I obviously have a virus on my computer, which is shutting me down like the blaster worm a few months ago.

My Norton seems to have been disabled - the icon is no longer on my desktop header, Liveupdate won't work, and automatic scanning has been disabled and I can't turn it back on. In fact, any time I try to do anything with Norton it just shuts off (Norton, I mean). Live update starts to run and then stops, and when I try to start it up again, I get a message saying it's already running, which it's not.

I have no idea what to do here. I have a link to the SYmantec website, but I get a page error when I try to connect to it. Anyone have any suggestions?

the shutdown message says system32\lass.exe

Here's the kicker - my system restore point is gone. The only one in there is today.

I anyone can help me with this I would really appreciate it because I have no idea what to do. I don't even know where to start.

Are you able to use the online antivirus here
http://housecall.antivirus.com/housecall/start_frame.asp

Apparently not. My ability use the Internet is sporadic and the antivirus never loads so I guess I'm being blocked from doing that, too.

I got the online antivirus working. It cleaned one file, and found two others, but it can't clean them and I cannot locate them to remove them. The virus shuts down the virus scan before it is completed, so I have not been able to use the "delete" function on these files. Also, unfortunately, the virus scan window shows you the general direction of the location of the viruses, but it's not wide enough to show the entire string showing the exact location, so I can't pinpoint them.

They are WORM NACHI.B ; somewhere in my system32 config files

and

DOS AGOBOT.HM; somewhere in my system32 drivers file.

The problem with my computer persists, so the cleaned file was not the answer.

Why can I not locate these files? I've done a thorough search of the system32 config and drivers folders, but there are no files by those names. I tried looking by date but nothing came up either.

Here asre instuctions on how to get rid of each of these problems manually.

Worm Nachi.B is a virus
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NACHI.B

Agobot.HM - is spyware and I think is a bigger problem than the virus
http://www.pestpatrol.com/pestinfo/b/backdoor_agobot.asp

Hope this helps.

hagatha,

DOS AGOBOT.HM, or its relation WORM.AGOBOT.HM, is probably responsible for making Norton AntiVirus unusable, preventing you from connecting to any antiviral sites, deleting your System Restore files (with the exception of the one you mentioned which is more than likely infected), and possibly some other unpleasant things.

First, you should do a search for the Hosts file (no extension, just Hosts). Open it in Notepad and look for entries like the following:

127.0.0.1 localhost

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com

If they're there, delete all that begin 127.0.0.1 except 127.0.0.1 localhost - leave that one. Save the file and then close it.

If you find more than one Hosts file, do the above for each one.

Symantec recommends that System Restore be turned off until you've cleaned your system because any restore points that are created before then will be infected. I would think you should also delete the one you currently have.

After cleaning out the Hosts file, you should be able to connect to the link Jenny100 gave and run a virus scan.

Then follow the link kwbridge gave to TrendMicro's page about WORM NACHI.B. They also have a page for DOS AGOBOT.HM here with a link to their page on WORM AGOBOT.HM

On either of TrendMicro's pages there's a cleanup tool you can download that to me reads like it will take care of both of these nasties, rather than having to do it manually.

One other thing, on the page for WORM AGOBOT.HM, there's a link to a Microsoft program you can download to check whether or not all your services are protected. I'm assuming you're running Win2000, NT, or Xp because, from what I read, Agobot doesn't infect Win9X systems.

Good luck.

Jema

Once you did all the above and your system is clean and running and if it is XP you have check to make sure that your system files are not damaged.

You do this the following way:

Start>Run> on the command line type sfc /scannow(exactly)
> Ok

Follow instructions, you will be asked for your install disk put it in the drive, exit the menu and wait thill the computer does all the scanning and repair.

Update your virus protection and if it is not on turn on your built in firewall too.

Start>Network places> Local area connections> Properties >Advanced> Put a check-mark in the box for firewall.

Good advice, lasanidine.

hagatha, I just checked the TrendMicro pages again and I couldn't find the link to the MS program I mentioned in my previous post, so I must have seen it somewhere else. Anyhow, here's the link: Security Check

You can read about and download it there.

Jema

I'm having similar issues. I keep getting shut-down with the same error message as Hagatha (lsass.exe). I was able (after a gazillion failed attempts) to use the on-line anti-virus Jenny suggested. It found 2 files (nachi.b). I deleted them just as the evil timer wound down & booted me.

I did what lasanidine suggested afterward, although nothing happened....it scanned & then just went away, never asking me for a disc. I went back on-line & ran the virus-scan again & it said I was clean but soon after I was booted yet again. I'm clueless what to do. So far I'm okay, I've been online for awhile & no boot but I'm not entirely sure it's gone.

Also, I disabled my system restore. Is it save to reactivate it or is it corrupt? If it's yucky, how do I clean it...or get a virus free restore?
ARGH!!!

Love, Jen

Jen in Chgo,

Since TrendMicro describes Worm Nachi.B as a memory-resident worm, if all you did was delete some files, I think it's safe to say you did not get rid of it. Every time you reboot Windows, the worm will reactivate.

Click on the link that kwbridge posted and either download and use the cleanup tool or follow the instructions to manually get rid of it.

Also check out the links there to some MS Security Patches - sounds like to me you need to apply one or more of those.

I don't know whether or not this worm messes with the Hosts file but, if it were me, I'd check that file or files (per my earlier post). Better safe than sorry.

After doing all of that, follow all of lasanidine's good advice.

As for System Restore, if it were my system and since I couldn't be sure when it became infected, I'd delete all restore points. Then once my system was clean, patched, and updated, and after following lasanidine's advice, I'd reactivate System Restore and create a fresh restore point.

Jema

The Security Check link doesn't work. I get a timeout error.

Also, I'm really confused...I found the Hosts file and deleted the files, but ow I don't know what to do.

The links get me to pages that don't explicitly say that they take care of these specific problems...not sure what to look for partly because I have to rush before I get shut down. So I can't find a trendmicro page about AGOBOT B. The trendmicro cleanup tool I used only deletes the files but the problem is still there.

There is a way to manaully delete the AGOBOT files but Task Manager doesn't show any of those files running and anyway I don;t know what the instuctions mean when they say "kill" the files with Task Manager. And then I am supposed to delete them

So to recap - I have removed the Hosts files but don't know what to do next. The security check link does not work. I will try the link to pest patrol again but it only has an automatic removal for AGOBOT A, not B, as far as I can tell.

Ok. I've gone to the trendmicro place where there is a dowload for AGoBOT but I cannot use it unless I also download something called a pattern file.

It gives a location to get the pattern file from, but I still can't do it:

1. The pattern file is called lpt$svpn.xxx and I am to save it as a zip file as lptxxx.zip

a)I have no idea what those xxx's mean.

b)Also, there IS no file by the above name on the pattern page, so I don't know which one to download.

2. Assuming that I can work out which pattern file to download, where do I download it to on my computer?

3. How do I save it as a zip file?

hagatha,

First, the Security Check link works fine for me, so you may be getting the timeout error because your system is infected.

Second, if you've rebooted your system after cleaning out the Hosts file, since your system is infected, those files may be back in there and you'll have to delete them again so you can stay connected to TrendMicro's site long enough to download the files you need for the cleanup. Make sure you save the Hosts file after you delete the files so the changes take effect.

Now, for some explanations. Norton calls their virus updates "definitions". Apparently, TrendMicro calls theirs "patterns". The xxx in lptxxx.zip stands for whatever the number is of their latest pattern download. At the moment, that number is 881, so the file you want to download is lpt881.zip. The actual pattern file, lpt$vpn.881, is within the .zip file.

Following the instructions in the readme file at TrendMicro, this is how to use the cleanup tool.

1. Create a new folder on your hard disk. You can call it anything you want; for this, I'm going to call it Sysclean.

2. Download the cleanup tool, which consists of one file, sysclean.com, and save it to the Sysclean folder.

3. Download lpt881.zip and save it to your desktop or any folder of your choice. Unzip its contents into the Sysclean folder. Note: To do this, use whatever zip/unzip utility you have installed.

4. Now, you should have these three files in the Sysclean folder: sysclean.com, lpt$vpn.881, and whatsnew.txt.

5. Close all applications running on your system, INCLUDING any antivirus software.

6. Double click on sysclean.com to do the cleanup.

7. After sysclean.com does its thing, enable your antivirus software and perform a manual scan of your system.

8. You should now have a fourth file in the Sysclean folder: Sysclean.log.

Hope this answers your questions.

Jema

Jema, I did download the tool to "get rid of it". It was a zip file & I unzipped it & ran it. The log came out clean....no bad files. I also updated my MS security patches. Like I said, I tried to do what lasanidine suggested but I'm not certain it worked....never asked me to insert a disc, just ran for a few seconds & then back to desktop. I'll check those HOST files per your suggestion.

I seem to be okay & am not being shut down anymore. I'm not technically proficient so could you (or anyone) please give me step-by-step instructions on how to clean/fix my system restore?

Love, Jen

I'm ready to cry after reading this post.

I just got back from a week's vacation and checked my email and visited my 3 favorite sites. While responding to an email I got the NT authority system [url=C://windows/system32/lsass.exe][url=C://windows/system32/lsass.exe][url=C://windows/system32/lsass.exe]C://windows/system32/lsass.exe[/url][/url][/url] shutdown message. I can't be on the internet long enough to fix anything. Right now I'm on my old W98.

I've have visted this Symantec site:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.ratsou.b.html

I don't know if this is the same thing.

QUESTION: how do I get into the Host file area? Is doing that so that the virus checker will work? Would I need to do that if my McAfee is working ok?

If you know which files to delete, try booting XP in safe mode by pressing the f8 key when windows first starts to load. It may not load the virus in memory in this mode.

Jen in Chgo,

Click Here to read about how to disable/enable System Restore in XP.

Disabling it will purge all your restore points. Then, when you enable it, it begins monitoring your system again.

If scannow didn't ask you to insert your install disk, I would think that means it didn't find any files that needed to be repaired/replaced. I'm not familiar with scannow, so maybe lasanidine can tell you if that's true.

Jema

burpee,

The Hosts file can be used to list sites the user doesn't want to connect to. Unfortunately, it is also used by certain viruses/worms to prevent the user from connecting to any site of its choice - including all or most of the sites that have anything to do with virus protection.

looney's suggestion to reboot into Safe Mode is a good one. I've never tried it but it may be that if your computer is infected and your antivirus software won't work in Standard Mode, it will in Safe Mode.

To find the Hosts file, click on Start, go to Find and click on Files and Folders. In the Named field type Hosts, make sure Look in has your primary drive and that Include subfolders is checked, and then click on Find now.

Open the Hosts file in Notepad (making sure always use this program is unchecked). Once you delete the offending entries, save the file and close Notepad. If theres's more than one Hosts file, do the same thing for each of them.

Jema

As per last night's post I have downloaded the files, unzipped the pattern file and run the scan. I have AGOBOT.HM on my computer as well as a SASSER variant. The Virus scan did not remove either of them although it found them and I had it set to automatically remove them. I have tried it over and over; probably a dozen times. The scan will tell me that I haveno infected files but the next time I turn on my computer it's all back again.

I have deleted the "HOSTS" files about thirty times now, as well as running the scan.

My recycle bin is now called "Norton Protected Recyle Bin" and I can not empty it. If I click on it either on Desk Top or in Explorer my computer freezes.


I do note that the scan I downloaded last night, as well as today's update, do not list AGOBOT. with the .HM extension.

The first couple of times I ran the scan It seemed to think it had deleted AGOBOT. But now when I run it the log does not show any deletions even though it sayd it has detected 82 files. I am running it to automatically delete anything it finds.

Basically,nothing has worked so far.

Do I have any other options?

Hagathaone, I am so sorry for your troubles. I just can't fathom why someone finds this so amusing...to hurt other people for no good reason. Would they do this to their own mother or father?

I was able to restore to a previous save point, reconnected to the web, McAfee updated and as soon as it finished I got off. A McAfee warning popped up on my desktop saying that it detected and deleted a W32/sasser.worm.b to complete the clean process. Said it was in [url=C://windows/system32/31869_up.exe][url=C://windows/system32/31869_up.exe][url=C://windows/system32/31869_up.exe]C://windows/system32/31869_up.exe[/url][/url][/url] and [url=C://windows/avserve2.exe.][url=C://windows/avserve2.exe.][url=C://windows/avserve2.exe.]C://windows/avserve2.exe.[/url][/url][/url]

It asked if I wanted to scan and I said yes. It found 14 files and deleted them. It then popped up with another warning saying the same virus but in systemvolume/info/_restore. It asked if I wanted to run the scan but the first one was already running so I said NO. Should I have said yes? Do I need to do anything else?

Jema, thanks for explaining the HOSTS location process.

is Hagatha and Hagathaone the same Boomer?

Inferno

Yes. I am using my partner's computer and couldn't remember my password, it's been so long since I registered. And he (my partner) needs a new keyboard, I see!

I've given up, basically. I don't think anyone can help me - the Recycle bin is probably the reason nothing is working for me because I can't really delete anything. And nobody else seems to have heard about this particular problem. Nothing has worked as it is supposed to, and I have lost my entire weekend (a nice touch after a 70-hour week and just before another one).

Yesterday I bought another computer for games which will never be connected to the Internet. When I have my other system fixed I'm putting Win 98 back on because it's less of a target. When I know my system is clean I'll download patches, updates and the like and burn a cd of them for my new computer.

You really have to wonder what's wrong with people that they get a rise out of this kind of mindless abuse of innocent bystanders. Then again, I don't hold out a whole lot of hope for the human race, anyway.

