Thread: Some ??'s re: Tea Timer & Agobot-KU removal

  1. #1
    Member
    Join Date
    Jan 2006
    Posts
    45

    Some ??'s re: Tea Timer & Agobot-KU removal

    Landlady just brought back her laptop & gave to me to update all.
    Upon start-up, Tea Timer (which I keep active) threw up a reg warning re:
    Reg Change deleting Spybots BHO (bad download blocker).....2484F!!
    Only option offered was to Approve (deny change grayed out). Recognizing the BHO as S&D's I tried to just red X it. Soon as the pop-up disappeared, it immediately reappeared!
    Opened S&D >Tools>Start-up and found 2 new start-up entries HK_LM Run (Blanks).
    Info indicates Agobot-KU.
    Questions:
    1) Will ticking box in front of 2 and hitting Delete remove the worm or just remove the entry from the list? or Should I just "Highlight", not tick box & hit delete?
    2) Can S&D in fact "Fix" this problem?? If so how do I do so?
    3) Given the pop-up warning is clearly corrupted (grayed out deny option & constant re-appearance of same) does this mean my S&D installed version is now corrupted and I have to un-install and then install "clean"version? If so, what further steps need I take to ensure clean before new install?
    4) After checking start list and un-ticking 2 boxes, I ran a full Spybot scan
    (expecting "fix" option). Scan returned no problems!! How come??
    5) Am currently running an AVG scan and so far nothing found (I expect it to at least find my Eicar test virus I keep to test AVG not corrupted) Is Agobot known for attacking AV's as well? Is it known under "other names" & which?
    Sorry for the quantity of questions but it is very rare I catch any illness of this type. Additional info: XPPro SP1 + 20 hot fixes, AVG latest engine & defs,
    AdawareSE, CCleaner. Help Soon Please as I don't want to connect this machine to net until solved!! Thanks in Advance for your Guidance!

  2. #2
    Member
    Join Date
    Jan 2006
    Posts
    45

    Info Correction: XP Home SP2. Gotta Stop....

    posting after 3AM local!!!!
    Further info: Spybot Scan found nothing. Avg Scan using latest defs found only Eicar test folder (zipped).
    Didn't find RASMGR.EXE in running processes (should according to Symantec).
    Battery on the "infected laptop " ran out before doing more. I will have to return to this tomorrow as it's near 5:30 AM local. My thanks for your efforts 'til then.:blush:

  3. #3
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859

    re: TeaTimer - grayed out "Deny change" option.

    During some changes the "Deny change" option is grayed out (is not an option). This appears to be on changes such as the removal of a Browser Helper Object (where "Change: Value deleted").

    This is speculation but I assume that the "Deny change" is grayed out because by the time TeaTimer recognizes the Registry change the underlying code for the BHO has been deleted and therefore denying the change would do no good to save the BHO from being deleted. In these cases the registry change dialog serves as a warning that something has changed.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  4. #4
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    I'd suggest starting a topic in the malware forum after following the instructions here:
    BEFORE you post a log, and who will advise you. Preliminary Steps
    Skip the Spybot-S&D scan for now.

    Quote Originally Posted by sandybeach
    Additional info: XPPro SP1 + 20 hot fixes, AVG latest engine & defs,AdawareSE, CCleaner.
    So how did I get infected in the first place? By Tony Klein

    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  5. #5
    Junior Member
    Join Date
    Jun 2006
    Location
    Pacific NW
    Posts
    5

    re: Agobot-KU

    Hi, been looking for info for several days about this same issue...but nothing showed till today. Good to see someone else is having the same "alert". However, I only found the issue of the blank registry entry...showing info about the Agobot-KU worm when I opened up the Startup tool within Spybot. Only reason I even did so...was cause I got a Symantec alert of potential worm activity (Netspy). I *think* this is a false positive since it occurred when a long used game of mine attempted to connect to the internet upon program launch. No other spyware scan, virus scan, as well as several online malware/spyware/virus scanners showed a problem. Since the Symantec worm alert was the first I have seen when using this game of more than 3 years...I did all the usual things, all seemed fine. I was surprised to see the "blank" entry related to the Agobot-KU worm. Since I didn't want to cause a bigger problem I did a lot of searching and reading on this forum as well as others and found very little to help me about the Agobot-KU. I searched my computer for all the other names it has been reported to use or be related to. There appears to be no relation to the "Netspy" alert...and all the searches for its files or related items are nil here too.

    I waited to respond hoping that Sandybeach or whoever would put this topic in Malware thread....but haven't seen anything related to this worm since 2005 in the forum. I am wondering if it is a malware problem, or falsepositive.

    Of course that doesn't explain a blank entry...but you're the experts. :-) Once I was pretty sure all was ok, I did disable entry, rebooted, did my thing, no problem, deleted entry, rebooted a few more times doing my thing for an hour or so between reboots and the entry did NOT return.

    BTW, I did NOT have the Tea Timer running for the last week or so cause of the problem with print running off the buttons or non-existent, giving me no choices to choose. I think I found the answer here...will work on that next, LOL!

    Thanks for the info. I am not alone....someone else sees the same thing...;-)
    Windows XP HE
    V.5.1.2600 SP2 Build 2600
    Firefox.IE6.Sym.Systemworks Premier,ZoneAlarm Pro(spyware enabled)Spybot,Spyware Blaster,Spyware Guard,AdawareSE(no adwatch)

  6. #6
    Member
    Join Date
    Jan 2006
    Posts
    45

    Replies to All & Updated Findings/Results.....

    To MD: Thanks for the explanation! I believe you've got it right. After doing a system restore point back 4 weeks & resetting the BHO by un-checking, then restarting & re-checking the box for Blocker, the problem disappeared!!

    Hi again, Tashi! Thanks for posting so soon! Once again I seem to have found a way to get past the problem on my own, again denying you the chance to rescue me (awfully glad you're ready to try ). By the By: Good warning about Panda's Spam attacks! I visited their site for some info, declined to fill in any forms and left without info. Since then, they have been the most persistent spammer; at least daily and in 1 day 5 times! Outdoing ALL others by multiples!!

    Hi, Tangerine!! Thanks for your thorough post! It's nice to share misery isn't it? I also wonder about a possible False Positive re the HK_LM Run (Blank).
    Given this HP laptop is only 1 year old, with SP2 (well past the 2003 inclusion point for D-Com exploit patch)....
    After checking TrendMicro's data base, one of the few to recognize the Agobot-KU name, I ran a process list check and no RASMNGR.EXE running.
    After battery recharge, ran a search for that exe in All Files & Folders (show all hidden) and there was not 1 listing of it found anywhere. I don't recall seeing those items in the start-up list the last time I had it in my hands (before the LAST S&D update of June 4th). Ran another complete AVG scan with today's defs and found only the Eicar Test Virus. Haven't run a Housecalls Java Online scan yet, might just for backup, but if AVG found Eicar then it's probably not corrupt & is working OK.

    Now I know(understand) why Techs want so much money: When it's not your machine, things are rarely what they seem!!! Example:
    Since last seen, the machine had a wireless internet connection installed/activated by her son-in-law, which besides having no icon in the task bar to call one's attention seemed to be active in the background from boot-up! More so, its properties included MS Networks with internet printer file sharing also active!! This I've un-installed. Also found a new 1394 (FireWire?) connection which I've left but disabled/firewalled.
    The last time here the problem was she installed a purchased (!!) update to Family Tree Maker which put in Aqueduct Profiler spyware. Being an update, nothing visible on desktop had changed.
    This time, I discovered her store-made vacation photo CD installed Kodak Easy Photo Share with "BackWeb" not only included but gave itself permission (as an exception) to get thru the Firewall! It may be her machine but I feel like I need to make her an "un-privileged user" account.
    Anyway, after a far-back restore, and re-updating & re-scanning with CCleaner, AVG, AAW-SE, S&D etc., I seem to be out of the woods until I give it back to her. Hope you progress with as much luck!

    Again, my thanks to ALL for your time and attention!!
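    An added audit script (not from the thread, Spybot or Symantec) that does the checks the posters describe doing by hand: it lists the HKLM/HKCU Run entries and flags blank ones like the "HK_LM Run (Blanks)" above, reports entries whose target file no longer exists, resolves each installed Browser Helper Object to its DLL, and checks whether the process Symantec names (RASMGR.EXE, as spelled in post #2) is running. It assumes Windows PowerShell and the standard registry paths; the process name is taken from the thread, everything else is generic.

```powershell
# Added example: audit Run keys, BHOs and one named process. Read-only; prints findings.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-TargetPath([string]$command) {
    # Pull the executable path out of a Run value, dropping quotes and arguments.
    $c = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($c.StartsWith('"')) { return $c.Substring(1, $c.IndexOf('"', 1) - 1) }
    return ($c -split ' ')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # PowerShell's own metadata, not a Run entry
        $value = [string]$p.Value
        if ($value.Trim() -eq '') {
            # A blank value is the "(Blanks)" Spybot showed; it runs nothing but is worth noting.
            Write-Output "BLANK   $key\$($p.Name)"
            continue
        }
        $exe = Get-TargetPath $value
        $status = if (Test-Path -LiteralPath $exe) { 'ok     ' } else { 'MISSING' }
        Write-Output "$status $key\$($p.Name) -> $exe"
    }
}

# Browser Helper Objects: each subkey is a CLSID; resolve it to the DLL that implements it.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $inproc) { (Get-ItemProperty $inproc).'(default)' } else { '<no CLSID entry>' }
        Write-Output "BHO     $clsid -> $dll"
    }
}

# Process check, as the poster did by hand (name from Symantec's write-up as quoted in the thread).
$suspect = 'rasmgr'
$running = Get-Process -Name $suspect -ErrorAction SilentlyContinue
Write-Output ("PROCESS {0}.exe running: {1}" -f $suspect, [bool]$running)
```

A BHO line whose DLL is missing or a Run entry marked MISSING is a leftover, not a live infection, which matches what the posters saw after cleanup; a BLANK entry by itself launches nothing.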

  8. #8
    Member
    Join Date
    Jan 2006
    Posts
    45

    My Apologies For Duplicated Post!! I Seem to be ....

    having a problem when posting. While logged in, when I hit preview OR submit post, I get taken to a new log-in page as if I'm not logged in!! Then I'm not sure if the post took or not! Wonder if this is because I didn't check the box for "remember me"?? Moderator, if you see this, please delete 2nd copy. Again, my apologies!!:blush:

  9. #9
    Esteemed Member
    Join Date
    Oct 2005
    Posts
    554

    sandybeach: You are returned to the login page due to the setting of a timeout within the board software. If you don't perform an action such as Preview Post within the time allowed, you will be logged out and required to login again. Due to the design of web based software there isn't a way to inform you this has happened until you perform another action.

    Repeated views with Preview Post will keep the connection alive and even if you must login again, avoids the chance of a duplicate post. Simply get in this habit, especially if you know the post will be a long one.

  10. #10
    Junior Member
    Join Date
    Jun 2006
    Location
    Pacific NW
    Posts
    5

    Re:

    Hi again Sandybeach, I understand your pain of working on your landlady's PC. Been there...DONE that. I have fixed that situation with my landlord's computer. Perhaps you'd like to know how I did it? LOL. The next time they came for help, I gave them a book, Win98 for Dummies, a list of good computers for sale and a local PC shop and their prices for tech support, and suggested they get their own computer since it would be cheaper than paying for all the tech support...and give the old PC to their son and his friends to take apart and play with since it was too time consuming to search down info on that POS computer. HAHA! You see I told them I would only work on their (TINY Brand) computer, which included a complete format and reinstall... if they kept AOL and P2P software off their computer. They again put AOL, 3 P2P programs on, and had a lot of porn on the PC. The first time they couldn't find their OS disk, driver disks, or anything and had NO backup...NO virus scanner or had run any tools ever. Despite my making them clean backup images the first time, they again couldn't find any of those items. Amazes me how many folks expect a PC to be "protected" from time of purchase without bothering to register and activate their programs. The 2nd time I immediately went to the PAID for by me Norton's Symantec Systemworks logs....saw they had stopped each virus scan from running cause they had other things to do at the time, for 6 months! After seeing that, I realized my time was more valuable than theirs was. LOL!
    Windows XP HE
    V.5.1.2600 SP2 Build 2600
    Firefox.IE6.Sym.Systemworks Premier,ZoneAlarm Pro(spyware enabled)Spybot,Spyware Blaster,Spyware Guard,AdawareSE(no adwatch)
