Well I talked to eBoundary on IRC today to try and fix this, and apparently he says it's a worm (agobot or something) and the only way to get rid of it is to format. Of course, I'm gonna get a second opinion, as formatting is gonna be my last course of action, and only if nothing else is possible. So my problem is that whenever I plug the computer into the network (it's a laptop), it basically freezes up to a crawl. We know it's not a driver thing because I plugged in a random ethernet PCMCIA card and that didn't work either. So is it that worm? And is there any way to get rid of it?
I looked at that about this family and it said to check the hosts file to see if it blocks these websites, and it doesn't, so apparently it's not agobot or phatbot; also it doesn't disable my Norton or anything. It just completely stops my computer when it connects to the network.
I've run Stinger and Norton AV, with no results (both with latest definitions).
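The "check the hosts file" test mentioned above is one of the quickest triage steps for this malware family, because a common trick is to pin antivirus and update servers to localhost so the product can no longer fetch definitions. The script below is an added example, not code from the thread or from any vendor: it parses a constructed Windows hosts file and reports any entry that maps a watchlisted vendor or update domain to a loopback/unspecified address (blackholed) or to some other address (redirected). The watchlist of domains is an assumption for the example; extend it for the products actually installed.

```python
import ipaddress

# Constructed sample of a Windows hosts file, for demonstration only;
# it is not taken from the poster's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       update.symantec.com
0.0.0.0         download.mcafee.com   # not something a user normally adds
10.0.0.5        windowsupdate.microsoft.com
192.168.1.20    fileserver.lan
"""

# Illustrative watchlist of security-vendor / update domains (an assumption
# made for this example, not a complete list).
WATCHLIST = (
    "symantec.com",
    "symantecliveupdate.com",
    "mcafee.com",
    "microsoft.com",
    "windowsupdate.com",
)


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments,
    blank lines and lines whose first field is not a valid IP address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a usable mapping
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def on_watchlist(hostname):
    """True if hostname is a watchlisted domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHLIST)


def suspicious_entries(text):
    """Any watchlisted hostname pinned in the hosts file is suspicious: a normal
    hosts file has no reason to hard-code vendor update servers at all.
    Returns a list of (hostname, reason) in file order."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" or not on_watchlist(name):
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            reason = "blackholed to %s" % ip   # AV/update traffic goes nowhere
        else:
            reason = "redirected to %s" % ip   # traffic sent to another host
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    # On a real Windows box read %SystemRoot%\System32\drivers\etc\hosts instead.
    for name, reason in suspicious_entries(SAMPLE_HOSTS):
        print("%-40s %s" % (name, reason))
```

A clean hosts file produces no output; every line the script prints is worth explaining before the machine is trusted again, and a "redirected" entry deserves more attention than a "blackholed" one because it hands the update traffic to a host the attacker chose.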
It depends on the variant you have, all of them don't edit the hosts file. Delete everything in registry Run, and run services. If you don't know what it is, even if it looks like Windows, delete it. Windows doesn't put anything in there you can't take out. But I'd have to agree with others, this is either phatbot, agobot, mbot, or a hyped up version of a few others. Basically, it joins the channel when you get connected to the net, and receives the scan command, and kills your machine.
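The behaviour described in this post (a bot that joins an IRC channel once the machine is online, then receives a scan command that floods the network) leaves a visible footprint in the socket table: one long-lived session to an IRC port plus a burst of half-open outbound connections from the same process. The script below is an added example, not code from the thread: it parses a constructed `netstat -ano` listing in the Windows layout and attributes both symptoms to a PID. The addresses come from the RFC 5737 documentation ranges, the PIDs are made up, and the IRC port set and scan threshold are assumptions for the example.

```python
from collections import Counter, defaultdict

# Constructed `netstat -ano` output (Windows layout). Addresses are from the
# RFC 5737 documentation ranges; PIDs are invented for the example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    192.168.1.50:1049      198.51.100.7:6667      ESTABLISHED     1488
  TCP    192.168.1.50:1050      203.0.113.10:445       SYN_SENT        1488
  TCP    192.168.1.50:1051      203.0.113.11:445       SYN_SENT        1488
  TCP    192.168.1.50:1052      203.0.113.12:445       SYN_SENT        1488
  TCP    192.168.1.50:1053      203.0.113.13:135       SYN_SENT        1488
  TCP    192.168.1.50:1054      203.0.113.14:135       SYN_SENT        1488
  TCP    192.168.1.50:1060      198.51.100.20:80       ESTABLISHED     2204
  UDP    0.0.0.0:500            *:*                                    668
"""

# Assumed indicators: the classic IRC port range plus 7000, and the number of
# simultaneous SYN_SENT sockets from one process before we call it a scan.
IRC_PORTS = set(range(6660, 6670)) | {7000}
SCAN_THRESHOLD = 5


def parse_netstat(text):
    """Turn netstat -ano text into dicts; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # title, header, blank line
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP" and len(parts) == 5:
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[-1])
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": pid})
    return rows


def foreign_port(addr):
    """Port of a 'host:port' string; rpartition copes with '[::1]:80'."""
    _host, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def triage(text):
    """Return {pid: [reasons]} for processes showing bot-like behaviour:
    an established session to an IRC port and/or a burst of half-open
    outbound TCP connections (the 'scan command' symptom)."""
    findings = defaultdict(list)
    syn_sent = Counter()
    for row in parse_netstat(text):
        if row["proto"] != "TCP":
            continue
        port = foreign_port(row["foreign"])
        if row["state"] == "ESTABLISHED" and port in IRC_PORTS:
            findings[row["pid"]].append("IRC session to %s" % row["foreign"])
        if row["state"] == "SYN_SENT":
            syn_sent[row["pid"]] += 1
    for pid, n in syn_sent.items():
        if n >= SCAN_THRESHOLD:
            findings[pid].append("%d half-open outbound connections (scanning)" % n)
    return dict(findings)


if __name__ == "__main__":
    # On the affected box, pipe real output in: netstat -ano > netstat.txt
    for pid, reasons in sorted(triage(SAMPLE_NETSTAT).items()):
        print("PID %d: %s" % (pid, "; ".join(reasons)))
```

The PID is the useful output: it is what you look up in Task Manager or `tasklist` to find the binary behind the traffic, which is the evidence to gather before anything is deleted from the Run keys or the services list. A machine that is being used to scan will show many more SYN_SENT rows than this sample, which is also why it "freezes up to a crawl" only when the cable is plugged in.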
Nick, that's always the worst suggestion imo. Xshare, when did this start happening? You can also do a whole registry restore, from about 2 weeks ago. That usually stops any viruses from booting up 80% of the time. I have had to do it 2 times, from viruses that totally took over the machine. If you want to do that I can give you a link to some info.
You can skip part 1, it's for a backup. Never needed it myself.
Do that stuff in step 1 so you can see the folder in C:/. Now go into System Volume Information. View by details, and you can see when each folder was created; inside these folders are restore points. Go back as far as you need to (before it started happening). Then go into the snapshot folder, and do as the site says. You will need to reboot (hopefully you are using XP) with the XP CD in. Start from the CD and go to the Recovery Console. Hit 1 to select C:/, hit enter when it asks for the password. Then do everything the site says. This should revert your registry, and should fix any problems.
The recovery CD may work the same, stick it in and see if there is a Recovery Console; if not, download a copy of an XP CD *since you own it* and go from there. Unless someone knows of a good "NTFS" DOS boot-up disk alternative.
Originally posted by NH-Benjamin: "agobot hehehehe I removed over 39 agobots from my friend's computer, it was milking her bandwidth"
Yeah, but are you *sure* the worm is the only thing that was on the system? Which variant was it? How do you know the controllers did not use the IRC-controlled backdoor to update its files to include some backdoor that wasn't/isn't in any advisories?
These machines were obviously already vulnerable to the attacks that the worm/malware used to break into the system so there is obviously no guarantee that this particular exploit/vulnerability had not already been used by someone or something else.
Without full audit trails (which obviously don't exist or the system would not have been compromised in the 1st place) on the system there is no way to guarantee your system[s] are back to a trusted state.
NH-Benjamin, I also do this for a living and I can assure you I've picked apart at least 7 of these nasties that had previously unidentified characteristics, backdoors and custom rootkit-type functions. Some of them included a built-in SSL p2p-type network functionality which allowed them to pass personal information such as keystrokes, passwords and the contents of files matching *.xls, *.mdb, *password*, *money*, *cards* and store them in a distributed fashion to ensure the data would be available even if the host machine was taken offline.
In my opinion it is *always* better to take your machine back to a trusted state after a compromise because frankly, if you have the technical ability to forensically analyze the binaries on the system and all factors of the break-in, then you probably would not have been in a position to get compromised in the 1st place.
http://www.eBoundary.com - Let us help you expand your eBoundaries!
Fast, Secure and reliable FreeBSD shared, reseller and dedicated hosting.
FREE Peace of mind with every account!