Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Bagle.IX and Download Bagle Trojan [RESOLVED]


  • This topic is locked This topic is locked

#31
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Hello,
I completely removed Paretologic, copied the new combofix.exe directly to the desktop and ran it.
Received, combofix.exe is not a valid win32 application.
  • 0

Advertisements


#32
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,967 posts
It is Bagle. Somehow is re-spawining.

Lets try this:

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\drivers\srosa.sys
C:\Windows\System32\WINTEMS.EXE
C:\Windows\System32\MDELK.EXE
C:\Windows\System32\13219648.EXE
C:\Windows\System32\13213389.EXE
C:\Windows\System32\13204887.EXE
C:\Windows\System32\HLDRRR.EXE
C:\Windows\System32\ban_list.txt
C:\Windows\System32\Drivers\WINTEMS.EXE
C:\Windows\System32\Drivers\MDELK.EXE
C:\Windows\System32\Drivers\13219648.EXE
C:\Windows\System32\Drivers\13213389.EXE
C:\Windows\System32\Drivers\13204887.EXE
C:\Windows\System32\Drivers\HLDRRR.EXE
C:\Windows\System32\Drivers\ban_list.txt
C:\Windows\13219648.EXE
C:\Windows\13213389.EXE
C:\Windows\13204887.EXE
C:\RegCure 1.5.exe
C:\MGtools.exe

Drivers to delete:
srosa

Folders to delete:
C:\WINDOWS\system32\drivers\downld

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SROSA


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V).
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

Run Combofix afterward and let me know the outcome.
  • 0

#33
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Now I get avenger.exe is not a valid Win32 application after following the directions.
It looks like Paretologic was allowing me to run most of these applications before, but now that it has been removed, it is back to square one.
  • 0

#34
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,967 posts
Posted ImageDownload Deckard's System Scanner (DSS) from here or here to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both, the main.txt and the extra.txt in your next reply.
If the files are too long, attach them to a reply:
  • Scroll down and click the [Manage Attachments] button
  • Browse to the following folder:
    • C:\Deckard\System Scanner
  • Click Upload to upload these files one by one
  • Submit your reply

  • 0

#35
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
The two text files should be attached!

Attached Files


  • 0

#36
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,967 posts
Hi, Linda68 :)

Please print these instructions as you will need to disconnect from the Internet.

We are going to use an unconventional method to attempt to remove this Trojan from your computer.

We will need to remove AVAST and SuperAntispyware as it is possible the Trojan may be using these means to re-Spawn. That would leave your computer unprotected for the time being. You can reinstall once we have remove this trojan.

First download the enclosed folder. Save and extract its contents to the C: folder. It is important this folder be saved in the C: folder (Root directory). Once saved it should appear as C:\Baglefix

Disconnect from the internet. If you have to disconnect the cable from the computer, please do so.

Set Explorer to view Hidden Files and Folders:
  • Right-click your Start button and go to "Explore".
  • Select Tools from the menu
  • Select Folder Options
  • Select the View tab
  • Click on Show all Files and Folders
  • Select Apply to All Folders | Yes | Apply | OK.

Go to the Add Remove programs and remove these programs, then delete the following folders:

C:\WINDOWS\system32\drivers\downld
C:\paretologic
c:\program files\superantispyware
E:\Program Files\Alwil Software (Don't know why is on E:\, but it may be the cause of the infection spawning)

Set Explorer to Defaults:
  • Right-click your Start button and go to "Explore".
  • Select Tools from the menu
  • Select Folder Options
  • Select the View tab
  • Click on Restore Defaults
  • Select Apply to All Folders | Yes | Apply | OK.

Close all windows.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), navigate to the C:\Baglefix folder. Doubleclick on the Fixme.bat. The MSDOS window will open. That is normal. The computer will restart. Allow it to fully restart.

Run Combofix and let me know the results.
  • 0

#37
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
I haven't run the fix file yet, BUT, I wanted to let you know that I DO NOT have a drivers directory in the system32 parent folder in Explorer. I DO have a folder that is in blue in bold letters that says DRVSTORE and in it there is another LONG folder name (in blue) that starts with wlphonecv_8800C15 and on and on ...

I had to go through DOS to delete it. I know it is hard to believe. I saved a bmp of it for when I reconnect to the Internet so you can see.
  • 0

#38
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
I ran the fixme.bat. Upon reboot, it could not find the 2ndround.bat file, so I had to rerun it and place the 2ndround.bat file in the proper location. Afterwards, I tried combofix without luck, same win32 error. It appears I have a catchme txt file on my desktop I don't recall seeing. Is is okay if I hook back up to the internet to send?

Is there a way I can verify that the 2ndround.bat file ran?
  • 0

#39
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,967 posts
Hi, Linda68 :)

That is the reason I asked to save the folder n the root directory, C:\, as I insert a command in the registry to run the C:\\BagleFix\\2ndRound.bat at startup.

Download the enclosed folder. It contains a renamed copy of Combofix, as MyPoppy.exe. Save and extract it to the desktop. Do not rename Combofix unless instructed.

Remove original Combofix.

Run the Fixme.bat file once again. (Make sure the Baglefix folder is in the root diretory, C:\), then after a full restart, try running Mypoppy.exe file.
  • 0

#40
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,967 posts

Is is okay if I hook back up to the internet to send?


Yes, but do not expend too much time online unprotected.
  • 0

Advertisements


#41
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
The combofix log is attached ...
I have WinRAR on my PC, when I double clicked, it made two Baglefix folders...at the root and another subfolder of the same name. Sorry ...

Attached Files


  • 0

#42
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,967 posts
Hi, Linda68 :)

One last check. Rightclick on the Internet Explorer link and select Properties. If a shortcut, it should indicate the Target and the Start in location. Please post this information on your next reply.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnkC:\WINDOWS\pss\LaunchU3.exe.lnkCommon StartupRegistry::[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into MyPoppy.exe, and post back the resulting report along with a Hijackthis log..
  • 0

#43
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Hi :)
My IE link was not a shortcut. The Properties selection brought up the big box with all the tabs.
Combofix is attached...hijackthis still won't run.

Attached Files


  • 0

#44
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,967 posts
Can you run Hijackthis?
  • 0

#45
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Nope, I mentioned it in my previous post. Still get not a valid win32 app
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP