Member Avatar for layla

I am not sure if this is the right forum to post this but here goes:-

I had MS Blaster which was shutting down all my programs. Now I find I have WORM AGOBOT.UY which seems to prevent me from running any virus software. It is in C:\windows\system32\msnmsgr.exe and I tried the malaware fix but it never lists the program as running. I don't want to have to do a reformat can anyone help me please?

Brief synopsis. Something was sent to me in an offline message which deleted or corrupted my vmm.vxd files. I called a computer tech and asked how much to fix the computer. He said $143. I know this probably isn't much but I could ill afford it. Sighs. Anyway I said ok. After a couple of hours on my computer he handed me a bill for $500.50. I was aghast. Talked to his boss on the phone who said ....."that is per hour lady". I mean I am not stupid but it never occured to me when he said $143 it meand PER HOUR. Anyway I said I can't pay that so he ordered his tech to take my computer. After much ado the tech left the computer but put a password block on it so I could not access bios. I had to take it to a second tech to fix that. Since then I have had all these problems. Could he have put something in my computer? By the way, I paid the $143 that I agreed and said we would have to debate the rest. The computer is an old 300 and barely worth $50 so I think they should have informed me a little better.

So far I have found blaster, w32/geobot.ek, win32.netsky.c@mm and agobot.uy.

Can anyone please help me get rid of all these bugs without having to reformat????? Treat me gently please I am not totally computer literate.

  • 5 Contributors
  • 9 Replies
  • 328 Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by layla

Recommended Answers

All 9 Replies

Member Avatar for caperjack

Run the online virus scan in my signature then follw this .And i only charge $25.00.lol

Download the latest version of Ad-Aware at http://download.com.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions. http://www.lavahelp.com/howto/updref/index.html

Now do the follwing :

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"

Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.
That ought to get rid of most of your spyware.

And after that, please do the following:
download and update
SPYBOT

how to setupSpyBot
reboot computer and post a new hijackthis log

Member Avatar for orion

I wanna say that sucks you got a little duped on your deal with that per hour lady and the tech guy. Who knows if they put the worm on your pc? It would be almost impossible to prove and I am certain you don't wont to go through those accusations.

However I found this page here which gives very detail information on that worm and how to remove it from your system. I hope that will help you with your problem.

Worm Agobot.uy

Member Avatar for roy66

orion,
cgcyBXCVNCGVCXSvhvcsnmcgxz
No, that is not abusive language, but it seems that one's gotta learn a bit a chinese to follow the site
Worm

Thats where it takes me anyway.

roy66

Member Avatar for TallCool1

I am not sure if this is the right forum to post this but here goes:-

I had MS Blaster which was shutting down all my programs. Now I find I have WORM AGOBOT.UY which seems to prevent me from running any virus software. It is in C:\windows\system32\msnmsgr.exe and I tried the malaware fix but it never lists the program as running. I don't want to have to do a reformat.

This worm has various names. That's one of the problems with multiple anti-virus companies crawling over each other to "solve" your problems for competitive gain. Try this Symantec link, and enter the word Agobot in the search box. You can also try this Google search. I'm not sure which tool removes it.

Member Avatar for layla

Orion thanks for the link but I have tried that link for removal and the first thing it says it to end task the link in Task Manager. The problem is it is not showing as running so I can't progress to step 2 to remove it. Trend online detects the worm but lists it as "cannot access". I have gone through all the steps as outlined by Caperjack above and am posting the new Hijackthis log below.

On boot up I also still getting a box that says "You (or a program) have requested information from storm.godofthe.net which connection do you wish to use?" The message also used to use the name "relay.kontiki.com" but Ad-Aware found the kontiki folder and removed same. Thanks all for your help this is driving me more insane that I already am.

Logfile of HijackThis v1.97.7
Scan saved at 9:13:37 AM, on 18/03/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msnmsgr.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Messenger] msnmsgr.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\RunServices: [Windows Messenger] msnmsgr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4337/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6179ED18-10E5-40A1-94DE-4AF6F58DEC60}: NameServer = 203.109.250.50 203.109.250.61

Member Avatar for TallCool1

On boot up I also still getting a box that says "You (or a program) have requested information from storm.godofthe.net which connection do you wish to use?" The message also used to use the name "relay.kontiki.com" but Ad-Aware found the kontiki folder and removed same. Thanks all for your help this is driving me more insane that I already am.

O17 - HKLM\System\CCS\Services\Tcpip\..\{6179ED18-10E5-40A1-94DE-4AF6F58DEC60}: NameServer = 203.109.250.50 203.109.250.61

That last 017 item is interesting. Are you in Australia, by chance? Is yout ISP iHug? If not, that may be your culprit, if "StormGod" is hosted by them.

Folks, when you sign up, at least tell us what country you are from. It is not at all unusual for that information to affect the answer. This is one of those cases.

You also seem to have a lot of references to the on-line virus scans that you did (nearly all the 016 items), but that probably has no effect on performance. They really should clean up after themselves better!

Other than that, I see nothing in the HijackThis log that seems amiss. There are a few things that I would remove because they are pigs, but that's just me. Have you cleared out your Internet Temporary Files folder lately?

Member Avatar for orion

I found a forum and another person printed out his log and seemed to think that it was O4 - HKLM\..\RunServices: [Windows Messenger] msnmsgr.exe. THere were similarities between yours and his log.

Forum

I am simply just searching and trying to find others that have your same problem, maybe this one will be of more help, now seeing your log and being able to view another's log.

Also within the site there was another posting about this same worm... techtalkforum

Member Avatar for layla

Thanks Tall and sorry, yes I am in Australia and ihug is my ISP but I have used them for 5 years and never had boxes like that come up before. Am thinking I will get rid of xp pro and just reformat. Just wanted to avoid that.

I am checking that link out thanks Orion.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.