Spyware, Viruses, & Security forum

General discussion

AGOBOT worm infestation

by Pat S / May 6, 2004 12:07 AM PDT

First, a thanks to Darren for his advice on removing the Sasser worm. My computer was infected with six different viri. Five have been removed successfully. One stubborn one remains: "Agobot.14.AX". AVG finds it and attempts to move it to the vault but the move fails. Message says System32/soundcontrol.exe cannot be moved. I ran the Trend Micro fix program which took an incredibly long time but failed to remove it. Any suggestions? Also, how do I determine if my XP firewall is active? Thanks in advance. These forums are lifeboats in a sea of nasties :)

Re:AGOBOT worm infestation
by Marianna Schmudlach / May 6, 2004 12:27 AM PDT

Patrick,

Run Ad-aware and Spybot S&D!

Download Ad-aware from here: http://www.lavasoftusa.com/software/adaware
Install by double-clicking on the downloaded file.
After installing but before running, update Ad-aware by using its Globe icon.
After updating, shutdown and restart Ad-aware.
Ad-aware is ready to scan and clean your system following these steps:

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
"Unload recognized processes during scanning."
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
"Let Windows remove files in use after reboot."
Press "Scan Now"
Check option "Use Custom scanning options"
Check option "Activate In-Depth Scan"
Press "Select drives\folders to scan"
Select the active partition which is usually C:
Press "Next" to let Ad-aware scan your drives...
If it finds "bad" files and registry keys, press "Next" again
Right-click in that pane and choose "select all"
Press "next"
When it asks to remove all checked items, Press "OK"
Close Ad-aware, reboot your system and go on to Step 2 below.


Spybot S&D
The download for Spybot S&D is available here: http://www.safer-networking.org/index.php?page=spybotsd

Install by double-clicking on the downloaded file.
Run Spybot S&D from desktop icon or Start menu.
Press "Search for updates" button to get list of updates available.
Press "Download updates" button.
Close all IE windows and close & restart Spybot S&D.
Press "Check for problems" button.
Have SpyBot remove all it marks in red by pressing "Fix selected problems"
Close Spybot S&D, reboot your system.

Did it help?

Marianna
by Pat S / May 6, 2004 3:33 AM PDT

I always run ad-aware at every start up. It doesn't find this problem. I ran Spybot Wednesday before I installed the updates and fixes but I haven't run it since the repair. I'll do it when I get home from work and let you know the results.

Patrick... How to XP Internet Connection Firewall (ICF)
by glenn30 / May 6, 2004 2:00 AM PDT

Under Help - ICF - Enable/Disable you find these instructions.

To enable or disable Internet Connection Firewall
Open Network Connections
Click the Dial-up, LAN or High-Speed Internet connection that you want to protect, and then, under Network Tasks, click Change settings of this connection.
On the Advanced tab, under Internet Connection Firewall, select one of the following:
To enable Internet Connection Firewall (ICF), select the Protect my computer and network by limiting or preventing access to this computer from the Internet check box.
To disable Internet Connection Firewall, clear the Protect my computer and network by limiting or preventing access to this computer from the Internet check box.


HTH

:)

Glenn

Thanks Glen...
by Pat S / May 6, 2004 3:38 AM PDT

Shortly after I posted, my FAX request for the Sasser virus fix from Microsoft arrived. It contains the instructions. Typical for Microsoft: I asked for the info Wednesday and was promised a fax in three hours - closer to three days :) Since I don't ever remember performing that operation, I guess my firewall wasn't enabled. I'll have to check it when I get home from work.

Re:Thanks Glen...
by glenn30 / May 6, 2004 3:50 AM PDT
In reply to: Thanks Glen...

Patrick, generally ICF is enabled by default. You may find it already enabled... if not just tick the block. :)

Glenn

AGOBOT worm infestation
by dawillie / May 6, 2004 3:56 AM PDT
Thanks Dave
by Pat S / May 6, 2004 5:27 AM PDT

I ran this last night. It was successful in deleting the viri quarantined in the AVG Vault but AGOBOT remained. :( I downloaded it specifically to remove the AGOBOT. It ran for 3 plus hours and the log contained several errors where it could not access files.

Re:Thanks Dave
by dawillie / May 7, 2004 1:19 AM PDT
In reply to: Thanks Dave

Patrick,
If I remember correctly, Agobot also makes several entries that require a REGEDIT and changes to the startup configuration to eradicate.
The entries written will vary depending on what version of Agobot your PC has.
Please run the program again and list the files in question.
We can then determine what erasing is required.
David

Re:AGOBOT worm infestation
by Che / May 6, 2004 7:45 PM PDT

Hi Patrick,
you got some very good advice already.
SpyBot and Ad-Aware run one after the other should kill almost all spy- and adware. But if you want most of them not even to try to install themselves on your computer, try these out:
SpywareGuard + SpywareBlaster
http://www.javacoolsoftware.com/downloads.html

If you have problems deleting viruses, trojans or spy-/adware, for example from the folder "Temporary Internet Files", there's a solution for that too: EasyClean. http://personal.inet.fi/business/toniarts/ecleane.htm

But virus programs do not always recognize all viruses... There is one place where I go to check if I'm not sure: http://uk.trendmicro-europe.com/consumer/products/housecall_pre.php

Of course there's always Stinger... if a worm gets through: http://vil.nai.com/vil/stinger/

I hope these help. Good luck.

Che

Finally killed the pest
by Pat S / May 7, 2004 1:43 AM PDT

Thanks for all the help. Problem was in a file in the System32 folder. There was a program called soundcntrl.exe that carried the worm. The reason AVG couldn't move it to the vault was because the file was running. I located it in the Task Manager and stopped the process. Then I opened Explorer and found the .exe file and checked the properties. Surprise!!! It was created the same day the virus struck. I deleted it and a message popped up telling me the Recycle Bin had a virus - clicked empty and flushed the sucker. Everything back to normal - only took a week. :)

Patrick - GREAT job - thanks for your feedback !
by Marianna Schmudlach / May 7, 2004 1:58 AM PDT

.

Re:Finally killed the pest
by Tufenuf / May 7, 2004 10:29 PM PDT

Patrick, you may also want to check out the Removal Instructions at the link below to clean out all remnants of that virus (registry entries, hosts file alterations). I had the same one last week and it had me half nuts till I finally got rid of it. The file name I had was "msawindows.exe" which is another file name it uses.


http://sarc.com/avcenter/venc/data/w32.gaobot.afj.html

HTH,
Tufenuf
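
The checks described in the two posts above (a System32 executable that cannot be quarantined because it is running, a creation date matching the infection, leftover startup registry entries) can be gathered in one read-only pass. This is an added example, not part of the original thread; it assumes a current Windows with PowerShell 5.1 or later, and the `-Days` parameter with its 7-day default is a hypothetical choice.

```powershell
# Added read-only triage example (not from the thread); it deletes nothing.
# Assumption: -Days is the look-back window to the suspected infection date.
param([int]$Days = 7)

$sys32  = Join-Path $env:SystemRoot 'System32'
$cutoff = (Get-Date).AddDays(-$Days)

# Image path -> PIDs currently running from it. A running image is locked,
# which is why the scanner's move to quarantine failed.
$running = @{}
Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath } | ForEach-Object {
    $image = $_.ExecutablePath.ToLowerInvariant()
    if (-not $running.ContainsKey($image)) { $running[$image] = @() }
    $running[$image] += $_.ProcessId
}

# Command lines registered in the per-machine and per-user Run keys.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $regKey = Get-Item $k
        foreach ($n in $regKey.GetValueNames()) { [string]$regKey.GetValue($n) }
    }
}

# Recently created executables in System32, with signature, process and
# autostart context. A recent date alone is not a verdict: updates also
# create files here, so read the columns together.
Get-ChildItem -Path $sys32 -Filter *.exe -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $cutoff } |
    ForEach-Object {
        $name    = $_.Name
        $pattern = '*' + [WildcardPattern]::Escape($name) + '*'
        [pscustomobject]@{
            File        = $name
            Created     = $_.CreationTime
            Signature   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            RunningPids = $running[$_.FullName.ToLowerInvariant()] -join ','
            InRunKey    = [bool]($autoruns -like $pattern)
        }
    } | Sort-Object Created | Format-Table -AutoSize
```

A row that is unsigned, running and referenced from a Run key is the combination worth investigating first.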

Congratulations!
by glenn30 / May 8, 2004 12:49 AM PDT

Patrick, I have followed your post from the start. Persistence and patience paid off... I learned some things also, like how to back up the registry from "tufenuf's" post. The best to you and happy computing!!

:)

Glenn
