
Win32.Agobot - need RELIABLE cleaning tool

Grasshopper666

Junior Member

Here's the skinny. We were just hit by Win32.Agobot and Win32.Hostblock. 10 of our PCs were hit. We did a show ip nat trans on our Cisco 2600, got a list of PCs broadcasting/connecting on port 135, checked our DHCP server and found the PC names, and disconnected them from our network. Our network is now back to normal, but we have 10 users downed. We are looking into host-based intrusion detection for the future, but that is another post.

What I need help with now is this: Agobot is the more destructive of the two. We are trying to find a cleaning tool to clean Agobot so we can get our users back online. Can anyone recommend a tool from a reliable source that works?

CA Win32.Agobot info

Our Computer Associates Antivirus 7.x, despite having the most current definitions, and despite its claim to clean by using the system cure option DOES NOT WORK. I Googled and I saw a few cleaning tools, one of them is even from CA. I tried it - it didn't even detect Agobot. Obviously, it doesn't work, and frankly I don't trust CA any more after this experience.

Any help would be greatly appreciated.
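The triage the poster describes (pull the router's NAT table, pick out inside hosts fanning out on TCP/135, map them to names from DHCP) is easy to script so it can be re-run when the next host lights up. The following is an added example written for this page, not code from the poster or from any vendor; the `show ip nat translations` output and the DHCP lease table in it are constructed, and the "at least two distinct targets" threshold is an assumption chosen to separate a scanning host from a single legitimate RPC connection.

```python
"""Parse `show ip nat translations` output from a Cisco router, find inside
hosts contacting many distinct outside addresses on TCP/135, and resolve them
to hostnames via a DHCP lease table. Added example; sample data is constructed."""
from collections import defaultdict
import re

# Constructed sample of `show ip nat translations` output (not a real capture).
NAT_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1045   192.168.1.20:1045  198.51.100.7:135   198.51.100.7:135
tcp 203.0.113.5:1046   192.168.1.20:1046  198.51.100.8:135   198.51.100.8:135
tcp 203.0.113.5:1047   192.168.1.20:1047  198.51.100.9:135   198.51.100.9:135
tcp 203.0.113.5:1100   192.168.1.31:1100  198.51.100.22:135  198.51.100.22:135
tcp 203.0.113.5:1101   192.168.1.31:1101  198.51.100.23:135  198.51.100.23:135
tcp 203.0.113.5:2001   192.168.1.42:2001  93.184.216.34:80   93.184.216.34:80
udp 203.0.113.5:53001  192.168.1.42:53001 198.51.100.1:53    198.51.100.1:53
--- 203.0.113.5        192.168.1.42       ---                ---
"""

# Constructed DHCP lease table (IP -> hostname), standing in for the DHCP
# server lease list the poster consulted.
DHCP_LEASES = {
    "192.168.1.20": "ACCT-PC07",
    "192.168.1.31": "SALES-LT03",
    "192.168.1.42": "RECEPTION-PC",
}

ADDR_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def _split_addr(token):
    """Return (ip, port) for 'a.b.c.d:port'; (None, None) for '---' or bare IPs."""
    m = ADDR_PORT.match(token)
    if not m:
        return None, None
    return m.group(1), int(m.group(2))


def parse_nat_translations(text):
    """Turn the translation table into dicts with proto, inside_local and
    outside_global (ip, port) tuples. Header and port-less static rows are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue  # header or malformed line
        proto, _inside_global, inside_local, _outside_local, outside_global = fields
        il_ip, il_port = _split_addr(inside_local)
        og_ip, og_port = _split_addr(outside_global)
        if il_ip is None or og_ip is None:
            continue  # static entry without ports
        entries.append({
            "proto": proto,
            "inside_local": (il_ip, il_port),
            "outside_global": (og_ip, og_port),
        })
    return entries


def hosts_hitting_port(entries, port=135, proto="tcp"):
    """Map each inside host to the set of outside IPs it contacted on `port`."""
    targets = defaultdict(set)
    for e in entries:
        if e["proto"] == proto and e["outside_global"][1] == port:
            targets[e["inside_local"][0]].add(e["outside_global"][0])
    return dict(targets)


def suspect_hosts(entries, leases, port=135, min_targets=2):
    """Inside hosts that reached at least `min_targets` distinct outside
    addresses on `port`, as a list of (ip, hostname, target_count) sorted by
    count. A worm probing for TCP/135 fans out across many targets; a single
    translation is more likely ordinary RPC traffic. The threshold is an
    assumed starting point, not a vendor-published indicator."""
    results = []
    for ip, dests in hosts_hitting_port(entries, port).items():
        if len(dests) >= min_targets:
            results.append((ip, leases.get(ip, "(no lease)"), len(dests)))
    return sorted(results, key=lambda t: -t[2])


if __name__ == "__main__":
    for ip, name, count in suspect_hosts(parse_nat_translations(NAT_OUTPUT), DHCP_LEASES):
        print(f"{ip:<16} {name:<14} {count} distinct TCP/135 targets")
```

In practice you would paste the router output into `NAT_OUTPUT` (or read it from a file) and export the lease table from the DHCP server; the host that shows up with the most distinct TCP/135 targets is the one to pull first.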
 
McAfee's write-up

McAfee indicates it can actually be removed by hand by starting in Safe Mode and deleting the files and registry entries they identify, so that might be one course of action to test. How it got in the door to start with is worth looking into. Someone bring in an infected lappie or something?

You might run Microsoft Baseline Security Analyzer on your fleet and see if they're using weak/blank passwords on their Administrator accounts, permitting this type of threat to spread easily. It sounds like you've got a domain, so you can run MBSA from any PC and scan the whole fleet if you run it with Domain Admin privileges.

Good luck on the removal 🙂
 