After running a routine virus check, I found a virus named "Worm/Agobot.14.AP", but my virus program couldn't remove it! So it's still on my computer, and I don't really see a way to remove it... It's located in a file named "C:\WINDOWS\SYSTEM32\ntsyskrnl.exe", so I can see why the program couldn't remove it, but I'd like to know: 1) What is it, 2) What does it do and 3) How do I get rid of it. Any help would be welcome!
[edit] After checking recent test results, it seems that nearly every time the program has found a "hidden extension"... what can I do to prevent this? [ 05-28-2004, 12:51 PM: Message edited by: Raistlin Majere ] |
Could be this thing (didn't find agobot.14.AP at the site, only agobot.AP).
|
Hmmm... I can't open the page! Very odd...
|
Virus type: Worm
Destructive: Yes
Aliases: W32.HLLW.Gaobot.AO
Pattern file needed: 679 (0.679.03)
Scan engine needed: 5.600
Overall risk rating: Low
--------------------------------------------------------------------------------
Reported infections: Low
Damage Potential: High
Distribution Potential: High
--------------------------------------------------------------------------------
Description: This memory-resident worm propagates through network-shared folders. Like the earlier AGOBOT variant, WORM_AGOBOT.AN, it also exploits certain vulnerabilities to propagate across the network. It takes advantage of the following Windows vulnerabilities:
- Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
- IIS5/WEBDAV Buffer Overflow vulnerability
For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:
- Microsoft Security Bulletin MS03-026
- Microsoft Security Bulletin MS03-001
This worm also has backdoor capabilities. It randomly opens a TCP port where it waits for a connection from a remote user. It also connects to an IRC channel and waits for commands from a remote malicious user. It allows a remote user to perform the following malicious actions:
- Log off user
- Shut down the machine
- Reboot the machine
- Connect to a different IRC server
- Reconnect to an IRC server
- Send raw message to the IRC server
- Quit from the IRC session
- Send a private message
- Leave a channel
- Print netinfo
- Perform a mode change
- Join a channel
- Disconnect from IRC server
It also terminates antivirus-related processes and steals CD keys of certain game applications. It is compressed with Neolite and runs on Windows 2000 and XP.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Services.

MANUAL REMOVAL INSTRUCTIONS

Disconnecting Network Connection
Unplug the Unshielded Twisted Pair (UTP) cable that is normally located at the back of the machine to disconnect from the network and avoid reinfection. Apply the following instructions. Once the malware is completely removed from all the machines in the network, it is then safe to plug in the UTP cable and reconnect to the network.

Terminating the Malware Program
This procedure terminates the running malware process from memory.
1. Open Windows Task Manager. Press CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs, locate the process: CSRRS.EXE
3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.

Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup. To remove the malware autostart entries:
1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry: %System32%\CSRRS.EXE
   Note: %System32% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
4. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
5. In the right panel, locate and delete the entry or entries: %System32%\CSRRS.EXE
6. Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Applying Patches
This malware exploits known vulnerabilities affecting the Windows NT platforms. Download and install the following to patch your system.

IIS5/WEBDAV vulnerability patch
- Windows NT: http://microsoft.com/downloads/detai...displaylang=en
- Windows NT Terminal Server: http://microsoft.com/downloads/detai...displaylang=en
- Windows XP 32 bit: http://microsoft.com/downloads/detai...displaylang=en
- Windows XP 64 bit: http://microsoft.com/downloads/detai...displaylang=en

DCOM Patch
- Windows NT: http://microsoft.com/downloads/detai...displaylang=en
- Windows NT Terminal Server: http://microsoft.com/downloads/detai...displaylang=en
- Windows 2000: http://microsoft.com/downloads/detai...displaylang=en
- Windows XP 32 bit: http://microsoft.com/downloads/detai...displaylang=en
- Windows XP 64 bit: http://microsoft.com/downloads/detai...displaylang=en

RPC Patch
- Windows NT: http://www.microsoft.com/downloads/d...displaylang=en
- Windows NT Terminal Server: http://www.microsoft.com/downloads/d...displaylang=en
- Windows 2000: http://www.microsoft.com/downloads/d...displaylang=en
- Windows XP 32 bit: http://www.microsoft.com/downloads/d...displaylang=en
- Windows XP 64 bit: http://www.microsoft.com/downloads/d...displaylang=en
- Windows 2003 Server 64 bit: http://www.microsoft.com/downloads/d...displaylang=en

Refrain from using the affected software until the appropriate patch has been installed.

Additional Windows XP Cleaning Instructions

Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.AP. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner. Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business or home PC.

Here ya go then. :D |
... but this (agobot.ik) one seems to be the only one dealing with ntsyskrnl.exe... so I dunno which is right, if any. It's likely to be the .ik one, as it disables access to, amongst others, that trendmicro site.
For agobot.ik: Quote:
Also, you can try using System Restore, starting the puter in safe mode and then deleting the file, or... something. [ 05-28-2004, 01:28 PM: Message edited by: Gnarf ] |
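The manual removal steps quoted above (end the process, delete the Run/RunServices autostart values, delete the dropped file) are the same checks every Agobot write-up of the period gives, so here they are as an audit script. This is an added example, not code from the thread or from Trend Micro. It assumes PowerShell is available on the XP box and is run as Administrator; the file names come from the thread itself (csrrs.exe from the Trend Micro text, ntsyskrnl.exe from the original post), and the -Remove switch is this script's own invention. Without -Remove it only reports what it finds.

```powershell
# Added example: audit (and optionally remove) the autostart values, running
# processes and dropped files named in the thread. Not the original poster's
# or Trend Micro's code. Assumes an elevated PowerShell prompt.
param(
    [switch]$Remove      # hypothetical switch: actually kill/delete instead of only reporting
)

# File names taken from the thread; add others here if your scanner names a different one.
$Names   = @('csrrs.exe', 'ntsyskrnl.exe')
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$System32 = Join-Path $env:windir 'System32'

# 1. Running processes whose image name matches one of the names.
foreach ($n in $Names) {
    $base  = [IO.Path]::GetFileNameWithoutExtension($n)
    $procs = @(Get-Process -Name $base -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) { continue }
    foreach ($p in $procs) {
        Write-Host ("RUNNING  PID {0,-6} {1}" -f $p.Id, $p.ProcessName)
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }
}

# 2. Autostart values in the Run/RunServices keys whose data references a name.
#    The value name is irrelevant; the worm can register under any name, so match on the data.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PSPath, PSChildName, ...
        $data = ([string]$prop.Value).ToLower()
        foreach ($n in $Names) {
            if ($data.Contains($n)) {
                Write-Host ("AUTORUN  {0}\{1} = {2}" -f $key, $prop.Name, $prop.Value)
                if ($Remove) { Remove-ItemProperty -Path $key -Name $prop.Name }
            }
        }
    }
}

# 3. The dropped file in System32. -Force is needed so a Hidden file is still listed,
#    which is also how you see the "hidden" attribute the scanner complained about.
foreach ($n in $Names) {
    $path = Join-Path $System32 $n
    if (Test-Path $path) {
        $f = Get-Item $path -Force
        Write-Host ("FILE     {0}  {1} bytes  attrs={2}" -f $path, $f.Length, $f.Attributes)
        if ($Remove) { Remove-Item $path -Force }
    }
}
```

Run it once without -Remove from the normal boot to see what is registered, then run it with -Remove from Safe Mode: as the next post in the thread reports, the process simply restarts itself when killed while the worm is live, and the registry value is what brings it back after a reboot, so the order matters (process first, then autostart value, then file).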
When I open the Task Manager and end the process, instead of ending it, it just switches its place, but remains on the list! Damn, I don't like this thing at all...
|
Tried starting the puter in safe mode? It's likely that the ntsyskrnl.exe thing won't be loaded then, and you can delete it.
|
How do I boot in safe mode? I don't remember what I have to press on start-up... I'm running XP Pro, btw.
|
Hmmm... I think it's either F5 or F8 while you're booting. I can never remember which one, so I usually alternate between them, about once every second or so, during the boot process.
Good luck in killing it... |
You can probably do it with F8 or something, or:
start > run > "msconfig" > "boot.ini" tab > check /safeboot. You'll be prompted to restart puter after clicking "OK", do so. Uncheck /safeboot when you want puter to return to normal. |
©2024 Ironworks Gaming & ©2024 The Great Escape Studios TM - All Rights Reserved