
Bagle.IX and Download Bagle Trojan [RESOLVED]


#46 JSntgRvr (Global Moderator, 10,967 posts)
Still spawning:

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::
C:\WINDOWS\Tasks\Pareto UNS.job
Folder::
C:\Program Files\Common Files\ParetoLogic
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into MyPoppy.exe, and post back the resulting report along with a Hijackthis log.
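An added example, not part of this thread and not ComboFix's own code: a small Python reader that turns a CFScript like the one in the post above into the list of actions it requests (file and folder deletions, registry key deletions), so the script can be checked line by line before it is dragged onto ComboFix. The embedded script is a constructed copy of the one above; it is an assumption that `^` stands in for a backslash inside the `HKLM\~\startupfolder\` pseudo-keys.

```python
import re

# Constructed copy of the CFScript from post #46, with its line breaks restored.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\Tasks\Pareto UNS.job
Folder::
C:\Program Files\Common Files\ParetoLogic
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"""

SECTIONS = ("File::", "Folder::", "Registry::")
# ComboFix pseudo-key for Startup-folder entries. Assumption: '^' replaces '\' in the path after it.
STARTUP_PREFIX = "HKLM\\~\\startupfolder\\"

def startup_item_path(key):
    """Map a startupfolder pseudo-key back to the .lnk path it stands for, else None."""
    if not key.startswith(STARTUP_PREFIX):
        return None
    return key[len(STARTUP_PREFIX):].replace("^", "\\")

def cfscript_actions(text):
    """Turn a CFScript into (action, target) pairs so it can be reviewed before it is run.
    Lines outside a known section, or registry lines not of the form [-KEY], are flagged."""
    actions, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line            # a header switches the current section
        elif section == "File::":
            actions.append(("delete file", line))
        elif section == "Folder::":
            actions.append(("delete folder", line))
        elif section == "Registry::" and (m := re.fullmatch(r"\[-(.+)\]", line)):
            lnk = startup_item_path(m.group(1))
            actions.append(("remove startup shortcut", lnk) if lnk else ("delete registry key", m.group(1)))
        else:                         # no header yet, or a form this reader does not handle
            actions.append(("REVIEW: unrecognised line", line))
    return actions

if __name__ == "__main__":
    for action, target in cfscript_actions(SAMPLE_CFSCRIPT):
        print(f"{action:28} {target}")
```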
#47 JSntgRvr (Global Moderator, 10,967 posts)
Afterwards run DSS once again. Post the Main.txt. It should provide us with a Hijackthis log.

#48 Linda68 (Topic Starter, Member, 97 posts)
Here is the new combofix file
Hijackthis still wouldn't run. It was renamed to HJT.exe somewhere down the line.
Still received win32 app error

Attached Files



#49 Linda68 (Topic Starter, Member, 97 posts)
Sorry, missed the second part of your message. I'm running it now ...

#50 Linda68 (Topic Starter, Member, 97 posts)
You've got a lot of neat tricks up your sleeve :)

Attached Files

  • Attached File: main.txt (11.89KB)


#51 JSntgRvr (Global Moderator, 10,967 posts)
Go to Virus Total here:

http://www.virustotal.com/


Scan the following files:

C:\WINDOWS\system32\drivers\hpt3xx.sys
C:\WINDOWS\system32\drivers\hptpro.sys

Post the results in your next reply.

Set Explorer to view Hidden files and folders. Remove the following folders:

C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

I'll be checking on this topic in the AM. Don't use the computer until we have this sorted out.

Thanks and Good Night.

#52 Linda68 (Topic Starter, Member, 97 posts)
Good Morning :)
The docs are attached ...

Attached Files



#53 Linda68 (Topic Starter, Member, 97 posts)
Hello,
I DO want you to know that on my infected desktop "Hidden Files and Folders" does not exist on the Tools - Folder Options View tab. I do see it on my laptop. Looks like the spyware / virus may have affected this.

I went to DOS and was able to delete everything EXCEPT the paretologic anti-spyware folder. But the subdirs and files have been deleted. Superantispyware was no problem to delete.

I have to step out for about an hour and a half. I will return ...

Thanks Much!
Linda

#54 JSntgRvr (Global Moderator, 10,967 posts)
Hi, Linda68 :)

Hijackthis still wouldn't run. It was renamed to HJT.exe somewhere down the line.


Right-click on the Hijackthis icon; it should be a shortcut. Select Properties. Post its Target and the Start in information.



If other than "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe", have that target scanned at VirusTotal. Also look in the C:\Program Files\Trend Micro\HijackThis folder and check whether the original Hijackthis.exe is still in the folder. If the trojan copied itself as HJT.exe, chances are the original file is still in the folder. Also have HJT.exe scanned if different from the target. Post these results.

Just noticed you ran Hijackthis from your desktop:

C:\Documents and Settings\Linda Kristina\Desktop\HiJackThis.exe

Where did you download Hijackthis from? (This information is important.) Have this file scanned, whether renamed HJT.exe or Hijackthis.exe. If the results are positive, have this file uploaded at:

http://www.bleepingc...e.php?channel=4

Leave a link to this topic.

Follow the instructions above as they may apply, even if striked out.

  • After performing the above steps, remove Hijackthis and its folder under Program Files (Trend Micro) (if applicable). It puzzles me that it was renamed HJT.exe along the line without any help on your part. Perhaps it is the culprit for having this trojan spawning.
  • Run MyPoppy.exe once again to find out if it has spawned again and post its report.
  • Run the SafeBootKeyRepair.exe by sUBs as requested on Post #2. That should take care of the Safe Boot key. Test and let me know

Do not reinstall Hijackthis.

#55 Linda68 (Topic Starter, Member, 97 posts)
Hi, I'm back
The first scan showed the DOC file I left for you at bleeping. I am reanalysing it and there is a report that it is generating. I will put this up on the site when it is finished. I will then complete the rest of your requests. On the second analysis, I do see a worm.huhk.a and a suspicious trojan/worm in red already in the report.
#56 Linda68 (Topic Starter, Member, 97 posts)
The reanalysis is also posted ...

#57 JSntgRvr (Global Moderator, 10,967 posts)
Thanks for the document. But what I need uploaded to BC is the file itself. Do you still have it? Perhaps in the Recycle Bin?

#58 Linda68 (Topic Starter, Member, 97 posts)
Combofix is attached as well as the safeboot_repair. Nothing out of the ordinary happened with safebootkeyrepair.

Don't be puzzled, I mentioned back on page one that I changed the hijackthis executable before we even started communicating because I did a lot of research on my problem before contacting this website. The file never worked either way, "hijackthis.exe" or "hjt.exe".

We're getting close!!

Attached Files



#59 JSntgRvr (Global Moderator, 10,967 posts)
Still spawning. See post 57

#60 Linda68 (Topic Starter, Member, 97 posts)
Oh NO, I misread, it has been removed...out of the recycle bin too.