Status
Not open for further replies.
1 - 7 of 7 Posts

· Registered
Joined
·
274 Posts
Discussion Starter · #1 ·
OK, I have run Sophos, Norton, and McAfee with all current updates and they do not find any virus. I did an online scan from HouseCall and it found the following item, Dos_AGOBOT.HM, and the location is
C:\WINNT\SYSTEM32\DRIVERS\ETC\HOSTS, and it cannot clean it, so I have it delete the file.

Then I boot in safe mode and delete the file again. I have run Ad-Aware, Spybot, and HijackThis. HijackThis did find Netsnake on this system and I had it fix that.

I have deleted the trash, IE cookies and files.

I still have this piece of crap. Any help from the pros?

Thanks
 

· Registered
Joined
·
103 Posts
DOS_AGOBOT is a byproduct of the actual virus, WORM_AGOBOT.HM. You get this virus through a vulnerability found in Windows, so make sure you immediately update your Windows by going to

http://www.windowsupdate.com

This worm is what is creating that hosts file.

You can find removal instructions here:

Agobot.HM Removal Steps

Follow these instructions. Reboot, download HijackThis from here:

HijackThis

Save it into its own directory. Make sure all Internet Explorer windows are closed and run the program. Click on Scan and have it save a log. A notepad window will open with the contents of the log. Paste those contents to a reply to this post.
 

· Registered
Joined
·
274 Posts
Discussion Starter · #4 ·
Logfile of HijackThis v1.97.7
Scan saved at 9:44:44 AM, on 4/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\system32\desk95.exe
C:\WINNT\system32\smssv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\spyware tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [Audoi Device Loader] smssv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [Audoi Device Loader] smssv.exe
O4 - Startup: PERSONAL.xls
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38089.6178009259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

· Registered
Joined
·
103 Posts
These three entries look strange. It looks like it could be a trojan/worm that was added as, supposedly, an Audio Device Loader, but they misspelled "audio". I could be wrong though.

Also, are you running an Excel sheet on purpose on startup? If not, you should fix the Startup: PERSONAL.xls entry.

You can fix these:

O4 - HKLM\..\Run: [Audoi Device Loader] smssv.exe
O4 - HKLM\..\RunServices: [Audoi Device Loader] smssv.exe

Only fix if you are not supposed to be opening an Excel spreadsheet
O4 - Startup: PERSONAL.xls

Reboot and move these files to another directory until they are examined and it is determined that not loading them does not cause any problems:

c:\windows\smssv.exe
or
c:\windows\smssv.exe

If you can, email this file to [email protected] so I can take a look at it.
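
The check the reply above makes by eye, written out as an added example that is not part of the original thread: it parses the registry O4 autostart lines from the posted HijackThis log and reports any executable whose file name is a near-miss of a genuine Windows core process name, together with every autostart key it is registered under. The reference list `CORE`, the 0.85 similarity threshold and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# O4 autostart lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [Audoi Device Loader] smssv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [Audoi Device Loader] smssv.exe
O4 - Startup: PERSONAL.xls
"""

# Assumption: reference list of genuine Windows core process names.
CORE = ["smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
        "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"]

# Matches registry-based O4 lines only; Startup-folder items are skipped.
O4_REG = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]*)\] (.+)$")

def parse_o4(log):
    """Yield (autostart key, display name, executable basename) per registry O4 line."""
    for line in log.splitlines():
        m = O4_REG.match(line.strip())
        if not m:
            continue
        key, name, cmd = m.groups()
        # A quoted command keeps its spaces; otherwise the first token is the program.
        path = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
        yield key, name, path.split("\\")[-1].lower()

def lookalikes(log, threshold=0.85):
    """Map each near-miss of a core process name to (imitated name, [autostart keys])."""
    hits = defaultdict(list)
    for key, _name, exe in parse_o4(log):
        if exe in CORE:
            continue  # an exact match is the real name, not an imitation
        for real in CORE:
            if SequenceMatcher(None, exe, real).ratio() >= threshold:
                hits[(exe, real)].append(key)
    return {exe: (real, keys) for (exe, real), keys in hits.items()}

if __name__ == "__main__":
    for exe, (real, keys) in lookalikes(SAMPLE_LOG).items():
        print(f"{exe} resembles {real}; registered under: {', '.join(keys)}")
```

A name match alone does not prove a file is malicious; it only shortlists entries for the manual examination the reply asks for.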
 