Hello there
I signed on about a year ago with Avast because I had a trojan that no other A/V could find.
The people in this forum were very quick to help.
It appears as though I may need a helping hand again.
I just updated the driver for a Creative X-Fi sound card. On restart I got a Spybot warning that AGOBOT-KU was detected. Under details,
filename:system32.exe
added by the AGOBOT-KU WORM!
has a blank entry under the Startup Item/Name file
Currently running an Avast scan (seems extremely slow, still at 0% after 50 mins, but I can see the files that it is currently scanning constantly change).
Currently running a Spybot scan, nothing yet.
Just finished a SuperAntiSpyware scan, just cookies found.
I did update these AVs before the scan.
Searched here for agobot and found only one thread from 2005/6.
When shutting down a warning for access denied … . … (can’t remember exactly what) comes up.
Spybot found nothing.
After 1.5 hours Avast finished, found 949 items that it could not scan!
On shut down a warning stating "Access violation at address ########" where the numbers change at each shut down.
At shut down Spybot requires “end program”.
Every time I boot, the Creative driver tries to reinstall even though it recognises that it is the same as the present driver.
Some time ago, when I had Spybot, I had an entry under the startup list, which was blank, which it said was added by the AGOBOT-KU WORM! I posted on their forum, and was reassured it was harmless. I no longer have SSD, but I would assume these ‘alerts’ are coming from the TeaTimer. Did you download the updates from Creative? If so I would guess maybe these alerts could be a false positive. The TeaTimer has possibly blocked the full installation of the firmware. If you are absolutely certain the download is from a safe source (the manufacturer) you could try installing again with the TeaTimer disabled. You could post a HijackThis log first http://www.filehippo.com/download_hijackthis/
The update came directly from Creative’s website.
Here is the hijackthis log
THANKS for the help
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:01 AM, on 24/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Obviously there must be a way to copy the complete log in one piece. I just used copy and paste and am limited to 1000 characters. Sorry it’s split up but it’s all here.
The system32.exe isn’t a system file (not on my system), it might just be one trying to look like one to stop you dealing with it.
So considering both of the above it certainly seems to be a good detection.
Why did you update the creative driver ?
If it was at your own initiative, not so much of an issue and my 2nd question applies. If however, it was a suggestion whilst browsing, etc. it could simply be a hook to get you to install malware, a common tactic (normally codecs are suggested as needed).
Where did you download this driver from ?
e.g. a trusted source or one you haven’t a clue where it was (download in the background).
It is possible that the driver was legit but at the same time you got an unwanted guest.
Is that a boot-time scan you are/were doing ?
If not then if you have XP, vista32bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.
I always find it strange when there is a run once from a temp folder, C:\WINDOWS\temp\CRF000\SETUP.exe so I did a google search on it.
I lost sound and thought that an update of the driver would help, and it did. And as stated it came from me going to Creative and getting it myself.
I did also google system32.exe, but not being too knowledgeable it seemed fishy to me also.
I will do a boot time scan now.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
I did a search on the Spybot forums for system32.exe. There are a few threads relating to this and AGOBOT-KU worm. I am still thinking this is a spybot false positive.
Have a look at the posts. While system32.exe is obviously malicious, Spybot seems to confuse this with this blank startup entry on the Paul Collins startup list. I find it odd that Avast, SAS and especially Kaspersky cannot find this worm.
@ ianeuropean
I had forgotten about the original system32.exe file, so do a system search (see below) and see if it is actually on your system.
If so, I would also suggest you check that at virustotal also.
Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.
OK looks like someone else was suspicious of the setup.exe file, but it appears clean.
Though I would wonder exactly what purpose that registry entry serves and what this setup.exe file was about, e.g. if your sound driver update then it seems a very strange way to go about the update.
As suspected it could be an FP on the blank start-up entry (which, if you haven’t done so already, you should disable, see below) which S&D seems to associate with system32.exe, although the physical file might not be there.
Check out the startup entry, Windows Start button, Run, type msconfig and click OK. From the window select the Startup tab find the blank startup entry. Is there anything in any part of that entry (Startup Item, Command or Location columns) that might indicate what/where it might be ?
Having gained any information available disable (uncheck the box to the left) the blank startup item and click OK. Notice I said disable, reboot and watch for any errors displayed to the screen about a missing file and if displayed make notes on the information. If no errors monitor your boots and how the system runs for a few days and if no adverse reaction, delete that blank disabled startup entry.
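A read-only triage script, added here and not from any poster in the thread, that lists the same autostart locations msconfig's Startup tab draws from, flags blank or temp-folder entries like the ones discussed above, and searches for a file named system32.exe with hidden and system files included. It assumes a Windows machine with PowerShell available; the "suspicious" rules are my own heuristics, not anything Spybot or Avast uses.

```powershell
# Added example, not the thread's own procedure. Read-only triage: it reports,
# it does not disable or delete anything. Assumes Windows with PowerShell.

$runKeys = @(                      # the registry keys msconfig's Startup tab lists
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristics (my own assumptions) for entries worth a closer look.
function Get-Suspicion([string]$Name, [string]$Command) {
    $reasons = @()
    if ($Name -eq '(default)' -or [string]::IsNullOrWhiteSpace($Name)) { $reasons += 'blank startup name' }
    if ([string]::IsNullOrWhiteSpace($Command)) { $reasons += 'blank command' }
    if ($Command -match '\\temp\\')             { $reasons += 'runs from a temp folder' }
    if ($Command -match 'system32\.exe')        { $reasons += 'references system32.exe' }
    return ($reasons -join '; ')
}

$entries = New-Object System.Collections.Generic.List[object]
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $cmd = [string]$p.Value
        $entries.Add([pscustomobject]@{
            Location = $key; Name = $p.Name; Command = $cmd
            Suspicious = Get-Suspicion $p.Name $cmd
        })
    }
}

# Startup folders for this user and for all users; -Force includes hidden items.
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($f in (Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue)) {
        $entries.Add([pscustomobject]@{
            Location = $dir; Name = $f.Name; Command = $f.FullName
            Suspicious = Get-Suspicion $f.Name $f.FullName
        })
    }
}

$entries | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# system32 is a folder, not a program: any file named system32.exe under the
# Windows folder (hidden/system files included) is worth checking at VirusTotal.
Get-ChildItem -Path $env:SystemRoot -Filter 'system32.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime, Attributes
```

Anything the table flags should be noted down (location, name, command) before it is disabled in msconfig, so that a missing-file error on the next reboot can be matched back to it.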
OK I ran the MalwareBytes scan in safe mode and nothing was found. Also in the startup entries I found nothing with a blank entry or AGOBOT. So is this a false positive that I have wasted your time with?
Your time is seldom wasted in things like this as you have gained some valuable experience and some new tools.
Personally (if it were my system) I would run the ‘specialist’ tool.
It is so long since I gave up on S&D that I can’t recall what it does on ‘allow change’, so I’m not really in a position that I can say. But as you say it has put you to a lot of extra trouble, not to mention stress, so I would be tempted to uninstall it and replace it with MBAM.
Whilst SAS and MBAM are on-demand only in the free versions, their detections are, I feel, much better and you could do a weekly scan with them. Or do as I have done and pay for the Pro/paid option for one of them (small one-off payment) and you would have resident anti-spyware protection.