Under strange agobot.gen

Carlos Pumarin

My computer is under a strange virus, named agobot.gen by Kaspersky,
which copies itself by creating infected .shd and .spl files in
system32\spool\printers.

Those files can be deleted after killing 'spoolsv.exe', but whenever I
switch my firewall off for a while, they appear again, so the virus is
still somewhere in my computer, but no more infected files are found by
the Kaspersky scanner.

Any ideas what to do?

TIA
 
On that special day, Carlos Pumarin,
([email protected]) said...
Those files can be deleted after killing 'spoolsv.exe', but whenever I
switch my firewall off for a while, they would appear again,

That means they come in through a vulnerability, the RPC/DCOM or the
LSASS weakness.
somewhere, the virus is still in my computer,

or in the net that you are accessing. These worm-trojans don't wait for
someone to fetch them, but are actively seeking victims. Your whole
network is infested. It is like living in a city that is stricken by the
plague.
but no more infected files
are found by the Kaspersky scanner.

As I said, they come over the 'net after removal. It is like an STD. If
only one of the partners goes to see the doctor, (s)he will get
re-infected by the other.
Any ideas what to do?

Save all your data (that is, savegames, letters, pictures and music
files) to CD or similar devices. DON'T save anything executable, though.
Flatten your machine. See why:
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Then rebuild from scratch. Get a CD with Microsoft's SP2 for XP. Install
that. If you can't, FIRST OF ALL activate XP's Internet Connection
Firewall, and only *then* access Windows Update and have that install
ALL security-related patches.

And don't deactivate the ICF. If your ISP gave you an access program
that deactivates it (there are some), give them a ring and ask them how
to set up an internet connection *without* their cheapo program. Or
change your ISP.

And then read Art's pages and apply them, to harden your system:
http://www.claymania.com/safe-hex.html

They are invaluable.


Gabriele Neukam

(e-mail address removed)
 
On Sun, 19 Dec 2004 16:51:21 +0100, Gabriele Neukam

[snipulated stuff]
And then read Art's pages and apply them, to harden your system:
http://www.claymania.com/safe-hex.html

Heh... Art's pages? He certainly contributed but they're actually the
ACV pages (alt.comp.virus). Many people contributed directly and
indirectly to the page cited above.

Art does have his own site though.
Art's Antivirus Stuff: http://home.epix.net/~artnpeg/

Regards and happy holidays,
 
On that special day, Clay, ([email protected])
said...
Heh... Art's pages? He certainly contributed but they're actually the
ACV pages (alt.comp.virus). Many people contributed directly and
indirectly to the page cited above.

Sorry, I did it off my head, and that obviously was wrong. But the pages
*are* good.


Gabriele Neukam

(e-mail address removed)
 
On that special day, Clay, ([email protected])
said...


Sorry, I did it off my head, and that obviously was wrong. But the pages
*are* good.

Oh no need to apologize. I thank you for your helpful contributions
here and elsewhere. I hope you will continue to make time to post for
many more years. :-)
 
On Sun, 19 Dec 2004 16:51:21 +0100, Gabriele Neukam

[snipulated stuff]
And then read Art's pages and apply them, to harden your system:
http://www.claymania.com/safe-hex.html


Nice site, good info.
Heh... Art's pages? He certainly contributed but they're actually the
ACV pages (alt.comp.virus). Many people contributed directly and
indirectly to the page cited above.

Art does have his own site though.
Art's Antivirus Stuff: http://home.epix.net/~artnpeg/

Regards and happy holidays,


thx, happy holidays to everyone.

later,

tom @ www.URLBee.com
 
lol,
Let me explain.

The Agobot is an "auto-spreading" IRC-based bot.
If you are infected with it, when you go into the command prompt and type:
netstat
you should see connections somewhere. Depending on whether the person using
this bot configured it to be on a default IRC port (6667, 6668, 6669, 7000),
you should then see the ip/server:port you're connected to.
Usually you can find the actual kit by searching file/folder for files such
as xdcc.config and firedeamon.exe;
those are the two more common ones.
Usually these files are hidden within your default root Windows directory
somewhere,
like... C:\windows\system32\dllcache\i386\
If you would like assistance to remove this bot, just ask.

Cyrus
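An added example, not code from Cyrus's post or anyone in this thread, that turns the two checks he describes into a script: it parses Windows `netstat -an` output (a constructed sample is embedded) for TCP connections to the IRC ports named above, and walks a directory tree for the file names he lists. The addresses in the sample and the `build_sample_tree` helper are constructed stand-ins; nothing here removes anything, it only reports.

```python
import os
import re
import tempfile

# IRC ports the post names as the bot's usual control channel.
IRC_PORTS = {6667, 6668, 6669, 7000}
# File names the post says usually accompany the kit.
INDICATOR_FILES = {"xdcc.config", "firedeamon.exe"}

# Constructed sample of `netstat -an` output in the Windows format.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.5:1046       198.51.100.2:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def irc_connections(netstat_text):
    """Return (remote_host, port, state) for TCP lines whose remote port is an IRC port."""
    hits = []
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+\s+(\S+):(\d+)\s+(\S+)", line)
        if m and int(m.group(2)) in IRC_PORTS:
            hits.append((m.group(1), int(m.group(2)), m.group(3)))
    return hits

def find_indicator_files(root):
    """Walk root (e.g. C:\\Windows) and return paths whose name is an indicator file."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root)
                  for f in files if f.lower() in INDICATOR_FILES)

def build_sample_tree():
    """Constructed stand-in for a Windows directory: one planted indicator file."""
    root = tempfile.mkdtemp()
    sub = os.path.join(root, "system32", "dllcache", "i386")
    os.makedirs(sub)
    open(os.path.join(sub, "XDCC.config"), "w").close()  # matches case-insensitively
    open(os.path.join(root, "readme.txt"), "w").close()  # must not match
    return root, os.path.join(sub, "XDCC.config")

if __name__ == "__main__":
    for host, port, state in irc_connections(SAMPLE_NETSTAT):
        print(f"IRC-port connection to {host}:{port} ({state})")
    root, _ = build_sample_tree()
    for path in find_indicator_files(root):
        print(f"indicator file: {path}")
```

On a real machine you would point `find_indicator_files` at the Windows directory and feed it the live `netstat -an` output instead of the sample.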
