Help with Backdoor.Agobot variant

Discussion in 'Malware Help (A Specialist Will Reply)' started by bonzo, Aug 13, 2006.

  1. bonzo

    bonzo Private E-2

    I can't seem to remove a variant of the Backdoor.Agobot virus.

    My primary Spyware removal tool is PCtools' Spyware Doctor, and it recognizes this virus but cannot remove it, i.e. it quarantines the 17 or 18 files it finds, every time. When I delete the quarantined files and do another scan, the same files turn up (in normal or safe mode). There is no apparent logic as to why the number changes. The specific description of the virus from SD is: "Backdoor.Agobot (Backdoor.Agobot.ADH [BitDefender] W32/Gaobot.DUF [Norman Virus Control])"

    I have followed the spyware removal instructions on this forum and have turned up a couple of minor issues (see attached logs) but not one has recognized the Backdoor.Agobot. Subsequent scans leave me back at square one.

    My setup:

    Windows XP Pro SP2 (updated) P4 512K RAM 3.0GHz
    eTrust Security Suite (Firewall, Anti-Virus - up to date)
    Spyware Doctor 4 (updated)

    Any ideas?

    Additional file attachments in the next post...

    Thanks,
    --Bob
     

    Last edited: Aug 13, 2006
  2. bonzo

    bonzo Private E-2

    Additional log files (HiJackThis, Panda Activescan, and Kaspersky) attached.
     

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The first thing I notice is that you're running eTrust EZ Antivirus and AVG AntiVirus. This is not recommended, as running more than one antivirus will cause conflicts on your system. You need to pick one and uninstall the other.

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Please look in Add/Remove Programs for the following and uninstall them if found:

    AutoUpdate

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = G:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm

    O4 - Global Startup: DESKTOP (1).INI

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
    O9 - Extra button: @Home - {1A3B9AE4-1D85-4749-874D-605F04F9119E} - http://home.excite.com (file missing) (HKCU)

    O15 - Trusted Zone: http://www.hotmail.com
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://*.windowsupdate.com

    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/03b66f823aa863b64e00/netzip/RdxIE.cab
    O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.merriam-webster.com/toolbar/webinstall.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/honeycombs/install.c
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/arcadegames/fallingstars/wtinst.cab

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\AutoUpdate Delete this whole folder if it exists!

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\Downloaded Program Files\108184.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you complete the above, attach a fresh HJT log and let me know how things are running.
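    The reply above works from HijackThis output; as an added example (not code from the thread, and not a HijackThis feature), the PowerShell script below reads the same registry and startup locations those R0/O4/O6/O15/O20 lines come from, so the reader can see for themselves what is there and whether it is still there after the fix. It is read-only: it reports, it changes nothing. It assumes an elevated PowerShell prompt on the affected machine (PowerShell was not shipped with XP and would have to be installed); the registry paths are the standard ones behind each HijackThis section.

```powershell
# Added example, not part of the thread: audit the locations behind the HJT entries listed above.
# Read-only. Assumes an elevated PowerShell prompt on the machine being cleaned.

function Get-WinlogonNotifyStatus {
    # O20 entries: each subkey here names a DLL that winlogon.exe loads at logon.
    # A DLLName that does not resolve to a file is what HJT prints as "(file missing)".
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        $resolved = $dll
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $resolved = Join-Path $env:SystemRoot "System32\$dll"
        }
        [pscustomobject]@{
            Name       = $_.PSChildName
            DLLName    = $dll
            FileExists = [bool]($resolved -and (Test-Path $resolved))
        }
    }
}

function Get-TrustedZoneDomains {
    # O15 entries: under ZoneMap\Domains, a protocol value of 2 puts that domain in the Trusted zone.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base -Recurse | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        foreach ($proto in 'http', 'https', '*') {
            if ($props.$proto -eq 2) {
                [pscustomobject]@{
                    Domain   = ($_.PSPath -replace '.*Domains\\', '')
                    Protocol = $proto
                }
            }
        }
    }
}

function Get-IEPolicyRestrictions {
    # O6 entries: policy keys that lock IE settings. On a home PC with no domain policy, their
    # presence is worth a look; the value names show which settings are being forced.
    $keys = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
            'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    foreach ($k in $keys) {
        if (Test-Path $k) {
            [pscustomobject]@{ Key = $k; ValueNames = ((Get-Item $k).GetValueNames() -join ', ') }
        }
    }
}

function Get-GlobalStartupItems {
    # O4 Global Startup: everything in the all-users Startup folder runs at every logon.
    # -Force shows hidden files, which is how a stray DESKTOP (1).INI would otherwise hide.
    $folder = [Environment]::GetFolderPath('CommonStartup')
    Get-ChildItem $folder -Force | Select-Object Name, Length, LastWriteTime, Attributes
}

"== Winlogon Notify (O20) ==";      Get-WinlogonNotifyStatus | Format-Table -AutoSize
"== Trusted Zone domains (O15) =="; Get-TrustedZoneDomains  | Format-Table -AutoSize
"== IE policy keys (O6) ==";        Get-IEPolicyRestrictions | Format-List
"== Global Startup folder (O4) =="; Get-GlobalStartupItems   | Format-Table -AutoSize
```

Run it once before clicking Fix in HijackThis and once after the reboot; an O20 entry whose DLL is missing, or a Trusted Zone domain you did not add yourself, should be gone in the second run. Anything that comes back on its own points at something still running that re-creates it, which is the pattern the original poster describes with Spyware Doctor.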
     
  4. bonzo

    bonzo Private E-2

    Thanks for the help! This is really driving me nuts...

    I can't seem to uninstall AVG - I tried to uninstall it a while ago but I must've done some screwy combination of installing in safe mode/uninstalling in normal mode with a system restore thrown in at some point...I know, I know, not too bright. It now sort of half-runs: a dialog pops at start-up stating that AVG can't run, but the process still shows up anyway. I can delete the process, however. What is the best way for me to get rid of the AVG remnants?

    RE AutoUpdate: It doesn't show up in add/remove programs, so no worries there.

    HiJackThis deletes everything checked except:
    O4 - Global Startup: DESKTOP (1).INI

    It pops a dialog stating that the process is still running and to kill it in the task manager before clicking fix again. Slight problem: it doesn't appear in the task manager. What should I do?

    Thanks again,
    bonzo

    P.S. How compromised is my system? I did some purchasing and online banking recently; should I be concerned about passwords/account #'s being compromised?
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Manually remove this file; it should be in Start > All Programs > Startup

    I wouldn't worry about anything, what you had was nothing major.
     
  6. bonzo

    bonzo Private E-2

    Ok, I've completed everything requested and have attached a fresh HJT log. I did another Spyware Doctor scan and those 17 files are still showing up. I've attached a couple of Spyware Doctor logs to show you what files it has been digging up.

    Before I started the process you prescribed, I noticed that my history pane in IE contained a record of seemingly EVERY file I open (including BMPs and Excel files). Alas, this is still happening now as well. Any other ideas for getting rid of this stuff would be appreciated.

    Question: If I am infected with something nefarious, can it spread to another OS installed on the same machine? I am thinking of doing a clean install on another drive and then copying my docs and files over before nuking the infected install.

    Also, occasionally AcroRd32.exe appears as an active process (and Acrobat 7 is not opened) - not sure what this means but I wonder if it could indicate a Bugbear variant.

    Thanks,
    bonzo
     

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type in regedit

    Manually navigate to the following keys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVKP

    Right click on SVKP and select "Permissions". In the list click on "Everyone" and at the bottom, check the box next to "Full Control". Click OK to exit.

    Now right click on "SVKP" and delete it. If you get any errors let me know!

    Now do the same for the key below:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVKP

    Right click on LEGACY_SVKP and select "Permissions". In the list click on "Everyone" and at the bottom, check the box next to "Full Control". Click OK to exit.

    Now right click on "LEGACY_SVKP" and delete it.

    After you complete this, reboot and see if they are still being detected.
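    The regedit steps above (open the key's Permissions, give Everyone Full Control, delete the key) can be scripted, and doing so lets you back the keys up first and record what the service pointed at. The following is an added example, not code from the thread: it assumes an elevated PowerShell prompt on the affected machine, uses the two key names from the reply, and writes the backups to a `regbackup` folder on the Desktop (an assumption; change it as you like). Nothing is deleted until the confirmation prompt is answered.

```powershell
# Added example, not part of the thread: script the two registry deletions from the reply above.
# Assumes an elevated PowerShell prompt. Backs each key up with reg.exe before touching it.

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\SVKP',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVKP'
)
$backupDir = Join-Path $env:USERPROFILE 'Desktop\regbackup'   # assumption: backup location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

function Grant-EveryoneFullControl {
    param([string]$Path)
    # Same change as right-click > Permissions > Everyone > Full Control in the reply.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        Write-Host "Not present: $key"
        continue
    }

    # Note what the service loads before the key goes, so the driver file itself can be dealt with.
    $props = Get-ItemProperty -Path $key
    if ($props.ImagePath) { Write-Host "$key  ImagePath = $($props.ImagePath)" }

    # Export the key first; double-clicking the .reg file puts it back if something breaks.
    $regPath    = $key -replace '^HKLM:\\', 'HKLM\'
    $backupFile = Join-Path $backupDir ((($key -split '\\')[-1]) + '.reg')
    reg.exe export $regPath $backupFile /y | Out-Null
    Write-Host "Backed up to $backupFile"

    try {
        Grant-EveryoneFullControl -Path $key
        Remove-Item -Path $key -Recurse -Confirm
        if (Test-Path $key) { Write-Host "Still present (not confirmed or not removable): $key" }
        else                { Write-Host "Deleted: $key" }
    } catch {
        # The reply asks for any errors to be reported. The usual cause on these keys is that
        # SYSTEM owns them, in which case ownership has to be taken before the ACL can be changed.
        Write-Warning "Failed on ${key}: $($_.Exception.Message)"
    }
}
```

A service key that is locked down so that even Administrators cannot open it in regedit is itself a signal: legitimate drivers do not need to hide their configuration. After the reboot, re-run the scanner as the reply says, and if `Services\SVKP` reappears, something still on disk is re-registering it and the file named in the `ImagePath` line printed above is where to look next.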
     
