[feroas]

Hi there.

Am I glad to have found this site. I hope you experts can help me. I appear to have picked up some bug. An online check has said it is the bagle or beagle-zv trojan.

It has disabled Norton and AVG and wont let me reinstall them. Neither will it allow me to install Avast or Kaspersky. When I try to boot in safe mode it fails and reboots again. Even trying to boot in normal mode now it may take 4 or 5 boots before it actually starts.

I have searched the forum and found a very similar problem http://www.geekstogo...orum/Infection-here but some of the solution is specific to the person's computer.

My IP has been blocked from sending emails and my bandwidth usage is enormous.

I have gone though the preparation guide and spent two days trying everything I could think of but every time I try something the computer shuts down and reboots.

Please help!

[Advertisements]

I forgot to mention that Hijackthis wont run either.

[feroas]

I forgot to mention that Hijackthis wont run either.

[Essexboy]

Hi there sorry for the delay

Please read the instructions carefully before you download this programme as if you do not download it as stated it will not run correctly

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".
• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
• It is important you rename Combofix during the download, but not after.
• Please do not rename Combofix to other names, but only to the one indicated.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combo-Fix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

[feroas]

Hi Essesxboy,

Thanks for your help.

I followed the instructions and combofix deleted a lot of files!.. great

The only part that I'm not sure about is the anti-malware programs. You instructions said diable them but the virus had already disabled them so there was nothing for me to disable. After combofix did its thing they kicked back in again. So the scan combofix did after reboot was while the antimalware programs were running. Let me know if I need to do it again now that I have a little more control of my computer.

Here are the logs:

 ComboFix.txt   270.18KB   298 downloads

 hijackthis.txt   11.44KB   187 downloads

Thanks again.

[Essexboy]

Looks a lot better - not that I saw it before

I will now do a deep scan for any residual files, I see you have remnants of Kasperky and AVG anti-virus. Do you want them removed ?

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

• Close ALL OTHER PROGRAMS.
• Open the OTScanit folder and double-click on OTScanit.exe to start the program.
• Check the box that says Scan All User Accounts
• Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
• Under Additional Scans check the following:
  • Reg - BotCheck
  • Reg - ControlSets
  • File - Additional Folder Scans
  • File - Purity Scan
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

[feroas]

Hi Again,

While I was waiting, I did the following:

I re-ran Combo-Fix and it didn't delete anything but it did reboot.
I then ran a thorough scan with each of the following in this order:
Avast,
Spybot S&D
Trojanhunter
Ad-Aware
Stinger

They each found various malware infections and claimed to fix them (mostly bagle variants)

Now I have carried out you latest instruction and the file is here:

 OTScanIt.Txt   438.55KB   256 downloads

For pig iron, I also re-ran ComboFix and HijackThis (Combofix didn't reboot this time) Logs here:

 Combo_Fix_log.txt   15.31KB   178 downloads
 hijackthis.txt   10.46KB   150 downloads

I also tried to uninstall Kaspersky (AVG not in my list). Any help removing remnants of these or any other partials appreciated.

Thanks for getting me this far. If there are any other nasties hidden in these logs I hope you can help me weed them out.

[Essexboy]

Please do not run any additional scans please as it could corrupt what I am trying to achieve

Working

[feroas]

ok sorry

[Essexboy]

OK nearly did I think

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\GRISOFT\AVG7\avgamsvr.exe -> E:\Program Files\GRISOFT\AVG7\avgamsvr.exe [E:\Program Files\GRISOFT\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe]
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\GRISOFT\AVG7\avgemc.exe -> E:\Program Files\GRISOFT\AVG7\avgemc.exe [E:\Program Files\GRISOFT\AVG7\avgemc.exe:*:Enabled:avgemc.exe]
[Files/Folders - Created Within 90 days]
NY -> avg7core.sys -> %SystemRoot%\System32\drivers\avg7core.sys
NY -> avg7rsw.sys -> %SystemRoot%\System32\drivers\avg7rsw.sys
NY -> avg7rsxp.sys -> %SystemRoot%\System32\drivers\avg7rsxp.sys
NY -> avgtdi.sys -> %SystemRoot%\System32\drivers\avgtdi.sys
NY -> cfgocvga.dll -> %SystemRoot%\System32\cfgocvga.dll
NY -> 7091.bmp -> %SystemRoot%\7091.bmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> Avg7 -> %AllUsersProfile%\Application Data\Avg7
NY -> avg75free_516a1225.exe -> %UserProfile%\Desktop\avg75free_516a1225.exe
[Files/Folders - Modified Within 90 days]
NY -> avg7core.sys -> %SystemRoot%\System32\drivers\avg7core.sys
NY -> avg7rsw.sys -> %SystemRoot%\System32\drivers\avg7rsw.sys
NY -> avg7rsxp.sys -> %SystemRoot%\System32\drivers\avg7rsxp.sys
NY -> avgtdi.sys -> %SystemRoot%\System32\drivers\avgtdi.sys
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> Avg7 -> %AllUsersProfile%\Application Data\Avg7
NY -> avg75free_516a1225.exe -> %UserProfile%\Desktop\avg75free_516a1225.exe

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

FINAL SCAN

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Logs required : Just The MBAM and how is your system now ?

[feroas]

Hi,

Here is the first part logs:

 OTScanIt2.Txt   3.56KB   151 downloads

 hijackthis3.txt   11.04KB   151 downloads

I will upload the Final scan result when it completes. The computer is running much better but there are delays when I type. The text takes time catching up with me (and I am not a fast typist!). I just hope its not a keylogger or something.

[feroas]

Mbam says I'm clean. Nothing found.

Log:

 mbam_log_3_27_2008__23_42_42_.txt   739bytes   169 downloads

That's gotta be good. Still have delays though. It happens about every 10 seconds. I just a look at task manager and cpu spikes every 10seconds. A nice regular pulse wave. Looks like its firefox.

[Essexboy]

Now the best part of the day ----- Your log now appears clean

Double click OTScanit once again and you should see a CleanUp! button, press that button, you may get prompted by your firewall that OTScanit wants to contact the internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself

Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:

• SpywareBlaster to help prevent spyware from installing in the first place.
• SuperAntispyware Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

• Microsoft Windows Update

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?


Keep safe

Do you have the same problem with IE or is it just Firefox ?

[Essexboy]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

[Essexboy]

Please Download Avast Rootkit Cleaner to your desktop

Close all running programmes

Run the ASWAR file and select Scan Now



On completion of the scan you will then have this screen up



Now close the programme and on the desktop will be a text file called ASWAR please post that. Do not fix anything yet

The programme will take from 3 to 5 minutes to run.

[feroas]

Nothing found:

avast! Antirootkit, version 0.9.6
Scan started: 01 April 2008 08:44:58


Scan finished: 01 April 2008 08:45:48
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0


----------


avast! Antirootkit, version 0.9.6
Scan started: 01 April 2008 08:49:51


Scan finished: 01 April 2008 08:50:41
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0


----------


I also uninstalled all of my addons in firefox to see if that fixed the cpu problems but no joy.