Removing agobot.spoolsrv32

  • Thread starter Thread starter Chris
  • Start date Start date
C

Chris

On my XP Home machine, MSAS identifies agobot.spoolsrv32 and offers to
remove it, but following removal the report is that it has been ignored. Any
suggestions?

Chris
 
Try restarting in safe mode, and logging in as "administrator" then doing a
full, deep scan, and removing that item. Let's see whether it can do it in
this mode.
 
This is the Agobot worm which opens alot of ports on your
system leaving it open to attacks from the remote user
who put it there.Plus its stays in the memory so that it
can send information from your pc to the IP address which
it was sent from.

Id advise running the TrendMicro Damage Cleanup Services
to remove any traces of this

http://de.trendmicro-
europe.com/file_downloads/common/tsc/tsc.zip


Also run a scan at Trends Housecall Virus Scanner

http://housecall.trendmicro.com/housecall/start_corp.asp

This way is far easier than going for this manually as it
involves Registry editing plus you would need to run the
online scanner anyway to reveal where the worm has saved
itself in your system.

If you have any problems then just repost and id help
where i can.

Good Luck Andy
 
I tried this on my system. I was interested, since Sunbelt's system is also
an offshoot of Giant antispyware's technology.

On my system, besides some cookies, it found a couple of threats. One was a
file associated with one of those utilities which shows you the passwords on
your own systems which are hidden by asterisks--i.e. if you have the
password to your system, it will allow you to see other passwords in your
password storage file. What is interesting was that the online scan
described this in these terms:
-----------------------------
Password Recovery Pro

Type: Password Hijacker

Threat Level: Elevated

Author: Sureshot

Description: Password Recovery Pro is a password hijacker.

Advice: This is a high risk threat and should be removed or quarantined as
to prevent harm to your computer or your privacy.

---------------------------------------------
However, it didn't directly identify the particular file involved, so I
wanted more information. Here's what Sunbelt's online information base says
about this same item:

http://research.sunbelt-software.com/threat_display.cfm?name=Password Recovery Pro

Note that the advice here is to keep this in place (presuming that you
knowingly installed it in the first place, perhaps!)
(I wasn't able, using the information in the web link, to find anything
related to this app on my system, but it isn't entirely unlikely--I've
looked at such apps in the past.)

The second item of interest the scan found was:
--------------------------------------------
brutus-v1-b2.exe

Type: Password Hijacker

Threat Level: Elevated

Author:

Description: Brutus is a multi-protocol authentication negotiation agent or
password cracker.

Advice: This is a high risk threat and should be removed or quarantined as
to prevent harm to your computer or your privacy.

------------------------------------------------------------------
Needless to say, this got me to sit up and take notice, so I looked up the 5
registry keys which were the evidence cited for the presence of this critter
on my machine:
HKEY_LOCAL_MACHINESOFTWARE\Classes\TypeLib\{33101C00-75C3-11CF-A8A0-444553540000}

HKEY_LOCAL_MACHINESOFTWARE\Classes\TypeLib\{33101C00-75C3-11CF-A8A0-444553540000}\1.0\0\win32

HKEY_LOCAL_MACHINESOFTWARE\Classes\TypeLib\{33101C00-75C3-11CF-A8A0-444553540000}\1.0\FLAGS

HKEY_LOCAL_MACHINESOFTWARE\Classes\TypeLib\{33101C00-75C3-11CF-A8A0-444553540000}\1.0\HELPDIR

HKEY_LOCAL_MACHINESOFTWARE\Classes\TypeLib\{33101C00-75C3-11CF-A8A0-444553540000}\1.0

And, I looked up their web information:
http://research.sunbelt-software.com/threat_display.cfm?name=brutus-v1-b2.exe

I was unable to discern any of the executables named in the web link on my
machine, but of course they could be renamed. I didn't scan for the MD5
hashes, but since the online scan only identified the registry items, I'm
not too worried.

So--what about those registry items? The registry items appear to be
associated with a particular control--Catalyst Socketwrench. This seems
entirely aboveboard, although, in fact, the OCX named is not present on my
system.