NO......No.......no! Don't give up... I'm working on it.
Hagatha... Take a break... Mix up a pitcher up Margaritas and drink one for me while your at it. (I'm not allowed to take alcohol because of the "Grave's" but you can drink one for me, I'm only allowed to write about it.)

Give me about an hour and then check back here. Do nothing to your XP just yet. There's got to be a way to fix it... we'll find it. Check back here for updates. I know your upset but remember this if nothing else; I'm here for you and so are all the other Boomies reading and watching this thread as well as your other one. We're all holding your hand.

We'll get through this.......together.


Inferno

Sasser seems to be a new worm that struck this weekend.
Yahoo news has a story on it.

Microsoft has this to say about the Sasser worm.
http://www.microsoft.com/security/incident/sasser.asp

Microsoft's tool to remove Sasser is here .

To protect yourself from future infections, get the Microsoft security update here
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Ok, Hagatha ....The Battle begins:

First I want to see if you can do this:

Do not restart the computer just yet.

The reason why your Norton antivirus isn't making thing better right away is because this worm attacks it and renders it useles.... but we'll fix that.
Your Recycle bin has been changed to
"Norton Protected" because there are files in it which have certain extenstions to them which are listed in your Norton Program by default.

Can you open up your Norton program at all?

They would be located in: Options/exclusions

Norton defaults to protect these:
*.nch
*.dbx
\system volume information.

The worm didn't create the Norton Protected...that's you antivirus trying to protect you system files. It takes over your recycle bin when your system is being attacked.

... More to Come in a minute.

Inferno

Hahahahahahahahahahah

Too bad I don't drink.

Actually,it's not every day I convince myself of the need for a spanking new, kick-butt second computer. And dang, does my dear partner ever need a new keyboard! I'll have to pick one up when I pick up the new screamer (it better scream or I will - a custom job).

I was able to open Safe Mode (XP for Dummies to the rescue) and open the Recyle bin - it contains about 50 copies of AGOBOT and SASSER (all of the ones I have "deleted")

I see that the Recycle bin can be returned to normal, however. Other than the fact that I can't do anything with it in anything but Safe Mode. Still, that makes me feel better. At least SOMETHING worked.

I actually have resigned myself to a complete reinstall on my computer. But if there's a couple of other things I can do, I'll try them.

This all started with me not being able to install a game because of the copy protection, and turning off Norton, and then going on the Internet for about 30 seconds before I remembered. The problems started shortly thereafter. And SASSER got into my system while I was on the 'net getting the AGOBOT scan. So the moral of the story is - if you have to disable Norton to install a game properly because of the copy protection, return the game for a refund and send a nasty note to the developer.

Preparing the field:

I'm happy to see that you are in better spirits. By the time we're finished ...you will be an expert and people from all over the world will be clamoring for your words of wisdom on the subject.

I'm glad that you've discovered what Safe mose is. To properly get rid of any virus in XP you must always use it. Go to the sites below and read. This will help you to understand what just happened to you 'puter.

Go here:
Read everything carefully ...miss nothing and take notes.

Removing the Norton Protected Recycle Bin

How to Exclude Files From the Protected Files Bin


MS SUpport article:Cannot Delete Any Files in Windows

Inferno

You'll have to begin again. If your in safe mode now, stay there. Do not reboot. In the meantine use the other computer for your access to the internet. and find some 3.5 floppies while your at it.

go here and download this fix to the floppy.
Make sure your label it, so'll you'll be able to find it,, when you need it. Make sure that you download from the uninfected computer not the XP.

DOS AGOBOT.HM and a SYSHOST new .zip

Inferno

The DOS in AGOBOT means "Denial of Services"
that why you can't get to Norton's site... especially about this subjectGezzlouise....whoever created this is really smart.....their punishment shoould be that they have to create a noninfected patch for "Amber"... and then have all thier little fingers broken and be forced to play "The Scroll" with their nose!

INferno

heeheehee Inferno smiles and winks wickedly at her GB Buddy, Hagatha*

Inferno

Actually there are a number of games that don't install properly with an antivirus running - and it has nothing to do with the copy "protection." It has to do with the antivirus detecting the installation as "virus-like activity" and blocking parts of the install so you get a bad install.

But it's important to realize you shouldn't connect to the Internet without some form of firewall or antivirus protection. Some of these newer viruses can infect without opening an email or doing anything other than connecting to the Net. If you "tend to forget," I'd recommend getting a hardware firewall that will at least block incoming probes.

Once you get your computer sorted out, you can check your firewall protection with the Shields Up test here
https://grc.com/x/ne.dll?bh0bkyd2
Use the Common Ports option when it comes up.

