
Thread: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

  1. #1
    bridezilla Guest

    Default Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Hello again. I have had major problems with my computer in the last couple months, had to reformat due to malware/virus problems, and it seems like every time I turn it on and run a scan, something is found. I have Zone Alarm Internet Security 7 (have had for a long time), spyware sweeper, ad-aware professional version, spybot s & d, and still have subscriptions to spyware doctor, and pc tools registry mechanic, though I have not reinstalled them yet. My pc is a pavilion a1430n, dual amd processors (3800 x 2), 1 GB of RAM installed, capable of 4. Right now ZA has in quarantine "not-a-virus:RiskTool.Win32.PsKill.p", spyware sweeper has "trojan-downloader-zlob", and spybot s&d found a file in the start up section called system32.exe, that it says was installed by Agobot-Ku worm. I unchecked the box in front of the blank space that allowed system32.exe to start with the computer, and I ran more scans and searches to find the file so I could delete it, but have not been able to find it. I will be grateful for any help because I am just about going crazy, I am graduating from college in a month and my computer has not worked more than worked. Thank you in advance for any help.
    Cindy

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:7.0

  2. #2
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,288

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Hi! It is possible that what is detected by SpybotS&D is a "false positive". You can upload that suspicious file to www.virustotal.com and check with 10 other AV scanners.

    To remove difficult spyware/malware you need to do the following:
    1. Disable Microsoft System Restore;
    2. Reboot in SAFE MODE
    3. Run a full ZA AV/AS scan
    4. Reboot in Normal Mode
    5. Enable System Restore

    Cheers,
    Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Win32.PsKill.p should be checked for properties to see the vendor, version and time/date of install. These details alone can indicate as to whether the file is malicious or not. The same for the trojan-downloader-zlob.


    system32.exe does sound very suspicious. Here is some info>

    http://www.liutilities.com/products/...rary/system32/

    It is a bad trojan indeed. lots of cleaning up will be needed.

    See>

    http://www.file.net/process/system32.exe.html

    and>

    http://www.sophos.com/virusinfo/anal...2agobotku.html

    The amount of damage and the amount of cleanup is very big.



    Do This;

    Download the free AVG Antispy (it was called Ewido), then update and run it.

    Free AVG or ewido>

    http://www.ewido.net/en/download/

    Run and scan and delete all items found.

    OK do this. Click here to download smitRem.exe and save the file to your desktop. Double click on the file to extract it to its own folder on the desktop.

    smitRem.exe >
    http://noahdfear.geekstogo.com/click...click.php?id=1


    Next reboot into Safe Mode. You can get there by restarting your computer and continually tapping F8 until a menu appears. Use your arrow to highlight Safe Mode then hit enter.

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive (where your operating system is installed). You will need that log later.

    Launch ewido again:
    Click on scanner
    Click on Complete System Scan and the scan will begin (do not open any folders or open the windows control panel while the scan is in progress).
    While the scan is in progress you will be prompted to clean files, click OK
    When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
    Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    Click Save report.
    Save the report .txt file to your desktop.

    I would strongly suggest to disable the System Restore of the Windows OS. The malware is being preserved in the files and can become active in the future. It is advisable to disable the system restore and scan again with the antivirus and the spyscanners in the Safe Mode, one at a time, and let each one find and take and delete any files.

    Oldsod
    Best regards.
    oldsod
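
Added example, not part of the original thread: a PowerShell sketch that lists the standard Run/RunOnce registry autostart entries, checks whether each entry's target file actually exists on disk, and, when it does, prints the vendor, version and creation time that the reply above suggests inspecting. It assumes PowerShell is installed on the machine and covers only these four registry keys, not every autostart location a startup manager may display; the helper names `Get-CommandTarget` and `Resolve-Target` are made up for this example.

```powershell
# Added example (not from the thread): audit Run-key autostart entries.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandTarget([string]$Command) {
    # Extract the executable from a Run value: a quoted path, a path ending in
    # a known extension, or failing that the first whitespace-separated token.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Resolve-Target([string]$Target) {
    # Full paths are checked directly; bare names such as "system32.exe"
    # are looked up through PATH, the way Windows would resolve them.
    if (-not $Target) { return $null }
    if (Test-Path -LiteralPath $Target -PathType Leaf) {
        return Get-Item -LiteralPath $Target -Force   # -Force includes hidden/system files
    }
    $app = Get-Command $Target -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($app) { return Get-Item -LiteralPath $app.Path -Force }
    return $null
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $reg = Get-Item $key
    foreach ($name in $reg.GetValueNames()) {
        $command = [string]$reg.GetValue($name)
        $file = Resolve-Target (Get-CommandTarget $command)
        # Property access on $null yields $null, so missing files give empty columns.
        New-Object PSObject -Property @{
            Key = $key; Name = $name; Command = $command
            Found   = [bool]$file
            Path    = $file.FullName
            Vendor  = $file.VersionInfo.CompanyName
            Version = $file.VersionInfo.FileVersion
            Created = $file.CreationTime
        } | Select-Object Name, Found, Path, Vendor, Version, Created, Command, Key
    }
}
```

An entry with `Found` set to `False` points at a file that this lookup could not locate, which is the situation described in the first post; an entry with an empty `Vendor` or a recent `Created` time is the kind of detail worth comparing against the vendor write-ups linked above.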

  4. #4
    bridezilla Guest

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Dear Oldsod and Fax,
    Thank you both for your replies. I have an exam tomorrow in C++, but am about to start the process described in the reply. I will let you know how it turns out, and thank you again.
    Cindy

  5. #5
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Best of luck on your exam.

    Oldsod
    Best regards.
    oldsod

  6. #6
    bridezilla Guest

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Thank you, I will need the good luck. I did everything according to what you had written, and when I look in the start-up area of Spybot, it is still there. (unchecked of course) I did the ewido download, update, and scan, and the smitrem.exe in safe mode, with system restore turned off. I also did a webroot spysweeper scan & ad aware scan after the smitrem.exe scan. System restore is still off. Would you recommend me trying any of the scans that were on the link you sent me http://www.liutilities.com/products/...brary/system32 ? I really cannot send the file anywhere to have it scanned by other programs, because I cannot find the darn file. If the smitRem.exe report would help, I will search for that. Thank you again, I'll be staying online because I cannot begin to study until I have this thing cleared up.
    Cindy

  7. #7
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Hi Cindy

    First staying on-line to tend to the PC is non-productive in regards to your test or exam. So please study and get some rest or sleep.

    Secondly, please make sure there is no confidential data on the PC such as bank accounts or secret passwords or credit card numbers. Just in case the scan was not a false positive and there really is a trojan on the PC.

    For the most part, the ZA firewall should have detected a trojan or malware calling home. It should have alerted you or recorded it in the logs. You can check the logs to see if anything was out of the ordinary regarding connections made and remote IPs.

    Re: the smitRem report. You would have noticed if something was out of the ordinary on the report. You can post it if you wish or just check the results on the 'net. Either way is acceptable.

    You could follow up the SpyBot findings on the SpyBot forum. The usual experts there will have sound advice.

    http://forums.spybot.info/forumdisplay.php?f=4

    There is a special section dedicated to the HJT (HijackThis) where finer details of the OS are seen and analyzed.

    http://forums.spybot.info/forumdisplay.php?f=22

    They usually have some requirements to do before posting a HJT log, and you are probably almost there.
    HJT forums are excellent. They have expert advice and great results. But it is done by posting and often the logs are not checked immediately, so expect some delay and possibly several days time to get to the very end.

    From what you have scanned with so far- adaware, spysweeper, antivirus, za antispy, ewido- they should have seen some trace of the worm/trojan. If they have not detected anything besides cookies, then the PC is probably clean. All of your scanners are top notch, even if you seem to be using too many at the same time on the pc.

    Oldsod
    Best regards.
    oldsod

  8. #8
    bridezilla Guest

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Okay, I will take your advice and go study. Since I had a major virus/trojan/something a few weeks ago, I back everything up to an external hard drive now. I would love a suggestion on what antispyware programs to use and I will get rid of some. Thanks again for helping me relax about the whole thing.
    Cindy

  9. #9
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Hi Cindy

    Basically my point is there is probably overlap of the scanners. The OSFirewall and the Spysweeper and the Ad-Aware (if used full time) all have guards or shields that do the same job of protection, repeatedly.

    I cannot actually give direct orders as to what to use or what not to use- that is your choice and it is your PC.

    But, strategy and technicality do come into play. A single user on a single user PC behind a router with a direct internet connection is a different situation from a multi-user PC with several PCs on a router or server. Or maybe no hardware firewall is involved. Just as a PC used for banking/business and on-line shopping is different from the general browsing/some email PC. They all have different requirements of security. The individual user tastes and preferences come into play when considering security software- one uses a comprehensive security suite and another may just use HIPS with an antivirus. The variables involved are large.

    This is what the ZA does by itself to stop spyware:

    The OSFirewall keeps the browser search and home page protected, the host file locked, the startup list and the activeX installs guarded. The Spysweeper (and other spyware software of different kinds) does the same.

    The Privacy feature of the ZA (as do many software firewalls) filters the web content before they enter the PC. So activeX exploits, CWS, adware, drive-by spyware, java trojans and script-type of trojans and malware can be prevented completely.

    The Triple Defense Firewall stops malware from entering the PC, stops malware from starting up and stops their attempts to connect to the internet. It does not stop all, but it does work against some rootkits and keyloggers and various types of malware and trojans.

    The antivirus used by your ZASS version 7 (and up) is from Kaspersky Labs. The Kaspersky does have excellent anti-trojan abilities and good riskware/malware detection and removal. The ZA antispy scanner , not the best IMO, does have some merit. The Site Blocker is very limited, to just a small list of sites, but it does help the firewall permanently block off the site that was attempted to be reached by a trojan or outgoing malware.

    There is some overlapping with the SpyBot TeaTimer and the ZA. There is some overlapping with the Ad-Aware Ad-watch, the PCTools SpywareDoctor guards and the Spysweeper shields.

    In terms of straight detection and removal, the SpywareDoctor and the SpySweeper are probably two of the best that are available today. But their shields/guards are not that necessary with the ZASS protection.


    Just some things to consider..

    Some reading for ideas and help and advisements:

    http://www.cert.org/tech_tips/WIDC.html

    http://www.cknow.com/vtutor/SafeComputingPractices.html

    http://www.sitepoint.com/avantgo/art...aid=888&pid=13

    http://www.securityfocus.com/columnists/419

    http://packetstormsecurity.org/links/

    http://spywarewarrior.com/asw-features.htm

    http://www.bleepingcomputer.com/tuto...utorial41.html

    http://www.pchell.com/support/spyware.shtml

    http://spywarewarrior.com/sww-help.htm

    http://www.firewallguide.com/spyware.htm

    http://en.wikipedia.org/wiki/Spyware

    Best regards.

    Oldsod
    Best regards.
    oldsod

  10. #10
    bridezilla Guest

    Default Re: Spybot found Agobot-Ku worm, not able to find file or find with Zone Alarm

    Hi Fax,
    I would love to do this if I could find the file. I have tried searching so many times, and some of the things I have read about the Agobot-Ku is that it is extremely difficult to find, since it remains hidden very well. Well I believe it because I cannot find it anywhere. If you have any suggestions on how to find it, I will send it to the site you suggested for further testing. I am also going to ask the spybot site what they might know about this file, since their information pops up on the tools screen start up menu. Still studying for tomorrow's, well at this point, today's exam. Thank you for your help, I know I can always come here for help and answers, you all are the best.
    Cindy
