Dos_AGOBOT.HM Virus!!!!!!!!!!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

samwalton

Thread Starter
Guest
Joined
Feb 26, 2004
Messages
274
OK, I have run Sophos, Norton, and McAfee with all current updates and they do not find any virus. I did an online scan from HouseCall and it finds the following item, Dos_AGOBOT.HM, and the location is C:\WINNT\SYSTEM32\DRIVERS\ETC\HOSTS, and it cannot clean it, so I have it delete the file.

Then I boot in safe mode and delete the file again. I have run Ad-Aware, Spybot, and HijackThis. HijackThis did find Netsnake on this system and I had it fix that.

Have deleted trash, IE cookies and files.

Still have this piece of crap. Any help from the pros?

Thanks
 

Grinler

Malware Specialist
Joined
Mar 10, 2004
Messages
103
DOS_AGOBOT is a byproduct of the actual virus, WORM_AGOBOT.HM. You get this virus through a vulnerability found in Windows, so make sure you immediately update your Windows by going to

http://www.windowsupdate.com

This worm is what is creating that hosts file.

You can find removal instructions here:

Agobot.HM Removal Steps

Follow these instructions. Reboot, download HijackThis from here:

HijackThis

Save it into its own directory. Make sure all Internet Explorer windows are closed and run the program. Click on Scan and have it save a log. A notepad window will open with the contents of the log. Paste those contents to a reply to this post.
 

samwalton

Thread Starter
Guest
Joined
Feb 26, 2004
Messages
274
Sorry, I should have told you that I have all Windows updates. Running 2000.

None of the files that they listed were not in the regedit
 

samwalton

Thread Starter
Guest
Joined
Feb 26, 2004
Messages
274
Logfile of HijackThis v1.97.7
Scan saved at 9:44:44 AM, on 4/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\system32\desk95.exe
C:\WINNT\system32\smssv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\spyware tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [Audoi Device Loader] smssv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [Audoi Device Loader] smssv.exe
O4 - Startup: PERSONAL.xls
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38089.6178009259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

samwalton

Thread Starter
Guest
Joined
Feb 26, 2004
Messages
274
When I run HijackThis or try running regedit, both are closed in about 20 seconds.
 

Grinler

Malware Specialist
Joined
Mar 10, 2004
Messages
103
These three entries look strange. Looks like it could be a trojan/worm that was added as supposedly an Audio Device Loader, but they misspelled audio. I could be wrong though.

Also are you running an excel sheet on purpose on startup? If not you should fix the Startup: personal.xls.

You can fix these:

O4 - HKLM\..\Run: [Audoi Device Loader] smssv.exe
O4 - HKLM\..\RunServices: [Audoi Device Loader] smssv.exe

Only fix if you are not supposed to be opening an Excel spreadsheet
O4 - Startup: PERSONAL.xls

Reboot and move these files to another directory until they are examined, to determine that they do not cause any problems by not being loaded:

c:\windows\smssv.exe
or
c:\windows\smssv.exe

If you can email this file to [email protected] so I can take a look at it.
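
The check made in the reply above (an autorun entry whose file name imitates a genuine Windows component) can be run over the O4 lines of a HijackThis log. This is an added example, not part of the original thread or of HijackThis; the allow-list, the 0.85 similarity threshold and the function names are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# O4 autorun lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Audoi Device Loader] smssv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [Audoi Device Loader] smssv.exe
O4 - Startup: PERSONAL.xls
"""

# Assumption: a small allow-list of genuine system binaries, taken from the
# "Running processes" section of the same log.
SYSTEM_BINARIES = ("smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "explorer.exe")

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
EXE_RE = re.compile(r'([^\\\s"]+\.exe)', re.IGNORECASE)

def executable_name(command):
    """Lower-cased file name of the program an autorun command starts."""
    m = EXE_RE.search(command)
    return (m.group(1) if m else command.split()[0]).lower()

def resembles_system_binary(exe, threshold=0.85):
    """Return the system binary that exe nearly matches but is not, else None."""
    if exe in SYSTEM_BINARIES:
        return None
    for known in SYSTEM_BINARIES:
        if SequenceMatcher(None, exe, known).ratio() >= threshold:
            return known
    return None

def flag_lookalikes(log_text):
    """Group registry autorun entries whose program imitates a system binary."""
    findings = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # Startup-folder items and non-O4 lines are skipped
        _hive, key, value_name, command = m.groups()
        exe = executable_name(command)
        target = resembles_system_binary(exe)
        if target:
            entry = findings.setdefault(exe, {"exe": exe, "resembles": target,
                                              "value_name": value_name, "keys": []})
            entry["keys"].append(key)
    return list(findings.values())
```

A hit is only a prompt to examine the file, as the reply above says; a near-match name on its own does not prove the file is malicious.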
 

Grinler

Malware Specialist
Joined
Mar 10, 2004
Messages
103
Mickey,

Please create a new post with this log. It is difficult to analyze two logs in the same topic.

Thanks
 