Jeff-
If it is agobot- update windows!!! update! update! update!
Read :
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.SY
I cannot stress how important it is to keep your system updated.I assume you are using XP.Set avast to do a boot scan. The following is from Trend:(if you don’t want to look!)
"This memory-resident worm exploits certain vulnerabilities to propagate across networks. Like the earlier AGOBOT variants, it takes advantage of the following Windows vulnerabilities:
Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
IIS5/WEBDAV Buffer Overflow vulnerability
RPC Locator vulnerability
For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-001.asp
It attempts to log on to systems using a predefined list of user names and passwords. It also has backdoor capabilities and may execute malicious commands on the host machine. It terminates antivirus-related processes and dropped files by other malware. It also steals CD keys of certain game applications.
Solution:
Terminating the Malware Program
This procedure terminates the running malware process from memory.
Open Windows Task Manager.
On Windows 95/98systems, pressCTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs*, locate the process:
SYSCONF.EXE
Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Video Process = “sysconf.exe”
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry:
Video Process = “sysconf.exe”
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Removing the Malware Entries in the HOSTS file
Deleting entries in the HOSTS files prevents the redirection of antivirus Web sites to the local machine.
Open the following file using a text editor such as Notepad.
%System%\drivers\etc\HOSTS
Delete the following entries:
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
Save the file HOSTS and close the text editor.
Note: %System% is the Windows System folder, which is usually C:\Windows\System or C:\WINNT\System32. "
Then,after all that,(whew)
disable system restore and restart
run avast
restart and run avast again
run trend micro again
use a firewall (not just the one in XP)
keep windoze and avast up to date
use a spam blocker
lock down avast
install Spybot Search+Destroy(use the immunize tool)
install Spyware Blaster(use in conjunction w\Spybot)
learn “safe hex”
just a note-
microsoft announced that they estimate 8 million infected computers with Blaster worm
Thanks Bill !!!
-max