05-28-2004, 01:18 PM, post #5
Gnarf
Emerald Dragon
Join Date: February 6, 2003
Location: Norway
Age: 38
Posts: 928
... but this (agobot.ik) one seems to be the only one dealing with ntsyskrnl.exe ... so I dunno which is right, if any. It's likely to be the .ik one, as it disables access to, amongst others, that trendmicro site.

For agobot.ik:
Quote:
Description:

This AGOBOT variant is a network worm and a backdoor. It propagates into machines unpatched against the following vulnerabilities:

- Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability: Microsoft Security Bulletin MS03-026, http://www.microsoft.com/technet/tre...n/MS03-026.asp
- RPC Locator vulnerability: Microsoft Security Bulletin MS03-001, http://www.microsoft.com/technet/tre...n/MS03-001.asp
- IIS5/WEBDAV buffer overrun vulnerability: Microsoft Security Bulletin MS03-007, http://www.microsoft.com/technet/tre...n/MS03-007.asp

It also uses a list of user names and passwords to propagate into machines with weak passwords.

This malware has backdoor capabilities. It allows remote users to manipulate infected systems and steal information, including game CD keys. It also terminates different programs, including antivirus and firewall applications.

It runs on Windows NT, 2000, and XP.

Solution:

Terminating the Malware Program

This procedure terminates the running malware process from memory.
1. Open Windows Task Manager. Press CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs, locate the process: ntsyskrnl.exe
3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.
1. Open Registry Editor. To do this, click Start > Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
3. In the right panel, locate and delete the entry: System Kernel = "ntsyskrnl.exe"
4. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
5. In the right panel, locate and delete the entry: System Kernel = "ntsyskrnl.exe"
6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
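If you would rather not hunt through Registry Editor by hand, the same check can be run over a Registry Editor export. The script below is an added example, not part of Gnarf's post or of Trend Micro's writeup: it parses a .reg export of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion, flags "System Kernel" values under Run and RunServices that reference ntsyskrnl.exe (the two entries the writeup names), and writes a .reg file that deletes only those values. The export text inside it is constructed; the key names, value name and file name are the ones from the writeup, and the `reg export` command and the UTF-16 encoding of .reg files are assumptions about the Windows tooling, not something the post states.

```python
"""Added example, not from the post or from Trend Micro's writeup: scan a
Registry Editor export (.reg file) of the CurrentVersion key for the
"System Kernel" = "ntsyskrnl.exe" autostart values the writeup lists, and
emit a .reg file that deletes just those values. The export text below is
constructed; the only real values in it are the two the writeup names."""
import re
import sys

MALWARE_IMAGE = "ntsyskrnl.exe"            # file name from the writeup
AUTOSTART_LEAVES = {"run", "runservices"}  # the two keys the writeup names

# Constructed sample export. A real one comes from Registry Editor's
# File > Export (or `reg export` on XP and later) and is UTF-16 encoded.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System Kernel"="ntsyskrnl.exe"
"Example Tray"="C:\\Program Files\\Example\\tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"System Kernel"="ntsyskrnl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="ntsyskrnl.exe mention outside an autostart key"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for every named value in a .reg
    export. Quoted REG_SZ data is unescaped; other types (hex:, dword:)
    are yielded as the raw text after '='. The @= default value is skipped."""
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            yield current_key, name, data


def find_malware_autostarts(text, image=MALWARE_IMAGE):
    """Return [(key, name, data)] for values under Run/RunServices whose
    data references the malware image. Mentions under other keys are ignored."""
    hits = []
    for key, name, data in parse_reg_export(text):
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf in AUTOSTART_LEAVES and image.lower() in data.lower():
            hits.append((key, name, data))
    return hits


def removal_reg(hits):
    """Build a .reg file that deletes only the flagged values. In .reg
    syntax, "name"=- under a key deletes that value and nothing else."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in hits}):
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for k, name, _ in hits if k == key)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python scan_autostart.py exported.reg > remove.reg
    # With no argument, runs against the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as f:
            text = f.read()
    else:
        text = SAMPLE_EXPORT
    found = find_malware_autostarts(text)
    for key, name, data in found:
        print(f"# {key}\\{name} = {data!r}", file=sys.stderr)
    if found:
        print(removal_reg(found))
```

The scoping matters: the sample deliberately contains a third mention of ntsyskrnl.exe under an Uninstall key, and the scanner leaves it alone, since only the Run and RunServices entries are what the writeup says to remove. Review the generated remove.reg before importing it.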

Cleaning the HOSTS file

This malware added loopback addresses to your hosts file. Cleaning this would enable access to the Web sites.
1. Using Notepad, edit the file "hosts" located in the %System%\drivers\etc folder.
2. Remove the lines containing the following sites:

avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com

Note: %System% is the Windows system folder, which is C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
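Editing the hosts file in Notepad works, but it is easy to miss a line or to delete the legitimate localhost entry by mistake. The script below is an added example, not from Gnarf's post or from Trend Micro's writeup: it parses a hosts file, flags only the lines that map one of the vendor sites listed above to a loopback address (the hijack the writeup describes), and rewrites the file without them, keeping comments and every other mapping untouched. The vendor list is copied from the writeup; the sample hosts content inside the script is constructed.

```python
"""Added example, not from the post or from Trend Micro's writeup: find and
strip hosts-file lines that pin security-vendor sites to a loopback address,
which is the hijack the quoted writeup describes. The vendor list is the one
from the writeup; the sample hosts content below is constructed."""
import ipaddress
import sys

# Sites copied from the quoted writeup (the duplicate viruslist.com dropped).
VENDOR_SITES = {
    "avp.com", "ca.com", "customer.symantec.com", "dispatch.mcafee.com",
    "download.mcafee.com", "f-secure.com", "kaspersky.com",
    "liveupdate.symantec.com", "liveupdate.symantecliveupdate.com",
    "mast.mcafee.com", "mcafee.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "rads.mcafee.com", "secure.nai.com",
    "securityresponse.symantec.com", "sophos.com", "symantec.com",
    "trendmicro.com", "update.symantec.com", "updates.symantec.com",
    "us.mcafee.com", "viruslist.com", "www.avp.com", "www.ca.com",
    "www.f-secure.com", "www.kaspersky.com", "www.mcafee.com",
    "www.my-etrust.com", "www.nai.com", "www.networkassociates.com",
    "www.sophos.com", "www.symantec.com", "www.trendmicro.com",
    "www.viruslist.com",
}

# Constructed sample: a legitimate localhost line, two worm-style lines
# (one with a trailing comment, one with two hostnames), and an unrelated
# internal host that must survive cleaning.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com   # added by the worm
127.0.0.1 symantec.com liveupdate.symantec.com
10.0.0.5        fileserver.corp.example
"""


def is_loopback(addr):
    """True for 127.0.0.0/8 or ::1; False for anything that is not an IP."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def parse_hosts_line(line):
    """Return (address, [hostnames]) for a mapping line, or None for
    blank/comment lines. Text after '#' is a comment and is ignored."""
    body = line.split("#", 1)[0].strip()
    parts = body.split()
    if len(parts) < 2:
        return None
    return parts[0], [h.lower() for h in parts[1:]]


def find_hijacked_entries(hosts_text):
    """Return [(line_no, line)] for lines that map a vendor site to loopback."""
    hits = []
    for n, line in enumerate(hosts_text.splitlines(), 1):
        parsed = parse_hosts_line(line)
        if parsed is None:
            continue
        addr, names = parsed
        if is_loopback(addr) and any(h in VENDOR_SITES for h in names):
            hits.append((n, line))
    return hits


def clean_hosts(hosts_text):
    """Return the hosts text with hijacked lines removed. Comments, the real
    localhost mapping and unrelated entries are kept verbatim, so a diff of
    before and after shows exactly what was dropped."""
    bad = {n for n, _ in find_hijacked_entries(hosts_text)}
    kept = [l for n, l in enumerate(hosts_text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


def clean_hosts_file(path, write=False):
    """Report hijacked lines in the file at `path`; rewrite it only when
    write=True. latin-1 round-trips every byte, so untouched lines come
    back unchanged. Returns the number of lines removed."""
    with open(path, encoding="latin-1") as f:
        text = f.read()
    hits = find_hijacked_entries(text)
    for n, line in hits:
        print(f"{path}:{n}: {line}")
    if write and hits:
        with open(path, "w", encoding="latin-1") as f:
            f.write(clean_hosts(text))
    return len(hits)


if __name__ == "__main__":
    # Usage: python clean_hosts.py [path] [--write]; with no path, the
    # constructed sample is scanned and nothing is written.
    args = [a for a in sys.argv[1:] if a != "--write"]
    if args:
        clean_hosts_file(args[0], write="--write" in sys.argv)
    else:
        for n, line in find_hijacked_entries(SAMPLE_HOSTS):
            print(f"sample:{n}: {line}")
```

Run it once without --write to see what it would remove, then with --write against %System%\drivers\etc\hosts. It only acts on loopback mappings of the listed sites, so an entry for a vendor site that points somewhere other than 127.0.0.1 is reported by nothing and left for a human to look at.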

Additional Windows XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.IK. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Applying Patches

Download the latest patch. Information and download links on the vulnerabilities exploited by the malware can be found at the following links:
- Microsoft Security Bulletin MS03-026
- Microsoft Security Bulletin MS03-001
- Microsoft Security Bulletin MS03-007

Edit: Link to that housecall thing: http://housecall.antivirus.com/
Also, you can try using System Restore, starting the puter in safe mode, then deleting the file or... something.

[ 05-28-2004, 01:28 PM: Message edited by: Gnarf ]
__________________
I want a hippo.