UGOBOT-KU blank entry on system startup list??
Hello my friends,
My spybot startup program list shows a strange blank entry with this description:
"Added by the AGOBOT-KU WORM! Note: has a blank entry under the Startup Item/Name field"
I have a lot of updated antispyware and antivirus programs and no one have detected any trojan. The strange fact is that when I had Spysweeper installed (I dont have it anymore) it detected the blank startup entry too but it didn´t gave any description.
Could this blank entry be a false positive?
Regards!
It would be helpful if you posted the "strange blank entry" you are talking about. One way to do that is to right click on the listing a either do an "Export..." or "Copy to Clipboard". Edit the listing and post the entry you are questioning.
Getting an answer is one thing, learning is another.
Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
Hello, thanks for your answer, here is the entry but as I said it is blank
Located: HK_LM:Run, (DISABLED)
command:
file:
Do you need me to post the entire log?
It appears that you may have an invalid entry or a problem in the format of the entries in the following register key:
The description is probably being picked up because the entry appears to have a blank "ValueName" although the entry for Agobot-KU is usually "" = system32.exe.Code:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
Getting an answer is one thing, learning is another.
Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
Well I didnt wrote the entire description wich apears on the righte side of Spybot´s system startup window when I click the blank entry. Here it is:
Current filename:
Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: system32.exe
Description
Added by the AGOBOT-KU WORM! Note- has a blank entry under the Startup Item/Name field
Source: Paul Collins Startup list
What do you think?I fear that my computer is infected but I cant find the trojan. Could you help me?
Regards!
Last edited by faico; 2007-07-14 at 20:34.
I believe that it is just a bad entry in the registry. Please note that:
- The Current filename (Command line) is blank, so that the entry is not pointing to a file to be executed.
- The entry is disabled (Run-):
Code:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
If you are familiar with Regedit, take a look at the registry key and see what is there.
I'll repeat:
The descriptions associated with startup entries are not detections and in this case I believe the description is being presented because of an erroneous entry in the registry.Originally Posted by md usa spybot fan
Getting an answer is one thing, learning is another.
Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
Sorry but I am not very familiar with those terms. What should I do?
Thanks for your help my friend!
What terms?
Either ignore the entry since:
--- OR ---
Getting an answer is one thing, learning is another.
Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
Sorry about my english, Im spanish and my english level as my computering level isn´t very good.
With "term" I wanted to say something like "subjects" meaning reg editing. Could you please help me deleting the entry with regedit?
Regards
Last edited by faico; 2007-07-15 at 03:25.
faico:
Using Registry Editor, navigate to the following Registry Key, export and post the contents:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
Specific instructions:
- Go into Start > Run… > type "regedit" (no quotes) > then click "OK".
- Expand HKEY_LOCAL_MACHINE by clicking the + (plus sign) in front of it.
- Expand HKEY_LOCAL_MACHINE\SOFTWARE by clicking the + (plus sign) in front SOFTWARE.
- Expand HKEY_CURRENT_USER\ SOFTWARE\Microsoft by clicking the + (plus sign) in front Microsoft.
- Expand HKEY_CURRENT_USER\Software\Microsoft\Windows by clicking the + (plus sign) in front of Windows.
- Expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion by clicking the + (plus sign) in front of CurrentVersion.
- Click on Run- (actually HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-) to display the contents.
- Export the registry key to a file:
- Go to the File menu and select Export…
- Remember the file name you used and where you saved the file.
- Exit the Registry Editor.
Post the contents of the registry key:
- Using Windows Explorer, navigate to the file you just saved.
- Right click on the file and select "Edit". The file should open file with Notepad.
- Right click on the listing and select "Select All".
- Right click on the listing again and select "Copy". That will copy the content of the file into the Clipboard.
- Exit Notepad.
- Paste (Ctrl+V) the contents of the Clipboard to a new post in this thread.
Getting an answer is one thing, learning is another.
Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
Posting Permissions
Reply With Quote