I'm going in a circle here. First, McAfee found a virus and said it got rid of it, Qhosts.apd, and then kept on telling me that I had it. Then, I couldn't get it to even do a virus check. Something called Adware runs on here all the time (had a smiley face for an icon) and it keeps telling me it found something blacklisted called microsoft.exe. I tell it no, then it shuts down McAfee.
I booted into safe mode and scanned with McAfee and it found Qhosts.apd again, got rid of it. I rebooted, can't get rid of Adware, it's still shutting down McAfee, and I keep getting a CONSTANT warning that says:
McAfee ActiveShield has detected a virus on your computer. We recommend that you use the Scan feature to scan all the drive of your computer for viruses.
I tell it okay and it pops up every 30 seconds.
I went to a virus site and found that I had the DOS AGOBOT.HM, got something called Stinger from McAfee, went back to the site and it didn't find it this time, but I still have the problem from Adware (control panel won't let me get rid of it) and it shutting down McAfee and the warning from ActiveShield every 30 seconds.
Any suggestions? I can get to McAfee's site now, but not Symantec's.
DOS AGOGOT.HM Help? Virus
#2
Posted 30 April 2004 - 02:58 PM
Hi Susan,
It sounds like your virus is still there. Have a look at the link below; it gives instructions on how to manually remove it. Print them out, then disconnect your machine from the internet by removing the cable from the modem!!!
Virus Information
Once you have got rid of it, uninstall McAfee and reinstall it and get the latest definitions downloaded, or get the free scanner from www.grisoft.com
Good luck!!
TC
#3
Posted 30 April 2004 - 03:58 PM
Won't let me go to the link. It re-directs me. Can you cut and paste here?
#4
Posted 30 April 2004 - 04:21 PM
Link works fine. If it's redirecting you, then your virus has edited the HOSTS file.
Open %systemroot%\system32\drivers\etc\hosts (Windows XP) in Notepad and see if sophos.com is listed.
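A quick way to do the check described in the post above without eyeballing the file: the script below (an added example, not from the thread or from any vendor) parses a HOSTS file and reports any line that pins a security-vendor domain to an address. The sample file and the list of watched vendor domains are constructed for the demo from names the thread mentions; a clean HOSTS file has no reason to carry entries for those domains at all, so any hit is worth a look whether it points at 127.0.0.1, 0.0.0.0 or somewhere else.

```python
"""Audit a Windows HOSTS file for entries that hijack security-vendor domains."""

# Constructed sample, modelled on the symptom in the thread: vendor sites
# redirected to loopback so the browser can never reach them.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   sophos.com
127.0.0.1   www.sophos.com
127.0.0.1   symantec.com
0.0.0.0     securityresponse.symantec.com
192.168.0.10   intranet.example   # legitimate local override, left alone
"""

# Domains to watch for; this list is an assumption for the demo, taken from
# vendors named in the thread. Extend it for your own environment.
WATCHED_SUFFIXES = ("sophos.com", "symantec.com", "mcafee.com", "grisoft.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:  # one line may carry several aliases
            entries.append((ip, name.lower()))
    return entries


def is_watched(hostname):
    """True if hostname is a watched vendor domain or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return every hosts entry that maps a watched vendor domain anywhere."""
    return [(ip, name) for ip, name in parse_hosts(text) if is_watched(name)]


if __name__ == "__main__":
    # On a live XP box you would read the real file instead, e.g.
    # open(r"C:\WINDOWS\system32\drivers\etc\hosts").read()
    for ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
```

Run against the constructed sample it lists the four vendor entries and ignores `localhost` and the local intranet override. Removing the lines is still a manual step; the script only tells you which ones to look at.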
#5
Posted 01 May 2004 - 01:53 AM
This is from the Sophos website.
Description
W32/Agobot-EX is an IRC backdoor Trojan and network worm.
When first run W32/Agobot-EX copies itself to the Windows system folder with the filename soundman.exe. The following registry entries are created with the intention of starting the worm when a user logs into Windows, but an error results in these values being garbage:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
^`d}qZxu= ~`d}qzxu3zYF
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
^`d}qZxu= ~`d}qzxu3zYF
W32/Agobot-EX also registers itself as a service which will be activated when Windows starts up. The name of the service is SoundMan.
W32/Agobot-EX connects to a remote IRC server and joins a specific channel. The backdoor functionality of the worm can then be accessed by an attacker using the IRC network. An attacker can issue commands to start the worm scanning for vulnerable computers to copy itself to.
The worm also attempts to terminate and disable various security-related programs.
Recovery
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
^`d}qZxu= ~`d}qzxu3zYF
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
^`d}qZxu= ~`d}qzxu3zYF
and delete them if they exist.
Close the registry editor.
#6
Posted 01 May 2004 - 09:05 AM
This is what was found. I can't open my registry because it keeps closing back down. It's doing this to a lot of programs.
Scan started at 5/1/2004 9:20:04 AM
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\daubatyq.exe - Win32/HLLW.Gaobot -> Infected
C:\dvmintdp.exe - Win32/HLLW.Gaobot -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1215: (paul davd [Find a good f... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1038: (paul davd [I Love You])-... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.981: (paul davd [U realy Want t... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.956: (paul davd [Learn How To L... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.868: (paul davd [make ur friend... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.867: (paul davd [Learn How To L... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.866: (paul davd [Are you lookin... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.854: (paul davd [Learn How To L... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.848: (paul davd [Wowwwwwwwwwww ... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.793: ( [Screensaver])->(part000... - Win32/Sobig.B@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.79: ( [Re: My details])->(part0... - Win32/Sobig.B@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.36: (paul davd [Wowwwwwwwwwww c... - Win32/Yaha.K@mm -> Infected
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\611JMFO0\bot[4].exe - Win32/HLLW.Gaobot -> Infected
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\611JMFO0\bot[5].exe - Win32/HLLW.Gaobot -> Infected
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MPMYQ6WB\bot[3].exe - Win32/HLLW.Gaobot -> Infected
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MPMYQ6WB\bot[4].exe - Win32/HLLW.Gaobot -> Infected
Scanned
============================
Objects: 44461
Directories: 4744
Archives: 7332
Size(Kb): 1676744
Infected files: 18
Found
============================
Viruses found: 3
Suspicious files: 0
Disinfected files: 0
Mail files: 4911
#7
Posted 01 May 2004 - 12:55 PM
You have a dirty dirty dirty machine!!
Assuming that you are using XP, press the CTRL, ALT and DELETE keys, look at the processes that are running, look for daubatyq.exe and dvmintdp.exe and stop those processes. Also have a look at any process that has your username as the process owner; look for oddly named files, i.e. M1crosoft.exe etc., and stop those as well.
Then try and run regedit.
If you are successful, delete all your temporary internet files, empty your email trash and delete those emails, delete those documents that it shows in your list! Do it manually! And empty the trashcan. Then run your scanner and see what happens.
Good luck
#8
Posted 01 May 2004 - 07:58 PM
that won't solve her problems though
the idea of the virus is that it copies itself to other places
after she stops those processes another process will be running.
i'd go to registry wipe out the startup programs
try msconfig if it doesn't let u open regedit
also if that doesn't work
go to run and type cmd
then use "reg" command to delete the run key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
if u want to delete the individual entries u'll have to query the values in them then delete the values...
so like this, to delete everything under the Run key:
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /va
or
    reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
it will give u a list of programs that are working
to delete them 1 by one go like this
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "name of process"
replace "name of process" with the name of the process without the quotes....
repeat this for suspicious values
and also do these for the HKCU too
and for services.. though i dunno if that particular virus goes into services..
then restart the computer
after the restart none of those files should be running...
then go through the suspicious files and delete them.
and as said delete the temp internet files,
delete this folder too
c:\documents and settings\funpartyz\Local Settings\Temp
and u're lucky it has affected your Deleted Items.dbx so u can also delete that dbx file and still be able to see your mails (not the deleted ones though..)
good luck... have fun
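The `reg query` listing the post above asks for can be long, and the Sophos description earlier in the thread shows that the worm's value names can be unreadable garbage. The script below is an added example (not from the thread, not a vendor tool) that reads text in the shape `reg query` prints and flags the Run entries a responder would examine first: garbage value names, data that is not an executable path, executables sitting in the drive root or in temp/user-profile folders, and file names matching the indicators posted in this thread. The sample listing is constructed; the garbage value name is the one Sophos quotes for W32/Agobot-EX, the file names come from the scan log and the Sophos text above, and the "Adobe Reader" entry is a made-up benign control. The output format is modelled on `reg.exe` with four-space column separators, which is an assumption; adjust `split` if your version uses tabs.

```python
"""Triage the Run key listing printed by `reg query` for an Agobot-style cleanup."""
import re

# Constructed sample of `reg query HKLM\...\Run` output (four-space columns).
SAMPLE_REG_QUERY = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ^`d}qZxu=    REG_SZ    ~`d}qzxu3zYF
    SoundMan    REG_SZ    C:\WINDOWS\system32\soundman.exe
    Adobe Reader Speed Launcher    REG_SZ    "C:\Program Files\Adobe\Reader\reader_sl.exe"
    Updater    REG_SZ    C:\daubatyq.exe
    bot    REG_SZ    C:\Documents and Settings\funpartyz\Local Settings\Temp\bot[4].exe
"""

# File names named in this thread (Sophos description and the posted scan log).
KNOWN_BAD_NAMES = {"soundman.exe", "daubatyq.exe", "dvmintdp.exe"}

# Folders a legitimate autorun entry has little business living in.
WRITABLE_HINTS = ("\\temp\\", "temporary internet files", "\\local settings\\")

EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|bat|scr|pif))', re.IGNORECASE)


def parse_reg_query(text):
    """Return (value_name, type, data) for each indented entry line."""
    entries = []
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            continue  # banner, blank or key-path lines are not values
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 2:
            continue
        name, vtype = parts[0], parts[1]
        data = parts[2] if len(parts) > 2 else ""
        entries.append((name, vtype, data))
    return entries


def image_path(data):
    """Extract the executable path from a Run value, or None if there is none."""
    m = EXE_RE.match(data.strip())
    return m.group(1) if m else None


def assess(name, data):
    """Return the list of reasons an entry deserves attention (empty = looks normal)."""
    reasons = []
    if not re.fullmatch(r"[\w .()\-]+", name):
        reasons.append("garbage value name")
    path = image_path(data)
    if path is None:
        reasons.append("data is not a recognisable executable path")
        return reasons
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if base in KNOWN_BAD_NAMES:
        reasons.append(f"file name matches indicator from thread: {base}")
    if re.fullmatch(r"[a-z]:\\[^\\]+", low):
        reasons.append("executable in drive root")
    if any(h in low for h in WRITABLE_HINTS):
        reasons.append("executable in temp/user-writable location")
    return reasons


def triage(text):
    """Return (value_name, data, reasons) for every flagged entry."""
    flagged = []
    for name, _vtype, data in parse_reg_query(text):
        reasons = assess(name, data)
        if reasons:
            flagged.append((name, data, reasons))
    return flagged


if __name__ == "__main__":
    for name, data, reasons in triage(SAMPLE_REG_QUERY):
        print(f"{name!r}: {data}\n    " + "; ".join(reasons))
```

The point of the heuristics is to shorten the list, not to decide for you: `SoundMan` in `system32` only stands out because the Sophos description names it, which is why the indicator list is kept separate from the path rules. The `reg delete /v` step from the post remains a deliberate, per-entry action once you have confirmed what each flagged value is.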