totallysusan Posted April 30, 2004
I'm going in a circle here. First, McAfee found a virus and said it got rid of it, Qhosts.apd, and then kept on telling me that I had it. Then I couldn't get it to even do a virus check. Something called Adware runs on here all the time (has a smiley face for an icon) and it keeps telling me it found something blacklisted called microsoft.exe. I tell it no, then it shuts down McAfee. I booted into safe mode and scanned with McAfee and it found Qhosts.apd again, got rid of it. I rebooted, can't get rid of Adware, it's still shutting down McAfee, and I keep getting a CONSTANT warning that says: "McAfee ActiveShield has detected a virus on your computer. We recommend that you use the Scan feature to scan all the drive of your computer for viruses." I tell it okay and it pops up every 30 seconds. I went to a virus site and found that I had the DOS AGOBOT.HM, got something called Stinger from McAfee, went back to the site and it didn't find it this time, but I still have the problem from Adware (control panel won't let me get rid of it) and it shutting down McAfee and the warning from ActiveShield every 30 seconds. Any suggestions? I can get to McAfee's site now, but not Symantec's.
TomcaT Posted April 30, 2004
Hi Susan, it sounds like your virus is still there. Have a look at the link below; it gives instructions on how to manually remove it. Print them out, then disconnect your machine from the internet by removing the cable from the modem!!!
Virus Information
Once you have got rid of it, uninstall McAfee and reinstall it and get the latest definitions downloaded, or get the free scanner from www.grisoft.com. Good luck!! TC
totallysusan Posted April 30, 2004 (Author)
Won't let me go to the link. It redirects me. Can you cut and paste here?
Aaron Posted April 30, 2004
Link works fine. If it's redirecting you, then your virus has edited the HOSTS file. Open %systemroot%\system32\drivers\etc\hosts (Windows XP) in Notepad and see if sophos.com is listed.
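A way to automate the hosts-file check Aaron describes, as an added example that is not code from the thread: it parses a hosts file and reports every entry for a security vendor's domain, distinguishing entries that block the site (loopback or 0.0.0.0) from ones that redirect it elsewhere. The sample hosts content and the vendor list are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of a hosts file tampered with the way the thread describes
# (not taken from the poster's machine): vendor sites pinned to localhost or to
# another address so updates and removal-instruction pages cannot be reached.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       sophos.com securityresponse.symantec.com
0.0.0.0         download.mcafee.com
192.0.2.10      www.symantec.com   # RFC 5737 documentation address, constructed
"""

# Vendor domains worth checking; this list is an assumption, extend as needed.
VENDOR_SUFFIXES = ("sophos.com", "symantec.com", "mcafee.com", "grisoft.com")

def is_vendor(host):
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in VENDOR_SUFFIXES)

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a mapping
        for name in names:
            yield ip, name, n

def suspicious_entries(text):
    """Return (line_no, host, ip, kind) for vendor domains the hosts file overrides.
    A clean XP hosts file only maps localhost, so any vendor entry is suspect."""
    hits = []
    for ip, name, n in parse_hosts(text):
        if name.lower() == "localhost" or not is_vendor(name):
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        hits.append((n, name, ip, kind))
    return hits
```

Run it against the real file by passing `open(r"C:\WINDOWS\system32\drivers\etc\hosts").read()` to `suspicious_entries`; any hit explains why a vendor page redirects or fails to load.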
TomcaT Posted May 1, 2004
This is from the Sophos website.

Description
W32/Agobot-EX is an IRC backdoor Trojan and network worm. When first run W32/Agobot-EX copies itself to the Windows system folder with the filename soundman.exe. The following registry entries are created with the intention of starting the worm when a user logs into Windows, but an error results in these values being garbage:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\^`d}qZxu= ~`d}qzxu3zYF
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\^`d}qZxu= ~`d}qzxu3zYF
W32/Agobot-EX also registers itself as a service which will be activated when Windows starts up. The name of the service is SoundMan. W32/Agobot-EX connects to a remote IRC server and joins a specific channel. The backdoor functionality of the worm can then be accessed by an attacker using the IRC network. An attacker can issue commands to start the worm scanning for vulnerable computers to copy itself to. The worm also attempts to terminate and disable various security-related programs.

Recovery
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry. At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens. Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup. Locate the HKEY_LOCAL_MACHINE entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\^`d}qZxu= ~`d}qzxu3zYF
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\^`d}qZxu= ~`d}qzxu3zYF
and delete them if they exist. Close the registry editor.
totallysusan Posted May 1, 2004 (Author)
This is what was found. I can't open my registry because it keeps closing back down. It's doing this to a lot of programs.

Scan started at 5/1/2004 9:20:04 AM
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\daubatyq.exe - Win32/HLLW.Gaobot -> Infected
C:\dvmintdp.exe - Win32/HLLW.Gaobot -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1215: (paul davd [Find a good f... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.1038: (paul davd [i Love You])-... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.981: (paul davd [u realy Want t... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.956: (paul davd [Learn How To L... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.868: (paul davd [make ur friend... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.867: (paul davd [Learn How To L... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.866: (paul davd [Are you lookin... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.854: (paul davd [Learn How To L... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.848: (paul davd [Wowwwwwwwwwww ... - Win32/Yaha.K@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.793: ( [screensaver])->(part000... - Win32/Sobig.B@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.79: ( [Re: My details])->(part0... - Win32/Sobig.B@mm -> Infected
C:\Documents and Settings\funpartyz\My Documents\My Documents\from old drive\Documents and Settings\Long\Application Data\Identities\{88A94540-389B-11D7-88C3-F6C89D4E0841}\Microsoft\Outlook Express\Deleted Items.dbx->Message.36: (paul davd [Wowwwwwwwwwww c... - Win32/Yaha.K@mm -> Infected
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\611JMFO0\bot[4].exe - Win32/HLLW.Gaobot -> Infected
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\611JMFO0\bot[5].exe - Win32/HLLW.Gaobot -> Infected
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MPMYQ6WB\bot[3].exe - Win32/HLLW.Gaobot -> Infected
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MPMYQ6WB\bot[4].exe - Win32/HLLW.Gaobot -> Infected

Scanned
============================
Objects: 44461
Directories: 4744
Archives: 7332
Size(Kb): 1676744
Infected files: 18

Found
============================
Viruses found: 3
Suspicious files: 0
Disinfected files: 0
Mail files: 4911
TomcaT Posted May 1, 2004
You have a dirty dirty dirty machine!! Assuming that you are using XP, press the CTRL, ALT and DELETE keys, look at the processes that are running, look for daubatyq.exe and dvmintdp.exe and stop those processes. Also have a look at any process that has your username as the process owner, look for odd-named files, i.e. M1crosoft.exe etc., and stop those as well. Then try and run regedit. If you are successful, delete all your temporary internet files, empty your email trash and delete those emails, delete those documents that it shows in your list! Do it manually! And empty the trashcan. Then run your scanner and see what happens. Good luck
XtremeMaC Posted May 2, 2004
that won't solve her problems though
the idea of the virus is that it copies itself to other places
after she stops those processes another process will be running.
i'd go to registry wipe out the startup programs
try msconfig if it doesn't let u open regedit
also if that doesn't work
go to run and type cmd
then use "reg" command to delete the run key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
if u want to delete the individual entries u'll have to query the values in them then delete the values...
so like this
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /va
to delete everything under Run key
or
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
it will give u a list of programs that are working
to delete them 1 by one go like this
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "name of process"
replace "name of process" with the name of the process without the quotes....
repeat this for suspicious values and also do these for the HKCU too
and for services.. though i dunno if that particular virus goes into services..
then restart the computer
after the restart none of those files should be running... then go through the suspicious files and delete them.
and as said delete the temp internet files,
delete this folder too
c:\documents and settings\funpartyz\Local Settings\Temp
and u're lucky it has affected your Deleted Items.dbx so u can also delete that dbx file and still be able to see your mails (not the deleted ones though..)
good luck... have fun
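An added example (not from the thread) that goes with the reg query / reg delete steps above and with the garbage Run values in the Sophos description: it parses the output of `reg query` on the Run key, flags values with the traits the thread mentions (unprintable value names, executables dropped in the drive root or a Temp folder, look-alikes of microsoft.exe), and builds the matching `reg delete` command for review instead of running it. The sample query output, the heuristics and the function names are assumptions.

```python
import re

# Constructed sample of `reg query` output for the Run key (XP layout), not captured
# from the poster's machine; the odd entries mirror what the thread describes.
SAMPLE_REG_QUERY = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    ^`d}qZxu    REG_SZ    ~`d}qzxu3zYF
    daubatyq    REG_SZ    C:\daubatyq.exe
    M1crosoft    REG_SZ    C:\Documents and Settings\funpartyz\Local Settings\Temp\M1crosoft.exe
    TkBellExe    REG_SZ    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")  # name, type, data
LOOKALIKE = str.maketrans({"1": "i", "0": "o", "3": "e", "5": "s"})  # digit-for-letter swaps

def parse_reg_query(text):
    # Value lines are indented; the key path and banner lines are not.
    return [m.groups() for m in map(VALUE_LINE.match, text.splitlines()) if m]

def reasons(name, data):
    """Heuristics tied to the traits named in the thread; returns a list of hits."""
    out = []
    if not re.fullmatch(r"[\w .()-]+", name):
        out.append("garbage characters in value name")
    low = data.lower()
    if re.match(r"^[a-z]:\\[^\\]+\.exe$", low):
        out.append("executable in drive root")
    if r"\local settings\temp" in low or "temporary internet files" in low:
        out.append("runs from a temp folder")
    # Executable name: strip a leading quote, cut at the closing quote, take the last path part.
    exe = data.lstrip('"').split('"')[0].strip().split("\\")[-1].lower()
    stem = exe.rsplit(".", 1)[0]
    if stem != "microsoft" and stem.translate(LOOKALIKE) == "microsoft":
        out.append("look-alike of microsoft.exe")
    return out

def triage(text, key=RUN_KEY):
    """Return (value name, reasons, reg delete command to review) for suspicious values."""
    findings = []
    for name, _type, data in parse_reg_query(text):
        why = reasons(name, data)
        if why:
            findings.append((name, why, f'reg delete {key} /v "{name}"'))
    return findings
```

Heuristics like these only catch the traits the thread names; a plainly named dropper such as soundman.exe is identified by the vendor write-up, not by its Run entry.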
TomcaT Posted May 2, 2004
Thanks XtremeMac, I have learnt something new today.
XtremeMaC Posted May 3, 2004
always a pleasure