
Multiple Trojans, Worms


  • This topic is locked
5 replies to this topic

#1 whatsup

whatsup

  • Members
  • 23 posts

Posted 18 August 2008 - 04:04 PM

Misposted this as reply to Smithfraud advice. Reposting here. Very sorry.

Regarding the instructions from Bleeping Janitor for Smithfraud. Forgive my ignorance.

1. Do the MsnCleaner.zip instructions also apply to smithfraud.c and the trojans and worms listed below?

2. After the Kaspersky free online scan, along with smithfraud.c, the following were also found:
Trojan spy-bankfraud.ci, email-worm-bagle.pac, bagle.ds, bagle cs, bagle.ee, bagle.eg, trojan spy-fraud.gen, trojan spy-bayfraud.hn, trojan-spy-fraud.av

3. 2002 Compaq Presario 6000, XP, Norton Internet Security (run nightly), Spybot (run weekly), Ad-Aware (run at each startup), Windows Defender, bi-weekly Trend Micro HouseCall online free scan (which found and deleted MEM_WATCHER but not the above). Hard drive 80% free. 1G RAM.

5. File name for all of above was C:\Documents and Settings\Diane and John\Application Data\Thunderbird\Profiles\2zb23qo5.default\Mail\Local Folders\Inbox or\Junk
6. Computer is still running with no hangups or slowdowns at this point.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 August 2008 - 09:50 PM

Hello and welcome to BC. You have here a serious, multiple Bagle infection. I feel the best course of action with this is to go directly thru the HiJackThis team. As I think no matter what we try we will be there eventually.

The tools needed to remove this are available under supervision here.
Please follow the instructions in this tutorial for posting a HijackThis Log.
Preparation Guide for use before posting a HijackThis Log


After you have created it, post the log here: HijackThis Logs and Malware Removal, and NOT in this topic, thanks.

Click on New Topic and copy/paste the entire log into the reply. Give it a relevant title.
Once you have posted the log DO NOT reply to it or change it until contacted or advised to do so by the HJT Team tech.
Should you have any other questions about this ask those here.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 whatsup


Posted 20 August 2008 - 10:36 AM

Thank you so much, Boopme.
I am following the instructions in the guide. It is taking some time because we have dialup and downloading the updates has failed for each scanner the first time. But we repeat and succeed. Panda is the only one so far that found Bagle, along with 10 other infected files, but their registration process had a glitch, and we could not delete. The program is inexpensive so will get it today, as long as it does not conflict with Norton Internet Security. Do you know? We will start over today with Panda's active scan. I am so grateful for your response and help. I will continue to follow the directions you sent.
Thank you again so much. Diane
Diane

#4 boopme


Posted 20 August 2008 - 01:03 PM

Thank you. There is no need to purchase Panda ActiveScan, not that it isn't a great product.
We only need the log from the scan.

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.


If you have already, that is fine. Use it to remove what it found.

#5 whatsup


Posted 23 August 2008 - 01:39 PM

Howdy Boopme,
Followed instructions of guide to hijack and posted.
Unable to purchase Active Scan as login is not working for purchase or further deletion. Last Active scan had 1 low risk along with Firefox\plugins\NPMySrWB.dll not-a-virus infection and C:\Windows\Downloaded Program Files\popcaploader.dll. Would like to get rid of these. Previous active scan had the following.

Scan had Threats with free disinfection (3)
Medium danger level (1)

Low danger level (2)

W32/Bagle.EN.w... Virus Latent Hide
+ Info
Disinfected
1. C:\Documents and Settings\Diane and John\Appl...Folders\Inbox[newprice.zip][09.exe]

W32/Bagle.CA.w... Virus Latent Hide
+ Info
Disinfected
1. C:\Documents and Settings\Diane and John\Appl...Folders\Inbox[Make.rar][123456.exe]
2. C:\Documents and Settings\Diane and John\Appl... Folders\Junk[Make.rar][123456.exe]

Threats disinfected with the paid version (1)
Low danger level (1)

Application/My... Tracking Application Latent Hide
+ Info

1. C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll
Only available in paid version.
Buy - I am a client

Suspicious files (5)

C:\Documents and Settings\Diane and John\Appl...ers\Junk[Info_prices.zip][text.exe] Sending

C:\Documents and Settings\Diane and John\Appl...cal Folders\Junk[price2.zip][1.cpl] Sending

C:\Documents and Settings\Diane and John\Appl...22-421-683.zip][TT-022-421-683.exe] Sending

C:\Documents and Settings\Diane and John\Appl...rs\Inbox[Info_prices.zip][text.exe] Sending

C:\Documents and Settings\Diane and John\Appl...al Folders\Inbox[price2.zip][1.cpl] Sending

Terms and conditions of use - Panda


Should I wait to pursue this until I hear from the HJT folks?
Looks like now would be a good time to bake cookies and go fishing.
Thank you, thank you for your help so far.

#6 boopme


Posted 23 August 2008 - 04:11 PM

No, do not make any further changes to the PC. When the HJT team replies you can tell them you have this log and post it. They will reply what is next. By BC rule I will close this topic with a reply. Should you need anything else please feel free to PM me.
Enjoy the fishing and Uhhmmm!! Cookies....

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic.

Edited by boopme, 23 August 2008 - 04:12 PM.
