
Dos_AGOBOT.HM Virus!!!!!!!!!!

Discussion in 'Virus & Other Malware Removal' started by samwalton, Apr 13, 2004.

Thread Status:
Not open for further replies.
  1. samwalton

    samwalton Guest Thread Starter

    Joined:
    Feb 26, 2004
    Messages:
    274
    OK, I have run Sophos, Norton and McAfee with all current updates and they do not find any virus. I did an online scan from HouseCall and it finds the following item, Dos_AGOBOT.HM, and the location is
    C:\WINNT\SYSTEM32\DRIVERS\ETC\HOSTS and it cannot clean it, so I have it delete the file.

    Then I boot in safe mode and delete the file again. I have run Ad-Aware, Spybot and HijackThis. HijackThis did find Netsnake on this system and I had it fix that.

    Have deleted trash, IE cookies and files.

    Still have this piece of crap. Any help from the pros?

    Thanks
     
  2. Grinler

    Grinler Malware Specialist

    Joined:
    Mar 10, 2004
    Messages:
    103
    DOS_AGOBOT is a byproduct of the actual virus WORM_AGOBOT.HM. You get this virus through a vulnerability found in Windows, so make sure you immediately update your Windows by going to

    http://www.windowsupdate.com

    This worm is what is creating that hosts file.

    You can find removal instructions here:

    Agobot.HM Removal Steps

    Follow these instructions. Reboot, download HijackThis from here:

    HijackThis

    Save it into its own directory. Make sure all Internet Explorer windows are closed and run the program. Click on Scan and have it save a log. A notepad window will open with the contents of the log. Paste those contents to a reply to this post.
     
  3. samwalton

    samwalton Guest Thread Starter

    Joined:
    Feb 26, 2004
    Messages:
    274
    Sorry, I should have told you that I have all Windows updates. Running 2000.

    None of the files that they listed were not in the regedit
     
  4. samwalton

    samwalton Guest Thread Starter

    Joined:
    Feb 26, 2004
    Messages:
    274
    Logfile of HijackThis v1.97.7
    Scan saved at 9:44:44 AM, on 4/13/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\atiptaxx.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINNT\system32\desk95.exe
    C:\WINNT\system32\smssv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\spyware tools\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
    O4 - HKLM\..\Run: [Audoi Device Loader] smssv.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\RunServices: [Audoi Device Loader] smssv.exe
    O4 - Startup: PERSONAL.xls
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38089.6178009259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  5. samwalton

    samwalton Guest Thread Starter

    Joined:
    Feb 26, 2004
    Messages:
    274
    When I run HijackThis or try running regedit, both are closed in about 20 seconds.
     
  6. Grinler

    Grinler Malware Specialist

    Joined:
    Mar 10, 2004
    Messages:
    103
    These three entries look strange. Looks like it could be a trojan/worm that was added as supposedly an Audio Device Loader, but they misspelled audio. I could be wrong though.

    Also, are you running an Excel sheet on purpose on startup? If not, you should fix the Startup: personal.xls.

    You can fix these:

    O4 - HKLM\..\Run: [Audoi Device Loader] smssv.exe
    O4 - HKLM\..\RunServices: [Audoi Device Loader] smssv.exe

    Only fix if you are not supposed to be opening an Excel spreadsheet:
    O4 - Startup: PERSONAL.xls

    Reboot and move these files to another directory until they are examined and it is determined that they do not cause any problems by not being loaded:

    c:\windows\smssv.exe
    or
    c:\windows\smssv.exe

    If you can, email this file to [email protected] so I can take a look at it.
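
    The check applied by eye in the post above (a startup entry whose file name is one letter off a Windows system process and which is registered under both Run and RunServices), as an added Python example that is not part of the original thread. The SYSTEM_NAMES list and the one-edit threshold are assumptions made for this illustration.

```python
import re

# Core Windows process names often imitated by malware (assumed short list).
SYSTEM_NAMES = ["smss.exe", "csrss.exe", "lsass.exe", "svchost.exe",
                "services.exe", "winlogon.exe", "spoolsv.exe", "explorer.exe"]
# O4 lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Audoi Device Loader] smssv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [Audoi Device Loader] smssv.exe
O4 - Startup: PERSONAL.xls
"""
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def edit_distance(a, b):
    """Plain Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(exe):
    """Return the system name that exe is exactly one edit away from, or None."""
    if exe in SYSTEM_NAMES:
        return None  # an exact name is not a lookalike
    return next((n for n in SYSTEM_NAMES if edit_distance(exe, n) == 1), None)

def review_o4(log_text):
    """Return {exe: sorted reasons} for registry autoruns worth a closer look."""
    seen, findings = {}, {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # "O4 - Startup: PERSONAL.xls" has no [name] field
        # First token of the command, stripped of any directory part.
        exe = m["cmd"].split()[0].rsplit("\\", 1)[-1].lower()
        seen.setdefault(exe, set()).add(m["key"])
        hit = lookalike(exe)
        if hit:
            findings.setdefault(exe, set()).add(f"resembles {hit}")
    for exe, keys in seen.items():
        if len(keys) > 1:  # same binary started from more than one autorun key
            findings.setdefault(exe, set()).add("autostarts from " + " and ".join(sorted(keys)))
    return {exe: sorted(reasons) for exe, reasons in findings.items()}
```

    A flagged name is a reason to examine the file, not a verdict; the name match says nothing about where the file sits on disk or what it does.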
     
  7. Grinler

    Grinler Malware Specialist

    Joined:
    Mar 10, 2004
    Messages:
    103
    Mickey,

    Please create a new post with this log. It is difficult to analyze two logs in the same topic.

    Thanks
     

Short URL to this thread: https://techguy.org/219986
