I am trying to find the file on my system but when I go to regedit, it automatically closes, and the same thing happens with Windows Task Manager. I was wondering what is a good program to sniff the info such as which server and channel it is connecting to. I want to get this f*cker. I tried to use Ethereal but I really don't see anything there, or maybe I just don't know how to use it. Anybody care to explain Ethereal, or does anyone recommend another sniffer that is maybe simpler to use? Say I find the file on my system, can I unpack it somehow to find out the info that way? Thanks for all your help guys.
OneNight
Mar 30 2004, 08:11 AM
Perhaps try Spybot - Search & Destroy 1.2, grab it here. It's a freeware scanner which will scan/clean your PC of "spyware, adware, hijackers and other malicious software".
And try an online scanner like this one and afterwards get the specific removal tools from, for example, here.
Also, perhaps it's better if you cut your losses about getting the guy back, because chances are, as a novice, that you won't be able to. Learning about how he got into your system and perhaps looking at the tools he used would teach you more.
Also look into some articles on system hardening (use the search button on this forum and Google) so that you can secure yourself against any future attacks.
If you're interested, here's a good reason why closing open ports might lessen the chances of it happening again.
G-Ryder
Mar 30 2004, 03:05 PM
If you install a firewall such as ZoneAlarm or any which has outgoing protection, then when it attempts to connect to the internet you will get a pop-up box telling you the name of the program. You could then search for the file, kill it and delete it. The only trouble may be if it has joined itself to one of your system files. Then they need to be replaced by uninfected ones. Also, have you tried using msconfig to see if it's on the start-up list? You never know, you may get lucky and find a conf file for the bot that will say what server it's connecting to.
tribalgoa
Mar 30 2004, 03:36 PM
Rename your regedit.exe to regedit.com and it won't be closed by the Agobot.
izzykahn
Mar 31 2004, 03:54 PM
Try using fport, which is a command line tool. It will show you what application is running on an associated port. This is handy if you think you have a trojan and it is undetectable by anti-virus. Usually I'll do a netstat -an first to see what connections are being made to what hosts and on what ports. Then I'll use fport and see what app is running on those suspicious ports. Once found, reboot in safe mode, kill the process, delete the file, delete the reg entries, reboot again and check your net connections and processes.
Spookie
Mar 31 2004, 04:19 PM
QUOTE
I was wondering what is a good program to sniff the info such as which server and channel is it connecting to
Port Explorer (Purchased) will allow you to monitor the port you selected to view traffic through socket spy. You can find the screen shots on the above link or you can view them here.
You may want to burn all to a CD, then go offline and install. Check out TDS3 and run a scan to see if the bot can be identified. Once you identify it you can better figure out how you got it. Just my opinion.
When all else fails, and you feel uncomfortable staying online because you think your box is {Dirty} after, your best peace of mind will come from a restore or clean install. Stay offline, put Wormguard on, your AV and your PFW, then update your AV, reboot and start the joys of Windows updates.
As I stated this is just my opinion and I hope it provides you with some assistance
Qlimax
Mar 31 2004, 04:31 PM
Kill the bot! Open tlist and look at the list, kill the process that looks like a bot. You can kill it with Alt+Ctrl+Delete. Good luck.
JMP
Mar 31 2004, 09:14 PM
QUOTE (Qlimax @ Mar 31 2004, 04:31 PM)
Kill the bot! Open tlist and look at the list, kill the process that looks like a bot. You can kill it with Alt+Ctrl+Delete. Good luck.
tlist, isn't that the task manager?
JohnAcres
Mar 31 2004, 09:21 PM
If you want to figure out what the bot is doing, if it's an IRC bot then you can open up netstat and see what server it's connecting to. Most of the time they're password protected, but if you follow the advice above about finding the files you can generally find the password and channel and the channel key in a config file for the bot. Maybe you can put their bots to use for your own gain or find out who's running it and get your vengeance (legally of course).
Maverick
Mar 31 2004, 11:57 PM
You've been given a few good ideas already, so I'll just add my $0.02 here as well.. I did a quick search on Google for you, and I found a link that sounds very similar to your situation. Have a look here: http://www.worth1000.com/stories/thread.asp?cid=31&eid=92672
In that thread, the thread starter was having the same issues that you seemed to be having - they give some more ideas and such and in the end, he is able to fix his problem. From what they were talking about, the problem was with a file called 'winchost.exe'... Check out what they have to say, you might get your issue fixed...
