Backdoor Agobot ALI Trojan Please Help!!

05-30-2008, 02:45 PM
Registered User
Join Date: Apr 2008
Posts: 25
Alright, just recently my computer started running very slow, so I tried scanning for viruses, but when I tried to load up my anti-virus it would just pop out and disappear. So I went online and found a free scanner which is called XoftSpySE. I did a scan and it said I have 2 Backdoor Agobot ALI Trojan and it's a severe risk, and its location is at software\microsoft\windows\currentversion\run\microsoft updates and the other one is at software\microsoft\windows\currentversion\runservices\microsoft updates
which I have no idea where that's at. So I went to trendmicro.com and made a free scan, but all it picked up was cookies and stuff like that, and now I don't know what to do, or what if that XoftSpySE program just tells me I have a trojan so I would download the real version which costs money xD please someone help!!

05-30-2008, 06:47 PM
Registered User
Join Date: Jan 2007
Location: Australia
Posts: 1,162
I wouldn't trust XoftSpy. Go to this site, download, install and update: http://www.superantispyware.com/download.html
Boot into safe mode (no networking) and run a full scan; also run a full scan of your anti-virus in safe mode.
__________________
MCP
MCDST

05-30-2008, 06:58 PM
Registered User
Join Date: Apr 2008
Posts: 25
Well, now that might be a problem, because now it says I can't install stuff because something is wrong with the services or something like that, and it tells me it might be in safe mode but I don't have it on safe mode. Oh, and my computer is running normal speed now, but I'm sure I have a virus, but I can't load up my anti-virus.

05-30-2008, 07:43 PM
Temporary Ban
Join Date: Sep 2002
Location: In a plasma conduit
Posts: 1,625
Wow! What a baddie!
Gains access via unpatched vulnerabilities. Keep your machine updated!
"Backdoor" in the name means you don't go onto a network with this machine. It is under remote access.
Change all your passwords everywhere, immediately!
See here for what it does:
http://www.trendmicro.com/vinfo/viru...OT.ALI&VSect=T
Removal:
http://www.trendmicro.com/vinfo/viru...2EALI&VSect=Sn
__________________
Where there's a will, There's a way.
Pay developers, not Rapidshare!
I know nowt, but at least I'm trying. 
Quality, not quantity.
Prevention is better than cure.
Last edited by Disk_Contented : 05-30-2008 at 07:45 PM.

05-30-2008, 10:35 PM
Registered User
Join Date: Apr 2008
Posts: 25
Alright, it tells me to download the latest pattern file and to do a scan with my Trend Micro anti-virus, but I can't open up the anti-virus, so then it tells me to use HouseCall, but I did that like 4 times already and it didn't detect anything. But I did this before I downloaded the latest pattern file, so if I download that, does the HouseCall scan pick up the backdoor thingy? Oh, then I read I had to have System Restore off, so I did that already and restarted, and I'm about to do the HouseCall scan and see if it picks up anything. Oh, and it told me to do this:
1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
msvps = "msvps.exe"
4. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
5. In the right panel, locate and delete the entry:
msvps = "msvps.exe"
6. Close Registry Editor.
But I couldn't find the msvp file in any of those two, so idk, but thanx a lot for the help so far, at least I understand this more.

05-31-2008, 10:14 AM
Temporary Ban
Join Date: Sep 2002
Location: In a plasma conduit
Posts: 1,625
Quote:
Originally Posted by Monty007
I wouldn't trust XoftSpy. Go to this site, download, install and update: http://www.superantispyware.com/download.html
Boot into safe mode (no networking) and run a full scan; also run a full scan of your anti-virus in safe mode.

It looks like Monty was right and XoftSpy was listed as a rogue app at one time. I class it as untrustworthy. Try the app he suggested.
If you think it might be a false positive, Gus209, remember your system is acting as though it will do anything to stop you scanning it. Beware!

05-31-2008, 03:41 PM
Registered User
Join Date: Apr 2008
Posts: 25
Yes, maybe XoftSpy just listed that trojan so I would buy the real version, but I know I have something in my PC that ain't letting me scan, and Trend Micro's HouseCall ain't picking it up, and I can't use this http://www.superantispyware.com/download.html because I can't install nothing in my computer =(

05-31-2008, 05:31 PM
Temporary Ban
Join Date: Sep 2002
Location: In a plasma conduit
Posts: 1,625

05-31-2008, 05:59 PM
Registered User
Join Date: Apr 2008
Posts: 25
OMFG it doesn't let me go to that site =( I'm getting really pissed now

05-31-2008, 06:01 PM
Temporary Ban
Join Date: Sep 2002
Location: In a plasma conduit
Posts: 1,625
Post a list of startup items or running processes, though if I were you I would start over.

05-31-2008, 06:07 PM
Registered User
Join Date: Apr 2008
Posts: 25
In Task Manager, right? I'm not a whole lot of smart in computers.

05-31-2008, 06:18 PM
Temporary Ban
Join Date: Sep 2002
Location: In a plasma conduit
Posts: 1,625
Yes, it may need a screen grab

05-31-2008, 06:34 PM
Registered User
Join Date: Apr 2008
Posts: 25
well I don't know what a screen grab is lol but here is the list of the running processes
PnkBstrA.exe
mDNSResponder.exe
firefox.exe
wpabaln.exe
svchost.exe
svchost.exe
xfire.exe
svchost.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
iPodService.exe
RocketDock.exe
ctfmon.exe
rundll32.exe
rundll32.exe
iTunesHelper.exe
explorer.exe
taskmgr.exe
System
System Idle Process
and here is the list of start up items
svehost
UfSeAgnt
qttask
iTunesHelper
trtgdfua
ccgcdqhy
ApcMain
ctfmon
RocketDock
Trend Micro Internet Security

05-31-2008, 06:50 PM
Temporary Ban
Join Date: Sep 2002
Location: In a plasma conduit
Posts: 1,625
trtgdfua
ccgcdqhy
Nonsense names. There to confuse you.
ApcMain Can you get to this site: http://www.securitystronghold.com/ga...restriker.html

05-31-2008, 06:59 PM
Registered User
Join Date: Apr 2008
Posts: 25
yeah i could get to that site
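
The registry steps quoted earlier in the thread and the startup list posted later both come down to reading the Run and RunServices values under HKEY_LOCAL_MACHINE. The PowerShell below is an added example, not part of any post in the thread; it assumes PowerShell is available on the machine, the function name Get-AutostartEntry is hypothetical, and the watched names are the ones mentioned in the posts.

```powershell
# Added example: read-only audit of the two autostart keys named in the thread.
# Nothing is deleted; the output is for review before any manual cleanup.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Value names that appear in the posts above (scanner report, quoted removal
# steps, startup list). PowerShell's -contains compares case-insensitively.
$watch = @('msvps', 'microsoft updates', 'trtgdfua', 'ccgcdqhy')

function Get-AutostartEntry {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string[]] $WatchName = @()
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            # RunServices is absent on many Windows versions; report and move on.
            Write-Warning "Key not present: $p"
            continue
        }
        $key = Get-Item -LiteralPath $p
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key     = Split-Path -Leaf $p
                Name    = $name
                Command = $key.GetValue($name)
                Watched = $WatchName -contains $name
            }
        }
    }
}

# Watched entries sort to the top; every other entry is still listed for review.
Get-AutostartEntry -Path $keys -WatchName $watch |
    Sort-Object -Property Watched, Key, Name -Descending |
    Format-Table -AutoSize -Wrap
```

As in the thread, where the msvps entry was not found, an empty Watched column only means no value is stored under one of those names in these two keys.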