Bottom line: This online scan appeared to identify a couple of serious
threats that hadn't been caught by Microsoft Antispyware.

On closer examination, however, neither was what appeared at first glance:
The first password hijacker was a trace of an app which their own
recommendation says :leave alone.

The second password hijacker consisted entirely of registry entries related
to a commonly available control which is common to many pieces of software.

I don't think either of these findings rises to the level of a false
positive--but they are described in terms which are scary, and a closer
examination of both of them left me feeling that the findings were somewhat
"hyped."

I doubt this is intentional on Sunbelt's part--the problem of false
positives and misidentifications is one which all products in this area
face.
 
To actually clean somethin found by the free online scan, you need to
download the app itself, which has a free 15-day trial, it looks like.

I'd go with trying the removal in safe mode with Microsoft Antispyware,
myself.
 
Bill, I downloaded a few anti-spyware programs that when I started the
install my Anti-Virus sent off bells and whistles and quaranteened trojan
horses(Win32 trojan xx) I forget the exact name now but I deleted it and the
program. You gotta be careful these days.
Ed
 
Hi Bill

Something isnt right with counter spy Ive had it
installed for about 8 days as i was testing it and have
the protection enabled but havent seen any alerts while
having it but have only used it once.I read your post and
decided to test it myself and chose to deepscan.

About 30 seconds into the scan it said it had detected
SPYEX was trying to install,then after i said remove it
said a unknown ActiveX was tring to install,Then after
removing it it said it detected changes to my LSP list I
chose remove again and was getting abit worried and then
it finished its scan and said i had 1 spyware on my
pc.Then clicking the next button it shows the spyware as
a cookie from passport.com :)


When the scan finished i ran the scanner again and when
it got to the end it said i had another spyware installed
this time saying it was ALL-IN-ONE 2.0 (Surveillance)
which was a high risk threat and a key logger i checked
the areas it was showing and again it showed a cookie so
think these amount to false postives in my view

Im going to check the registry and Winsock LSP list just
to be on the safe side but find it hard to believe all
this just decided to install 30 seconds into a counterspy
scan.I use adaware,spyware guard,spyware
blaster,spybot,ccleaner,spy sweeper,Norton,CWShredder and
Yahoo antispy so think this is a false reading but its a
pain im still going to have to make sure now,Ive just
checked the lsp lists and activex and there isnt anything
out of place there

Its all very strange and makes me believe i had problems
when using the scanner but really there isnt anything on
my system now im checking for any changes

Regards Andy
 
This area (antispyware) is chock full of snake oil. See:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

These days, when searching on "threatname removal" via google, the top
hits, and all or most of the ads, appear to come from rogue apps and sites,
as far as I can spot.

Sunbelt and their product are reputable, but this is a tough area to keep up
on, and false positives are a significant issue with most antispyware
products--including Microsoft Antispyware. I don't see too many posts about
them these days, though--the Media Tickets issue is the one I recall at the
moment.
 
Thanks for the link. It was Spy Ban now that I checked it out. It was a
nasty piece of malware. Luckily all the true anti-spyware apps and
anti-virus programs I have running arrested and removed this POS.
Ed
 
back again.

in safe mode as admin running MSAS (full & deep) does not find agobot.
Booting back in normal mode as a user, MSAS now finds the pesky blighter, so
I'm back where I started.

It's interesting reading the discussion between yourself/Bill.Andy regarding
which tools to use. Bill's use of the term snake oil is well justified; I'm
happiest using well known brands.

Chris
 
Chris, Did you try the sunbelt product? That was the only place I could find
with a search that had definitions for the Agobot malware.
Ed
 
Chris--if that didn't do the job, there's probably some additional steps
needed--perhaps signing on in safe mode to each individual user defined on
the machine.

I'll try to do some research later to see if I can find a good brand-name
tool to remove this specific threat--these naming issue is a problem.

