virus thingym-doo

reet geekozoids, have a problem with a virus on the PC that i use to connect to the net from my laptop - appears to come on when i go online on my laptop, when the computer hasn't been touched (whether this is a coincidence i don't know). AVG has picked it up again, so was wondering if i should use another thing to take it off, or would anyone have any other suggestions? what comes up is Worm/Agobot.43.BI C:\WINDOWS\system32\spool\drivers\serviceconnect.exe any help chucks?
I know it's a worm that allows people to gain remote access to your PC, will have a think as i'm sure we had it at work a while back. Normally caught through peer 2 peer file sharing
Agobot's quite nasty, and it may stop AVG from updating too. Go straight to http://housecall.trendmicro.com - run the on-line scan, then follow these removal instructions: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.GEN&VSect=Sn (If you can't see that page it's because agobot is fucking around with your hosts file - I'll copy and paste it here if you can't see it) You also should update XP - there are patches for the vulnerabilities it exploits.
Restart in Safe Mode

On Windows XP
1. Restart your computer.
2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program. Scan your system with antivirus and NOTE all files detected as WORM_AGOBOT.GEN.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
1. Open Windows Task Manager. On Windows 9x/ME systems, press CTRL+ALT+DELETE. On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs*, locate the malware file or files detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

*NOTE: On systems running Windows 9x/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from registry prevents the malware from executing during startup. You will need the name(s) of the file(s) detected earlier.
1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.
4. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
5. In the right panel, locate and delete the entry or entries whose data value (the rightmost column) is the malware file(s) detected earlier.
6. Close Registry Editor.

Removing the Malware Entries in the HOSTS file

Deleting entries in the HOSTS files prevents the redirection of antivirus Web sites to the local machine.
1. Open the following file using a text editor such as Notepad:
• %System%\drivers\etc\HOSTS
2. Delete the following entries:
* 127.0.0.1 www.trendmicro.com
* 127.0.0.1 trendmicro.com
* 127.0.0.1 rads.mcafee.com
* 127.0.0.1 customer.symantec.com
* 127.0.0.1 liveupdate.symantec.com
* 127.0.0.1 us.mcafee.com
* 127.0.0.1 updates.symantec.com
* 127.0.0.1 update.symantec.com
* 127.0.0.1 www.nai.com
* 127.0.0.1 nai.com
* 127.0.0.1 secure.nai.com
* 127.0.0.1 dispatch.mcafee.com
* 127.0.0.1 download.mcafee.com
* 127.0.0.1 www.my-etrust.com
* 127.0.0.1 my-etrust.com
* 127.0.0.1 mast.mcafee.com
* 127.0.0.1 ca.com
* 127.0.0.1 www.ca.com
* 127.0.0.1 networkassociates.com
* 127.0.0.1 www.networkassociates.com
* 127.0.0.1 avp.com
* 127.0.0.1 www.kaspersky.com
* 127.0.0.1 www.avp.com
* 127.0.0.1 kaspersky.com
* 127.0.0.1 www.f-secure.com
* 127.0.0.1 f-secure.com
* 127.0.0.1 viruslist.com
* 127.0.0.1 www.viruslist.com
* 127.0.0.1 liveupdate.symantecliveupdate.com
* 127.0.0.1 mcafee.com
* 127.0.0.1 www.mcafee.com
* 127.0.0.1 sophos.com
* 127.0.0.1 www.sophos.com
* 127.0.0.1 symantec.com
* 127.0.0.1 securityresponse.symantec.com
* 127.0.0.1 www.symantec.com
3. Save the file HOSTS and close the text editor.

NOTE: %System% is the Windows System folder, which is usually C:\Windows\System or C:\WINNT\System32.
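The HOSTS clean-up in the last procedure can be checked mechanically. This is an added example, not part of the pasted removal instructions: it flags HOSTS lines that point antivirus vendor domains at the local machine and leaves other entries alone. The function names and the sample file are made up for illustration; the vendor suffixes come from the list above.

```python
import ipaddress

# Suffixes of the vendor domains named in the removal instructions above.
SECURITY_SUFFIXES = (
    "trendmicro.com", "mcafee.com", "symantec.com", "symantecliveupdate.com",
    "nai.com", "networkassociates.com", "my-etrust.com", "ca.com", "avp.com",
    "kaspersky.com", "f-secure.com", "viruslist.com", "sophos.com",
)

def is_sinkhole(addr):
    """True for loopback or unspecified addresses (127.0.0.1, ::1, 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text):
    """Split HOSTS content into (kept_lines, flagged_entries)."""
    kept, flagged = [], []
    for line in text.splitlines():
        body = line.split("#", 1)[0].split()
        if len(body) < 2 or not is_sinkhole(body[0]):
            kept.append(line)  # comments, blanks, normal mappings
            continue
        names = [n.lower().rstrip(".") for n in body[1:]]
        bad = [n for n in names
               if any(n == s or n.endswith("." + s) for s in SECURITY_SUFFIXES)]
        good = [n for n in names if n not in bad]
        flagged.extend((body[0], n) for n in bad)
        if good:  # keep harmless names that shared the line, e.g. localhost
            kept.append(body[0] + " " + " ".join(good))
    return kept, flagged

# Constructed sample, not taken from a real infected machine.
SAMPLE = """\
# sample HOSTS file
127.0.0.1 localhost
127.0.0.1 www.trendmicro.com
127.0.0.1   liveupdate.symantec.com  # extra whitespace still matches
0.0.0.0 update.symantec.com
127.0.0.1 localhost us.mcafee.com
127.0.0.1 ads.example.net
192.0.2.10 intranet.example
"""

if __name__ == "__main__":
    print(audit_hosts(SAMPLE)[1])
```

Loopback entries for other names are kept, so a blocklist-style HOSTS file is not reported as hijacked.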
i'm just a one click girl. i'll give it a shot when i have some time, but jeez, so i use the online scan to find out which files are fucked, make a list of them and follow the massive long list of shit? basically (in loopmans terms)
in simple terms, find out what processes are running using the check, STOP them by pressing ctrl alt del and processes and then remove them from the registry so they don't start up again.... No easier way about it i'm afraid
Instead of removing those entries from the HOSTS file, you can just replace your HOSTS file with the one found here: http://www.mvps.org/winhelp2002/hosts.htm And seriously, get XP patched
the PC won't let us update with sp2 as it's a *funny* copy, but allows most other updates, will that thing dodgy said not fuck up my net connection? done another avg check yesterday, didn't find the virus, did an online housecall check, didn't find owt there. don't know what the crack is
Read the bit in the guide sticky about turning on auto-updates, and the HOSTS file won't fuck up your connection at all - it just blocks hooky sites etc.