Before you begin:
If you are running Windows NT/2000/XP, make sure that you do, or have done, the following:
Create a secure password. This worm takes advantage of weak network passwords. (A full-time Internet connection, such as DSL or Cable, is considered a network connection for these purposes.)
Patch the DCOM RPC vulnerability as described in Microsoft Security Bulletin MS03-026
Patch the WebDav vulnerability as described in Microsoft Security Bulletin MS03-007 .

--------------------------------------------------------------------------------

if you can't get onto the internet you'll have to do this step afterward. but try to see if it will work. (you'll have to reboot out of Safe Mode for
these steps.

Inferno

After the MS patches are in. Reboot into regular mode (sorry, I know that it hurts)

and:

Here we go:
These are our avenues of attack.

• Disable System Restore (Windows Me/XP).
• Restart the computer in Safe mode or VGA mode.
• Restore the Hosts file.
• Reverse the changes made to the registry (removing the service and Run keys that the worm added).
• Update the virus definitions.
• Run a full system scan and delete all the files detected as
  W32.Gaobot.gen!poly
  Dos AGOBOT.HM
  AGOBOT B
  WORMNACH B

• Disable System Restore
  
  To turn off Windows XP System Restore
  Click Start > Programs > Accessories > Windows Explorer
  Right-click My Computer, and then click Properties.
  Click the System Restore tab.
  Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box as shown in this illustration:
  Click Apply. A message should appear in a small window.
  Click "Yes"
  This will delete all existing restore points.
  Click Yes to do this.
  Click OK.

• To use the F8 method
  Use this method only if Windows XP is the only operating system installed on your computer.
  Start Windows, or if it is running, shut Windows down, and then turn off the computer.
  Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

Inferno

• To restore the Hosts file
  Removing these will fix the Windows host file so that the added name resolution entries from the Worm will not prevent you from visiting the Web sites of antivirus vendors.

Using Windows Explorer, look for a file named "hosts" in the following locations, if they exist:

C:\Windows\System32\Drivers\Etc\hosts
C:\Winnt\System32\Drivers\Etc\hosts
D:\Windows\System32\Drivers\Etc\hosts
D:\Winnt\System32\Drivers\Etc\hosts


For each \hosts file that you find, double-click the file.
When the "Open With" dialog box appears, scroll through the list and select Notepad. Do not check the "Always open this program with. . ." box.
Delete the following lines within the file:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com


Do not delete the line:

127.0.0.1 localhost


Save the hosts file.

INferno

• Reverse the changes made to the registry
  
  Click Start, and then click Run. (The Run dialog box appears.)
  
  Type regedit
  
  Then click OK. (The Registry Editor opens.)
  
  
  Navigate to the key:
  
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run
  
  
  In the right pane, delete any of the following values:
  
  "^`d}qZxu" = "~`d}qzxu3zYF"
  
  "Configuration Loader"="confgldr.exe"
  
  "Video Process"="sysconf.exe"
  
  "Service Host Process"="spoolsvc.exe"
  
  "svchost"="winhelp.exe"
  
  "csrs"="csrs.exe"
  
  
  Do one of the following:
  If you are using Windows NT/2000/XP, skip to step h.
  If you are using Windows 95/98/Me, go on to step f.
  
  
  Navigate to the key:
  
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\RunServices
  
  
  In the right pane, delete any of the following values:
  
  "^`d}qZxu" = "~`d}qzxu3zYF"
  
  "Configuration Loader"="confgldr.exe"
  
  "Video Process"="sysconf.exe"
  
  "Service Host Process"="spoolsvc.exe"
  
  "svchost"="winhelp.exe"
  
  "csrs"="csrs.exe"
  
  
  Navigate to and delete the keys:
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
  Services\SoundMan
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
  Services\svc32
• Exit the Registry Editor.
• Restart the computer in Normal mode.

INferno

I'm afraid you lost me a while back- I don't know how to create a secure password......

• Restart in Normal Mode
  Close all open programs.
  Click Start, and then click Run. The Run dialog box appears.
  type msconfig and then click OK.
  
  The System Configuration Utility appears Check the /SAFEBOOT option, and then click OK.
  
  You'llsee the prompt to restart the computer. Click Restart.
• Locate your Norton Antivirus Software.
• Run live update
• If nothing happens...don't panic. Uninstall
  Norton and reinstall it.
• Run Live update again.
• Start your Symantec antivirus program and make sure that it is configured to scan all the files
• Scan your system
• delete all the files detected as
  W32.Gaobot.gen!poly
  Dos AGOBOT.HM
  AGOBOT B
  WORMNACH B

take 2aspirin and call me in the morning.

