
Thread: UGOBOT-KU blank entry on system startup list??

  1. #11
    Junior Member
    Join Date
    Jul 2007
    Posts
    9


    Hello, problem is solved. I have restarted computer in safe mode. Made a Registry Mechanic scan. Fixed registry entry and then erased Spybot entry.
    It seems to have disappeared.

    As you said it was a wrong registry entry.


    Thanks my friend
    Bye!

  2. #12
    Junior Member
    Join Date
    Jul 2007
    Posts
    9


    Hello again,
    I must have done something wrong because now I can't open Internet Explorer.
    It loads but the window closes very quickly.

    What do you suggest?

  3. #13
    md usa spybot fan, Spybot Advisor Team [Retired]
    Join Date
    Oct 2005
    Posts
    5,859

    If your Windows OS (ME, XP or Vista) has a system restore facility, do a system restore to a restore point prior to when you ran Registry Mechanic.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  4. #14
    Junior Member
    Join Date
    Jul 2007
    Posts
    9


    Hello, I disabled system restore just before running Registry Mechanic. I did that because I read something about disabling system restore after fixing trojan problems. Now I know I did it wrong!

    What can I do?

  5. #15
    md usa spybot fan, Spybot Advisor Team [Retired]
    Join Date
    Oct 2005
    Posts
    5,859

    If you took a Registry Mechanic backup use that. If not, I am not sure I can help.

    I am not familiar with Registry Mechanic because I don't use it or any other registry cleanup tools (although I do know that you can take backups within Registry Mechanic before making changes).

    If Registry Mechanic has a detailed log of exactly what was changed, post the log and possibly someone may be able to determine what happened.

    On the other hand if Registry Mechanic does not have a detailed log of exactly what was changed, the only thing that I can suggest is that you attempt to uninstall and reinstall Windows Internet Explorer and if that fails you possibly may have to rebuild your entire system.


  6. #16
    Junior Member
    Join Date
    Oct 2007
    Posts
    3


    Hello
    Sorry to re-open this rather old thread, but I have this same kind of question, and I didn't think it appropriate to open a new thread as it is not exactly a "false positive" detected by SpybotSD. I hope it's OK.
    Well, the thing is, I have in my system startup list this same blank entry with the agobot-ku comment warning, but moreover I have trojan-virus comments in some other entries, and I don't know if they fall in the "descriptions are not detections" category (since they are not blank entries but concrete files).
    Here is what I mean. For example, in the entry
    Located: HK_LM:Run, QuickTime Task
    command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
    file: C:\Program Files\QuickTime\qttask.exe
    size: 282624
    MD5: 30e1f03dcc8825988528d9058312ede2
    I receive the comments:
    Filename: qttasks.exe
    Description: _CoolWebSearch_ parasite variant
    --
    Filename: [random filename]
    Description: _Trafficadvance_ dialer
    On the entry

    Located: HK_CU:Run, ctfmon.exe
    command: C:\WINDOWS\system32\ctfmon.exe
    file: C:\WINDOWS\system32\ctfmon.exe
    size: 15360
    MD5: 25ecfa69af1563fde8dfd31f9954497a
    I receive the warnings:

    Filename: ctfmon32.exe
    Description: CoolWebSearch _Ctfmon32_ parasite variant
    --
    Filename: ctfmon.exe
    Description: Added by the _RAIDYS_ TROJAN! Note - this should not be confused with the valid Office XP file, see _here_
    --
    Filename: msupdate32.exe
    Description: Spy Sheriff/SpywareNO malware, also detected as the _SPYHOAX-A_ TROJAN, pretends to be a spyware remover! - file names spotted sofar include VXH8JKDQ2.EXE, NS6281400.so, CVXH8JKDQ2.EXE, down3.exe, sefe.exe, winstall.exe, and tool2.exe

    On the entry


    Located: HK_LM:Run, SunJavaUpdateSched
    command: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    file: C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    size: 83608
    MD5: 9c1c80bbf8e6044980890e2d2d91091c
    I receive the warnings

    Filename: scvhost.exe
    Description: Added by the _SDBOT-AVX_ WORM!
    --
    Filename: javamx.exe
    Description: Added by the _SDBOT-WI_ WORM!
    So, my question is, is none of these entries a detection? I have checked my PC with the SpybotSD up to date and it comes up clean. I also have scanned with avast, panda online, kaspersky online, bitdefender online, ewido online, and none of them has detected anything. I have not used Spysheriff as that comment for msupdate32 says. But, in spite of this, I have problems with my internet connection (maybe related to the svchost file?)

    Well, if these entries are not dangerous, then I'll try to find another reason for my connection problems. If not, maybe I should post this on the Malware removal forum with a hjt log. What do you think?

    Thanks in advance for your answer
    Last edited by angieromero; 2007-10-26 at 14:16.

  7. #17
    md usa spybot fan, Spybot Advisor Team [Retired]
    Join Date
    Oct 2005
    Posts
    5,859

    angieromero:

    In each case you are only quoting a portion of the startup entry information. The following don't sound as bad do they?

    Current filename: "C:\Program Files\QuickTime\qttask.exe" -atboottime

    Database status: Typically not required
    Value: QuickTime Task
    Filename: Qttask.exe

    Description
    System Tray access to Apple's "Quick Time" viewer from version 5 onwards

    Source: Paul Collins Startup list

    Current filename: C:\WINDOWS\system32\ctfmon.exe

    Database status: Necessity depends on users preferences
    Value: ctfmon.exe
    Filename: ctfmon.exe

    Description
    CTFMon is involved with the language/alternative input services in Office XP. Ctfmon.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see _here_. Ctfmon can be disabled from Control Panel, Text & Speech Services. Note - the file will always be located in the System32 folder, if it is located elsewhere it will likely be a worm or trojan! Can cause problems with some other programs if left enabled - see _here_ for such an example

    Source: Paul Collins Startup list

    Current filename: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    Database status: Typically not required
    Value: SunJavaUpdateSched
    Filename: jusched.exe

    Description
    Checks with Sun's Java updates site to see if newer Java versions are available. Visit _ http://java.sun.com_ or just run the Java Plug-In Control Panel

    Source: Paul Collins Startup list

    Typically your anti-virus would pick up the executable programs qttask.exe, ctfmon.exe and jusched.exe if they were the things you quoted.
    ___________________

    ps: Check Sun Java version you are running. The latest is Java Runtime Environment (JRE) 6 Update 3. See:


  8. #18
    Junior Member
    Join Date
    Oct 2007
    Posts
    3


    Thanks very much md usa spybot fan for your quick response.
    You are right, I only chose the specific sentences where they talked about the "infections", sorry if I should have posted all the complete comments. Here they are, in case they can be of any use:


    Current filename: "C:\Program Files\QuickTime\qttask.exe" -atboottime

    Database status: Typically not required
    Value: QuickTime Task
    Filename: Qttask.exe

    Description
    System Tray access to Apple's "Quick Time" viewer from version 5 onwards

    Source: Paul Collins Startup list
    ____________________

    Current filename: "C:\Program Files\QuickTime\qttask.exe" -atboottime

    Database status: Not required - virus, spyware, malware or other resource hog
    Value: QuickTime Task
    Filename: qttasks.exe

    Description
    _CoolWebSearch_ parasite variant

    Source: Paul Collins Startup list
    ____________________

    Current filename: "C:\Program Files\QuickTime\qttask.exe" -atboottime

    Database status: Not required - virus, spyware, malware or other resource hog
    Value: QuickTime Task
    Filename: [random filename]

    Description
    _Trafficadvance_ dialer

    Source: Paul Collins Startup list
    ____________________


    Current filename: C:\WINDOWS\system32\ctfmon.exe

    Database status: Not required - virus, spyware, malware or other resource hog
    Value: ctfmon.exe
    Filename: ctfmon32.exe

    Description
    CoolWebSearch _Ctfmon32_ parasite variant

    Source: Paul Collins Startup list
    ____________________

    Current filename: C:\WINDOWS\system32\ctfmon.exe

    Database status: Not required - virus, spyware, malware or other resource hog
    Value: ctfmon.exe
    Filename: ctfmon.exe

    Description
    Added by the _RAIDYS_ TROJAN! Note - this should not be confused with the valid Office XP file, see _here_

    Source: Paul Collins Startup list
    ____________________

    Current filename: C:\WINDOWS\system32\ctfmon.exe

    Database status: Not required - virus, spyware, malware or other resource hog
    Value: ctfmon.exe
    Filename: msupdate32.exe

    Description
    Spy Sheriff/SpywareNO malware, also detected as the _SPYHOAX-A_ TROJAN, pretends to be a spyware remover! - file names spotted sofar include VXH8JKDQ2.EXE, NS6281400.so, CVXH8JKDQ2.EXE, down3.exe, sefe.exe, winstall.exe, and tool2.exe

    Source: Paul Collins Startup list
    ____________________

    Current filename: C:\WINDOWS\system32\ctfmon.exe

    Database status: Necessity depends on users preferences
    Value: ctfmon.exe
    Filename: ctfmon.exe

    Description
    CTFMon is involved with the language/alternative input services in Office XP. Ctfmon.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see _here_. Ctfmon can be disabled from Control Panel, Text & Speech Services. Note - the file will always be located in the System32 folder, if it is located elsewhere it will likely be a worm or trojan! Can cause problems with some other programs if left enabled - see _here_ for such an example

    Current filename: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    Database status: Typically not required
    Value: SunJavaUpdateSched
    Filename: jusched.exe

    Description
    Checks with Sun's Java updates site to see if newer Java versions are available. Visit _ http://java.sun.com_ or just run the Java Plug-In Control Panel

    Source: Paul Collins Startup list
    ____________________

    Current filename: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    Database status: Not required - virus, spyware, malware or other resource hog
    Value: SunJavaUpdateSched
    Filename: scvhost.exe

    Description
    Added by the _SDBOT-AVX_ WORM!

    Source: Paul Collins Startup list
    ____________________

    Current filename: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    Database status: Not required - virus, spyware, malware or other resource hog
    Value: SunJavaUpdateSched
    Filename: javamx.exe

    Description
    Added by the _SDBOT-WI_ WORM!

    Source: Paul Collins Startup list
    ____________________


    So, anyway, if I understand correctly, you say these comments from the startup list are not really dangerous, even if they talk about trojans, parasites or worms, and the antiviruses/antispyware I used would have detected it if there had been any infection on these files? Well, that's a relief, really.
    Thank you very much

    Ps: I'll check the Java release, thanks

  9. #19
    md usa spybot fan, Spybot Advisor Team [Retired]
    Join Date
    Oct 2005
    Posts
    5,859

    angieromero:

    Additional information:

    The comments on startup entries are the known possibilities for the names of the entries. Since malware often attempts to mask itself as something innocent, the names of common startup entries, in this case QuickTime Task, ctfmon.exe and SunJavaUpdateSched, are often used by malware.

    Spybot’s > Tools > System Startup does not analyze the startup entries so the comments are just that, comments. In other words Spybot is just presenting comments about possibilities for the startup entries by the names of QuickTime Task, ctfmon.exe and SunJavaUpdateSched. You must analyze the entry including the executable portion of the entry to determine if it is a legitimate entry or not:
    • QuickTime Task - "C:\Program Files\QuickTime\qttask.exe" -atboottime
    • ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe
    • SunJavaUpdateSched - "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    In most cases either anti-virus or anti-malware scans would identify either the entries or the programs they are executing as a potential problem.

    One of the primary purposes of Spybot’s > Tools > System Startup is to see what is starting in the system and determine if that startup is required. A relatively good source for determining whether a startup entry is actually required or not is the Task List at AnswersThatWork:


  10. #20
    Junior Member
    Join Date
    Oct 2007
    Posts
    3


    Thank you very much again!
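
The check described in post #19 (match the database comments against the executable actually referenced by the startup entry, not just the entry name), sketched as an added example that is not part of the thread or of Spybot's own code. The function names and the third report record (a `ctfmon.exe` in a Temp folder) are assumptions made for illustration; the result is a triage hint and does not replace an anti-virus scan.

```python
import ntpath

# Constructed sample in the report layout quoted in post #16; the third
# record (Temp folder) is hypothetical, added to show the flagged case.
REPORT = r'''
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
Located: HK_CU:Run, ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
Located: HK_CU:Run, ctfmon.exe
file: C:\WINDOWS\Temp\ctfmon.exe
'''

# Database comments from the thread: (value name, filename, malware comment?).
COMMENTS = [
    ("QuickTime Task", "Qttask.exe", False),
    ("QuickTime Task", "qttasks.exe", True),
    ("QuickTime Task", "[random filename]", True),  # cannot be matched by name
    ("ctfmon.exe", "ctfmon32.exe", True),
    ("ctfmon.exe", "ctfmon.exe", True),              # RAIDYS trojan comment
    ("ctfmon.exe", "msupdate32.exe", True),
    ("ctfmon.exe", "ctfmon.exe", False),             # Office XP text services
]
# Per the ctfmon description, the legitimate file is always in System32.
EXPECTED_DIR = {"ctfmon.exe": r"c:\windows\system32"}

def parse_report(text):
    """Return (value_name, file_path) for each 'Located:' record."""
    entries, value = [], None
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        if key == "Located":
            value = rest.split(",", 1)[1].strip()
        elif key == "file" and value:
            entries.append((value, rest.strip()))
    return entries

def triage(value, path):
    """Keep only comments whose filename equals the entry's real executable."""
    folder, base = ntpath.split(path.lower())
    hits = [mal for v, f, mal in COMMENTS if v == value and f.lower() == base]
    if not hits:
        return "unlisted filename: investigate"
    if all(hits):
        return "filename matches only malware comments"
    if EXPECTED_DIR.get(base, folder) != folder:
        return "legitimate name in unexpected folder"
    return "matches benign record: confirm with a scan"
```

Run over the sample, `[triage(v, p) for v, p in parse_report(REPORT)]` shows why most of the alarming comments in post #16 drop out: they describe other filenames that merely share the entry name.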
