i can't remove AGOBOT trojan
essex___
June 8th, 2004, 04:32 PM
Hi! First I have to tell you that I have run adware and spybot (with the ultimate updates installed) and deleted all the problems they detected, but when I wanted to run Hijackthis the program closes instantly, and the same thing happens with any antivirus program that I run, including NOD32 with the latest update installed. I could take a screenshot of what NOD told me and it said that the operating memory is infected with AGOBOT trojan. The following programs are also closed by the virus when I open them: System Config Utility (under Run\msconfig), Pascal, a win update for a trojan. I also tried to use 2 utilities (agobtgui and clnabot) especially for removing AGOBOT but one of them said I'm not infected with agobot, the other said after the scan that it removed agobot, but after the restart I'm still infected. Please HELP!!!
dave38
June 8th, 2004, 05:09 PM
We need a closer look at what's happening.
Please download Hijack this (http://www.spywareinfo.com/downloads/tools/HijackThis.exe)
Copy it into its own folder, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
illukka
June 8th, 2004, 05:31 PM
If you cannot run HijackThis, try asviewer (http://www.diamondcs.com.au/downloads/asviewer.zip).
Unzip it to a folder and then run it.
First enable it to show everything: click the main dropdown menu and enable show service, show drivers and show active setup components. Then press Ctrl+R to refresh the table and save it from the main menu. Post the asviewer log here.
essex___
June 9th, 2004, 02:03 PM
PS: my Internet Explorer also opens by itself when I'm connected to the net and loads some strange web pages.
I tried the asviewer and it worked fine, here is the list (I'm sorry for the length):
--------------------------------------------------------------------------
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for David Essex@ESSEX, 06-09-2004
c:\autoexec.bat
PATH %PATH%;D:\FOXPRO26;;
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\wininit.ini [rename]
nul=C:\DOCUME~1\DAVIDE~1\LOCALS~1\Temp\DivSetup.exe
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
MARINE~1.SCR
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
MARINE~1.SCR
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tweak UI
RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
nwiz.exe /install
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BluetoothAuthenticationAgent
rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft System Checkup
C:\WINDOWS\system32\wnetlogin.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NT Logging Service
syslog32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Alcohol.exe Autorun
C:\Program Files\#Utils\Alcohol 120\Alcohol.exe /startup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PowerMenu
C:\WINDOWS\system32\powermenu.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
C:\WINDOWS\system32\wserv32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nod32kui
C:\Program Files\#Utils\Eset\nod32kui.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Restore
C:\WINDOWS\system32\scrgrd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
C:\WINDOWS\system32\lsas.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft System Checkup
C:\WINDOWS\system32\wnetlogin.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update
C:\WINDOWS\system32\wserv32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Restore
C:\WINDOWS\system32\scrgrd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SYSTEM
C:\WINDOWS\system32\lsas.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Norton SystemWorks
C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
C:\WINDOWS\system32\wserv32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Restore
C:\WINDOWS\system32\scrgrd.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
C:\WINDOWS\system32\lsas.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
C:\WINDOWS\system32\wserv32.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Restore
C:\WINDOWS\system32\scrgrd.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
C:\WINDOWS\system32\lsas.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job
C:\Program Files\Norton SystemWorks\OBC.exe
C:\WINDOWS\Tasks\Symantec Drmc.job
C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
C:\Documents and Settings\David Essex\Start Menu\Programs\Startup\Don't Forget.lnk
C:\Program Files\#Utils\Don't Forget\dforget.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
C:\WINDOWS\inf\unregmp2.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
regsvr32.exe /s /n /i:U shell32.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
C:\WINDOWS\system32\ie4uinit.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINDOWS\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\Aspi32\
C:\WINDOWS\System32\drivers\aspi32.sys
HKLM\System\CurrentControlSet\Services\AudioSrv\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Browser\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\C-DillaSrv\
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
HKLM\System\CurrentControlSet\Services\CryptSvc\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\dmserver\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINDOWS\System32\svchost.exe -k NetworkService
HKLM\System\CurrentControlSet\Services\ERSvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\helpsvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanserver\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lfmf84nt\
\??\C:\WINDOWS\System32\Lfmf84nt.sys
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\Network Client Monitor\
C:\WINDOWS\system32\nvchost.exe
HKLM\System\CurrentControlSet\Services\NOD32krn\
C:\Program Files\#Utils\Eset\nod32krn.exe
HKLM\System\CurrentControlSet\Services\PfModNT\
\??\C:\WINDOWS\System32\PfModNT.sys
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINDOWS\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Secdrv\
C:\WINDOWS\System32\DRIVERS\secdrv.sys
HKLM\System\CurrentControlSet\Services\seclogon\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ShellHWDetection\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINDOWS\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\srservice\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\stisvc\
C:\WINDOWS\System32\svchost.exe -k imgsvc
HKLM\System\CurrentControlSet\Services\SVKP\
\??\C:\WINDOWS\System32\SVKP.sys
HKLM\System\CurrentControlSet\Services\Themes\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\TrkWks\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\uploadmgr\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\W32Time\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WebClient\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\winmgmt\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\wuauserv\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WZCSVC\
C:\WINDOWS\System32\svchost.exe -k netsvcs
--------------------------------------------------------------------------
dvk01
June 9th, 2004, 03:26 PM
Using ASviewer
right click these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and select delete registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft System Checkup
C:\WINDOWS\system32\wnetlogin.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NT Logging Service
syslog32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
C:\WINDOWS\system32\wserv32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Restore
C:\WINDOWS\system32\scrgrd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
C:\WINDOWS\system32\lsas.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft System Checkup
C:\WINDOWS\system32\wnetlogin.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update
C:\WINDOWS\system32\wserv32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Restore
C:\WINDOWS\system32\scrgrd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SYSTEM
C:\WINDOWS\system32\lsas.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
C:\WINDOWS\system32\wserv32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Restore
C:\WINDOWS\system32\scrgrd.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
C:\WINDOWS\system32\lsas.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
C:\WINDOWS\system32\wserv32.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Restore
C:\WINDOWS\system32\scrgrd.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
C:\WINDOWS\system32\lsas.exe
Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
Delete these files
C:\WINDOWS\system32\lsas.exe
C:\WINDOWS\system32\wserv32.exe
C:\WINDOWS\system32\scrgrd.exe
C:\WINDOWS\system32\wnetlogin.exe
C:\WINDOWS\system32\syslog32.exe
then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it
As XP will not let you delete files less than 24 hours old, as it thinks it might need them, please also do this:
while in the temp folder, select view and select details.
then right click a blank part and select arrange icons by, and select show in groups and modified, that will give a list of all files in date order with today at the top of the page.
select all the files/folders except the today ones and delete them all.
and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well
1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive
then
Reboot normally &
then post a new hijackthis log to check what is left
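As an added triage example (not part of this thread, and not code from ASviewer or any removal tool), the script below parses the key/command layout of the ASviewer report posted above and flags the two patterns visible in the entries dvk01 lists: an executable whose name is one character off a genuine Windows binary (lsas.exe beside the real lsass.exe), and one command registered under several autostart keys at once (HKLM Run and RunServices, HKCU Run, HKU\.Default Run). The sample report excerpt and the list of known binaries are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt in the ASviewer report layout posted above: a registry key
# line followed by the command(s) registered under it; values mirror the thread.
SAMPLE_REPORT = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
C:\WINDOWS\system32\lsas.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SYSTEM
C:\WINDOWS\system32\lsas.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
C:\WINDOWS\system32\lsas.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
C:\WINDOWS\system32\lsas.exe
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINDOWS\system32\lsass.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
C:\WINDOWS\system32\wserv32.exe
"""

KEY_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU)\\", re.IGNORECASE)
AUTOSTART_RE = re.compile(r"\\CurrentVersion\\(Run|RunServices|RunOnce)\\", re.IGNORECASE)
EXE_RE = re.compile(r"([\w.-]+\.exe)", re.IGNORECASE)
# Genuine system binaries that worms imitate by name (illustrative list, not exhaustive).
KNOWN_BINARIES = {"lsass.exe", "svchost.exe", "services.exe", "winlogon.exe",
                  "explorer.exe", "csrss.exe", "smss.exe", "spoolsv.exe"}


def parse_report(text):
    """Return (key, command) pairs; one key line may own several command lines."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if KEY_RE.match(line):
            key = line
        elif key is not None:
            entries.append((key, line))
    return entries


def edit_distance(a, b):
    """Levenshtein distance, enough to catch lsas.exe / lsasss.exe next to lsass.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(entries):
    """Map each executable one edit away from a known binary to the name it imitates."""
    hits = {}
    for _key, cmd in entries:
        m = EXE_RE.search(cmd)
        name = m.group(1).lower() if m else None
        if not name or name in KNOWN_BINARIES:
            continue
        for known in KNOWN_BINARIES:
            if edit_distance(name, known) == 1:
                hits[name] = known
    return hits


def replicated(entries, min_keys=3):
    """Commands registered under several autostart keys at once (worm-style persistence)."""
    where = defaultdict(set)
    for key, cmd in entries:
        if AUTOSTART_RE.search(key):
            where[cmd.lower()].add(key.lower())
    return {cmd: sorted(keys) for cmd, keys in where.items() if len(keys) >= min_keys}
```

Run over the full report, both checks single out the lsas.exe entries; the wserv32.exe, scrgrd.exe and wnetlogin.exe entries only show up under the replication check, which is why a name-based heuristic alone is not enough.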
essex___
June 9th, 2004, 05:00 PM
I did what you said, except that I couldn't find the file syslog32.exe. I could open HijackThis now and the startup configuration utility, and these files were selected to start with Windows (lsas and scrgrd). This is the log:
--------------------------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 23:52:37, on 09.06.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\nvchost.exe
C:\Program Files\#Utils\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\#Utils\Alcohol 120\Alcohol.exe
C:\Program Files\#Utils\Eset\nod32kui.exe
C:\Program Files\#Utils\Don't Forget\dforget.exe
C:\Program Files\#Utils\totalcmd\TOTALCMD.EXE
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://81.211.105.43/search.php?v=5
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://81.211.105.43/index.php?v=5
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\#Utils\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\justDo\Jd2002.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\#INTER~1\FLASHGET\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\#INTER~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\#Utils\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\#Utils\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [SYSTEM] lsas.exe
O4 - HKLM\..\RunServices: [SYSTEM] lsas.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [SYSTEM] lsas.exe
O4 - Startup: Don't Forget.lnk = C:\Program Files\#Utils\Don't Forget\dforget.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\#internet\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\#internet\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\#Utils\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\#Utils\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Flash Catcher (HKLM)
O9 - Extra 'Tools' menuitem: Flash Catcher (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38014.6449884259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------------------------------
PS: can you tell me what is the best program for protection against this? If I have the NOD32 monitor always open, can I get infected again?
Can you tell me how I can delete the registry entries from the startup configuration utility? (maybe searching for them in regedit and deleting them?)
THANK YOU for your help!
dvk01
June 9th, 2004, 05:13 PM
Agobot gets on via various recently plugged security holes in windows. Doing the updates mentioned below will go a long way to protecting you,
Nod should protect you if it's running, but many of these agobot worms target antiviruses and shut them down.
a very useful application to help prevent this is regprot from http://www.diamondcs.com.au/index.php?page=regprot download and install it, then allow only the known good applications you have running, then any new ones refuse unless you install anything that needs to start up
it will pop up and warn you if anything tries to write to the registry like viruses or worms and will allow you to prevent them doing their damage
now to continue cleaning up, you also appear to have a cws hijacker showing in the log now
Before you start, please unzip or move HijackThis to a separate folder. The program will make backups in the folder it's in.
These easily get lost in a Temp folder or in the root of C: or get scattered all over the desktop and we need to empty the temp folders to remove the hijackers
Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://81.211.105.43/search.php?v=5
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://81.211.105.43/index.php?v=5
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [SYSTEM] lsas.exe
O4 - HKLM\..\RunServices: [SYSTEM] lsas.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [SYSTEM] lsas.exe
then
download CWshredder from http://www.thespykiller.co.uk then Run it
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.
Reboot After running cwshredder and as soon as possible follow this advice:
Now as CWS Hijacks are normally installed via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here (http://v4.windowsupdate.microsoft.com/en/default.asp), click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.
then
run NOD after making sure it is updated and to be totally safe
Run an online antivirus check from at least one and preferably 2 of the following sites
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www3.ca.com/virusinfo/
then post another hjt log to check please
essex___
June 9th, 2004, 05:40 PM
Some things happened in the meantime: a message appeared and said that my computer will restart in 50 sec and informed me that it came from c:\windows\system32\lsasss.exe. After the restart I went to safe mode and deleted that file; after that I saw another file, lsass.exe, but that one I couldn't delete. Then I went to asviewer and deleted all registry entries with lsass or lsas or lsasss and then restarted. Then I remembered that I can use my antivirus NOD32, so I scanned the system and found these files:
cool.exe - agobot.nae
wnetmgr.exe - agobot.3.ace
2905_uploader.exe - I don't know what worm
and I deleted them all.