Inferno

OK, Hagatha I'm working on it.
Inferno

Creating a password even if you are the "Owner"
or Administrator for your system is one of the best things that you can do for yourself.

Go TO-->Start-->Control Panel-->User Accounts

Double Click. Take the time to read all the help files here as well, they explain a lot.

When your ready: Click on your file...it's probably still listed as "Owner" or "Administrator"

First click on "Change my Name" Don't keep it as "Owner"!!! That's the biggest mistake that eveyone makes and it's the first thing an attacker will look for (everyones XP is called "Owner" unless they change that) if you have "Guest" change that one to after your done with changing yours.

Next, Click on Create a password. Read the articles below about this and follow what they say... you'll be glad that you did.


I keep a notebook with all my passwords written down. Silly in this day and age I know...but it has saved me and the things I do more times then I can count. You can create a password reset disk for it if you wish ...just read the help file on your computer. I don't use this function, but you may want to.



Read these:
Creating Strong Passwords


Windows XP Tips and Tricks


Inferno

If you have any other questions. Let me know

OK. I amready to start...but not sure exactly where... I thinkI amsupposed to start by going to it and downloading a file onto a floppy.

(Sorry to sound dense, but this is a lot of information and hard to keep track of everything I have to do; also I am working on a very slow computer with a keyboard that requires literally a hard smack to get the space bar to work - it's my old keyboard and that space bar has seen a lot of battle pauses).

The link leads me to a thread on some board somewhere and I can't work out what I am supposed to download off that thread. It is on the Tech Guy support forums.

After you've downloaded this set it aside. You'll only use this if the manual removal does not work.

http://www.accs-net.com/hosts/Downloads/hosts127001.zip

Inferno

Thanks. File downloaded onto floppy. Now I've printed all of the above information and will see if I can do any of this.

(I may have to be sick tomorrow).

I've hit a brick wall already...here's whatI have done:

1. Secure Password-already had one, it turns out.

2. I had disabled System Restore yesterday

3. Restarted in Safe Mode and deleted (for the 500th time) the files in the hosts file.
4. Saved now empty hosts file (the "local" file not supposed to remove is not there anyway- not sure if that is a problem - it stopped appearing after the very first time I deleted all the other files and never returned. I've checked very carefully each time but it's never there)

5. None of the listed files were in the Registry.

6. Where it says "XP-skip to step h" - there is no step h letter anywhere. However,none of the files listed appeard in any of those locations-I checked them all. By the way, I do not understand the term "key" as in Navigate to and delete the keys".

7. Restarted in Normal mode.

8. I don't know how to turn off all open programs in XP. I knew which two programs to leave running in 98, but I have always heard that this does not apply to XP, so that I can't do.

9. There is nothing called SAFEBOOT option listed in the System Configuration Utility. And the Utility just gets shut down almost immediately anyway. There are a fewoptionslisted, but the Utility doesn't stay open long enough for me to write them down.

So that's as far as I got.

I thought I saw another post about what to shut down in XP so maybe I'll have a look at that.

Found the list of programs to shut down.

In the System Configuration Utility,there are three options listed-Normal, Diagnostic Startup,and a third one which has a series of checkboxes that I wouldn't touch with a ten foot pole without guidance. Of course there are some other tabs, but none of these have a SAFEBOOT option either.

When I restart in Diagnostic Startup, I cannot run Liveupdate because my internet connections is disabled in this mode. In fact, all of the small icons that normally appear on the desktop header (or footer, on some desktops) are gone in this mode.

So I can't go any further. And I have been working on this for 12 hours today and that's it for now. I just checked the HOSTS file and the bad files are back in there again so I have to start from scratch anyway. But I don't know where scratch is anymore.....

go to bed. I'll try to make it clearer for you for tomorrow. check back here again.

Inferno

Change your password, You've been compromised.
"KEY"

• That refers to the "registry" key. It's located in the Registry editor (well, it's the fastest way to find it.
• Take a look here:
  
  
  
  after you locate "Microsoft" again click on the + to the left and scroll down until you see "Windows" click on the + to the left and scroll down until you locate see "current version" click on the left and scroll down until you locate run and click on the left until you see "run". Double Click on "run" , now look at the window on the right. See anything?
• Follow part "D >" below. (If you double click on the files here you will see the values) delete only the "values" listed here. Do not delete the folders on the left, only the values on the right.
• Then use the same "navigation proceedure" to locate the "Key" in step "h" but now if you find that "key" located on the left side of the window (it will look like a folder)delete it entirely.
• it will be in the left side of the registry window. There are two you must delete ...these are the registries for the worms themselves! They are the worm's Hooks.
  One is called "soundman" the other is "svc"
• Therefore these computer sentences need to go:
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
  Services\SoundMan
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
  Services\svc32
  
  understand?
• A> Click Start, and then click Run. (The Run dialog box appears.)
• B> Type regedit
  
