Agobot-ku worm found by Spybot StartUp?

I just updated my Spybot defs and included was an update for the PaulCollins Startup list, so I thought I’d run that function just to see what it would say.

One of the entries it found was an HK_LM:RunOnceEx with no value or command line. The extra info box on the side says it’s added by the Agobot-ku worm, which is supposed to have added the filename “system32.exe”.

A search on Google didn’t really give me much that doesn’t originate with Sophos, although viruslist.com gives one of its variant’s aliases as “Win32:Gaobot-268” for Alwil.
A search here and on the homepage for either that or for agobot doesn’t give any hits.

I remember getting false positives from this Spybot startup list in the past on Win98, so I don’t really trust it, but obviously I’m a bit worried that I may have an infection.

CodeStuff Starter lists it under startup but just ignores me when I try to look at its properties. Starter also shows “System” running as a process, with no corresponding executable, and again won’t list any properties for this entry.

Avast is telling me I have no problems (I’ve done a regular scan and also a boot scan).

Does anybody else get this same message, or know anything helpful about whether this is a real virus or not?
:-\

Hi,

Please post a HijackThis logfile for diagnosis (ideally one from Normal mode and one from Safe Mode, F8 boot).

Can you find a file that fits the malware description (normal boot or Safe Boot)?

Here’s my HJT log in normal mode. I’ll have to get another one in safe mode in a few minutes after shutting down.

Logfile of HijackThis v1.99.0
Scan saved at 4:55:28 PM, on 2/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Gary\Desktop\Gary\Holding Station\HijackThis199.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM..\Run: [PCMService] “C:\Program Files\Dell\Media Experience\PCMService.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &WordWeb… - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Download using Download &Express - file://C:\WINDOWS\System32\MetaProducts\Add_Url.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O17 - HKLM\System\CCS\Services\Tcpip..{8EC74779-0733-4C3E-BB4E-EE9C91E8F618}: NameServer = 216.254.141.13 209.90.160.220
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

I’ve checked this at Eddy’s online analyzer and nothing particularly dangerous seems to show up. Another thing is that if I do have the system32.exe on my system, I can’t find it in search.
I’ve never had a virus on this machine AFAIK, so I doubt it’s a leftover from something else… ???

No need to do a Safe Mode log, as that doesn’t give the full picture; a Normal mode log is what is required.

There doesn’t appear to be anything nasty, but there are some things that don’t need to be run at start-up. See this for an on-line analysis of your log: http://hijackthis.de/logfiles/e8e4342c11bd9e816b4ecb88c3ad41d9.html. You might want to save the home page for future use: http://hijackthis.de/

Thanks David… it looks like we ‘crossed posts’ :slight_smile:

I remember having a similar experience a year or two ago with Spybot’s Startup list and something connected with a supposed infection of the Norton I was using at the time. A search on Google and the Wilders forum revealed it to be a false alarm.
In this case though, nobody seems to be writing about it.

Does anyone else have Spybot who could check on their machine for this problem? (It’s in Spybot’s Tools section, under System Startup.)

Attached is a screenshot of what I get…

Thanks

I have just checked my S&D and there is nothing with blank details in the RunOnce.

It seems a bit sus to me. Since S&D has the Restore function, I would un-tick it and see what happens, or rather what doesn’t happen. The RunOnce shouldn’t really have any system stuff, so it should be OK, tongue firmly in cheek.

Done as you suggested… Restarted, and so far no problems have cropped up. But then, no problems were apparent before either :slight_smile:

I’ll post updates if anything happens.

Thanks for your help

I got this same issue. Blank startup entry being identified as AGOBOT KU by Spybot. Ad-Aware, Spybot, Microsoft’s AntiSpyware and AVG (as well as a few others) do not detect anything.

Then it may be a false positive by Spybot. However, the blank entry should be able to be removed in the same way as ‘garyb’ did, if it is truly the same HK_LM:RunOnceEx key.
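For anyone who wants to verify the key directly rather than rely on Spybot’s startup list, the following PowerShell script is an added example (not code from this thread, from Spybot or from HijackThis). It enumerates the Run, RunOnce and RunOnceEx autostart keys under HKLM and HKCU, reports any value with blank data and any RunOnceEx subkey that contains nothing at all (the “no value or command line” item described above), and, for entries that do carry a command, checks whether the executable actually exists, in the same spirit as HijackThis’s “(file missing)” marker. It assumes Windows PowerShell 5.1 or later and read access to both hives; the function and variable names are the example’s own.

```powershell
# Added example, not code from this thread or from Spybot S&D / HijackThis.
# Enumerates the Run / RunOnce / RunOnceEx autostart keys and flags entries
# with blank data, empty RunOnceEx subkeys, and commands whose executable
# cannot be found. Assumes Windows PowerShell 5.1+ with read access to
# HKLM and HKCU (run elevated to be sure every subkey is readable).

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
)

function Get-CommandExecutable {
    # Pull the executable out of a Run-style command line, which may be quoted
    # and may carry arguments, e.g.  "C:\...\qttask.exe" -atboottime
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $close = $cmd.IndexOf('"', 1)
        if ($close -gt 1) { return $cmd.Substring(1, $close - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|bat|cmd|scr|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Resolve-Executable {
    # Returns the resolved path, or $null when the file cannot be found.
    # Bare names (like Logi_MwX.Exe in the log above) are searched for in the
    # Windows directories and on PATH, roughly as the loader would do.
    param([string]$Exe)
    if ([System.IO.Path]::IsPathRooted($Exe)) {
        if (Test-Path -LiteralPath $Exe) { return $Exe } else { return $null }
    }
    $dirs = @("$env:SystemRoot\System32", $env:SystemRoot) + ($env:PATH -split ';')
    foreach ($d in $dirs) {
        if (-not $d) { continue }
        try {
            $candidate = Join-Path $d $Exe
            if (Test-Path -LiteralPath $candidate) { return $candidate }
        } catch { continue }   # skip malformed PATH entries
    }
    return $null
}

function Get-AutostartFindings {
    foreach ($keyPath in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $root = Get-Item -LiteralPath $keyPath
        # RunOnceEx keeps its commands in numbered subkeys (0001, 0002, ...),
        # so inspect the key itself plus one level of subkeys.
        $keys = @($root) + @(Get-ChildItem -LiteralPath $keyPath -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            $names = @($key.GetValueNames())
            if ($names.Count -eq 0 -and $key.SubKeyCount -eq 0 -and $key.Name -ne $root.Name) {
                # A subkey with neither values nor children: nothing would run
                # from it, which matches the blank item Spybot reported.
                [pscustomobject]@{ Key = $key.Name; Value = '(none)'; Data = ''; Status = 'EMPTY KEY' }
                continue
            }
            foreach ($name in $names) {
                $data = [string]$key.GetValue($name)
                if ([string]::IsNullOrWhiteSpace($data)) {
                    $status = 'BLANK DATA'
                } else {
                    $exe = Get-CommandExecutable $data
                    $status = if (Resolve-Executable $exe) { 'ok' } else { 'FILE MISSING' }
                }
                [pscustomobject]@{
                    Key    = $key.Name
                    Value  = if ($name -eq '') { '(Default)' } else { $name }
                    Data   = $data
                    Status = $status
                }
            }
        }
    }
}

# Usage: list every autostart entry, problem ones first.
Get-AutostartFindings | Sort-Object Status | Format-Table -AutoSize
```

An entry reported as EMPTY KEY or BLANK DATA cannot launch anything by itself, which is why un-ticking it in Spybot and rebooting (as garyb did) is a low-risk way to clear the warning; running the script again after the reboot confirms whether the key stays gone or is recreated, which is the useful signal if something on the machine is re-adding it.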

David:

Wanted to add a note to this thread. My machine also comes up with this entry in Spybot. My guess is that it’s a false positive, but unchecking it is definitely a precaution to take. I do not seem to have any problems; also, my Zone Alarm logs don’t note any unusual activity.
Hope this helps for all.
Mike

Don’t forget that Spybot S&D isn’t the only tool in the box; you can also check with Ad-Aware and HijackThis to see what is running on your system.

That is the weird thing: nothing connected with this shows up! I was looking at the U of Kansas security site this morning, and there is a lengthy discourse on the Agobot family (extremely virulent, and almost impossible to rid yourself of), but I did not see anything about a “ku” version (I need to check again; I was getting scooted out the door to church :slight_smile:). Will post the link once I go back there.

Mike

Hey all,

I have the same problem with the Agobot-ku worm showing up in Spybot… but nothing appears to be on my system when I manually check everything there is to check. All XP service packs and Norton have been running since day 1; I have run Trend Micro, McAfee, plus other online virus scans, yet nothing has shown up.

I unchecked it from the startup using S&D, however a few days later and… oh look… another one had started up. I am guessing there is something on our machines that’s not been discovered yet (long shot), or it’s a tech hitch somewhere. Either way it’s getting really annoying. Any ideas…???


Welcome to the forums, yazoo. :slight_smile:

all XP service packs and norton has been running since day 1,

Do you have Norton and Avast running on the same computer?


Hiya,

Nope, I have Norton on one (my work machine) and Avast on the other. They are both on my home network and both have my usual security stuff; however, it’s only my work machine that has the problem! I have even taken out the main hard drive and put it in a caddy and run scans, yet nothing shows up…

I have the same problem; however, I have Defender Pro software in addition to Spybot. Their antivirus is supposed to find this (I have the startup entries disabled) but does not; however, the firewall does pick it up when it tries to connect, which is also blocked. I have all of the behaviors listed for this on the Defender Pro site (which also gives the names for this that other antivirus software use):

http://www.viruslist.com/en/viruses/encyclopedia?virusid=48833

Backdoor.Win32.Agobot.ku
Other versions: .a
Aliases
Backdoor.Win32.Agobot.ku (Kaspersky Lab) is also known as: Backdoor.Agobot.ku (Kaspersky Lab), W32/Gaobot.worm.gen.d (McAfee), W32.HLLW.Gaobot.gen (Symantec), Win32.HLLW.ForBot.based (Doctor Web), W32/Agobot-Gen (Sophos), Win32/Gaobot.gen! (RAV), WORM_AGOBOT.GEN (Trend Micro), Win32:Trojan-gen. (ALWIL), Worm/Agobot.16.BC (Grisoft), Backdoor.Agobot.3.63E55EB4 (SOFTWIN), W32/Gaobot.gen.worm (Panda), Win32/Agobot.3.RF (Eset)

I do have files that were not there before which my antispy/antivirus programs cannot access, nor can they be deleted. I also cannot do a complete defrag because of these locked files. But with these items blocked my system does run OK and is not as slow as it used to be. If I find any other info I will let you know.