Hello Tuliothx
Your friend is running a very dangerous worm on his system: W32/Agobot-IX:
W32/Agobot-IX is an IRC backdoor Trojan and network worm. W32/Agobot-IX copies itself to network shares protected by weak passwords. When first run W32/Agobot-IX copies itself to the Windows system folder as winlogin.exe and sets the following registry entries to ensure it is run at system logon. Each time W32/Agobot-IX is run it attempts to connect to a remote IRC server and join a specific channel. The worm then runs in the background allowing a remote intruder to issue commands which control the computer. W32/Agobot-IX can be instructed to download and install other programs on the system as well as to flood other computers with network packets. W32/Agobot-IX will terminate and disable various anti-virus and security related programs. W32/Agobot-IX will write to the hosts file so that various security related internet sites can no longer be accessed.
-----------------------
There is a very dangerous worm on the system.
Online banking, file sharing, mailing, messaging,
and up- and downloads (except to security sites) are not allowed
until the system is clean.
Take a look at "Security Tips" in my signature.
-----------------------
Please follow these steps:
1. Turn off System Restore during the whole time we are working on your system.
2. Make sure you set Windows to show hidden files and folders.
3. Download RegistryProt, read the instructions and follow the instructions!
4. Download Registrar Lite, a tool to edit the registry.
5. For the greatest safety, Symantec recommends that if you edit the registry, you back up the entire registry: Backing up the Windows registry.
6. Open Windows Task Manager (press CTRL+SHIFT+ESC, then click the Processes tab).
- In the list of running programs, locate the malware file(s) detected earlier.
- Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
- Do the same for all detected malware files in the list of running processes.
- To check if the malware process has been terminated, close Task Manager, and then open it again.
- Close Task Manager.
The process to end in this case: winlogin.exe
7. START > RUN > (type) REGEDIT [enter] (or use 'Registrar Lite')
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
delete: WinLogin = winlogin.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
delete: WinLogin = winlogin.exe
Close the registry editor.
8. You will want to copy the text from this post and save it as a text file (*.txt) or print it, because you will be working offline (in Safe Mode) to resolve your problem and will not have access to this forum.
Follow these STEPS.
STEP 1
You must turn off System Restore during this process. You will keep it off until we are done fixing your system.
STEP 2
- Download mwavscan (it is free); if you don't have a zip tool we suggest ZipGenius (it is free).
- You MUST unzip mwavscan to 'C:\bases' (case sensitive; in any other folder it won't work properly).
- After installing, some systems automatically start up the program. If this happens, close it; you don't want to run it now.
- Open 'My Computer'
- Double click on 'C:'
- Double click on the folder 'bases'
- Now in that root folder look for 'kavupd.exe' and double click on it. (We are updating mwavscan to the latest definitions.)
- NOTE: Occasionally users receive an error that 'signatures are more than 30 days old'. If you receive this, keep trying to run kavupd.exe; it means the definition server is busy, but you will eventually get through.
- Download CleanUp312.
- If after or during the cleaning process you find that your internet connection has been broken, please run LSPFix, so please download it now.
STEP 3
- Double click the file cleanup312.exe
- Go to the options
- Select 'Custom'
- Put a checkmark at:
* Cookies
* Prefetch
* Temp
* All users
- Press the 'Cleanup' button
STEP 4
- Now turn off your computer and remove the network cable/phone line from your machine.
- Reboot your computer in Safe Mode
STEP 5
- Open 'My Computer'
- Double click on 'C:'
- Double click on the folder 'bases'
- Double click on 'mwavscan.com'
- Now close all other windows, browsers, and programs other than mwavscan before continuing
- Checkmark: Memory, StartUp-Folders, Drives, All Local Drives, Registry and INI Files, System Folders, Services
- Now select 'Scan All Files'
- Finally, click on 'Scan Clean' (the program will take several hours to run)
- When the scan is complete, click 'View Log' and save it!
STEP 6
- Reconnect your network cable/phone line
- Reboot your system into normal mode.
STEP 7
- Open 'My Computer'
- Double click on 'C:'
- Double click on the folder 'bases'
- Find the log file in the directory.
- Open it with an editor (Notepad will do fine)
- Look for the files which are tagged as "virus" or "infected"
- Copy & paste all these files tagged as "virus" or "infected" into a new document and save it to your desktop
STEP 8
Run Hijackthis again and have it save a new log file.
STEP 9
Come back to the site and post every file mwavscan tagged as "virus" and the names of the viruses in this thread.
(It looks like this: File C:\WINDOWS\sssasasb32.exe infected by "Trojan-Downloader.Win32.Agent.ig" Virus. Action Taken)
Also post the total results:
=>Total Number of Files Scanned:
=>Total Number of Virus(es) Found:
=>Total Number of Disinfected Files:
=>Total Number of Files Renamed:
=>Total Number of Deleted Files:
=>Total Number of Errors:
***** Scanning complete. *****
Finally, post the new Hijackthis logfile!
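As an added, read-only check that is not part of the original post or of any of the tools it names, the PowerShell below looks for the three W32/Agobot-IX indicators described above (the two WinLogin autostart values, winlogin.exe in the system folder, and hosts-file lines naming security sites) and prints what it finds so it can be posted in the thread. The list of security-vendor names in the hosts check is an assumption, since the post does not name the blocked sites.

```powershell
# Added example, not from the original post: read-only triage for the
# W32/Agobot-IX indicators named above (autostart values, dropped file,
# hosts file). It reports only; nothing is deleted or changed.
$indicators = @()

# 1. Autostart values: WinLogin = winlogin.exe under Run and RunServices
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        # Match on the value name or on data that launches winlogin.exe
        if ($p.Name -ieq 'WinLogin' -or
            ($p.Value -is [string] -and $p.Value -imatch 'winlogin\.exe')) {
            $indicators += "Registry: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 2. The dropped file in the Windows system folder. Spelling matters:
#    winlogIN.exe is the worm; winlogON.exe is a legitimate Windows component.
$sysDir  = [Environment]::GetFolderPath('System')
$dropped = Join-Path $sysDir 'winlogin.exe'
if (Test-Path $dropped) {
    $hash = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    $indicators += "File: $dropped (SHA256 $hash)"
}

# 3. Hosts file lines naming security sites. The post says the worm blocks
#    "various security related internet sites" without listing them, so the
#    vendor names below are an assumption; any non-comment line naming one
#    of them is reported regardless of the address it maps to.
$vendorPattern = 'symantec|sophos|mcafee|kaspersky|trendmicro|windowsupdate'
$hostsPath = Join-Path $sysDir 'drivers\etc\hosts'
if (Test-Path $hostsPath) {
    foreach ($line in Get-Content $hostsPath) {
        $t = $line.Trim()
        if ($t -and -not $t.StartsWith('#') -and $t -imatch $vendorPattern) {
            $indicators += "Hosts: $t"
        }
    }
}

if ($indicators.Count -eq 0) { 'No W32/Agobot-IX indicators found.' } else { $indicators }
```

Run it from an elevated PowerShell prompt before and after the cleaning steps; a clean system should report no indicators, and anything still listed afterwards is what to post back in the thread.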