Bagle.IX and Download Bagle Trojan [RESOLVED]


  • This topic is locked

#61
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,965 posts
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

Collect::
C:\WINDOWS\system32\dllcache\register.exe
C:\WINDOWS\system32\register.exe
C:\WINDOWS\system32\dllcache\sysinfo.exe
C:\WINDOWS\system32\sysinfo.exe
C:\Documents and Settings\Linda Kristina\Desktop\HJT.exe


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a HijackThis log.

Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
Please submit this file to:

http://www.bleepingc...e.php?channel=4


Please include a link to this topic in the message.
  • 0

#62
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Combofix is attached...the zip file will be on bleeping in a minute.

Attached Files


  • 0

#63
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,965 posts
For better reading (see at the end of the post).

ComboFix 08-04-11.8 - Linda Kristina 2008-04-13 11:32:40.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.75 [GMT -5:00]
Running from: C:\Documents and Settings\Linda Kristina\Desktop\MyPoppy.exe
Command switches used :: C:\Documents and Settings\Linda Kristina\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\register.exe
C:\WINDOWS\system32\dllcache\sysinfo.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-12 21:02 . 2008-04-12 21:02 <DIR> d-------- C:\Deckard
2008-04-12 13:50 . 2008-04-12 13:50 139,406 --a------ C:\BagleFix.zip
2008-04-12 11:40 . 2008-04-12 11:42 <DIR> d-------- C:\Combo-Fix
2008-04-11 13:43 . 2008-04-11 13:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 13:43 . 2008-04-11 13:43 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\Malwarebytes
2008-04-11 13:43 . 2008-04-11 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 10:20 . 2008-04-11 20:54 <DIR> d-------- C:\Geeks_New
2008-04-10 20:36 . 2008-04-13 08:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-04-09 21:51 . 2008-04-09 21:51 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\Thinstall
2008-04-09 20:11 . 2008-04-09 21:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 20:11 . 2008-04-09 21:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-09 19:53 . 2008-04-09 19:53 <DIR> d-------- C:\Program Files\CCleaner
2008-04-05 17:10 . 2008-04-05 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\U3
2008-04-05 17:04 . 2008-04-05 18:12 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\U3
2008-04-05 17:03 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-05 10:09 . 2008-04-05 15:21 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-04-04 22:40 . 2006-10-26 20:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-04-04 22:36 . 2008-04-04 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 14:18 . 2008-03-21 14:18 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-21 14:17 . 2007-10-22 19:58 1,721,712 --------- C:\WINDOWS\system32\InetClnt.dll
2008-03-16 19:58 . 2008-03-16 19:58 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 15:20 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\ComcastToolbar
2008-04-12 21:50 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\Intuit
2008-04-10 00:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 19:17 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-20 12:03 --------- d-----w C:\Program Files\CrossTrainerII
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 11:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series (Copy 1) on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 15:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-03-10 16:16 204800 E:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-11-15 22:01 244512 C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-06 18:33 282624 E:\Program Files\QuickTime_4\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 E:\Program Files\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2006-08-07 02:04 688128 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\dnloads\\eMule\\eMule.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\EMule Extracts\\EMule.46c\\emule.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"D:\\dnloads\\eMule\\eMule_II\\eMule.exe"=
"D:\\Program Files\\EMule\\emule.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\drivers\hpt3xx.sys [2004-01-05 04:10]
R0 hptpro;hptpro;C:\WINDOWS\system32\drivers\hptpro.sys [2003-01-27 10:12]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17282e89-0346-11dd-a3b2-000103c623f3}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 11:33:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-13 11:34:20
ComboFix-quarantined-files.txt 2008-04-13 16:34:03
ComboFix2.txt 2008-04-13 15:51:28
ComboFix3.txt 2008-04-13 01:58:24
ComboFix4.txt 2008-04-13 01:10:54
ComboFix5.txt 2008-04-12 20:19:00
Pre-Run: 1,420,185,600 bytes free
Post-Run: 1,409,265,664 bytes free

==========================================================

Antivirus programs play an important role in the protection of your system. Here are some options:
As a firewall, try COMODO.

Play around with the computer. Post a fresh MyPoppy.exe report tonight to confirm. Fingers crossed!
  • 0

#64
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Thanks so much for your help, I will definitely look into the software you mentioned.
The concerns I still have are that the webcasts I view on my desktop still are not coming up. I was never having a problem with this before this problem. I also checked Tools > Folder Options > View tab, and the "Show hidden files and folders" entry is still not visible. Any thoughts???

Thanks! :)
  • 0

#65
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,965 posts
Download the enclosed folder. Save and extract its contents to the desktop. It is a batch file. Once extracted, double-click on the batch file and post its entire contents in a reply. No need to attach.
  • 0

#66
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Here it is ...

[codebox]

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun REG_DWORD 0x91

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun REG_DWORD 0x91

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ServerAdminUI REG_DWORD 0x0
Hidden REG_DWORD 0x2
ShowCompColor REG_DWORD 0x1
HideFileExt REG_DWORD 0x0
DontPrettyPath REG_DWORD 0x0
ShowInfoTip REG_DWORD 0x1
HideIcons REG_DWORD 0x0
MapNetDrvBtn REG_DWORD 0x0
WebView REG_DWORD 0x0
Filter REG_DWORD 0x0
SuperHidden REG_DWORD 0x0
SeparateProcess REG_DWORD 0x0
ListviewAlphaSelect REG_DWORD 0x1
ListviewShadow REG_DWORD 0x1
ListviewWatermark REG_DWORD 0x1
TaskbarAnimations REG_DWORD 0x1
StartMenuInit REG_DWORD 0x2
StartButtonBalloonTip REG_DWORD 0x2
NoNetCrawling REG_DWORD 0x0
FolderContentsInfoTip REG_DWORD 0x1
FriendlyTree REG_DWORD 0x1
WebViewBarricade REG_DWORD 0x1
DisableThumbnailCache REG_DWORD 0x0
ShowSuperHidden REG_DWORD 0x0
ClassicViewState REG_DWORD 0x0
PersistBrowsers REG_DWORD 0x0
TaskbarSizeMove REG_DWORD 0x1
TaskbarGlomming REG_DWORD 0x1
Start_ShowNetPlaces_ShouldShow REG_DWORD 0x41
[/codebox]
  • 0

#67
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
After connecting to Internet, I quickly closed the window through Task Manager after the IE window did not respond quickly...CPU usage is also up to 100% with no open programs after I did this.
  • 0

#68
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,965 posts
Same deal:


  • 0

#69
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
[codebox]
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ServerAdminUI"=dword:00000000
"Hidden"=dword:00000002
"ShowCompColor"=dword:00000001
"HideFileExt"=dword:00000000
"DontPrettyPath"=dword:00000000
"ShowInfoTip"=dword:00000001
"HideIcons"=dword:00000000
"MapNetDrvBtn"=dword:00000000
"WebView"=dword:00000000
"Filter"=dword:00000000
"SuperHidden"=dword:00000000
"SeparateProcess"=dword:00000000
"ListviewAlphaSelect"=dword:00000001
"ListviewShadow"=dword:00000001
"ListviewWatermark"=dword:00000001
"TaskbarAnimations"=dword:00000001
"StartMenuInit"=dword:00000002
"StartButtonBalloonTip"=dword:00000002
"NoNetCrawling"=dword:00000000
"FolderContentsInfoTip"=dword:00000001
"FriendlyTree"=dword:00000001
"WebViewBarricade"=dword:00000001
"DisableThumbnailCache"=dword:00000000
"ShowSuperHidden"=dword:00000000
"ClassicViewState"=dword:00000000
"PersistBrowsers"=dword:00000000
"TaskbarSizeMove"=dword:00000001
"TaskbarGlomming"=dword:00000001
"Start_ShowNetPlaces_ShouldShow"=dword:00000041

[/codebox]
  • 0
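The two dumps above carry the same Explorer view values in two formats: the `reg query` listing in post #66 and the REGEDIT4 export in post #69. As an added example (not the helper's batch file or Regfix.reg, neither of which is shown in the thread), here is a small parser that reads both formats and flags the settings that keep files out of sight; the sample dumps are constructed from the values posted above, and the meaning of Hidden, ShowSuperHidden and HideFileExt is standard Windows Explorer behaviour.

```python
import re
# Constructed samples using the values the posts above show, in the two formats
# the helper's batch file produced: `reg query` output, then a REGEDIT4 export.
REG_QUERY_OUTPUT = r"""! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden REG_DWORD 0x2
ShowSuperHidden REG_DWORD 0x0
HideFileExt REG_DWORD 0x0
"""
REGEDIT4_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000000
"""
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# Key lines are bare in `reg query` output and bracketed in a .reg file; a DWORD
# value is `Name REG_DWORD 0x2` in one format and `"Name"=dword:00000002` in the other.
KEY_RE = re.compile(r"^\[?(HKEY_[^\]]+)\]?$")
VALUE_RE = re.compile(r'^"?([^"\s]+)"?\s*(?:REG_DWORD\s+0x|=dword:)([0-9A-Fa-f]+)$')

def parse_registry_dump(text):
    """Parse either format into {key: {value_name: int}}; only DWORDs are kept."""
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            result.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            result[key][m.group(1)] = int(m.group(2), 16)
    return result

def explorer_view_findings(values):
    """Report view settings that hide files: Hidden 1 shows hidden files (2 does not),
    ShowSuperHidden 1 shows protected OS files, HideFileExt 1 hides known extensions."""
    adv = values.get(ADVANCED, {})
    findings = []
    if adv.get("Hidden") != 1:
        findings.append("hidden files not shown (Hidden=%r)" % adv.get("Hidden"))
    if adv.get("ShowSuperHidden") != 1:
        findings.append("protected OS files not shown (ShowSuperHidden=%r)" % adv.get("ShowSuperHidden"))
    if adv.get("HideFileExt") == 1:
        findings.append("known file extensions hidden (HideFileExt=1)")
    return findings
```

Both dumps parse to the same dictionary, so the findings are identical whichever format the batch file produced.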

#70
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,965 posts
Take a screen shot of the Task Manager.

  • You can do this by pressing the PrintScreen key.
  • Then go to Start > All Programs > Accessories > Paint
  • In Paint, go up to Edit > Paste
  • Then Go up to File > Save As. Click the drop-down box to change the "Save As Type" to "JPEG", name it what you want, and save it where you want.
  • Then click Add Reply in this topic.
  • Click the Browse button.
  • Locate the file you just saved, click on it, then click Open.
  • Click Add This Attachment.

  • 0

#71
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,965 posts
Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, Regfix.reg. Once extracted, double-click on the Regfix.reg file and select Yes when prompted to merge it into the registry.

Restart the computer. Check the Folder Options.
  • 0

#72
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Let me know if it worked, I had to install winzip...haven't zipped for years.
The bmp was > 500k

Attached Files


  • 0

#73
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,965 posts

Let me know if it worked, I had to install winzip...haven't zipped for years.
The bmp was > 500k

It is Bagle. Run MyPoppy.exe and post its report. Did that happen after you clicked IE?
  • 0

#74
Linda68

Linda68

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
When I initially opened IE after the "fingers crossed" post, it started quickr than it has since this problem began. When I went to the website that contains webcasts for my class, it popped up a white window but wouldn't begin playing the clip.

So, I had some saved webcasts on my hard drive and tried to play them, and also had MS Word and Dragon dictate open to dictate the video clip into a Word document. The dictation was too slow for it to be effective, so I shut everything down.

I then proceeded to open up an IE window. This is when IE took a while to open up, so I closed it immediately, and it is when I noticed the 100% CPU usage.

Attached Files


  • 0

#75
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,965 posts

it started [b]quickr[/b] than it has


What does that term in red stand for?
  • 0