  Then click OK. (The Registry Editor opens.)
• C> Navigate to the key:
  
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run
• D> In the right pane, delete any of the following values:
  
  "^`d}qZxu" = "~`d}qzxu3zYF"
  
  "Configuration Loader"="confgldr.exe"
  
  "Video Process"="sysconf.exe"
  
  "Service Host Process"="spoolsvc.exe"
  
  "svchost"="winhelp.exe"
  
  "csrs"="csrs.exe"
• E> Do one of the following:
  If you are using Windows NT/2000/XP, skip to step h.
  If you are using Windows 95/98/Me, go on to step f.
• F> Navigate to the key:
  
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\RunServices
• G> In the right pane, delete any of the following values:
  
  "^`d}qZxu" = "~`d}qzxu3zYF"
  
  "Configuration Loader"="confgldr.exe"
  
  "Video Process"="sysconf.exe"
  
  "Service Host Process"="spoolsvc.exe"
  
  "svchost"="winhelp.exe"
  
  "csrs"="csrs.exe"
• H> Navigate to and delete the keys:
  
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
  Services\SoundMan
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
  Services\svc32
• I> Exit the Registry Editor.
• J> Restart the computer in Normal mode.

Hopefully, it will be gone. You will have killed it.




Inferno

Diagnostic Startup is Safe Mode

You do the manual regedit in this mode.
Then restart the system into normal mode.
and then see if you can get Norton to do the live update not before.

You may have to reinstall Norton and then run the live update.
Inferno

Inferno, you are a wiz!!! I hope the manual process you outlined works for hagatha since the cleanup tool didn't.

Jenny100, thanks for posting the link to Gibson's site. I've known about GRC for years and periodically go there and run the port scan to make sure something either I do or a patch or an install does hasn't changed my "all ports stealthed" to something less secure.

I suggest that everyone also go to GRC's homepage, follow the links, and read, read, read!

Jema

Hi guys - I'm afraid this isn't working, after all your time and effort. Here is what I THINK I'm supposed to do:

1. Edit the Hosts File in Safe mode; save edited file
2. Edit Registry in safe Mode
3. Restart computer in Normal mode and run Liveupdate.

1. I have edited and saved the Hosts file at least 100 times (no exaggeration). Doesn't matter. As I found out yesterday when I started using Safe Mode, the next time I start my computer, be it in Safe or Normal Mode, the virus files are back in the Hosts file. Always. 100%of the time. They aren't going anywhere.

2. There are no virus files in the Registry. I have double and triple checked, and those files don't appear. There is nothing in any of those registry Keys that has an = in it at all. Nor are the keys I am to delete present. Now I don't know if there is something that is not displayed, but I can't see any of those files or keys.

3. When I restart my computer in Normal Mode, my Norton still won't start. Not just the live Update, but Norton Antivirus itself. Nothing happens when I click on it. But that wouoldn't matter, because as soon as I have restarted my computer, all the virus files are back in the Hosts file. This happens without fail - Safe or Normal mode.

Also, in the instructions last night I was to Open the SYstem configuration Utility and restart in SAFEBOOT and THEN run Norton. But as I noted, there is no Safeboot and the Diagnostic Mode option I have is not at all the same as Safe Mode- it looks totally different. Am I supposed to do this step now? I can't tell.

So, I must have missed something or a step somehwere, or this just is not working.

I have not installed any patches at all. When I tried to get the MS03-26 and MS03-007 patches from the Security site, the page never loaded.

Thanks for all your time.

My last-ditch attampt was to edit the Hosts file and registry in Safe, and then run that virus removal program I downloaded. It indicated no virus on my computer.

Then I restarted in Normal, and the Hosts file was full again. So manually removing the files apparently is not the solution. The virus seems to be residing somewhere else on my system and is reactivated when the computer starts.

Even with the Hosts file edited and saved, and all non-essential programs turned off, and the antivirus program indicating no virus, running in Normal Mode, I cannot uninstall or run Norton Antivirus (I could, however, uninstall anything else if I wanted to).

Don't know if anyone else has had this happen, but it seems I am not going to get rid of this without a complete re-install.

Is it possible you're being reinfected as soon as you go on line? Or do those boogers show up in your Hosts before you go on line?

Safe Boot and Selective Startup means the same thing for Windows XP.

