Re: Need help with a virus
#135658
05/02/04 08:19 PM
infernoj13usa
The Radiant Moderator Staff Reviewer
BAAG Specialist
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
Ok, Hagatha ....The Battle begins:
First I want to see if you can do this:
Do not restart the computer just yet.
The reason why your Norton antivirus isn't making things better right away is because this worm attacks it and renders it useless.... but we'll fix that. Your Recycle bin has been changed to "Norton Protected" because there are files in it which have certain extensions which are listed in your Norton Program by default.
Can you open up your Norton program at all?
They would be located in: Options/exclusions
Norton defaults to protect these: *.nch *.dbx \system volume information.
The worm didn't create the Norton Protected...that's your antivirus trying to protect your system files. It takes over your recycle bin when your system is being attacked.
... More to Come in a minute.
Inferno
Watching: Dark Shadows Reading: Angelique's Descent Playing: WoW and living in Kil' Jaeden
Re: Need help with a virus
#135661
05/02/04 08:47 PM
infernoj13usa
The Radiant Moderator Staff Reviewer
BAAG Specialist
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
You'll have to begin again. If you're in safe mode now, stay there. Do not reboot. In the meantime use the other computer for your access to the internet, and find some 3.5 floppies while you're at it. Go here and download this fix to the floppy. Make sure you label it, so you'll be able to find it when you need it. Make sure that you download from the uninfected computer, not the XP.
DOS AGOBOT.HM and a SYSHOST new .zip
Inferno
Re: Need help with a virus
#135662
05/02/04 08:54 PM
infernoj13usa
The Radiant Moderator Staff Reviewer
BAAG Specialist
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
The DOS in AGOBOT means "Denial of Services"; that's why you can't get to Norton's site... especially about this subject. Gezzlouise....whoever created this is really smart.....their punishment should be that they have to create a noninfected patch for "Amber"... and then have all their little fingers broken and be forced to play "The Scroll" with their nose!
Inferno
heeheehee *Inferno smiles and winks wickedly at her GB Buddy, Hagatha*
Inferno
Re: Need help with a virus
#135663
05/02/04 09:01 PM
Jenny100
GB Reviewer Glitches Moderator
Sonic Boomer
Joined: Oct 2000
Posts: 40,644
southeast USA
Originally posted by Hagathaone:
This all started with me not being able to install a game because of the copy protection, and turning off Norton, and then going on the Internet for about 30 seconds before I remembered. The problems started shortly thereafter. And SASSER got into my system while I was on the 'net getting the AGOBOT scan. So the moral of the story is - if you have to disable Norton to install a game properly because of the copy protection, return the game for a refund and send a nasty note to the developer.
Actually there are a number of games that don't install properly with an antivirus running - and it has nothing to do with the copy "protection." It has to do with the antivirus detecting the installation as "virus-like activity" and blocking parts of the install so you get a bad install. But it's important to realize you shouldn't connect to the Internet without some form of firewall or antivirus protection. Some of these newer viruses can infect without opening an email or doing anything other than connecting to the Net. If you "tend to forget," I'd recommend getting a hardware firewall that will at least block incoming probes. Once you get your computer sorted out, you can check your firewall protection with the Shields Up test here: https://grc.com/x/ne.dll?bh0bkyd2 Use the Common Ports option when it comes up.
Re: Need help with a virus
#135664
05/02/04 09:15 PM
infernoj13usa
The Radiant Moderator Staff Reviewer
BAAG Specialist
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
Before you begin: If you are running Windows NT/2000/XP, make sure that you do, or have done, the following:
- Create a secure password. This worm takes advantage of weak network passwords. (A full-time Internet connection, such as DSL or Cable, is considered a network connection for these purposes.)
- Patch the DCOM RPC vulnerability as described in Microsoft Security Bulletin MS03-026.
- Patch the WebDav vulnerability as described in Microsoft Security Bulletin MS03-007.
If you can't get onto the internet you'll have to do this step afterward, but try to see if it will work. (You'll have to reboot out of Safe Mode for these steps.)
Inferno
Re: Need help with a virus
#135665
05/02/04 09:24 PM
infernoj13usa
The Radiant Moderator Staff Reviewer
BAAG Specialist
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
After the MS patches are in, reboot into regular mode (sorry, I know that it hurts) and: Here we go: These are our avenues of attack.
- Disable System Restore (Windows Me/XP).
- Restart the computer in Safe mode or VGA mode.
- Restore the Hosts file.
- Reverse the changes made to the registry (removing the service and Run keys that the worm added).
- Update the virus definitions.
- Run a full system scan and delete all the files detected as W32.Gaobot.gen!poly, Dos AGOBOT.HM, AGOBOT B, WORMNACH B.
- Disable System Restore
To turn off Windows XP System Restore:
Click Start > Programs > Accessories > Windows Explorer.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box as shown in this illustration:
Click Apply. A message should appear in a small window. Click "Yes". This will delete all existing restore points. Click Yes to do this. Click OK.
From the Systematic website: Safe mode is the Windows diagnostics mode. When you start the computer in Safe mode, only the specific components that are needed to run the operating system are loaded. Safe mode does not allow some functions, such as a connection to the Internet. Safe mode also loads a standard video driver at a low resolution. Due to the low resolution, your programs and the Windows desktop may look different than usual and the desktop icons may have moved to different locations on the desktop.
- To use the F8 method
Use this method only if Windows XP is the only operating system installed on your computer. Start Windows, or if it is running, shut Windows down, and then turn off the computer. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.
Inferno
Re: Need help with a virus
#135666
05/02/04 09:30 PM
infernoj13usa
The Radiant Moderator Staff Reviewer
BAAG Specialist
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
- To restore the Hosts file
Removing these will fix the Windows hosts file so that the added name resolution entries from the Worm will not prevent you from visiting the Web sites of antivirus vendors.
Using Windows Explorer, look for a file named "hosts" in the following locations, if they exist:
C:\Windows\System32\Drivers\Etc\hosts
C:\Winnt\System32\Drivers\Etc\hosts
D:\Windows\System32\Drivers\Etc\hosts
D:\Winnt\System32\Drivers\Etc\hosts
For each \hosts file that you find, double-click the file. When the "Open With" dialog box appears, scroll through the list and select Notepad. Do not check the "Always open this program with. . ." box.
Delete the following lines within the file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
Do not delete the line: 127.0.0.1 localhost
Save the hosts file.
Inferno
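The hosts-file cleanup described in the post above, as an added example that is not part of the original thread: a small Python script that parses a hosts file, flags every line that points a name other than localhost at the loopback address (the trick the worm uses to keep the machine away from antivirus sites), and returns the file with those lines removed. The hosts text in the script is constructed; to run it on a real machine, read the file from the C:\Windows\System32\Drivers\Etc\hosts path given in the post instead.

```python
"""Audit a Windows hosts file for loopback hijacks of non-local names.
Added example, not part of the original thread; SAMPLE_HOSTS is constructed
to resemble the modified file the post describes."""
import ipaddress

# Constructed sample: the stock Microsoft header, the mandatory localhost
# line, three worm-style hijacks (one using a tab and two names on a line),
# and a legitimate LAN entry that must survive the cleanup.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1\tupdate.symantec.com updates.symantec.com
192.168.1.10    printer.home   # a legitimate local entry
::1             localhost
"""

# Names that may legitimately resolve to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (address, [hostnames], raw_line) for each non-comment line."""
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        fields = body.split()                  # spaces or tabs
        if len(fields) < 2:
            continue                           # malformed, leave it alone
        yield fields[0], fields[1:], raw


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def find_hijacks(text):
    """Return the raw lines that map a non-localhost name to loopback."""
    hijacked = []
    for addr, names, raw in parse_hosts(text):
        if is_loopback(addr) and any(n.lower() not in LOOPBACK_NAMES
                                     for n in names):
            hijacked.append(raw)
    return hijacked


def clean_hosts(text):
    """Return the hosts text with hijack lines removed; all else is kept."""
    bad = set(find_hijacks(text))
    return "\n".join(l for l in text.splitlines() if l not in bad) + "\n"


if __name__ == "__main__":
    for line in find_hijacks(SAMPLE_HOSTS):
        print("hijack:", line)
    print(clean_hosts(SAMPLE_HOSTS))
```

Because the worm keeps rewriting the file while it runs, a cleaned hosts file only stays clean once the worm's Run values and service keys from the following steps are gone as well.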
Re: Need help with a virus
#135667
05/02/04 09:32 PM
infernoj13usa
The Radiant Moderator Staff Reviewer
BAAG Specialist
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
- Reverse the changes made to the registry
Click Start, and then click Run. (The Run dialog box appears.)
Type regedit
Then click OK. (The Registry Editor opens.)
Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete any of the following values:
"^`d}qZxu" = "~`d}qzxu3zYF"
"Configuration Loader"="confgldr.exe"
"Video Process"="sysconf.exe"
"Service Host Process"="spoolsvc.exe"
"svchost"="winhelp.exe"
"csrs"="csrs.exe"
Do one of the following: If you are using Windows NT/2000/XP, skip to step h. If you are using Windows 95/98/Me, go on to step f.
Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
In the right pane, delete any of the following values:
"^`d}qZxu" = "~`d}qzxu3zYF"
"Configuration Loader"="confgldr.exe"
"Video Process"="sysconf.exe"
"Service Host Process"="spoolsvc.exe"
"svchost"="winhelp.exe"
"csrs"="csrs.exe"
Navigate to and delete the keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SoundMan
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svc32
- Exit the Registry Editor.
- Restart the computer in Normal mode.
Inferno
Re: Need help with a virus
#135669
05/02/04 09:42 PM
infernoj13usa
The Radiant Moderator Staff Reviewer
BAAG Specialist
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
- Restart in Normal Mode
Close all open programs. Click Start, and then click Run. The Run dialog box appears. Type msconfig and then click OK.
The System Configuration Utility appears. Check the /SAFEBOOT option, and then click OK.
You'll see the prompt to restart the computer. Click Restart.
- Locate your Norton Antivirus Software.
- Run Live Update.
- If nothing happens...don't panic. Uninstall Norton and reinstall it.
- Run Live Update again.
- Start your Symantec antivirus program and make sure that it is configured to scan all the files.
- Scan your system.
- Delete all the files detected as W32.Gaobot.gen!poly, Dos AGOBOT.HM, AGOBOT B, WORMNACH B.
Take 2 aspirin and call me in the morning.
Inferno
Re: Need help with a virus
#135671
05/02/04 10:16 PM
infernoj13usa
The Radiant Moderator Staff Reviewer
BAAG Specialist
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
Creating a password even if you are the "Owner" or Administrator for your system is one of the best things that you can do for yourself.
Go to Start --> Control Panel --> User Accounts and double click. Take the time to read all the help files here as well; they explain a lot.
When you're ready: Click on your file...it's probably still listed as "Owner" or "Administrator". First click on "Change my Name". Don't keep it as "Owner"!!! That's the biggest mistake that everyone makes and it's the first thing an attacker will look for (everyone's XP is called "Owner" unless they change that). If you have "Guest", change that one too after you're done with changing yours.
Next, click on Create a password. Read the articles below about this and follow what they say... you'll be glad that you did. I keep a notebook with all my passwords written down. Silly in this day and age I know...but it has saved me and the things I do more times than I can count. You can create a password reset disk for it if you wish...just read the help file on your computer. I don't use this function, but you may want to.
Read these: Creating Strong Passwords; Windows XP Tips and Tricks
Inferno
If you have any other questions, let me know.
Re: Need help with a virus
#135677
05/03/04 12:52 AM
infernoj13usa
The Radiant Moderator Staff Reviewer
BAAG Specialist
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
Go to bed. I'll try to make it clearer for you for tomorrow. Check back here again.
Inferno
Re: Need help with a virus
#135678
05/03/04 12:58 AM
infernoj13usa
The Radiant Moderator Staff Reviewer
BAAG Specialist
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
Originally posted by Hagathaone:
I've hit a brick wall already...here's what I have done:
1. Secure Password-already had one, it turns out.
By the way, I do not understand the term "key" as in "Navigate to and delete the keys".
Change your password. You've been compromised. "KEY" - That refers to the "registry" key. It's located in the Registry editor (well, it's the fastest way to find it).
- Take a look here:
After you locate "Microsoft" again click on the + to the left and scroll down until you see "Windows"; click on the + to the left and scroll down until you locate "current version"; click on the left and scroll down until you locate run; click on the left until you see "run". Double click on "run", now look at the window on the right. See anything?
- Follow part "D >" below. (If you double click on the files here you will see the values.) Delete only the "values" listed here. Do not delete the folders on the left, only the values on the right.
- Then use the same "navigation procedure" to locate the "Key" in step "h", but now if you find that "key" located on the left side of the window (it will look like a folder) delete it entirely.
- It will be in the left side of the registry window. There are two you must delete...these are the registries for the worms themselves! They are the worm's Hooks.
One is called "soundman" the other is "svc" - Therefore these computer sentences need to go:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SoundMan
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svc32
Understand?
- A> Click Start, and then click Run. (The Run dialog box appears.)
- B> Type regedit. Then click OK. (The Registry Editor opens.)
- C> Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- D> In the right pane, delete any of the following values:
"^`d}qZxu" = "~`d}qzxu3zYF"
"Configuration Loader"="confgldr.exe"
"Video Process"="sysconf.exe"
"Service Host Process"="spoolsvc.exe"
"svchost"="winhelp.exe"
"csrs"="csrs.exe"
- E> Do one of the following: If you are using Windows NT/2000/XP, skip to step h. If you are using Windows 95/98/Me, go on to step f.
- F> Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- G> In the right pane, delete any of the following values:
"^`d}qZxu" = "~`d}qzxu3zYF"
"Configuration Loader"="confgldr.exe"
"Video Process"="sysconf.exe"
"Service Host Process"="spoolsvc.exe"
"svchost"="winhelp.exe"
"csrs"="csrs.exe"
- H> Navigate to and delete the keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SoundMan
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svc32
- I> Exit the Registry Editor.
- J> Restart the computer in Normal mode.
Hopefully, it will be gone. You will have killed it.
Inferno
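The Run-value and service-key checks in steps C through H above, as an added example that is not part of the original thread: a Python script that reads a Registry Editor export (the text regedit writes with File > Export) and lists exactly which values and keys the steps say to delete, so that someone unsure what a "key" or a "value" is can see what would go before touching regedit. The export text is constructed; the value names and service keys are the ones listed in the steps.

```python
"""Triage a regedit export (.reg text) for the worm's autorun values and
service keys. Added example, not part of the original thread."""
import re

# Value name -> data pairs the thread lists under ...\CurrentVersion\Run
# and ...\CurrentVersion\RunServices.
WORM_RUN_VALUES = {
    "^`d}qZxu": "~`d}qzxu3zYF",
    "Configuration Loader": "confgldr.exe",
    "Video Process": "sysconf.exe",
    "Service Host Process": "spoolsvc.exe",
    "svchost": "winhelp.exe",
    "csrs": "csrs.exe",
}
# Service keys the thread says to delete entirely (compared lower-case).
WORM_SERVICE_KEYS = {
    r"hkey_local_machine\system\currentcontrolset\services\soundman",
    r"hkey_local_machine\system\currentcontrolset\services\svc32",
}
AUTORUN_SUFFIXES = (r"\microsoft\windows\currentversion\run",
                    r"\microsoft\windows\currentversion\runservices")

# Constructed export: one legitimate Norton entry (ccApp), two of the
# worm's Run values, and one of its service keys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Video Process"="sysconf.exe"
"svchost"="winhelp.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svc32]
"ImagePath"="C:\\WINDOWS\\system32\\svc32.exe"
"""

# "name"=data lines; value names may contain escaped quotes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # a new key starts here
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:                         # strip the quotes around string data
                keys[current][m.group(1)] = m.group(2).strip('"')
    return keys


def find_worm_entries(text):
    """Return (values, service_keys): autorun values whose name and data
    match the thread's list, and the worm's service keys that are present."""
    values, service_keys = [], []
    for key, vals in parse_reg(text).items():
        lowered = key.lower()
        if lowered in WORM_SERVICE_KEYS:
            service_keys.append(key)
        if lowered.endswith(AUTORUN_SUFFIXES):
            for name, data in vals.items():
                if WORM_RUN_VALUES.get(name, "").lower() == data.lower():
                    values.append((key, name, data))
    return values, service_keys
```

On a real export, a value such as ccApp that is not in the list is reported nowhere, which is the point: only the listed values go, the surrounding key stays.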
Re: Need help with a virus
#135679
05/03/04 01:35 AM
infernoj13usa
The Radiant Moderator Staff Reviewer
BAAG Specialist
Joined: Jun 2002
Posts: 5,766
FT. Worth ....Where the West b...
Diagnostic Startup is Safe Mode.
You do the manual regedit in this mode. Then restart the system into normal mode, and then see if you can get Norton to do the live update, not before.
You may have to reinstall Norton and then run the live update.
Inferno
Re: Need help with a virus
#135680
05/03/04 04:32 PM
Jema
Adept Boomer
Joined: Sep 2002
Posts: 13,701
Virginia
Inferno, you are a wiz!!! I hope the manual process you outlined works for hagatha since the cleanup tool didn't. Jenny100, thanks for posting the link to Gibson's site. I've known about GRC for years and periodically go there and run the port scan to make sure something either I do or a patch or an install does hasn't changed my "all ports stealthed" to something less secure. I suggest that everyone also go to GRC's homepage, follow the links, and read, read, read! Jema
Wouldn't that jar your mustard!
Re: Need help with a virus
#135681
05/03/04 07:56 PM
Hagathaone
Shy Boomer
Joined: May 2004
Posts: 19
Hi guys - I'm afraid this isn't working, after all your time and effort. Here is what I THINK I'm supposed to do:
1. Edit the Hosts File in Safe mode; save edited file
2. Edit Registry in Safe Mode
3. Restart computer in Normal mode and run Liveupdate.
1. I have edited and saved the Hosts file at least 100 times (no exaggeration). Doesn't matter. As I found out yesterday when I started using Safe Mode, the next time I start my computer, be it in Safe or Normal Mode, the virus files are back in the Hosts file. Always. 100% of the time. They aren't going anywhere.
2. There are no virus files in the Registry. I have double and triple checked, and those files don't appear. There is nothing in any of those registry Keys that has an = in it at all. Nor are the keys I am to delete present. Now I don't know if there is something that is not displayed, but I can't see any of those files or keys.
3. When I restart my computer in Normal Mode, my Norton still won't start. Not just the Live Update, but Norton Antivirus itself. Nothing happens when I click on it. But that wouldn't matter, because as soon as I have restarted my computer, all the virus files are back in the Hosts file. This happens without fail - Safe or Normal mode.
Also, in the instructions last night I was to open the System Configuration Utility and restart in SAFEBOOT and THEN run Norton. But as I noted, there is no Safeboot and the Diagnostic Mode option I have is not at all the same as Safe Mode - it looks totally different. Am I supposed to do this step now? I can't tell.
So, I must have missed something or a step somewhere, or this just is not working.
I have not installed any patches at all. When I tried to get the MS03-26 and MS03-007 patches from the Security site, the page never loaded.
Thanks for all your time.