the entire description which appears on the right side of Spybot's system startup window when I click the blank entry. Here it is:

Current filename:

Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: system32.exe

Description
Added by the AGOBOT-KU WORM! Note- has a blank entry under the Startup Item/Name field

Source: Paul Collins Startup list


What do you think? I fear that my computer is infected but I can't find the trojan. Could you help me?


Regards!

md usa spybot fan
2007-07-14, 22:11
I believe that it is just a bad entry in the registry. Please note that:
The Current filename (Command line) is blank, so that the entry is not pointing to a file to be executed.
The entry is disabled (Run-):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
If you are familiar with Regedit, take a look at the registry key and see what is there.

I'll repeat:


The description is probably being picked up because the entry appears to have a blank "ValueName" …
The descriptions associated with startup entries are not detections and in this case I believe the description is being presented because of an erroneous entry in the registry.

faico
2007-07-14, 22:28
Sorry but I am not very familiar with those terms. What should I do?



Thanks for your help my friend!

md usa spybot fan
2007-07-14, 23:43
Sorry but I am not very familiar with those terms.
What terms?


What should I do?
Either ignore the entry since:


I believe that it is just a bad entry in the registry. Please note that:
The Current filename (Command line) is blank, so that the entry is not pointing to a file to be executed.
The entry is disabled (Run-):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
--- OR ---


If you are familiar with Regedit, take a look at the registry key and see what is there.

faico
2007-07-15, 04:19
Sorry about my English, I'm Spanish and my English level, like my computing level, isn't very good.

With "term" I wanted to say something like "subjects", meaning registry editing. Could you please help me delete the entry with regedit?



Regards

md usa spybot fan
2007-07-15, 14:55
faico:

Using Registry Editor, navigate to the following Registry Key, export and post the contents:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
Specific instructions:
Go into Start > Run… > type "regedit" (no quotes) > then click "OK".
Expand HKEY_LOCAL_MACHINE by clicking the + (plus sign) in front of it.
Expand HKEY_LOCAL_MACHINE\SOFTWARE by clicking the + (plus sign) in front of SOFTWARE.
Expand HKEY_CURRENT_USER\SOFTWARE\Microsoft by clicking the + (plus sign) in front of Microsoft.
Expand HKEY_CURRENT_USER\Software\Microsoft\Windows by clicking the + (plus sign) in front of Windows.
Expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion by clicking the + (plus sign) in front of CurrentVersion.
Click on Run- (actually HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-) to display the contents.
Export the registry key to a file:
Go to the File menu and select Export…
Remember the file name you used and where you saved the file.
Exit the Registry Editor.
Post the contents of the registry key: Using Windows Explorer, navigate to the file you just saved.
Right click on the file and select "Edit". The file should open with Notepad.
Right click on the listing and select "Select All".
Right click on the listing again and select "Copy". That will copy the content of the file into the Clipboard.
Exit Notepad.
Paste (Ctrl+V) the contents of the Clipboard to a new post in this thread.

faico
2007-07-15, 14:59
Hello, the problem is solved. I restarted the computer in safe mode, made a Registry Mechanic scan, fixed the registry entry and then erased the Spybot entry.
It seems to have disappeared.

As you said it was a wrong registry entry.


Thanks my friend
Bye!

faico
2007-07-15, 15:42
Hello again,
I must have done something wrong because now I can't open Internet Explorer.
It loads but the window closes very quick.

What do you suggest?

md usa spybot fan
2007-07-15, 18:07
If your Windows OS (ME, XP or Vista) has a system restore facility, do a system restore to a restore point prior to when you ran Registry Mechanic.

faico
2007-07-15, 20:32
Hello, I disabled system restore just before running Registry Mechanic. I did that because I read something about disabling system restore after fixing trojan problems. Now I know I did it wrong!

What can I do?

md usa spybot fan
2007-07-15, 21:56
If you took a Registry Mechanic backup use that. If not, I am not sure I can help.

I am not familiar with Registry Mechanic because I don't use it or any other registry cleanup tools (although I do know that you can take backups within Registry Mechanic before making changes).

If Registry Mechanic has a detailed log of exactly what was changed, post the log and possibly someone may be able to determine what happened.

On the other hand if Registry Mechanic does not have a detailed log of exactly what was changed, the only thing that I can suggest is that you attempt to uninstall and reinstall Windows Internet Explorer and if that fails you possibly may have to rebuild your entire system.

angieromero
2007-10-26, 15:12
Hello
Sorry to re-open this rather old thread, but I have this same kind of question, and I didn't think it appropriate to open a new thread as it is not exactly a "false positive" detected by SpybotSD. I hope it's ok.
Well, the thing is, I have in my system startup list this same blank entry with the agobot-ku comment warning, but moreover I have trojan/virus comments in some other entries, and I don't know if they fall in the "descriptions are not detections" category (since they are not blank entries but concrete files).
Here is what I mean. For example, in the entry

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 282624
MD5: 30e1f03dcc8825988528d9058312ede2

I receive the comments:

Filename: qttasks.exe
Description: _CoolWebSearch_ parasite variant
--
Filename: [random filename]
Description: _Trafficadvance_ dialer
On the entry


Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 25ecfa69af1563fde8dfd31f9954497a

I receive the warnings:


Filename: ctfmon32.exe
Description: CoolWebSearch _Ctfmon32_ parasite variant
--
Filename: ctfmon.exe
Description: Added by the _RAIDYS_ TROJAN! Note - this should not be confused with the valid Office XP file, see _here_
--
Filename: msupdate32.exe
Description: Spy Sheriff/SpywareNO malware, also detected as the _SPYHOAX-A_ TROJAN, pretends to be a spyware remover! - file names spotted sofar include VXH8JKDQ2.EXE, NS6281400.so, CVXH8JKDQ2.EXE, down3.exe, sefe.exe, winstall.exe, and tool2.exe


On the entry



Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
size: 83608
MD5: 9c1c80bbf8e6044980890e2d2d91091c

I receive the warnings


Filename: scvhost.exe
Description: Added by the _SDBOT-AVX_ WORM!
--
Filename: javamx.exe
Description: Added by the _SDBOT-WI_ WORM!

So, my question is, is none of these entries a detection? I have checked my PC with the SpybotSD up to date and it comes up clean. I also have scanned with avast, panda online, kaspersky online, bitdefender online, ewido online, and none of them has detected anything. I have not used Spysheriff as that comment for msupdate32 says. But, in spite of this, I have problems with my internet connection (maybe related to the svchost file?)

Well, if these entries are not dangerous, then I'll try to find another reason for my connection problems. If not, maybe I should post this on the Malware removal forum with a hjt log. What do you think?

Thanks in advance for your answer

md usa spybot fan
2007-10-26, 16:10
angieromero:

In each case you are only quoting a portion of the startup entry information. The following don't sound as bad do they?


Current filename: "C:\Program Files\QuickTime\qttask.exe" -atboottime

Database status: Typically not required
Value: QuickTime Task
Filename: Qttask.exe

Description
System Tray access to Apple's "Quick Time" viewer from version 5 onwards

Source: Paul Collins Startup list


Current filename: C:\WINDOWS\system32\ctfmon.exe

Database status: Necessity depends on users preferences
Value: ctfmon.exe
Filename: ctfmon.exe

Description
CTFMon is involved with the language/alternative input services in Office XP. Ctfmon.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see _here_. Ctfmon can be disabled from Control Panel, Text & Speech Services. Note - the file will always be located in the System32 folder, if it is located elsewhere it will likely be a worm or trojan! Can cause problems with some other programs if left enabled - see _here_ for such an example

Source: Paul Collins Startup list


Current filename: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

Database status: Typically not required
Value: SunJavaUpdateSched
Filename: jusched.exe

Description
Checks with Sun's Java updates site to see if newer Java versions are available. Visit _ http://java.sun.com_ or just run the Java Plug-In Control Panel

Source: Paul Collins Startup list
Typically your anti-virus would pick up the executable programs qttask.exe, ctfmon.exe and jusched.exe if they were the things you quoted.
___________________

ps: Check Sun Java version you are running. The latest is Java Runtime Environment (JRE) 6 Update 3. See:
SunJava JRE 6 Update 3 released
http://forums.spybot.info/showthread.php?t=18601

angieromero
2007-10-26, 16:56
Thanks very much md usa spybot fan for your quick response.
You are right, I only chose the specific sentences where they talked about the "infections", sorry if I should have posted all the complete comments. Here they are, in case they can be of any use:



Current filename: "C:\Program Files\QuickTime\qttask.exe" -atboottime

Database status: Typically not required
Value: QuickTime Task
Filename: Qttask.exe

Description
System Tray access to Apple's "Quick Time" viewer from version 5 onwards

Source: Paul Collins Startup list
____________________

Current filename: "C:\Program Files\QuickTime\qttask.exe" -atboottime

Database status: Not required - virus, spyware, malware or other resource hog
Value: QuickTime Task
Filename: qttasks.exe

Description
_CoolWebSearch_ parasite variant

Source: Paul Collins Startup list
____________________

Current filename: "C:\Program Files\QuickTime\qttask.exe" -atboottime

Database status: Not required - virus, spyware, malware or other resource hog
Value: QuickTime Task
Filename: [random filename]

Description
_Trafficadvance_ dialer

Source: Paul Collins Startup list
____________________




Current filename: C:\WINDOWS\system32\ctfmon.exe

Database status: Not required - virus, spyware, malware or other resource hog
Value: ctfmon.exe
Filename: ctfmon32.exe

Description
CoolWebSearch _Ctfmon32_ parasite variant

Source: Paul Collins Startup list
____________________

Current filename: C:\WINDOWS\system32\ctfmon.exe

Database status: Not required - virus, spyware, malware or other resource hog
Value: ctfmon.exe
Filename: ctfmon.exe

Description
Added by the _RAIDYS_ TROJAN! Note - this should not be confused with the valid Office XP file, see _here_

Source: Paul Collins Startup list
____________________

Current filename: C:\WINDOWS\system32\ctfmon.exe

Database status: Not required - virus, spyware, malware or other resource hog
Value: ctfmon.exe
Filename: msupdate32.exe

Description
Spy Sheriff/SpywareNO malware, also detected as the _SPYHOAX-A_ TROJAN, pretends to be a spyware remover! - file names spotted sofar include VXH8JKDQ2.EXE, NS6281400.so, CVXH8JKDQ2.EXE, down3.exe, sefe.exe, winstall.exe, and tool2.exe

Source: Paul Collins Startup list
____________________

Current filename: C:\WINDOWS\system32\ctfmon.exe

Database status: Necessity depends on users preferences
Value: ctfmon.exe
Filename: ctfmon.exe

Description
CTFMon is involved with the language/alternative input services in Office XP. Ctfmon.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see _here_. Ctfmon can be disabled from Control Panel, Text & Speech Services. Note - the file will always be located in the System32 folder, if it is located elsewhere it will likely be a worm or trojan! Can cause problems with some other programs if left enabled - see _here_ for such an example



Current filename: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

Database status: Typically not required
Value: SunJavaUpdateSched
Filename: jusched.exe

Description
Checks with Sun's Java updates site to see if newer Java versions are available. Visit _ http://java.sun.com_ or just run the Java Plug-In Control Panel

Source: Paul Collins Startup list
____________________

Current filename: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

Database status: Not required - virus, spyware, malware or other resource hog
Value: SunJavaUpdateSched
Filename: scvhost.exe

Description
Added by the _SDBOT-AVX_ WORM!

Source: Paul Collins Startup list
____________________

Current filename: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

Database status: Not required - virus, spyware, malware or other resource hog
Value: SunJavaUpdateSched
Filename: javamx.exe

Description
Added by the _SDBOT-WI_ WORM!

Source: Paul Collins Startup list
____________________



So, anyway, if I understand correctly, you say these comments from the startup list are not really dangerous, even if they talk about trojans, parasites or worms, and the antiviruses/antispyware I used would have detected it if there had been any infection on these files? Well, that's a relief, really :)
Thank you very much:)

Ps: I'll check the Java release, thanks

md usa spybot fan
2007-10-26, 18:25
angieromero:

Additional information:

The comments on startup entries are the known possibilities for the names of the entries. Since malware often attempts to mask itself as something innocent, the names of common startup entries, in this case QuickTime Task, ctfmon.exe and SunJavaUpdateSched, are often used by malware.

Spybot’s > Tools > System Startup does not analyze the startup entries so the comments are just that, comments. In other words Spybot is just presenting comments about possibilities for the startup entries by the names of QuickTime Task, ctfmon.exe and SunJavaUpdateSched. You must analyze the entry including the executable portion of the entry to determine if it is a legitimate entry or not:
QuickTime Task - "C:\Program Files\QuickTime\qttask.exe" -atboottime
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe
SunJavaUpdateSched - "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
In most cases either anti-virus or anti-malware scans would identify either the entries or the programs they are executing as a potential problem.

One of the primary purposes of Spybot's > Tools > System Startup is to see what is starting in the system and determine if that startup is required. A relatively good source for determining whether a startup entry is actually required or not is the Task List at AnswersThatWork:
AnswersThatWork - PC Tuning & Troubleshooting, HelpDesk, Computer Tips & Solutions
http://www.answersthatwork.com/
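As an added example (not from the thread, Spybot or the Paul Collins list), this Python script parses a Regedit export of the Run- key like the one the export procedure above produces and applies the distinction drawn in this post: the startup-list descriptions are keyed by value name, so only the executable actually named in the command line decides which description, if any, applies to the entry. The sample export, the startup-list subset, the function names and the System32 path check are constructed assumptions.

```python
import re
# Constructed sample of a Regedit export of the Run- key from the thread
# (Regedit writes UTF-16; same text). "@" is the blank value name that Spybot
# matched against the Agobot-KU list entry "" = system32.exe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
@=""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Constructed name-keyed subset of a startup list: value name -> (filename, description)
STARTUP_LIST = {
    "": [("system32.exe", "Added by the AGOBOT-KU WORM!")],
    "QuickTime Task": [("qttask.exe", "System Tray access to QuickTime"),
                       ("qttasks.exe", "CoolWebSearch parasite variant")],
    "ctfmon.exe": [("ctfmon.exe", "Office XP text services"),
                   ("ctfmon32.exe", "CoolWebSearch Ctfmon32 parasite variant")],
}

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)   # .reg escapes are \\ and \"

def parse_reg_values(text):
    """Return {value_name: string_data} for one exported key ("@" -> "")."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if not m:
            continue                    # header, key path or blank line
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        values[name] = data
    return values

def executable_of(command):
    """Program path from a Run command line: quoted path or first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]

def assess(values):
    """Per entry: the executable actually run, only the descriptions whose filename
    matches it (name-only matches are just comments), and the System32 location check."""
    result = {}
    for name, command in values.items():
        exe = executable_of(command)
        base = exe.rsplit("\\", 1)[-1].lower()
        hits = [d for f, d in STARTUP_LIST.get(name, []) if f.lower() == base]
        result[name] = {"exe": exe, "descriptions": hits,
                        "in_system32": exe.lower().startswith("c:\\windows\\system32\\")}
    return result
```

For the blank entry the command is empty, so nothing is executed and no description matches, which is the "bad registry entry, not a detection" conclusion reached earlier in the thread.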

angieromero
2007-10-26, 21:07
Thank you very much again!