Author Topic: Welcome to NGINX  (Read 63561 times)


Offline nanajana

  • Sr. Member
  • ****
  • Posts: 375
  • Health is Wealth
Re: Welcome to NGINX
« Reply #135 on: May 30, 2012, 02:37:01 PM »
Hi Jeff,

Okay I'll check that out & make sure I remove as per instructions, thanks yet again!!!

Cheers,
Janice
I love this forum, with all its extremely knowledgeable personnel!

jeffce

  • Guest
Re: Welcome to NGINX
« Reply #136 on: May 30, 2012, 04:06:35 PM »
 :)

Offline nanajana
Re: Welcome to NGINX
« Reply #137 on: June 06, 2012, 05:31:05 PM »
Hi Jeff,

I have been checking folders in my registry and came across a folder called Binary Noise.  So I checked to see what this is and came across this again for the Win32/Bagle trojan.

These are the keys that are suspect:
        HKEY_CURRENT_USER\Software\Binary Noise
        HKEY_CURRENT_USER\Software\Binary Noise\mPlayer
        HKEY_CURRENT_USER\Software\Binary Noise\mPlayer\[filename of the sample #1] under here I have loader_pc_mprojector.exe & webshots_desktop_installer.exe. 

Now at one time I did have webshots installed.

So again not exactly sure if these are still active but am sure it shouldn't be there!

Please advise,
Cheers,
Janice

Offline nanajana
Re: Welcome to NGINX
« Reply #138 on: June 06, 2012, 05:54:16 PM »
Hi Jeff,

I don't seem to be seeing the .exe files though that go with these entries, so would that mean that the virus is effectively gone?  I am totally freaked out at the moment, but hope that is what it means.

Cheers,
Janice

jeffce
Re: Welcome to NGINX
« Reply #139 on: June 06, 2012, 06:44:29 PM »
Hi,

We can remove that if you wish.  I see why you are concerned.

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Next I would like you to take the following steps:
  • Click Start then Run type Notepad and click Ok
  • Copy and Paste the contents of the Code box below into Notepad
Code:
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Binary Noise]
  • Save as regfix.reg to your Desktop
  • Make sure to save file type as All Files
  • Now right-click regfix.reg and select Merge
Go ahead and check to be sure it is not there any longer and let me know. 
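A PowerShell equivalent of the procedure above (back the key up, then delete it with a `[-HKEY_CURRENT_USER\...]` merge), added here as an editor's example and not part of the original reply. Instead of a whole-registry ERUNT backup it exports just the one key to a .reg file on the Desktop, which can be merged to put the key back. It assumes PowerShell 2.0 or later and writes to a file name of my choosing (`Binary_Noise_backup.reg`); the key path itself is the one from the thread.

```powershell
# Editor's added example, not the forum poster's code.
# Scoped backup of the "Binary Noise" key, then deletion, then verification.
# Assumes PowerShell 2.0+ on Windows. HKCU needs no elevation; HKLM keys would.

$key    = 'HKCU\Software\Binary Noise'      # reg.exe form of the path
$psKey  = 'HKCU:\Software\Binary Noise'     # PowerShell registry-provider form
$backup = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Binary_Noise_backup.reg'  # assumed name

if (-not (Test-Path -LiteralPath $psKey)) {
    "Key not present: $key"
    return
}

# 1. Put the subkeys and values on record before touching anything.
Get-ChildItem -LiteralPath $psKey -Recurse | ForEach-Object { $_.Name }
Get-ItemProperty -LiteralPath $psKey | Format-List *

# 2. Export the key to a .reg file. Merging that file later restores the key.
#    Remove any stale copy first so reg.exe never has to prompt about overwriting.
if (Test-Path -LiteralPath $backup) { Remove-Item -LiteralPath $backup -Force }
reg.exe export "$key" "$backup" | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backup)) {
    throw "Backup failed; not deleting anything."
}
"Backup written to $backup"

# 3. Delete the key and everything beneath it, the same effect as the
#    [-HKEY_CURRENT_USER\Software\Binary Noise] line in regfix.reg.
Remove-Item -LiteralPath $psKey -Recurse -Force

# 4. Verify the deletion actually happened.
if (Test-Path -LiteralPath $psKey) { throw "Key still present: $key" }
"Removed: $key (restore by double-clicking $backup and choosing Merge)"
```

Run it from a PowerShell window as the same user whose HKCU hive holds the key. The script refuses to delete if the export did not succeed, so you always have a way back.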

Offline nanajana
Re: Welcome to NGINX
« Reply #140 on: June 06, 2012, 08:42:10 PM »
Hi Jeff,

Did as suggested and it is gone!  Why would I have a folder called HKEY_CURRENT_USER with sub folders SOFTWARE, subfolder Microsoft, subfolder Windows, subfolder CurrentVersion, subfolder RunOnce within the registry entry called HKEY_CURRENT_USER?  I don't recall seeing that before but....

Cheers,
Janice

Offline nanajana
Re: Welcome to NGINX
« Reply #141 on: June 06, 2012, 10:20:53 PM »
Hi Jeff,

Can we also get rid of HKCU\Software\Local AppWizard-Generated Applications, which is part of the Win32/Bagle trojan?

Cheers,
Janice

jeffce
Re: Welcome to NGINX
« Reply #142 on: June 06, 2012, 11:01:38 PM »
  • Click Start > Run type Notepad click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
Code:
@echo off
REM Export the suspect key to a text file on the Desktop for inspection
regedit.exe /e "%userprofile%\Desktop\look.txt" "HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications"
REM Open the export; the batch file waits here until Notepad is closed
notepad.exe "%userprofile%\Desktop\look.txt"
REM Clean up using the full path, so this works whatever the current directory is
del "%userprofile%\Desktop\look.txt"
REM Delete this batch file itself
del "%~f0"
  • Click Format and ensure Wordwrap is unchecked.
  • Save as RegExp.bat
  • Save as file type All Files or it won't work.
  • Now double click on RegExp.bat to run it.
  • A file look.txt will open on your Desktop, please post the contents in your next reply.

Offline nanajana
Re: Welcome to NGINX
« Reply #143 on: June 07, 2012, 12:03:19 AM »
HI Jeff,

Okay did as requested, see attached file.

Cheers,
Janice

jeffce
Re: Welcome to NGINX
« Reply #144 on: June 07, 2012, 12:22:30 AM »
Registry keys are normally not enough to be infected.  Most of them look pretty strange but if you aren't experiencing any problems we should leave them alone.  :)

Offline nanajana
Re: Welcome to NGINX
« Reply #145 on: June 07, 2012, 01:10:40 AM »
Hi Jeff,

By "Most of them look pretty strange" do you mean the entries that I attached in my last post?  The only entry there I recognize is Zoombrowser entry which is part of my Canon camera software.

TrojanDownloader:Win32/Bagle.gen!A creates the following registry subkeys and entries as part of its installation routine:
 
Adds value: "frstrunn"
With data: "1"
To subkey: HKCU\Software\bisoft  -  I DON'T HAVE THIS ONE
 
Adds value: "EnableLUA"
With data: "<value>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\Security Center\Svc  - I DON'T HAVE THIS ONE
 
where <value> is a certain number.
 
Adds key: HKCU\Software\Local AppWizard-Generated Applications
 
and all its associated subkeys.  I JUST HAVE THIS ONE
 
It may also create the following folders:
 
    %AppData%\drivers
    %AppData%\drivers\downld  - I DON'T KNOW ABOUT EITHER OF THESE AS I DON'T KNOW WHERE TO LOOK!

Anyway, sorry to be obsessing about this & being such a pest, I just want to be sure I'm free of this virus!
Well okay I will leave this alone.  You're the best, thanks soooo much yet again!

Cheers,
Janice
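The artifact list quoted in the post above can be checked in one go rather than by browsing regedit and Explorer by hand. The script below is an editor's added example, not something from the thread or from the malware write-up it quotes; it tests exactly the registry values, keys and folders listed above and reports which are present, then dumps the subkeys of the one key Janice does have so they can be looked at (the thread already identified one as Canon ZoomBrowser). As Jeff notes, a leftover key is not by itself proof of an active infection, so treat the output as evidence to weigh, not a verdict. It assumes PowerShell 2.0 or later; the helper name `Test-RegValue` is my own.

```powershell
# Editor's added example, not code from the thread.
# Reports which of the quoted Win32/Bagle.gen!A artifacts exist on this machine.
# Assumes PowerShell 2.0+ on Windows; paths are the ones listed in the post.

function Test-RegValue {
    # Helper (editor's own): $true if the key exists and holds the named value;
    # when -ExpectedData is supplied, the stored data must match it as well.
    param([string]$Key, [string]$Name, [string]$ExpectedData)
    if (-not (Test-Path -LiteralPath $Key)) { return $false }
    $props = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    if ($PSBoundParameters.ContainsKey('ExpectedData')) {
        return ([string]$props.$Name -eq $ExpectedData)
    }
    return $true
}

$appwiz = 'HKCU:\Software\Local AppWizard-Generated Applications'

$checks = @(
    @{ What = 'HKCU\Software\bisoft : frstrunn = 1'
       Test = { Test-RegValue 'HKCU:\Software\bisoft' 'frstrunn' '1' } },
    @{ What = 'HKLM\SOFTWARE\Microsoft\Windows\Security Center\Svc : EnableLUA present'
       Test = { Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\Security Center\Svc' 'EnableLUA' } },
    @{ What = 'HKCU\Software\Local AppWizard-Generated Applications (key)'
       Test = { Test-Path -LiteralPath $appwiz } },
    @{ What = '%AppData%\drivers (folder)'
       Test = { Test-Path -LiteralPath (Join-Path $env:APPDATA 'drivers') } },
    @{ What = '%AppData%\drivers\downld (folder)'
       Test = { Test-Path -LiteralPath (Join-Path $env:APPDATA 'drivers\downld') } }
)

$present = 0
foreach ($c in $checks) {
    $hit = & $c.Test
    if ($hit) { $present++ }
    $status = if ($hit) { 'PRESENT' } else { 'absent ' }
    "{0}  {1}" -f $status, $c.What
}
""
"{0} of {1} listed artifacts present." -f $present, $checks.Count

# If the AppWizard key exists, list what is under it so each subkey can be
# attributed to a known program (or not) before deciding to remove anything.
if (Test-Path -LiteralPath $appwiz) {
    ""
    "Subkeys of $appwiz :"
    Get-ChildItem -LiteralPath $appwiz -Recurse | ForEach-Object { "  " + $_.Name }
}
```

The HKLM check reads only, so an ordinary user account can run the whole script; nothing here modifies the registry or the file system.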

jeffce
Re: Welcome to NGINX
« Reply #146 on: June 07, 2012, 01:19:52 AM »
I understand your desire to be infection free. 

I feel confident that you are and I am glad that I could help.  :)

Offline nanajana
Re: Welcome to NGINX
« Reply #147 on: June 07, 2012, 01:33:06 AM »
Hi Jeff,

If you are confident that I'm virus free then I am confident that I am virus free :) !

Thank you, thank you, thank you!

Cheers,
Janice

jeffce
Re: Welcome to NGINX
« Reply #148 on: June 10, 2012, 02:36:13 AM »
You are more than welcome.  :)

Offline nanajana
Re: Welcome to NGINX
« Reply #149 on: June 20, 2012, 09:47:31 PM »
HI,

I'm not sure what is going on with my computer.  I got the unresponsive script message: "Warning: Unresponsive Script.  A script may be busy or it may have stopped responding.  You can stop the script now, or you can continue to see if the script will complete.  Script: chrome://browser/content/sanitize.js:133", but at least I don't get the "Welcome to NGINX" page yet.  I do have a few problems though.  From time to time I lose my disconnect-from-the-internet button: it looks like I'm disconnected, my connection shows that I have to connect to go on the net, but I am actually still on the net.  I'm not getting the blue screen of death this go round, but I do have to reboot fairly often because things are hanging up and I can't get rid of them.  Example: I had deleted something I wanted back, so I went to my trash to restore it; it restored, but the restore command stayed on my desktop.  My clock will be slow by about 1/2 hr on one reboot, but when I reboot again it will be correct.  My update from Avast (the green box that comes up) hangs up, and I can't get rid of it either until I reboot.  Clicking on the "x" does nothing.

I will admit to being totally paranoid and hope the virus isn't back but don't know if I should run the tools again or if this is a different issue altogether! 

Cheers,
Janice