
F - A G O B O T
---------------

The F-Agobot utility disinfects computers infected with all known 
by April 2004 variants of W32/Agobot backdoor-worm. The variants 
of Agobot that can be disinfected by this tool are from Agobot.A 
to Agobot.RR and also include many Agobot variants that are 
detected generically.


DISINFECTION PROCEDURE
----------------------

1. Unpack the F-Agobot utility from the provided ZIP archive 
either with WinZip or PkUnzip utilities. A trial version of 
WinZip archiver can be downloaded from the following website:

http://www.winzip.com/ddchomea.htm
                                   
2. Run the unpacked F-Agobot.exe file from a hard disk to 
eliminate W32/Agobot backdoor-worm infection. You can run the 
utility by either double clicking on it from Windows Explorer or 
you can start it from a command interpreter (COMMAND.COM or 
CMD.EXE) by typing its name at command prompt and pressing 
'Enter' (for advanced users).

First the F-Agobot utility will kill W32/Agobot backdoor-worm's 
process in memory. Then the utility will remove all Registry 
values created by Agobot and will delete all Agobot's files from 
a hard disk.

3. Reboot the system. After restart your system should be clean.

If you have F-Secure Anti-Virus installed, the utility will 
temporarily disable on-access scanner to be able to disinfect 
your system. After the utility completes disinfection, it enables 
on-access scanner.

You can get a trial version of F-Secure Anti-Virus and the
latest updates for it from our website:

http://www.europe.f-secure.com/download-purchase/
http://www.europe.f-secure.com/download-purchase/updates.shtml



IMPORTANT NOTES
---------------

The F-Agobot tool unpacks several files into a temporary folder 
on a hard drive. These files are not deleted after the tool 
finishes disinfection of a computer. The unpacked files can be 
deleted manually any time after disinfection.

If Agobot infection is in a network environment, then the network 
should be temporarily taken down before all workstations and 
servers are disinfected. A single infected workstation can 
re-infect already cleaned computers.

If a computer with Windows NT, 2000 or XP operating system is 
being disinfected, please log in as Administrator or as a user 
with local admin rights, otherwise the F-Agobot utility might not 
disinfect the system correctly.

If you have Windows ME or XP, it is recommended to disable System 
Restore feature of these operating systems to prevent your 
computer from re-infection with Agobot backdoor-worm. The fact is 
that System Restore feature of these operating systems might save 
the infected file into the special folder and copy it back to a 
hard drive it every time it's been deleted by F-Agobot utility. 
The instructions on how to disable System Restore feature are 
here:

Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml

Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

If you have any problems using this utility please contact us on 
'anti-virus-support@f-secure.com' address.