Worm Agobot removal instructions.

Mar 6, 2004 1:23PM PST

I need to find a link and/or removal instructions for worm Agobot.

A friend of mine who is a newbie has picked up the Worm on her WIN-XP-Pro standalone home PC.

As far as I know all Windows updates are in place as well, and her AV [free AVG] definitions are current.

She ran Trend HouseCall after disabling System Restore and it picked up information about the worm but could not clean it.

The following information is relevant...

On start up she gets this message:

worm/Agobot.6.BG. c:\windows\system 32\s.3serv.exe.

HouseCall gave her the following messages:

1. worm.agobot.gen. c:\windows\system32\s3serv

2. worm agobot.A-1. c:\windows\system32\spolsv

I have been to the Sophos website based on warnings about Agobot posted here, but the only IDES I can find require the use of the Sophos AV.

Can someone please help with a removal tool/link and/or instructions as to where to go in Regedt to eliminate the values?

Thank you.

david williams

Re:Worm Agobot removal instructions.
Mar 6, 2004 2:18PM PST

for: 1. worm.agobot.gen. c:\windows\system32\s3serv

The way I deleted the virus was to simply rename regedit.exe in the c:\WINDOWS\ folder to a random file name so it wouldn't be recognised by the virus. From there it was simple to remove all traces of s3serv.exe and restart the PC. Then the file which was in the C:\WINDOWS\system32\ directory could simply be deleted. There were 2 other files which had s3serv in the name, which could be found using search, which I also deleted.
http://www.hostclub.net/forums/showthread.php?s=1a3273efb8ebb185dca091fc323beb47&threadid=10068

spolsv
http://www.sophos.com/virusinfo/analyses/w32agobotcs.html

Worm Agobot removal instructions.
Mar 6, 2004 2:37PM PST

Thank you.
Will pass on.
david

(NT) David, You're Welcome :)
Mar 6, 2004 2:45PM PST

.

Worm Agobot removal instructions.
Mar 7, 2004 1:46PM PST

Went to my friend's place and I found that I could not get REGEDIT to work even though I renamed the file.

Was able to do a general search and found the s3serv.exe and spolsv file and deleted them.

I subsequently went into safe mode and then into the registry and was able to find both file and folders for the executable and another file known as winampa.exe that showed as a downloader file.

Trend Micro had previously identified this as being part of the Agobot worm and so I deleted it and found it in the c:\windows\prefetch folder and deleted it from there as well.

I believe I have cleaned the PC except now the AV will not execute or the firewall.

I uninstalled and re-installed AVG but it would not execute a scan and all defs are current.

I am able to connect to the net etc.

I thought at first that the worm had not been completely eliminated, but on re-boot I did not see the message at boot up, that there was Agobot in the c:\windows\system32 folder.

It may be that I have deleted a registry entry that is required to execute programs.

Do you have any idea what this could be because I can re-load it using the O/S disc and SFC.

thanks M.

david williams

David, You did NOT make a registry backup??
Mar 7, 2004 3:22PM PST

You are sure - you only deleted these 2:

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SpoolService= spolsv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
SpoolService= spolsv.exe
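
An added example, not part of any post in this thread: a read-only check that scans a registry export (for instance a backup saved with regedit's export function) for string values under the two autostart keys listed above that reference the file names reported here. The function name, the sample export and the `ExampleUpdater` entry are constructed for illustration.

```python
import re

# File names reported by the posters in this thread.
THREAD_FILE_NAMES = ("s3serv.exe", "spolsv.exe", "winampa.exe")
# Autostart keys listed in the reply above (lower-cased for comparison).
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
KEY_RE = re.compile(r"^\[([^\]]+)\]$")
# "name"="string data"; backslash and quote are backslash-escaped in .reg files.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def find_autostart_hits(reg_text, file_names=THREAD_FILE_NAMES):
    """Return (key, value_name, command) for string values under the autostart
    keys whose command line references one of file_names."""
    hits, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).rstrip("\\")
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or key.lower() not in AUTOSTART_KEYS:
            continue
        name, command = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        for fn in file_names:
            # Match the file name as a whole path component, not a substring.
            if re.search(r'(^|[\\/"\s])' + re.escape(fn) + r'($|["\s])', command.lower()):
                hits.append((key, name, command))
                break
    return hits

# Constructed sample export (not taken from the affected PC).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SpoolService"="spolsv.exe"
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SpoolService"="spolsv.exe"

[HKEY_LOCAL_MACHINE\Software\Example]
"Note"="spolsv.exe"
'''
if __name__ == "__main__":
    for hit in find_autostart_hits(SAMPLE_EXPORT):
        print(hit)
```

Exports headed "Windows Registry Editor Version 5.00" are UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to the function.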

David, You did NOT make a registry backup??
Mar 8, 2004 12:09AM PST

I saw and deleted spolsv but not sure if I got the spolsv.exe.

I saw and deleted s3serv.exe and winampa.exe and I know I saw and deleted spolsv which was just below the default spoolserver files which have to do with the printer.

Going there to re-check today.

Will let you know.

And no I did not back up the registry.

I did however do it in safe mode and wonder if the worm re-activated when I re-booted to normal mode?

Also changing regedit had no effect and I could not find a regedit.exe folder.

The O/S is WinXP.

david williams