trouble removing agobot/gaobot worm

I can't seem to get rid of the agobot.gen (gaobot.gen, according to Norton) worm.

I'm running XP, system pack 2, and I'm up to date on all patches and things. I've got Norton and AVG both running, and they've been trading off giving continual warnings about the virus. Norton detects and deletes the files (crss.exe and nvc32.exe, specifically), while AVG is unable to quarantine, fix or delete them.

I ran the Symantec fix tool (here) multiple times, but it doesn't find an infection at all.

So far, I've done everything recommended on your 'read first' thread, including all the optional stuff. (By the way, that thread's the best and most comprehensive virus removal how-to I've seen!) Here are the results of the virus scans:

Trendmicro scan: found infection, but unable to clean or delete
Symantec: page wouldn't load (possibly a problem with Firefox?)
McAfee: no infection
Bitdefender and TrojanScan: found popcap dialer, deleted
RavAntiVirus, a2, avast: no infection

I've also googled like crazy to find a manual fix, but the only available one seems to be the one recommended by Symantec (on the page linked to above). I can't find any of the registry values that correspond to the virus. (I ran RegScrubXP in case I was missing something, but to be honest, I couldn't make heads or tails of the results, so I didn't want to change anything.) Similarly, my hosts file is clean (only entry is the 127.0.0.1 localhost one).

I'm at a bit of a loss now. So, hopefully you can give me some advice on how to get this thing gone. Sorry this post is so long!

 

I did try the Gaobot fix tool, but it doesn't find an infection to fix.

HijackThis log is attached. Thank you!

 

The troublesome files are:

C:\crss.exe
C:\Documents and Settings\All Users\Documents\crss.exe
C:\nvc32.exe
C:\Documents and Settings\All Users\Documents\nvc32.exe
C:\WINDOWS\System32\spool\PRINTERS\*.SPL (* is a 5 digit number, different each time it has come up.)

I used the Java version of the TrendMicro scan.

 

I removed the files, but as soon as I booted back in normal mode, c:\nvc32.exe came back. (The others haven't made an appearance yet.) The virus vault fills up as quickly as I can empty it...

 

System restore is off, and I uninstalled AVG.

This morning I started getting this error when I start the computer:

 

I wasn't able to find the WER7b22.dir00 folder at all manually, and when I ran CCleaner, those files were not on the list of deleted items. (Yesterday's error message didn't appear today.)

C:\nvc32.exe is still there, and C:\Documents and Settings\All Users\Documents\nvc32.exe and all the entries in the C:\WINDOWS\system32\spool\PRINTERS folder have reappeared in the last few hours.

I installed, updated and ran Spy Sweeper (in normal mode because it wasn't specified - is that alright?), log is attached.

 

That was all I got from Spy Sweeper, unless I took the info from the wrong place - I copied out what was in the window in the lower part of the screen.

I had trouble with Pocket KillBox. It wouldn't paste the filenames correctly, so I tried to do them individually, but each time I got an error saying the files don't exist. Searching manually, I couldn't find them either. The Norton warnings are still coming, however, in fits and spurts - I'll get a couple hundred warnings over a few minutes, and then everything will be quiet for a few hours. Maybe what's happening is that Norton is actually doing a good job getting rid of the files when they show up, but somehow I'm periodically getting reinfected?

The computer is running fine, other than the alerts - if it weren't for the Norton pop-ups, I wouldn't suspect anything was wrong.

 

I downloaded ZoneAlarm, and have had no more virus problems - thank you so much for all your help with that.

I am still occasionally getting the error message I mentioned previously. The same files are reported, but with different paths each time. It's happened twice since I last posted, and the files were:

C:\DOCUME~1\sims\LOCALS~1\Temp\WERc3ec.dir00\svchost.exe.mdmp
C:\DOCUME~1\sims\LOCALS~1\Temp\WERc3ec.dir00\appcompat.txt

and:

C:\DOCUME~1\sims\LOCALS~1\Temp\WER8e81.dir00\svchost.exe.mdmp
C:\DOCUME~1\sims\LOCALS~1\Temp\WER8e81.dir00\appcompat.txt

Any idea what this is?

 

you are still are infected. at symantecs site do a search on: WERc3ec

and any other file you have issues with.

also, do a scan in DOS with F-Prot, google it.

 

I searched for appcompat.txt, and the only file that showed up was under a different user-name. (One that hasn't been used in quite some time, though the file was last modified May 4, 2005.)

I don't usually play games, though I played Zuma (from this site) recently. I don't use any P2P software. I'm the only active user on the computer, as well.

I've run CCleaner under my username - is there a way to get it to clean all usernames, or do I need to do it under each individually?

 

The other user accounts are there because my family shares the computer when I'm home. I'm currently at school, though, so they've been unused for the last 4 months, approximately. They are password protected.

The full pathname was:

C:\Documents and Settings\Kathleen\WER2.temp.dir00\appcompat.txt

I've gone through and run all the clean-up programs in each username. The only programs I've installed recently are the ones recommended here in the course of fixing the virus. Could one of these be causing trouble?

 

also: new strange thing. Something's gone screwy with the task manager. The tabs and menus have disappeared - even the top bar with the close/minimize/maximize buttons. All I've got is the lower part of the window - with the program list, status, and the three end task, switch to and new task buttons. There's no way to close it except right-clicking on the icon in the system tray. I'm not sure when this happened, as I don't open the task manager that often, but the computer was running slowly as I was trying to open a browser window, and I opened it to see if something was going on in the background. (Various Norton processes take over now and again, and I wanted to check what it was doing.)

 

Sorry, never mind that last post, fixed it. (Stupid me double-clicked somewhere I shouldn't have, apparently. Duh.)

 

I figured as much...is there any indication in the file where the software conflict might be coming from?

Should I move over to the software forum with this?

 

Alright - thank you so, so much for all your help. This forum is really an awesome resource. Thank you for your (and everyone's) hard work in making this such a great place.