
Bagle.IX and Download Bagle Trojan [RESOLVED]


#136 Linda68 (Topic Starter, Member)
:)
It finally failed...here is the jpg of the failure...scroll to bottom to see ActiveX message.

Attached Thumbnails

  • kaspersky_II.JPG



#137 JSntgRvr (Global Moderator)
Hi, Linda68 :)

Sorry for the delay, but my ISP is experiencing problems.

You had previously indicated you were able to network with this computer. If you do, there is a possibility that you can scan this computer through yours by selecting the folders to be scanned. Wouldn't you?

We need to be able to scan the computer. There is no other way to identify where the Trojan dropper may be. On the other hand, and since this is a new variant, we may never be able to. If you cannot scan the computer that way please let me know.
Here is another option:
Click here to download Dr.Web CureIt and save it to your desktop.
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
    Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new HijackThis log.


#138 Linda68 (Topic Starter, Member)
Hi :)
No worries about the ISP problem. Last night I ran combofix, removed IE and used Mozilla to listen to the webcasts from my class. I was falling way too far behind. My desktop is the only computer that is quick enough to run Dragon Dictate, MS Word and the webcast together. I am almost done at which point I am going to reload IE and together we'll figure this thing out.

I will try your latest suggestion and let you know the results later tonight after I finish a couple more webcasts.

Thanks!

#139 JSntgRvr (Global Moderator)
:)

#140 Linda68 (Topic Starter, Member)
Hi :)
I didn't have much luck running Kaspersky over the network due to a flaky network connection, BUT Dr.Web CureIt is running and I just want to let you know it is going to take a while to finish. The express scan DID find problems with sprtsync.dll and sprtupdate.dll in the c:\program files\comcast\desktop doctor\bin directory. The program moved both the files ... somewhere.

I'll post as soon as it is finished!
Linda

#141 Linda68 (Topic Starter, Member)
Here is what happened since my last post. The cureit program was running on my program, when I went to recheck the status, the computer had rebooted and stated it had recovered from a serious error. I then started cureit again, it wouldn't start and then the performance jumped to 98% utilization...I rebooted, same thing, 98 to 100% utilization.

So, I tried to use Kaspersky webscanner after mapping a drive...think I finally got the connection to stay up long enough to complete a report. Let me know if this is what you are looking for.

By the way, the "show all files and folders" under the View tab in Explorer under Tools-Folder Options has once again disappeared.

Talk Soon!
Linda

Attached Files



#142 JSntgRvr (Global Moderator)
Hi, Linda68 :)

Here is what happened since my last post. The cureit program was running on my program, when I went to recheck the status, the computer had rebooted and stated it had recovered from a serious error. I then started cureit again, it wouldn't start and then the performance jumped to 98% utilization...I rebooted, same thing, 98 to 100% utilization.


That is definitely Baggle. Run MyPoppy.exe to clear it.

Nothing new in the Kaspersky report.

Please remove the following folders:

C:\Combo-Fix
C:\Qoobox
C:\MyPoppy


Remove all tools downloaded, including MyPoppy.exe.

Download OTCleanIt from here:

http://download.blee...r/OTCleanIt.exe

Run the program. It will remove various files used by the tools used. A restart will be necessary.

Once done, let's download a new version of Combofix as follows:

Download the enclosed file. Save and extract its contents to the desktop. I have renamed it Browny.exe. Never rename combofix on your own. That could cause some serious problems.

Run Browny.exe and post its report. After running Browny.exe, re-try Dr.Web CureIt.

#143 Linda68 (Topic Starter, Member)
Hi :)
Here are the logs ...
When I ran browny.exe, I noticed in the log I hadn't deleted c:\baglefix or c:\ccleaner...so I ran it a second time after I deleted the directories.

So, the pre-combo is the browny.exe before I removed those directories and the combofix is after I removed them. I found out the second time that the Qoobox directory returned after running browny.exe both times.

Downloaded drwebcureit and tried to run / install.
The error bitmap is attached.

Linda

Attached Thumbnails

  • cureit.JPG

Attached Files



#144 JSntgRvr (Global Moderator)

Downloaded drwebcureit and tried to run / install.
The error bitmap is attached.


Perhaps a bad download? Did you do this after running Browny.exe? There is a small time period after running Combofix (Browny.exe) that the Trojan becomes dormant.

  • Open Hijackthis
  • Click on Open the Misc Tools Section
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, and attach the results in your next reply.
Let me also see a fresh Hijackthis log.

#145 Linda68 (Topic Starter, Member)
I am running Drweb Cureit again... I am scanning all drives, so I'll have to check on the process before I leave for work (work... :) )

The Express scan didn't find any problems.
If the complete scan fails, I will run your previous post instructions.

Linda

#146 Linda68 (Topic Starter, Member)
Good Morning :)
The DrWeb Cureit finished!
I saved the csv file BEFORE the files were moved, hope that doesn't matter. Then, I rebooted the machine and ran hijackthis successfully. I was unable to upload these two files to this site, so I am going to try and post to bleepingcomputer.com

#147 JSntgRvr (Global Moderator)
Hi, Linda68 :)

Go to the Add/Remove programs item in the Control Panel and remove all related to Google. Seems that its notifier was infected with Baggle.

After doing so, if present remove the C:\Program Files\Google folder.

I need to see that Uninstall Manager list I requested. You should remove any Toolbar and Browser Helper Objects now installed in your computer, to later re-install IE 7.0.

Please open the DoctorWeb folder. Right click on the quarantaine-folder and select Send to -> Compressed (zipped) folder. That would create a .zip folder within the DoctorWeb folder. Please upload this .zip folder to the Spykiller forum as follows:

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "Baggle"
  • Put a link to this thread in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:

    • zipped folder in the DoctorWeb folder
  • Click Open.
  • Click Post.

Keep me posted.

#148 Linda68 (Topic Starter, Member)
Hello,
Here is the uninstall text. I am having problems posting to Spy Killer...keep getting an error with the download (this is why you will see two messages that have nothing in it.)

I at least want to get this to you...I will keep retrying the other file.

Thanks!
Linda

Attached Files



#149 Linda68 (Topic Starter, Member)
Successfully uploaded to Spy Killer

Linda

#150 JSntgRvr (Global Moderator)
Hi, Linda68 :)

Remove the following programs:

Comcast Toolbar
MSN Toolbar
MSN


You can always reinstall after the computer is cleaned.

Restart the computer

Reinstall IE6:

Run:

rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %windir%\Inf\ie.inf

Make sure you have the Windows XP installation CD. You will be asked for the Iexplore.exe file. Insert the XP CD and redirect the installation wizard to the i386 folder in the installation CD. Select the Iexplore.exe file and click on Next.

Follow the prompts. Restart the computer.

Download IE7 once again. If you downloaded IE7 before, remove that download, and re-download:

http://www.microsoft...e/getitnow.mspx

Restart and test.

Keep me posted.