i can't remove AGOBOT trojan

Discussion in 'adware, spyware & hijack cleaning' started by essex___, Jun 8, 2004.

Thread Status:
Not open for further replies.
  1. essex___

    essex___ Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    4
Hi! First I have to tell you that I have run Ad-Aware and Spybot (with the latest updates installed) and deleted all the problems they detected, but when I wanted to run HijackThis the program closed instantly, and the same thing happens with any antivirus program that I run, including NOD32 with the latest update installed. I could take a screenshot of what NOD told me: it said that the operating memory is infected with the AGOBOT trojan. The following programs are also closed by the virus when I open them: System Configuration Utility (Run\msconfig), Pascal, a Windows update for a trojan. I also tried to use two utilities (agobtgui and clnabot) made especially for removing AGOBOT, but one of them said I'm not infected with Agobot and the other said after the scan that it had removed Agobot, but after the restart I'm still infected. Please HELP!!!
     
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
We need a closer look at what's happening.
Please download HijackThis.
Copy it into its own folder, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
     
  3. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
If you cannot run HijackThis, try ASviewer.

Unzip it to a folder and then run it.
First enable it to show everything: click the main drop-down menu and enable "show services", "show drivers" and "show Active Setup components". Then press Ctrl+R to refresh the table and save it from the main menu. Post the ASviewer log here.
     
    Last edited: Jun 8, 2004
  4. essex___

    essex___ Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    4
PS: my Internet Explorer also opens by itself when I'm connected to the net and loads some strange web pages.

I tried the ASviewer and it worked fine. Here is the list (I'm sorry for the length):
    --------------------------------------------------------------------------
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for David Essex@ESSEX, 06-09-2004
    c:\autoexec.bat
    PATH %PATH%:D:\FOXPRO26;;
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\wininit.ini [rename]
    nul=C:\DOCUME~1\DAVIDE~1\LOCALS~1\Temp\DivSetup.exe
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    MARINE~1.SCR
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    MARINE~1.SCR
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tweak UI
    RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /install
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BluetoothAuthenticationAgent
    rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft System Checkup
    C:\WINDOWS\system32\wnetlogin.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NT Logging Service
    syslog32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Alcohol.exe Autorun
    C:\Program Files\#Utils\Alcohol 120\Alcohol.exe /startup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PowerMenu
    C:\WINDOWS\system32\powermenu.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
    C:\WINDOWS\system32\wserv32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nod32kui
    C:\Program Files\#Utils\Eset\nod32kui.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Restore
    C:\WINDOWS\system32\scrgrd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
    C:\WINDOWS\system32\lsas.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft System Checkup
    C:\WINDOWS\system32\wnetlogin.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update
    C:\WINDOWS\system32\wserv32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Restore
    C:\WINDOWS\system32\scrgrd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SYSTEM
    C:\WINDOWS\system32\lsas.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Norton SystemWorks
    C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
    C:\WINDOWS\system32\wserv32.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Restore
    C:\WINDOWS\system32\scrgrd.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
    C:\WINDOWS\system32\lsas.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
    C:\WINDOWS\system32\wserv32.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Restore
    C:\WINDOWS\system32\scrgrd.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
    C:\WINDOWS\system32\lsas.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job
    C:\Program Files\Norton SystemWorks\OBC.exe
    C:\WINDOWS\Tasks\Symantec Drmc.job
    C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
    C:\Documents and Settings\David Essex\Start Menu\Programs\Startup\Don't Forget.lnk
    C:\Program Files\#Utils\Don't Forget\dforget.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
    C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\Aspi32\
    C:\WINDOWS\System32\drivers\aspi32.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\C-DillaSrv\
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lfmf84nt\
    \??\C:\WINDOWS\System32\Lfmf84nt.sys
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\Network Client Monitor\
    C:\WINDOWS\system32\nvchost.exe
    HKLM\System\CurrentControlSet\Services\NOD32krn\
    C:\Program Files\#Utils\Eset\nod32krn.exe
    HKLM\System\CurrentControlSet\Services\PfModNT\
    \??\C:\WINDOWS\System32\PfModNT.sys
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Secdrv\
    C:\WINDOWS\System32\DRIVERS\secdrv.sys
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\SVKP\
    \??\C:\WINDOWS\System32\SVKP.sys
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    --------------------------------------------------------------------------
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
Using ASviewer:
Right-click these entries listed below and ONLY these entries, double-check to make sure, then make sure all browser and email windows are closed and select "delete registry entry".

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft System Checkup
    C:\WINDOWS\system32\wnetlogin.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NT Logging Service
    syslog32.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
    C:\WINDOWS\system32\wserv32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Restore
    C:\WINDOWS\system32\scrgrd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
    C:\WINDOWS\system32\lsas.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft System Checkup
    C:\WINDOWS\system32\wnetlogin.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update
    C:\WINDOWS\system32\wserv32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Restore
    C:\WINDOWS\system32\scrgrd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SYSTEM
    C:\WINDOWS\system32\lsas.exe

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
    C:\WINDOWS\system32\wserv32.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Restore
    C:\WINDOWS\system32\scrgrd.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
    C:\WINDOWS\system32\lsas.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
    C:\WINDOWS\system32\wserv32.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Restore
    C:\WINDOWS\system32\scrgrd.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
    C:\WINDOWS\system32\lsas.exe


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
Then, as some of the files or folders you need to delete may be hidden, do this:
Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply", then "OK".

Delete these files:

    C:\WINDOWS\system32\lsas.exe
    C:\WINDOWS\system32\wserv32.exe
    C:\WINDOWS\system32\scrgrd.exe
    C:\WINDOWS\system32\wnetlogin.exe
    C:\WINDOWS\system32\syslog32.exe

Then go to C:\Documents and Settings\USER NAME\Local Settings\Temp, select everything in that folder and delete it.

As XP will not let you delete files less than 24 hours old, as it thinks it might need them, please also do this:
While in the Temp folder, select View and select Details.
Then right-click a blank part and select "Arrange icons by", and select "Show in groups" and "Modified". That will give a list of all files in date order with today at the top of the page.
Select all the files/folders except the "today" ones and delete them all.

Also select EVERYTHING in C:\windows\temp except the Temporary Internet Files, Cookies and History folders and delete all that as well.

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

Then reboot normally and post a new HijackThis log to check what is left.
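The ASviewer report above pairs each autostart location with the command it launches. As an added example (not code from the thread, from DiamondCS or from any removal tool), the script below parses that report format and applies two heuristics that match what the reply is acting on: the same executable registered under several Run-type keys (HKLM Run, the Windows 9x-era RunServices key, HKCU and HKU\.Default, as wserv32.exe and lsas.exe are), and a file name one edit away from a protected NT system binary (lsas.exe against lsass.exe). The sample input is a constructed excerpt of the log posted above; the protected-name list, the edit-distance threshold and the minimum number of locations are assumptions to tune. The output is a list of entries for a second look, not a verdict: it will also surface nvchost.exe from the services list as one edit from svchost.exe, and it does not flag wnetlogin.exe's single-key twin syslog32.exe, which the reply removes on other grounds.

```python
"""Triage an ASviewer (DiamondCS Autostart Viewer) report for the kind of
persistence the thread is cleaning up. Added example; not code from the
thread, from DiamondCS or from any removal tool."""
import re
from collections import defaultdict

# NT system binaries that worms imitate with near-miss names (lsas.exe,
# lsasss.exe). Constructed list; extend it for your own environment.
PROTECTED = ("lsass.exe", "svchost.exe", "services.exe", "winlogon.exe",
             "csrss.exe", "smss.exe", "explorer.exe", "spoolsv.exe")

# Registry locations that launch an arbitrary command at boot or logon.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Services|Once)?\\", re.I)
# A report line is a *location* (not a command) when it is a registry path
# or one of the file-based locations ASviewer lists (ini/bat/nt/job/lnk).
LOCATION = re.compile(r"^(HK(LM|CU|CR|U)\\|[a-z]:\\.*\.(ini|bat|nt|job|lnk)\b)", re.I)

# Constructed excerpt of the ASviewer log posted in the thread.
SAMPLE = r"""
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report (constructed excerpt)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft System Checkup
C:\WINDOWS\system32\wnetlogin.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NT Logging Service
syslog32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
C:\WINDOWS\system32\wserv32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nod32kui
C:\Program Files\#Utils\Eset\nod32kui.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
C:\WINDOWS\system32\lsas.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft System Checkup
C:\WINDOWS\system32\wnetlogin.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update
C:\WINDOWS\system32\wserv32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SYSTEM
C:\WINDOWS\system32\lsas.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
C:\WINDOWS\system32\wserv32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
C:\WINDOWS\system32\lsas.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
C:\WINDOWS\system32\wserv32.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM
C:\WINDOWS\system32\lsas.exe
HKLM\System\CurrentControlSet\Services\Network Client Monitor\
C:\WINDOWS\system32\nvchost.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINDOWS\System32\lsass.exe
"""


def parse_report(text):
    """Return (location, command) pairs. ASviewer prints one location line
    followed by one or more command lines; header and separators are skipped."""
    entries, location = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("DiamondCS") or line.startswith("---"):
            continue
        if LOCATION.match(line):
            location = line
        elif location is not None:
            entries.append((location, line))
    return entries


def basename(command):
    """Lower-cased file name of the program a command launches."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path with spaces
        token = command[1:command.find('"', 1)]
    else:
        token = command.split()[0]
    return token.rsplit("\\", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance; one edit is enough to catch lsas.exe / lsasss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name, max_edits=1):
    """The protected binary this name imitates, or None if it is not a near miss."""
    for real in PROTECTED:
        if name != real and edit_distance(name, real) <= max_edits:
            return real
    return None


def triage(entries, min_locations=2):
    """[(location, command, reasons)] for entries worth a second look."""
    keys_by_exe = defaultdict(set)
    for location, command in entries:
        if RUN_KEY.search(location):
            keys_by_exe[basename(command)].add(location.rsplit("\\", 1)[0])
    findings = []
    for location, command in entries:
        name, reasons = basename(command), []
        if len(keys_by_exe.get(name, ())) >= min_locations:
            reasons.append(f"{name} is registered in {len(keys_by_exe[name])} autostart keys")
        real = lookalike(name)
        if real:
            reasons.append(f"{name} is one edit away from {real}")
        if reasons:
            findings.append((location, command, reasons))
    return findings


if __name__ == "__main__":
    for location, command, reasons in triage(parse_report(SAMPLE)):
        print(f"{location}\n    {command}\n    " + "; ".join(reasons))
```

Run it against a saved ASviewer report by replacing SAMPLE with the file contents; the multi-key rule is the one that generalizes best, because a worm that drops into RunServices on an NT-family system is writing a key the OS no longer reads, which legitimate XP software has no reason to do.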
     
  6. essex___

    essex___ Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    4
I did what you said, except that I couldn't find the file syslog32.exe. I can open HijackThis now, and in the System Configuration Utility these files were selected to start with Windows (lsas and scrgrd). This is the log:
    --------------------------------------------------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 23:52:37, on 09.06.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\system32\nvchost.exe
    C:\Program Files\#Utils\Eset\nod32krn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\#Utils\Alcohol 120\Alcohol.exe
    C:\Program Files\#Utils\Eset\nod32kui.exe
    C:\Program Files\#Utils\Don't Forget\dforget.exe
    C:\Program Files\#Utils\totalcmd\TOTALCMD.EXE
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://81.211.105.43/search.php?v=5
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://81.211.105.43/index.php?v=5
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\#Utils\Acrobat\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\justDo\Jd2002.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\#INTER~1\FLASHGET\jccatch.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\#INTER~1\FLASHGET\fgiebar.dll
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\#Utils\Alcohol 120\Alcohol.exe /startup
    O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\#Utils\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
    O4 - HKLM\..\Run: [SYSTEM] lsas.exe
    O4 - HKLM\..\RunServices: [SYSTEM] lsas.exe
    O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
    O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
    O4 - HKCU\..\Run: [SYSTEM] lsas.exe
    O4 - Startup: Don't Forget.lnk = C:\Program Files\#Utils\Don't Forget\dforget.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\#internet\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\#internet\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\#Utils\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\#Utils\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Flash Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Flash Catcher (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38014.6449884259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------------------------------
PS: can you tell me what the best program for protection against this is? If I always have the NOD32 monitor open, can I get infected again?
Can you tell me how I can delete the registry entries from the startup configuration utility? (Maybe by searching for them in regedit and deleting them?)

THANK YOU for your help!
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
Agobot gets on via various recently plugged security holes in Windows. Doing the updates mentioned below will go a long way to protecting you.

NOD should protect you if it's running, but many of these Agobot worms target antiviruses and shut them down.

A very useful application to help prevent this is RegProt from http://www.diamondcs.com.au/index.php?page=regprot. Download and install it, then allow only the known good applications you have running, and refuse any new ones unless you install something that needs to start up.

It will pop up and warn you if anything tries to write to the registry, like viruses or worms, and will allow you to prevent them doing their damage.

Now to continue cleaning up: you also appear to have a CWS hijacker showing in the log now.

Before you start, please unzip or move HijackThis to a separate folder. The program will make backups in the folder it's in.
These easily get lost in a Temp folder or in the root of C:, or get scattered all over the desktop, and we need to empty the temp folders to remove the hijackers.

Run HijackThis, tick these entries listed below and ONLY these entries, double-check to make sure, then make sure all browser and email windows are closed and press "Fix checked".

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://81.211.105.43/search.php?v=5
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://81.211.105.43/index.php?v=5

    O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
    O4 - HKLM\..\Run: [SYSTEM] lsas.exe
    O4 - HKLM\..\RunServices: [SYSTEM] lsas.exe
    O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
    O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
    O4 - HKCU\..\Run: [SYSTEM] lsas.exe

Then download CWShredder from http://www.thespykiller.co.uk and run it.
Close all browser windows, click on cwshredder.exe, then click "FIX" (not "Scan only") and let it do its thing.


Reboot after running CWShredder and as soon as possible follow this advice:
As CWS hijacks are normally installed via the ByteVerify exploit in the MS Java VM, just surfing a page with an infected applet can install it with no user participation. So once you've run the above, it is vital that you go here, click "Scan for updates" in the main frame, and download and install all CRITICAL updates recommended.

Then run NOD after making sure it is updated, and to be totally safe,

run an online antivirus check from at least one, and preferably two, of the following sites:
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/

Then post another HJT log to check, please.
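The reply above works from two parts of the HijackThis log: the R1 lines, whose search URLs point at a bare IP address rather than a host name, and the O4 lines for scrgrd.exe and lsas.exe, which survive in the registry after the files were deleted in safe mode. As an added example (not from the thread, not from HijackThis or its author), the script below parses a constructed excerpt of that log and reports three things: R0/R1 settings whose URL host is an IP literal, O4 entries whose target is not among the listed running processes (what is left to fix once the files are gone), and O4 entries under RunServices, a Windows 9x/ME key that NT-family Windows such as the XP SP1 in this log never process, so anything writing there is not an XP-aware installer. The line formats are taken from the log as posted; the "orphan" rule is a heuristic, and will also list one-shot entries such as nwiz.exe /install, which exit after running.

```python
"""Triage a HijackThis log: IP-literal browser settings, orphaned O4 entries
and RunServices entries on an NT-family system. Added example; not code from
the thread or from HijackThis."""
import ipaddress
import re
from urllib.parse import urlsplit

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<url>\S+)")
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.+)$")

# Constructed excerpt of the HijackThis log posted in the thread.
SAMPLE = r"""Logfile of HijackThis v1.97.7 (constructed excerpt)
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\#Utils\Eset\nod32kui.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://81.211.105.43/search.php?v=5
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://81.211.105.43/index.php?v=5
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\#Utils\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [SYSTEM] lsas.exe
O4 - HKLM\..\RunServices: [SYSTEM] lsas.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [SYSTEM] lsas.exe
"""


def parse_log(text):
    """Return (running process names, R0/R1 entries, O4 entries)."""
    running, browser, autostarts = set(), [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                     # section ends at the first blank line
            if not line:
                in_procs = False
            else:
                running.add(line.rsplit("\\", 1)[-1].lower())
            continue
        m = R_LINE.match(line)
        if m:
            browser.append((m["key"], m["value"].strip(), m["url"]))
            continue
        m = O4_LINE.match(line)
        if m:
            autostarts.append((m["hive"], m["key"], m["name"], m["command"]))
    return running, browser, autostarts


def target_basename(command):
    """Lower-cased file name of the program an O4 command launches."""
    command = command.strip()
    if command.startswith('"'):
        token = command[1:command.find('"', 1)]
    else:
        token = command.split()[0]
    return token.rsplit("\\", 1)[-1].lower()


def ip_literal_hosts(browser):
    """R0/R1 settings whose URL host is a bare IP address: no registrar, no
    DNS trail, the pattern of the hijacked search/start pages in the log."""
    hits = []
    for _key, value, url in browser:
        try:
            ipaddress.ip_address(urlsplit(url).hostname or "")
        except ValueError:
            continue
        hits.append((value, url))
    return hits


def orphaned_autostarts(running, autostarts):
    """O4 entries whose executable is not running. After the files were deleted
    in safe mode this is the persistence residue; one-shot installers such as
    nwiz.exe /install show up here too, so read the value name and path."""
    return [entry for entry in autostarts if target_basename(entry[3]) not in running]


def legacy_runservices(autostarts):
    """O4 entries under RunServices. NT-family Windows (NT/2000/XP) do not
    process that key; it only does anything on Windows 9x/ME."""
    return [entry for entry in autostarts if entry[1].lower() == "runservices"]


if __name__ == "__main__":
    running, browser, autostarts = parse_log(SAMPLE)
    for value, url in ip_literal_hosts(browser):
        print(f"IP-literal browser setting: {value} = {url}")
    for hive, key, name, command in orphaned_autostarts(running, autostarts):
        print(f"not running: {hive}\\..\\{key}: [{name}] {command}")
    for hive, key, name, command in legacy_runservices(autostarts):
        print(f"RunServices on NT: {hive}: [{name}] {command}")
```

The IP-literal test is the most portable of the three: a legitimate search provider or home page configured by the user or an OEM will use a host name, so an R0/R1 line whose host parses with ipaddress.ip_address deserves attention regardless of which hijacker family wrote it.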
     
  8. essex___

    essex___ Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    4
Some things happened in the meantime: a message appeared saying that my computer would restart in 50 seconds, and it informed me that it came from c:\windows\system32\lsasss.exe. After the restart I went into safe mode and deleted that file; after that I saw another file, lsass.exe, but that one I couldn't delete. Then I went to ASviewer and deleted all registry entries with lsass or lsas or lsasss, and then restarted. Then I remembered that I can use my antivirus NOD32, so I scanned the system and it found these files:
cool.exe - agobot.nae
wnetmgr.exe - agobot.3.ace
2905_uploader.exe - I don't know which worm
and I deleted them all.
     