If you type redgedit in the run command line you will get:




if you click on the boot.ini tab



just so you know.


and no, there aren't supposed to be any "=" signs there in the registry... that symbol was only meant to be for communication to you.


it only meant that in the "KEY" or FOLDER located in the left window of "regedit".

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run

if the "VALUE" which would be located on the right window pane after you double click in "RUN"


for ex.


"Service Host Process"="spoolsvc.exe"

The VALUE NAME or Value itself is Service Host Process

the VALUE DATA is spoolsvc.exe

Norton wants you to delete both. The "=" was just a way to explain it.


Inferno

YOu need to uninstall or delete Norton and then reinstall it, while in Normal mode.

Remember that "Host file I had you download? you could try that.


In Selective Startup or Safe Mode (remember that they are one and the same)
Instead of deleting all the files one at a time ... just delete the whole Host files ...replace it with the "new host file" on that floppy I had you download last night. Just use Windows Explorer and copy the unzipped new Host file into the directory which originally housed your bad file. Delete the registry values and keys once again like before.
Go to your desktop and delete the contents of the recycle bin
Use Windows explorer and delete all Norton files (you have nothing to lose now as Norton has been diabled anyway)

Go to regedit once again and choose Nornal Startup. Close out of all open programs and SHUT OFF your system.

Turn on your system .... Install Norton and try running live update. If this is successful then run a full system scan. Delete any files that it finds regarding the worm.


See if this works ... This happened to me last year with the Wehlacia Worm. I wound up removing it from my system but I had damaged my registry because I deleted the wrong file. I wound up having to reinstall Windows XP. I lost all my data
I really and empathize with what your going through. MArita can tell you just how upset I was.

Inferno

and reboot to Normal mode.

Ok I'll give another shot.

I have now deleted the Hosts file in Safe Mode and unzipped the downloaded file into that folder.

However, I still cannot findanything in the Registry that conforms tothe values you've indicated. I never have!

There is one value in Current Version/Run that is close:

scvhost=svchost.exe, but that is not the same as the one in the list.

Should I delete this??????? I don't dare try anything else until I know because if it's wrong I'm hooped. I will have to leave my computer on and in Safe Mode because once I go back into Normal, if the virus is till there I will have to download the file again and this computer I'm on right now is a royal pain; dial-up connection, and a space bar that does not work.

I do not think I keep getting re-infected because I have had my internet connection unplugged for most of the last week. The virus is lurkingsomewhere but my registry doesn't have those values or the keys.

Also, I think I have more than one problem here.

That TrendMicro scan I downloaded on Saturday,which I have run about 50 times, all of a sudden found Nachi.b TODAY. It's never done that before, and NACHI.B was was supposedly removed by the on-line scan I used last Saturday. I haven't seen it since then.

As I say, my registry does not contain the keys and values for AGOBOT, although the TrendMicro scan has dound it several times in the past (but is not finding it right now). That same scan has in the past found Sasser a few times, but it does not find it right now.

But with my computer not linked to the Internet I don't know how I could have been reinfected with NACHI.B. I just don't understand it.

Too bad I can't install Norton in SafeMode.

Hagathaone,

Is this your only computer? Would it be possible
for you to attach this drive as a slave (or 2nd
master on the other IDE chain) of another
computer?

The only reason I suggest this is because you seem
to be so deeply mired in difficuties here that you
might be better off to scan the drive for a virus,
worm, etc. from a working system. In that way you
can isolate, remove, repair, etc. from that
system. You could also simply copy all your
important data, files, favorites, etc. to the main
drive and reinstall XP (I assume) on your drive.

Hi there. In the end that is likely what will happen with my system but it won't be me who's doing it. I know someone who is a genius with this sort of thing and I guess I'll have to let him work it out for me. Thanks to everyone who tried to help. I know a heck of a lot more about computers now than I did before, that's for sure.

On the very much brighter side, I did go out and buy a second computer just for games and not to connect to the Internet. I dropped a fair bit of cash on it, and bought a 19" screen, and my word, does that thing fly! I can hardly wait to see how Morrowind and its expansions performs on it. My old system can be for older games - I think I'll put Win 98 back on or maybe have both 98 and XP on it. Since I still play a lot of BG/IWD and things like Thief and Deus Ex, that would be worthwhile for a few more years, anyway.

And anyway, a girl can't have too many shoes, handbags or computers, I always say. And my partner can't complain about my profligate spending because he has three computers himself(not as many shoes or handbags, though).

This may be impossible, but with WINDOWS???? Who knows.

Could your 'puter somehow be set to do an automatic 'Back UP', (going back to a previous date) to before you started deleting these files & programs???

I feel silly asking, but it soulds like you are stuck in a loop.