Author Topic: Bagles, Pakes and Agents  (Read 9951 times)


Boggy

  • Guest
Re: Bagles, Pakes and Agents
« Reply #15 on: February 27, 2008, 03:28:46 PM »
In c:\combofix I have 2 .txt files, one named combofix.txt, in which there is only this:
Code:
ComboFix 08-02-25.3 - Boggy 2008-02-26 21:56:34.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1033.18.1509 [GMT 2:00]
Running from: C:\Documents and Settings\Boggy.BOGGY-A69F48D4D\Desktop\Aproape inutile-nefolosite\ComboFix(2).exe
.

and a pend.txt, in which there is this:

Code:
.:\\(0!|0\\0)
C:\\WINDOWS\\system32\\(0!|0\\0)
C:\\WINDOWS\\system32\\config\\(0!|0\\0)
C:\\WINDOWS\\system32\\csrss.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\drivers\\(0!|0\\0)
C:\\WINDOWS\\system32\\hal.dll\\(0!|0\\0)
C:\\WINDOWS\\system32\\lsass.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\ntdll.dll\\(0!|0\\0)
C:\\WINDOWS\\system32\\services.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\smss.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\svchost.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\userinit.exe\\(0!|0\\0)
C:\\WINDOWS\\system32\\wbem\\(0!|0\\0)
C:\\WINDOWS\\system32\\winlogon.exe\\(0!|0\\0)
C:\\boot.ini\\(0!|0\\0)
C:\\ntdetect.com\\(0!|0\\0)
C:\\ntldr\\(0!|0\\0)
C:\\WINDOWS\\(0!|0\\0)
C:\\WINDOWS\\explorer.exe\\(0!|0\\0)

There is a folder in c:\combofix, named test, but it's empty...

P.S.: I have 2 new folders in C:, C:\Avenger, which I've deleted because it was empty, and a C:\QooBox, in which I have the "nasty" files. Didn't ComboFix delete those? Are those files safe? Should I delete QooBox?
« Last Edit: February 27, 2008, 03:31:23 PM by Boggy »
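Read as regular expressions (each `\\` is one literal backslash and `.:` is any drive letter), the pend.txt lines above match a critical Windows path followed by `\0!` or `\0\0`. That is how a flattened PendingFileRenameOperations value reads when the file is queued to be replaced (target prefixed with `!`, i.e. MOVEFILE_REPLACE_EXISTING) or deleted (empty target) at the next boot, a trick used to swap out system binaries before antivirus starts. The script below is an added example, not part of the thread and not ComboFix's own code: it applies the same nineteen patterns to a constructed value and reports which critical paths are queued. That the patterns are intended for PendingFileRenameOperations, and that the NUL separators are serialised as the two characters `\0`, are assumptions; the post itself does not say. The sample entries are constructed for the example.

```python
import re

# The patterns from pend.txt, copied as regular expressions. In a regex "\\" is
# one literal backslash, so each line matches a path followed by "\0!" (pending
# replace) or "\0\0" (pending delete).
PEND_PATTERNS = [
    r".:\\(0!|0\\0)",
    r"C:\\WINDOWS\\system32\\(0!|0\\0)",
    r"C:\\WINDOWS\\system32\\config\\(0!|0\\0)",
    r"C:\\WINDOWS\\system32\\csrss.exe\\(0!|0\\0)",
    r"C:\\WINDOWS\\system32\\drivers\\(0!|0\\0)",
    r"C:\\WINDOWS\\system32\\hal.dll\\(0!|0\\0)",
    r"C:\\WINDOWS\\system32\\lsass.exe\\(0!|0\\0)",
    r"C:\\WINDOWS\\system32\\ntdll.dll\\(0!|0\\0)",
    r"C:\\WINDOWS\\system32\\services.exe\\(0!|0\\0)",
    r"C:\\WINDOWS\\system32\\smss.exe\\(0!|0\\0)",
    r"C:\\WINDOWS\\system32\\svchost.exe\\(0!|0\\0)",
    r"C:\\WINDOWS\\system32\\userinit.exe\\(0!|0\\0)",
    r"C:\\WINDOWS\\system32\\wbem\\(0!|0\\0)",
    r"C:\\WINDOWS\\system32\\winlogon.exe\\(0!|0\\0)",
    r"C:\\boot.ini\\(0!|0\\0)",
    r"C:\\ntdetect.com\\(0!|0\\0)",
    r"C:\\ntldr\\(0!|0\\0)",
    r"C:\\WINDOWS\\(0!|0\\0)",
    r"C:\\WINDOWS\\explorer.exe\\(0!|0\\0)",
]

# Constructed sample values, shaped like the REG_MULTI_SZ that Windows stores in
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations:
# alternating source/target strings, empty target = delete, "!" prefix = replace.
SAMPLE_BENIGN = [
    r"\??\C:\Documents and Settings\Boggy\Local Settings\Temp\~DF12AB.tmp", "",
]
SAMPLE_SUSPECT = [
    r"\??\C:\WINDOWS\system32\hal.dll", "",                      # delete hal.dll
    r"\??\C:\WINDOWS\system32\userinit.exe",                     # replace userinit.exe
    r"!\??\C:\WINDOWS\Temp\~tmp1.exe",
    r"\??\C:\Documents and Settings\Boggy\Local Settings\Temp\~DF12AB.tmp", "",
]


def flatten_pending(entries):
    """Join the REG_MULTI_SZ strings into one line, writing every NUL separator
    as the two characters "\\0". Assumption: this is the layout the pend.txt
    patterns were written against; the thread does not state it."""
    return "\\0".join(entries) + "\\0"


def flag_critical_pending(entries):
    """Return the pend.txt patterns that fire against the flattened value.
    An empty list means no critical file or directory is queued for
    replacement or deletion at the next boot."""
    flat = flatten_pending(entries)
    return [p for p in PEND_PATTERNS if re.search(p, flat)]


def read_pending_from_registry():
    """Read the live value on Windows (hypothetical helper for real use; not
    exercised by the sample data). Returns [] when the value is absent."""
    import winreg  # only available on Windows
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:
            return []
    return list(value)


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        hits = flag_critical_pending(sample)
        print(f"{name}: {len(hits)} critical pending operation(s)")
        for h in hits:
            print("  ", h)
```

The check is only a signal, not a verdict: a legitimate update can queue a replacement of a system binary too, so a hit is reason to look at the target path and at who queued it, not to assume an infection on its own.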

CharleyO

  • Guest
Re: Bagles, Pakes and Agents
« Reply #16 on: February 27, 2008, 10:37:41 PM »
***

Qoobox is like Combofix's safe box and lists what has been removed.


***

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Bagles, Pakes and Agents
« Reply #17 on: February 28, 2008, 04:17:30 AM »
Please disable teatimer per the previous instructions. It will only interfere.

We'll try to get a combofix log. It looks like your other security programs intercepted combofix last time. Please follow all instructions regarding combofix and security programs. I don't know if it was damaged. Delete the copy of combofix.exe from your desktop (leave the rest on c:\).



Open HJT, run a system scan only, check mark these lines if present

O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix(2)\Combobatch.bat

Close all other browsers/windows, click fix, close HJT.


Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you. 
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


For safe mode repair use this

Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe
It shall only take a short moment for it to finish running. A log shall be produced at C:\SafeBoot_Repair.txt.

Boggy

Re: Bagles, Pakes and Agents
« Reply #18 on: February 28, 2008, 06:20:16 AM »
ComboFix.txt & a new HJT log...

Later edit: and the SafeBoot log

Second later edit: Great! XoftSpy doesn't detect anything! This Bagle thing is GONE! Thanks a lot!

One more question. XoftSpy detects Kazaa after every boot... how can I delete this, because the repair of XoftSpy is inefficient?

« Last Edit: February 28, 2008, 06:26:26 AM by Boggy »

Offline oldman

Re: Bagles, Pakes and Agents
« Reply #19 on: February 28, 2008, 07:15:52 AM »
So everything ok now, safe mode works?

Don't know how to keep XoftSpy from detecting Kazaa. Perhaps ask on the XoftSpy forum, if they have one.

If everything is all right, then cleanup the tools you used.


* Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u


* Please download OTMoveIt2 by OldTimer.



Open OTMoveIt2, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet; allow this. A cleanup.txt will be downloaded, and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself.

* Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

* Remove old restore points

- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.


* Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".

Click the download button on the right.

 > If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.



* Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp by Steven Gould

http://www.stevengould.org/downloads/cleanup/


* If you are using windows firewall, please note that it doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0



Take care and keep safe.

Boggy

Re: Bagles, Pakes and Agents
« Reply #20 on: February 28, 2008, 08:40:00 AM »
Safe mode works, Kazaa isn't detected anymore, not to mention Beagle. Thanks a lot for your help. I think my computer is cleaner than a formatted PC ;D.

I hope everyone else who had a Beagle infestation problem, will read this thread!

Again, thanks a lot for your help!

Regards,
Bogdan
« Last Edit: February 28, 2008, 11:12:02 AM by Boggy »

Offline oldman

Re: Bagles, Pakes and Agents
« Reply #21 on: February 28, 2008, 02:37:14 PM »
You're welcome, happy to help.