
Thread: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

  1. #1
    bridezilla Guest

    Default Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Hello again. I have had major problems with my computer in the last couple months, had to reformat due to malware/virus problems, and it seems like every time I turn it on and run a scan, something is found. I have Zone Alarm Internet Security 7 (have had for a long time), spyware sweeper, ad-aware professional version, spybot s & d, and still have subscriptions to spyware doctor, and pc tools registry mechanic, though I have not reinstalled them yet. My pc is a pavilion a1430n, dual amd processors (3800 x 2), 1 GB of RAM installed, capable of 4. Right now ZA has in quarantine "not-a-virus:RiskTool.Win32.PsKill.p", spyware sweeper has "trojan-downloader-zlob", and spybot s&d found a file in the start up section called system32.exe, that it says was installed by Agobot-Ku worm. I unchecked the box in front of the blank space that allowed system32.exe to start with the computer, and I ran more scans and searches to find the file so I could delete it, but have not been able to find it. I will be grateful for any help because I am just about going crazy, I am graduating from college in a month and my computer has not worked more than worked. Thank you in advance for any help.
    Cindy

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:7.0

  2. #2
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,285

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Hi! It is possible that what is detected by SpybotS&D is a "false positive". You can upload that suspicious file to www.virustotal.com and check with 10 other AV scanners.

    To remove difficult spyware/malware you need to do the following:
    1. Disable Microsoft System Restore;
    2. Reboot in SAFE MODE
    3. Run a full ZA AV/AS scan
    4. Reboot in Normal Mode
    5. Enable System Restore

    Cheers,
    Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    bridezilla Guest

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Hi Fax,
    I would love to do this if I could find the file. I have tried searching so many times, and some of the things I have read about the Agobot-Ku is that it is extremely difficult to find, since it remains hidden very well. Well I believe it because I cannot find it anywhere. If you have any suggestions on how to find it, I will send it to the site you suggested for further testing. I am also going to ask the spybot site what they might know about this file, since their information pops up on the tools screen start up menu. Still studying for tomorrow's, well at this point, today's exam. Thank you for your help, I know I can always come here for help and answers, you all are the best.
    Cindy

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Hi Cindy

    If you uninstall the SpyBot and clean all files left and reinstall the SpyBot, do you think the SpyBot will have the file found once again or perhaps the SpyBot does not even find any further issues and the file is no longer there.

    Oldsod
    Best regards.
    oldsod

  5. #5
    bridezilla Guest

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Hi. Sorry this took me so long, was at school from 8:30 am until 5, and then walked the dogs. I think I did pretty well on my exam, I don't know why but all biology majors are required to take a semester of C++, and it's a big pain in the butt for me. The class requires a lot of work, and I'm overwhelmed enough with molecular biology, biochemistry, finishing organic chem 2 and physics 2 from last semester, and trying to get them all done in time to graduate May 19. (with decent grades) It sure was easier the first time around in college. I plan on going to vet school, but I need to take the GRE exam, and I have not had a spare minute to study for it yet.

    Okay, I wasn't clear enough about spybot finding the file, I found the file in the spybot tools menu when I was looking at system startup. It has a blank space next to the box that was checked signifying it started with the pc. I unchecked the box immediately, looked at the blurb Paul Collins had written about it and proceeded to search for the file he said it would be in, 'system32.exe'. I have tried searching everywhere on the computer and cannot find the file, but when I check the startup menu in Spybot, it is still there, so far the check mark has not come back. I did notice one thing yesterday that slipped my mind, and it happened again today as well. (I wrote the entire error message down and now I cannot find it) When the pc starts, I get an error message that says a dll file has been illegally moved, and because of that RTHDCPL and another file/program will not run, and I should contact the vendor. I know I did not move anything illegally. I can certainly try removing spybot and reinstalling, then looking through the start up again. In the meantime I will look for the paper where I wrote the error message verbatim.

    Cindy

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Hi

    Sounds like you will graduate and do very well. Your courses are heavy and time intensive. You seem like you will make a great vet. Curious to know, if you are going to be a small animal or large animal vet. The small animal area is popular.

    Okay, let's get to business.....

    http://www.processlibrary.com/directory/files/rthdcpl/

    http://www.liutilities.com/products/...brary/rthdcpl/

    I think I have this on the laptop. If it is missing, then uninstall the sound driver and the extra control panel feature and re-install them from the drivers disk (if it came with the PC) or from the realtek driver download site. Or from the PC vendor download site- your make and model usually is enough to get the correct download menu. Maybe this file got clobbered in some previous scan and just needs replacing.

    I haven't used SpyBot in years, so my exact memory of what it is described is dim.

    Check the startups.

    So do this: open Start and select Run and type in msconfig and ok. In the System Configuration Utility, select the Startup tab and see if there is any mention of the system32.exe. It can be disabled here just by using the Windows if it is found.

    Second way to check is with Windows. Open Start and All Programs and then Accessories and open System Tools. Select System Information and under Software Environment select Start Programs. Look for the file again. If it is found then at least you are forewarned.

    Both methods of checking are done without any additional security applications. It does take time, but it can be done and done well.

    Also there is this to check and do>

    1. Click Start, click Run, type regedit in the Open box, and then click OK.
    2. For each of the following registry keys, locate the key, click the key, on the Edit menu, click Delete, and then click Yes to confirm the deletion:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemSAS system32.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CMD cmd32.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\SystemSAS system32.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\CMD cmd32.exe

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\SystemSAS system32.exe

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\CMD cmd32.exe

    HKEY_Local_Machine\Software\Krypton
    3. Locate, and then click the following key in the registry:
    HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    4. On the Edit menu, click Modify.
    5. Type Explorer.exe, and then press ENTER.
    6. Locate, and then click the following key in the registry:
    HKEY_CURRENT_USER\SOFTWARE\Kazaa\LocalContent
    7. Delete any values that refer to the C:\%Windir%\UserTemp or the C:\%Windir%\User32 folders.
    8. Locate, and then click the following key in the registry:
    HKEY_CURRENT_USER\SOFTWARE\iMesh\Client\LocalContent
    9. Delete any values that refer to the C:\%Windir%\UserTemp or the C:\%Windir%\User32 folders.
    10. Quit Registry Editor.
    11. Restart your computer.

    Excerpted from here>

    http://support.microsoft.com/kb/833767

    There is a good chance that the SpyBot is seeing one of these keys and deleting these leftovers may solve the SpyBot problem.

    Just some ideas.
    Oldsod

    Message Edited by Oldsod on 04-04-2007 10:15 PM
    Best regards.
    oldsod
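
Added example, not part of the thread or of the Microsoft article: a read-only check for the indicators named in the KB 833767 excerpt above, run over text exported from regedit instead of clicking through each key. The sample export is constructed, the names `audit` and `unescape` are this example's own, and matching the three autorun key names in any hive goes slightly beyond the exact hive/key pairs the post lists.

```python
import re

# Indicators from the KB 833767 excerpt in the post above: value name -> file.
BAD_VALUES = {"systemsas": "system32.exe", "cmd": "cmd32.exe"}
AUTORUN_SUFFIXES = tuple(r"\microsoft\windows\currentversion" + s
                         for s in (r"\run", r"\runservices", r"\runonce"))
KRYPTON_KEY = r"hkey_local_machine\software\krypton"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

# Constructed sample of regedit export text (not data from the thread).
# A real export file is UTF-16: open it with encoding="utf-16".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemSAS"="system32.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe system32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Krypton]
'''

# Matches string values only ("name"="data"); dword/hex values are skipped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", text)

def audit(reg_text):
    """Return (key, value name, data) tuples that match the listed indicators."""
    findings, key = [], None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower() == KRYPTON_KEY:
                findings.append((key, "", "key exists"))
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        bad = BAD_VALUES.get(name.lower())
        if key.lower().endswith(AUTORUN_SUFFIXES) and bad and bad in data.lower():
            findings.append((key, name, data))
        elif (key.lower() == WINLOGON_KEY and name.lower() == "shell"
              and data.strip().lower() != "explorer.exe"):
            findings.append((key, name, data))  # step 5: Shell should be Explorer.exe
    return findings
```

An empty result only means these particular entries are absent from the export; it says nothing about other startup locations.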

  7. #7
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Win32.PsKill.p should be checked for properties to see the vendor, version and time/date of install. These details alone can indicate as to whether the file is malicious or not. The same for the trojan-downloader-zlob.


    system32.exe does sound very suspicious. Here is some info>

    http://www.liutilities.com/products/...rary/system32/

    It is a bad trojan indeed. Lots of cleaning up will be needed.

    See>

    http://www.file.net/process/system32.exe.html

    and>

    http://www.sophos.com/virusinfo/anal...2agobotku.html

    The amount of damage and the amount of cleanup is very big.



    Do This;

    Download the free AVG Antispy or was called Ewido and update and run.

    Free AVG or ewido>

    http://www.ewido.net/en/download/

    Run and scan and delete all items found.

    OK do this. Click here to download smitRem.exe and save the file to your desktop. Double click on the file to extract it to its own folder on the desktop.

    smitRem.exe >
    http://noahdfear.geekstogo.com/click...click.php?id=1


    Next reboot into Safe Mode. You can get there by restarting your computer and continually tapping F8 until a menu appears. Use your arrow to highlight Safe Mode then hit enter.

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive (where your operating system is installed). You will need that log later.

    Launch ewido again:
    Click on scanner
    Click on Complete System Scan and the scan will begin (do not open any folders or open the windows control panel while the scan is in progress).
    While the scan is in progress you will be prompted to clean files, click OK
    When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
    Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    Click Save report.
    Save the report .txt file to your desktop.

    I would strongly suggest to disable the System Restore of the Windows OS. The malware is being preserved in the files and can become active in the future. It is advisable to disable the system restore and scan again with the antivirus and the spyscanners in the Safe Mode, one at a time, and let each one find and take and delete any files.

    Oldsod
    Best regards.
    oldsod

  8. #8
    bridezilla Guest

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Dear Oldsod and Fax,
    Thank you both for your replies. I have an exam tomorrow in C++, but am about to start the process described in the reply. I will let you know how it turns out, and thank you again.
    Cindy

  9. #9
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Best of luck on your exam.

    Oldsod
    Best regards.
    oldsod

  10. #10
    bridezilla Guest

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Thank you, I will need the good luck. I did everything according to what you had written, and when I look in the start-up area of Spybot, it is still there. (unchecked of course) I did the ewido download, update, and scan, and the smitrem.exe in safe mode, with system restore turned off. I also did a webroot spysweeper scan & ad aware scan after the smitrem.exe scan. System restore is still off. Would you recommend me trying any of the scans that were on the link you sent me http://www.liutilities.com/products/...brary/system32 ? I really cannot send the file anywhere to have it scanned by other programs, because I cannot find the darn file. If the smitRem.exe report would help, I will search for that. Thank you again, I'll be staying online because I cannot begin to study until I have this thing cleared up.
    Cindy