Hope I could help...
ArchAngel
Apr 1 2004, 05:04 AM
One of my close friends had gotten a bot recently... a couple of things to fix it are to either get a software firewall... the Norton Internet Security pack is a nice package containing everything you need to get rid of it and make sure it doesn't happen again... or simply go get a nice little Linksys/Netgear router... the built-in firewall will prevent incoming traffic. Hence it will not allow the "bot maker" the privilege to come back in.
K1LL3RB0Y
Apr 7 2004, 03:11 PM
Open DOS and enter netstat -n and look at which of your ports are open, and kill the bot by Ctrl+Alt+Del (kill process). Then search for the files on your PC. Also look in your menu for a boot link, or else disable them in msconfig.
kebab1701
Apr 7 2004, 10:18 PM
Good job on posting that online scanner, I'm giving that a go just now just in case.
Roby
Apr 10 2004, 05:29 PM
So xtcanything, did you fix your problem or not?
I have a similar problem, but the only thing that differs is that the bot is on a remote system. Has anyone had any experience with dealing with this remotely? Or does anyone have any idea how to remove the bot?
Info I have gathered: the system is infected with WORM_AGOBOT.HM (I'm not 100% sure). List of processes running (my backdoor is removed from the list):
CODE
0 System Process
4 System
432 smss.exe
492 csrss.exe
516 winlogon.exe       Winlogon generic control dialog
560 services.exe
572 lsass.exe
744 svchost.exe
932 svchost.exe
972 svchost.exe
1108 spoolsv.exe
1140 CCEVTMGR.EXE
1332 mdm.exe
1348 NAVAPSVC.EXE
1368 NPROTECT.EXE
1636 svchost.exe
1660 wanmpsvc.exe
400 explorer.exe       Program Manager
124 ccApp.exe
784 PgMonitr.exe
820 hpwuSchd.exe
852 hpcmpmgr.exe
872 sms.exe
888 rundll32.exe
952 Babylon.exe        Babylon
912 msnmsgr.exe
1256 QuickDCF.exe
1468 hpqtra08.exe
3200 HPZipm12.exe
2352 svchost.exe
2248 msmsgs.exe
7184 ctfmon.exe
1064 IEXPLORE.EXE      Your.com - Your license to find anything on the web - Microsoft
2388 WINWORD.EXE       Cover_Letter_Police - Microsoft Word
10608 cmd.exe
12572 IEXPLORE.EXE     Overstock.com, save up to 80% every day! - Microsoft Internet E
13516 cmd.exe
13248 logon.scr        Screen Saver
List of active ports (my backdoor is removed from the list):
When trying to connect to port 22953 with an FTP browser, I get the following output:
CODE
Connecting to x.x.x.x
Connected to x.x.x.x -> IP=x.x.x.x PORT=22953
220 Bot Server (Win32)
USER anyname
331 Password required.
PASS anypass
230 Login successful. Have fun.
SYST
215 UNIX Type: L8
REST 100
500 command not understood
This site may not allow file resuming
PWD
257 "/" is current directory.
TYPE A
200 Type set to I.
PASV
QUIT
500 command not understood
Logged off: x.x.x.x
Two things I have tried to do:
CODE
C:\WINDOWS\system32>del soundman.exe
The handle is invalid.
CODE
C:\WINDOWS\system32>net stop soundman
.
The soundman service could not be stopped.
I have found some info about this worm here: hxxp://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.HM&VSect=T but I'm not sure how to use it properly to disable the beast. Maybe editing the registry would first disable its capability of autostarting after reboot, and then it would be easily removed after rebooting the system? I don't have a clue on how to deal with this, so, please, any advice is more than just appreciated!
Thank you for your time!
aapje
Apr 10 2004, 06:12 PM
I had the same virus, Trend Micro cleaned it like 10 times but it kept coming back, don't know what it was but I formatted so it's gone now (didn't format because of that bot).
pcg33k
Apr 10 2004, 09:02 PM
Yeah, Norton firewall is the best solution. First of all disconnect from the internet, then delete the files and install Norton firewall, that way no one will access your PC. In case you want to catch him, don't delete the trojan, and the moment the dude accesses your PC there will be a pop-up with the dude's IP and other info about him ;D