ÄÄhm, why not ?
illegal copy or svchost gets attacked/PC rebooting ?
if after formatting it keeps returning: you should apply ALL the relevant RPC/DCOM/IIS/WebDAV patches FIRST before going online
(or install/activate a firewall while offline and block:
UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593. )

P.s: Where exactly (full path and filename) does KAV detect it ?
what happens if you start the PC in SafeMODe (F8-Boot) and then run Kaspersky or delete it manually ?

what do RAV & TREND online scanners say ?
also read here:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.AO

or if you use filesharing → read up on the filesharing agobot variants on Trend’S AV-Site