Trojan-downloader.win32.bagle.jo

1 reply to this topic

#1 PijavQa

  • Members
  • 1 posts

Posted 12 February 2008 - 04:49 AM

I got a file something.exe. I was on an admin account. I opened it and immediately noticed something was wrong. I checked it with http://virusscan.jotti.org/ and some of the scanners there showed that it is Trojan-Downloader.Win32.Bagle.jo. I couldn't boot into safe mode, Windows Defender was crippled and didn't start. In fact, none of the antivirus programs would start or install. My processor usage was around 11-15% all the time.

So I went to Kaspersky's site and checked with their online scanner. It took almost 12 hours to complete. It found that my System Volume Information folders were infected with Trojan-Downloader.Win32.Bagle.iw, and a file mdelk.exe in the Windows directory with Email-Worm.Win32.Bagle.of. I cleaned System Volume Information (manually and by turning System Restore off). I ran Deckard's System Scanner and found that I have a wintems/srosa/hldrr infection. I couldn't delete them. I ran gmer, but I couldn't boot into safe mode. Then I was able to boot into safe mode by fixing the registry with a reg file I found on http://blog.didierstevens.com/2007/02/19/r...ith-a-reg-file/. I ran gmer in safe mode and killed the files wintems.exe/hldrr.exe and wintems.pf. I deleted the content of the folder "down".

Kaspersky also found something strange: Program Files\Creative\SBAudigy\Program\ADGJDet.exe Infected: Trojan-Downloader.Win32.Bagle.jo. A little googling told me that it was a perfectly legitimate file, but Jotti's site told me the opposite. So I deleted it.

I thought I was clean. Additionally, I manually deleted keys related to srosa (megadrv3 or something), but some keys disappeared by themselves.
Like
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit"="C:\WINDOWS\system32\drivers\hldrrr.exe" [2006-05-10 01:05]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [2008-02-11 07:15]
The two latter keys didn't appear anymore :D
Processor usage was about 0-1%.
I was finally able to install HijackThis and save ComboFix.
I ran the Kaspersky online scanner once again (4 hours) and found that I was still dirty: hldrr and wintems still existed. System Restore had turned itself back on, and there was Trojan-Downloader.Win32.Bagle.jo in System Volume Information. But this time I was able to delete them in normal mode (??)
Once again I wasn't able to boot into safe mode. I fixed the registry again and ran ComboFix. Now I am able to go into safe mode.
I don't understand the ComboFix log file :D . So I'm here.
I apologise for my poor style, but I have had little sleep over the last three days trying to fix the mess.
I didn't write down everything I did step by step - I ran HijackThis (I was only able to run it for the first time after I saved it under a different name), Deckard's System Scanner, Silent Runners and gmer a couple of times. I don't know if the srosa/wintems infection was only a consequence of the first infection or the main infection. I am posting two of my HijackThis logs (the first one and the last one), the ComboFix log and the DSS logs. I'm not sure if I want to post the Kaspersky logs - they contain some private information, so I can send them to a helper, but I don't want them to be seen by everybody.

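The indicators in the post above (the Run values "drvsyskit" and "german.exe", the files hldrrr.exe and wintems.exe, the srosa driver, the wintems prefetch file, and safe mode refusing to start until a .reg file was imported) can be checked in one pass. The following PowerShell is an added triage example, not code from the poster, from the forum helper, or from BleepingComputer. It is read-only and deletes nothing; the names it looks for are the ones the post lists, and everything else (the directories it searches, the SafeBoot and Services keys it inspects) is this example's own assumption.

```powershell
# Added triage script (not from the post or the forum helper). Read-only: it reports
# and deletes nothing. Run from an elevated PowerShell prompt.
# Names taken from the post: hldrrr.exe, wintems.exe, the Run values "drvsyskit"
# and "german.exe", the "srosa" driver/service and the "wintems" prefetch file.
# Everything else (which paths and keys to read) is this example's own assumption.

$SuspectFiles  = @('hldrrr.exe', 'wintems.exe')
$SuspectValues = @('drvsyskit', 'german.exe')
$RunKeys       = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Properties the registry provider adds to every Get-ItemProperty result; not real values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-SuspectRunEntries {
    # Flag Run values whose name or command line matches what the post lists.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties
        foreach ($p in $props) {
            if ($ProviderProps -contains $p.Name) { continue }
            $cmd     = [string]$p.Value
            $hitName = $SuspectValues -contains $p.Name
            $hitFile = $false
            foreach ($f in $SuspectFiles) {
                if ($cmd -match [regex]::Escape($f)) { $hitFile = $true }
            }
            if ($hitName -or $hitFile) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

function Test-SafeBootKeys {
    # Safe mode cannot start when these keys are gone; the poster's symptom
    # (safe mode only works after re-importing a .reg file) is consistent with
    # their deletion. Reports whether each key exists and how many entries it holds.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($sub in @('Minimal', 'Network')) {
        $path    = Join-Path -Path $base -ChildPath $sub
        $present = Test-Path -Path $path
        $count   = 0
        if ($present) { $count = @(Get-ChildItem -Path $path).Count }
        [pscustomobject]@{ Key = $path; Present = $present; Entries = $count }
    }
}

function Test-SuspectService {
    param([string]$Name = 'srosa')
    # A driver loads through its service key; if the key survives, the cleanup
    # was incomplete even when the file on disk has been removed.
    $svc   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $image = $null
    if (Test-Path -Path $svc) { $image = (Get-ItemProperty -Path $svc).ImagePath }
    [pscustomobject]@{ Service = $Name; KeyExists = (Test-Path -Path $svc); ImagePath = $image }
}

function Get-SuspectArtifacts {
    # Files in the locations the post's Run values point at, plus the prefetch entry
    # for wintems (Windows names prefetch files EXENAME-<hash>.pf).
    $candidates = @()
    foreach ($d in @("$env:SystemRoot\system32", "$env:SystemRoot\system32\drivers")) {
        foreach ($f in $SuspectFiles) { $candidates += (Join-Path -Path $d -ChildPath $f) }
    }
    foreach ($c in $candidates) {
        if (Test-Path -Path $c) { Get-Item -Path $c | Select-Object FullName, Length, LastWriteTime }
    }
    Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter 'WINTEMS.EXE-*.pf' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

'== Run entries matching the post =='
Get-SuspectRunEntries | Format-Table -AutoSize
'== SafeBoot keys (Present = False means safe mode cannot boot) =='
Test-SafeBootKeys | Format-Table -AutoSize
'== srosa service key =='
Test-SuspectService | Format-List
'== Files and prefetch artifacts =='
Get-SuspectArtifacts | Format-Table -AutoSize
```

Read the three sections together rather than one at a time: an empty Run table with the srosa service key still present means the driver is still being loaded and the files can be dropped again on the next boot, which matches what the poster saw after the first cleanup. If either SafeBoot key is missing, restore it from a known-good export before relying on safe mode for the rest of the cleanup.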
#2 Blender

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 20 February 2008 - 07:09 PM

Hi and welcome,

Sorry for the delay.

Still need help? Let me know please, before doing anything else.
This infection requires a specific fix tool to deal with.

Thanks :thumbsup: