My Computer is screwed!!!

Discussion in 'Tech Talk' started by wetnwild, May 2, 2004.

  1. wetnwild

    wetnwild
    [OP]
    New Member

    Joined:
    Apr 4, 2004
    Messages:
    14
    Likes Received:
    0
    Location:
    Spryfield
    I can't get rid of this damn worm.....(worm_agobot.mg) and now it says that there is another one as well...(dos_agobot.hm) and I can't seem to fix it. When I try to get on to certain websites, that I know are available...like where I can download antiviruses....it says that they are not available. I had a site where it told me how to get rid of Worm_agobot.us but it says that I need to download a virus scanner!!!! :x :( :confused: :x CAN YOU HELP???? :pissed:
     
  2. JBI

    JBI
    tight hole stimulator

    Joined:
    Mar 18, 2004
    Messages:
    3,030
    Likes Received:
    7
    Location:
    Mount Uniacke , NS
    Try this

    Solution:



    Restarting in Safe Mode


    Restarting your system in safe mode prevents the malware from running as a service and disables its autostart routine.

    On Windows NT (VGA mode)

    Click Start>Settings>Control Panel.
    Double-click the System icon.
    Click the Startup/Shutdown tab.
    Set the Show List field to 10 seconds and click OK to save this change.
    Shut down and restart your computer.
    Select VGA mode from the startup menu.
    Note: To remove the startup list menu, change the Show List value to 0.

    On Windows 2000

    Restart your computer.

    Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.

    Choose the Safe Mode option from the Windows 2000 Advanced Options Menu then press Enter.

    On Windows XP

    Restart your computer.

    Press the F8 key when prompted.
    If Windows XP Professional starts without the “Press select operating system to start” menu, restart your computer.

    Press F8 after the Power-On Self Test (POST) is done.
    Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

    Identifying the Malware Program

    Before proceeding to remove this malware, first identify the malware program.

    Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_AGOBOT.US. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

    Terminating the Malware Program

    This procedure terminates the running malware process from memory.

    Open Windows Task Manager.
    On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
    On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
    In the list of running programs*, locate the process: SYSCONF.EXE

    Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    To check if the malware process has been terminated, close Task Manager, and then open it again.
    Close Task Manager.
    *NOTE: On systems running Windows 95/98/ME, Windows Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing during startup.

    To remove the malware autostart entries:

    Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry:
    Fantasia injector = “wincfg.exe”
    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
    In the right panel, locate and delete the entry or entries:
    Fantasia injector = “wincfg.exe”
    Close Registry Editor.
    NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

    Applying Patches

    This malware exploits known vulnerabilities affecting the Windows NT platforms. Download and install the following to patch your system.


    IIS5/WEBDAV vulnerability patch
    Windows NT

    http://microsoft.com/downloads/deta...5AE-4912-9967-3AA3B4D5A76F&displaylang=en

    Windows NT Terminal Server

    http://microsoft.com/downloads/deta...C4D-40E9-8879-41A09767111F&displaylang=en

    Windows XP 32 bit

    http://microsoft.com/downloads/deta...2D5-47B8-AB98-77BA7501B00B&displaylang=en

    Windows XP 64 bit

    http://microsoft.com/downloads/deta...B0B-40F8-9A2E-DE93CBB5CB3A&displaylang=en


    DCOM Patch
    WindowsNT

    http://microsoft.com/downloads/deta...90A-4DA5-93F2-FCC6300A1A43&displaylang=en

    WindowsNT Terminal Server

    http://microsoft.com/downloads/deta...7F2-47F9-8E99-016B35B7646D&displaylang=en

    Windows 2000

    http://microsoft.com/downloads/deta...5DB-4F92-9DEF-4D91A140E0E0&displaylang=en

    WindowsXP 32bit

    http://microsoft.com/downloads/deta...217-4ABD-A244-0A53320B2813&displaylang=en

    WindowsXP 64bit

    http://microsoft.com/downloads/deta...DAD-4E20-B46E-E1AEFB1F6673&displaylang=en


    RPC Patch
    Windows NT

    http://www.microsoft.com/downloads/...17E-4FA7-BDBF-DF77A0B9303F&displaylang=en

    Windows NT Terminal Server

    http://www.microsoft.com/downloads/...4FA-424C-A3C1-C9FAD2DC65CA&displaylang=en

    Windows 2000

    http://www.microsoft.com/downloads/...541-4C15-8C9F-220354449117&displaylang=en

    Windows XP 32 bit

    http://www.microsoft.com/downloads/...5B6-44AC-9532-3DE40F69C074&displaylang=en

    Windows XP 64bit

    http://www.microsoft.com/downloads/...F4C-4061-9009-3A212458E92E&displaylang=en

    Windows 2003 server 64 bit

    http://www.microsoft.com/downloads/...3F0-4EC1-995F-017E35692BC7&displaylang=en

    Refrain from using the affected software until the appropriate patch has been installed.

    Additional Windows XP Cleaning Instructions

    Running Trend Micro Antivirus

    Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.US. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

    Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business or home PC.
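
The registry step in the post above can be re-checked after cleanup by exporting the two keys from Regedit and scanning the export for the entries the post names. This is an added example, not part of the original post or of the instructions it quotes; the sample export and the function names are assumptions, while the value name, `wincfg.exe` and `SYSCONF.EXE` are the ones quoted in the post.

```python
import re

# Keys from the post's registry step; matched as a case-insensitive key-path suffix.
AUTOSTART_KEYS = (r"\software\microsoft\windows\currentversion\run",
                  r"\software\microsoft\windows\currentversion\runservices")
# Indicators quoted in the post: the autostart value name, its data, the process name.
BAD_VALUE_NAMES = {"fantasia injector"}
BAD_FILES = {"wincfg.exe", "sysconf.exe"}

# One string value line of a .reg export: "name"="data"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not taken from the machine discussed in the thread).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AVTray"="\"C:\\Program Files\\AV\\avtray.exe\" /min"
"Fantasia injector"="wincfg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Fantasia injector"="wincfg.exe"
'''

def unescape(s):
    # .reg strings escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def exe_name(data):
    """File name of the program an autostart value launches, lowercased."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]      # quoted path, arguments follow
    else:
        path = (data.split() or [""])[0]      # bare command, first token
    return path.rsplit("\\", 1)[-1].lower()

def leftover_autostarts(reg_text):
    """Return (key, value_name, data) for autostart values matching the indicators."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.lower().endswith(AUTOSTART_KEYS):
            m = VALUE_RE.match(line)
            if m:
                name, data = unescape(m.group(1)), unescape(m.group(2))
                if name.lower() in BAD_VALUE_NAMES or exe_name(data) in BAD_FILES:
                    hits.append((key, name, data))
    return hits
```

Regedit's "Version 5.00" exports are saved as UTF-16, so read a real export with `encoding="utf-16"` before passing its text to `leftover_autostarts`.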
     
  3. JBI

    JBI
    tight hole stimulator

    Joined:
    Mar 18, 2004
    Messages:
    3,030
    Likes Received:
    7
    Location:
    Mount Uniacke , NS
    According to one of the other sites I read about this virus on it said that it was a variant of W32.gaobot.gen . I can send you the removal tool for that virus through email if you want or you can try to get it from this link
    http://securityresponse.symantec.com/avcenter/FxGaobot.exe .
    Good luck.
     
  4. wetnwild

    wetnwild
    [OP]
    New Member

    Joined:
    Apr 4, 2004
    Messages:
    14
    Likes Received:
    0
    Location:
    Spryfield
    this is the part that confuses me....
    "Before proceeding to remove this malware, first identify the malware program.

    Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_AGOBOT.US. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner. "

    I did the free online virus scan and it says that there is no virus found....but there is a virus...my other virus scanner can find it but won't remove it.
     
  5. wetnwild

    wetnwild
    [OP]
    New Member

    Joined:
    Apr 4, 2004
    Messages:
    14
    Likes Received:
    0
    Location:
    Spryfield
    Do you know what the difference is, if there is a difference, between a worm_agobot.us and a worm_agobot.mg?
     
  6. Boots

    www.reality-check.ca

    Joined:
    Jun 3, 2003
    Messages:
    74,006
    Likes Received:
    4,026
    Location:
    Halifax
    C:\windows\system32\drivers\etc\hosts

    edit this file and remove the added lines at the end of the file. The worm places entries in there to prevent you from accessing security related sites. Once you empty off the extra lines you will be able to access all sites.
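
What the cleanup described in the post above looks like as a check, as an added example that is not part of the original post: it parses hosts-file text, flags security-vendor names pointed at the local machine, and returns the file without those lines. The vendor suffix list, the sample file contents and the function names are assumptions made for the example.

```python
import ipaddress

# Assumption: vendor domains to watch (constructed list, extend as needed).
SECURITY_SUFFIXES = ("symantec.com", "trendmicro.com", "microsoft.com")
# Mappings a default hosts file is expected to contain.
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample input, not taken from the infected machine in the thread.
SAMPLE = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 housecall.trendmicro.com
0.0.0.0 windowsupdate.microsoft.com   # trailing comment
192.168.1.10 printer
"""

def parse_hosts(text):
    """Yield (line_no, address, hostname) per mapping; comments and junk are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address, so not a mapping line
        for name in fields[1:]:
            yield line_no, addr, name.lower().rstrip(".")

def audit_hosts(text):
    """Return (line_no, ip, hostname, verdict) for every non-default mapping."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if (str(addr), name) in BASELINE:
            continue
        local = addr.is_loopback or addr.is_unspecified
        vendor = any(name == s or name.endswith("." + s) for s in SECURITY_SUFFIXES)
        verdict = "blocked-security-site" if local and vendor else "review"
        findings.append((line_no, str(addr), name, verdict))
    return findings

def remove_blocked(text):
    """Return the hosts text without the lines flagged as blocked-security-site."""
    bad = {n for n, _, _, v in audit_hosts(text) if v == "blocked-security-site"}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"
```

On the affected machine the input is the text of C:\windows\system32\drivers\etc\hosts, which has no file extension and is plain text.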
     
  7. wetnwild

    wetnwild
    [OP]
    New Member

    Joined:
    Apr 4, 2004
    Messages:
    14
    Likes Received:
    0
    Location:
    Spryfield
    it says that I cannot open this file because windows needs to know what created it. It gives 2 options; to let the internet do it or manually do it. The web page cannot be displayed. It is making me soooooo MAD!!!!!!!
     
  8. JBI

    JBI
    tight hole stimulator

    Joined:
    Mar 18, 2004
    Messages:
    3,030
    Likes Received:
    7
    Location:
    Mount Uniacke , NS
    It is just a variant of the same virus. The removal procedure should be the same. Did you try downloading the program in the link that I gave you? I know it is not for the exact virus you have but the one you have is a variant of the one that the program removes, so it may disable or remove the one you have.
     
  9. wetnwild

    wetnwild
    [OP]
    New Member

    Joined:
    Apr 4, 2004
    Messages:
    14
    Likes Received:
    0
    Location:
    Spryfield
    I did download it and it said that it removed a virus but the worm_agobot is still there.
     
  10. wetnwild

    wetnwild
    [OP]
    New Member

    Joined:
    Apr 4, 2004
    Messages:
    14
    Likes Received:
    0
    Location:
    Spryfield
    BaByGirL wrote:
    K dokey... I'm at Bonnie's house right now going to attempt the "kill of the worm"(hehe... sorry :oops: )

    I'm installing Norton, now... but Bonnie has stated that Norton is ineffective against the worm... any suggestions??
     
  11. NiJoMo

    ♪ ♪ La La La ♪ ♪

    Joined:
    Apr 10, 2004
    Messages:
    13,951
    Likes Received:
    0
    Location:
    Halifax, Nova Scotia
    HEEEEEEEEELP!!

    I need a quick, free d/l that'll scan for this in safe mode... Norton scans, but doesn't pick it up...


    HEEEEEEELLLLLLLPPPPPPPP!!!
     
  12. NiJoMo

    ♪ ♪ La La La ♪ ♪

    Joined:
    Apr 10, 2004
    Messages:
    13,951
    Likes Received:
    0
    Location:
    Halifax, Nova Scotia
    So, I was there for 12 hours, yesterday!! Ran like 20 anti-virus, 5 Sasser killers... and STILL... they are there... :pissed:
    somebody know a no fail way to kill this worm??

    He's very intelligent, might I add, every time I'd get close to killing him, he'd shut down the window I was working on... damn him, damn him!!
     
  13. Dural

    Insert something witty

    Joined:
    Jul 2, 2003
    Messages:
    4,904
    Likes Received:
    0
    Location:
    Newmarket
    format c: is the fix for everything
     
  14. JBI

    JBI
    tight hole stimulator

    Joined:
    Mar 18, 2004
    Messages:
    3,030
    Likes Received:
    7
    Location:
    Mount Uniacke , NS
    Did you disable system restore before trying to get rid of the virus?
     
