AGOBOT.HM ....let me be the first .....

ultravox

I got it yesterday...it prevents you from getting to any of the AV sites or windows update/security patches. It took 5 hrs to get it off.
Stolen from a friend's post in another world...far... far away...

It uses a really simple method to keep you from connecting to AV sites. It edits your hosts file and redirects AV domains to yourself. All you do is edit the hosts file and remove the offending lines and presto, instant access (though that bug will keep putting it back, should give you enough time...).

You can also do a free online scan at http://housecall.trendmicro.com which this bug does not enter into the hosts file. However, housecall does not find everything (and as of last week didn't fix this bug).

Locations of hosts file (file has no extension, is just a plain text file). Edit using notepad or DOS Edit (or your favorite plain text editor).

Win9X/Me hosts:
c:\windows\

WinXP
c:\windows\system32\drivers\etc\

Win2000
c:\winnt\system32\drivers\etc\

In the file, any line starting with # is a comment, thus ignored. First real line should read:

127.0.0.1 localhost

Anything after that line did not come with Windows. With AGOBOT you'll see:

127.0.0.1 www.symantec.com
127.0.0.1 www.mcafee.com

... etc.

There's actually a few dozen lines of the most common AV web sites. Just delete them all so you have only the "localhost" line left. If you're unsure, then you can add # to the beginning of the line - that way you can undo it easily. For instance:

#127.0.0.1 www.symantec.com

Until you get rid of it all, every time you reboot your hosts will ban AV sites again.

You should also update Windows or you can become infected again. Also, make sure you have nothing shared - especially the root directory. After it is all cleaned out, make sure your updated AV software runs properly on boot. These bugs are known to break the autoprotect (in Win2000/XP, under ControlPanel/Admin/Services).
Here's a DL to remove it automatically
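
The hosts-file cleanup described in the post above, as an added example that is not part of the original post or of any removal tool: it comments out every entry that points a name other than localhost at the local machine, so the change is easy to undo. The sample file contents and the function names are constructed for illustration, and treating 0.0.0.0 and ::1 the same way as 127.0.0.1 goes beyond what the post describes.

```python
import ipaddress

# Constructed sample hosts file; the two AV lines are the ones quoted in the post.
SAMPLE_HOSTS = """\
# Sample header (lines starting with # are comments)
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1\twww.mcafee.com   # inline comment
192.168.1.10    fileserver
"""

# Assumption: the stock "localhost" entry is the only legitimate loopback mapping.
ALLOWED_LOOPBACK_NAMES = {"localhost"}


def is_sinkhole(address):
    """True if the address points back at the local machine (or nowhere)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text):
    """Return (cleaned_text, flagged_hostnames).

    Entries mapping any name other than localhost to a loopback address are
    prefixed with '#' instead of being deleted, so they can be restored.
    """
    cleaned, flagged = [], []
    for line in text.splitlines():
        # Drop any trailing comment, then split "address name [name ...]".
        entry = line.split("#", 1)[0].split()
        if len(entry) >= 2 and is_sinkhole(entry[0]):
            bad = [h for h in entry[1:] if h.lower() not in ALLOWED_LOOPBACK_NAMES]
            if bad:
                flagged.extend(bad)
                cleaned.append("#" + line)
                continue
        cleaned.append(line)
    return "\n".join(cleaned) + "\n", flagged


if __name__ == "__main__":
    new_text, names = audit_hosts(SAMPLE_HOSTS)
    print("Commented out:", ", ".join(names))
    print(new_text)
```

Running it on a schedule and alerting whenever the flagged list is non-empty also catches the re-infection case, where the entries come back after a reboot.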