One good possibility you might consider trying in the mean time:

http://housecall.trendmicro.com This is Trend Micro's online scanner. It
scans for viruses, spyware, and also system critical patches--optionally.
And it removes what it finds. Might well be worth the try.
 
Hi Chris

Do you want to explain what you mean my snake oil????

This isnt a term i know,You have a worm so MS antispy
doesnt remove worms,The products i suggested both target
this worm and both come from Trend Micro so im not sure
what you are trying to say.If you think Trend Micro isnt
a genuine program then this could be one of the reasons
you get worms in your pc as you will not take advise from
someone who is trying to help you.

Bill knows that MS antispy will not remove worms but he
is a MVP so his view is to promote the antispy product
but we both know its not going to help with a Worm


If you want a solution then run the programs i suggested
if you want to discuss possble snake oils then i cannot
help on that as the term means nothing to me.Im not
gaining anything from offering my advise on here but like
to help out where i can but if you choose to ignore my
advise then this is your choice and i will not offer any
more about this as ive already gave you a solution

Regards Andy
 
Hi Bill

What's with giving the impression im advising products
that are not genuine and then telling him to use exactly
the same product as i suggested.This seems abit silly to
me.

This is a Worm he is dealing with and ive posted what it
does and the solution using Trends products but you gave
him the impression MS Antispy can fix this which is aload
of rubbish,MS antispy cannot even remove basic
adware/spyware and will not delete a Worm/Virus so lets
be honest about this

I know you are here to promote AntiSpy but you know as
well as i do this isnt going to remove a worm and its
annoying you have said these Program names are a issue
then advise him to use the same product that i advised

So abit of honesty would hurt anyone now would it Bill

Regards Andy
 
Andy - I certainly didn't mean anything negative about the help that you
offer in this forum.

If Microsoft Antispyware identifies this threat on Chris' machine, I believe
that the intent of the developers is that it be able to remove it. That's
behind my suggestions of trying in safe mode, etc.

At this point, I would say that Microsoft Antispyware has flunked the test,
and I'm happy to open the field to any solution that Chris is willing to
try.

The snake oil reference was made in response to Ed Barba's message, and
referred to Eric Howes article listing "rogue" antispyware products.

I value your contributions to these groups and this thread--feel free to
propose a solution--I've given a couple, but there are more, I'm sure.
 
Thanks for the quick reply Bill,I know about this worm as
ive had to remove it before this is why i sugested Trend
Micro's Damage Clean Up as it Removes this worm,

I even ran it on my own system again before posting my
advise to make sure its still in their definitions which
it is.

I appreciate you are warning people about these rogue
programs which is needed these days as they do alot more
harm then good but i would never post a reply on here
that i wasnt sure about,

The damage clean up tool is a hassle free product that
scans many Malware prints within a couple of minutes then
repairs the damage that was caused by the virus or worm
involved so to me it saves alot of registry work and
fault finding as it repairs it for you.Ive used it alot
of times on peoples pc's when they have malware issues
and recommend it on my own site.

Im sorry if my comments seemed abit harsh but i knew
straight away how it can be fixed and the issue has
gotten confused abit to the point where he didnt trust my
advise because of these so called ' snake oils'

But i respect your view on this and understand you are
trying to protect users from getting more malware by
using these products so no offence was meant to you in my
post i was just trying to point out im not advising he
use a rogue product but 2 free products from Trend Micro
which is a genuine as they get.

I agree with the MS antispy comment that it is failing on
alot of issues but hopefully by the time it gets released
they would of covered all these issues,mainly restore the
Winsock stacks and upgrading their definitions but im
sure it will all come together by release time.

Its late here as im in the UK so will say goodnight and
Hopefully Chris will solve his Worm problem one way or
the other,Symantecs removals are usually very precise so
he can put his trust in that and go that way as like you
say there's afew ways to remove these worms.Once we know
where its saved it can be shut down manually easy enough
but hopefully he can find a quick fix to prevent all the
hassle

Thanks again for the reply its good to know you wasnt
targeting my comments

Regards Andy :o)
 
Back
Top