Open Tech Support
Open Tech Support Archives
Back to HomeCommunityReviewsGuidesDownloadsTech LinksMarketplaceContact Us
 »  SITE NAVIGATION
»  OTS Home
»  OTS Forums
»  OTS Archives

»  About our site
»  Search our site
»  Support our site

»  What is this site?
»  Who are we?
 
 
 »  ADVERTISMENT
 
  Pages: 1

Worm Agobot Help!!!!

 (Click here to view the original thread with full colors/images)

Posted by: colloc

Well I just scanned my computer and found the worm and it says non cleanable so what do i do my norton didnt pick it up when it scanned but the website http://housecall.trendmicro.com what is it going to do


Posted by: NyGulkuk

Manual removal instructions on this page:

http://www.trendmicro.com/vinfo/vir...=WORM_AGOBOT.TT

In case your hosts file won't permit you to go there:
Quote:
MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process.

1. Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs*, locate the process:
OB.EXE
3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Windows Task Manager may not show certain processes. You may use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
OB Updater = "ob.exe"
4. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>RunServices
5. In the right panel, locate and delete the entry:
OB Updater = "ob.exe"
6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Cleaning the HOSTS file

This malware added loopback addresses in your hosts file. Cleaning this enables access to the said Web sites.

1. Using Notepad, edit the file “hosts” located in the %System%\drivers\etc folder.
Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
2. Remove the lines containing the following sites:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com



 
Copyright 2000-2008 Open Tech Support. All Rights Reserved. Site Design and Development by Tolitz Rosel.