Chaslang ~ I've done it again.....

Discussion in 'Malware Help (A Specialist Will Reply)' started by coralou, Apr 17, 2005.

  1. coralou

    coralou Private E-2

    Get ready ~ this is a long painful story.


    Yesterday my husband opened an email that stated it was from me ~ of course it wasn't. The email was blank with an attachment. He viewed the attachment but did not save it to disk. It was an exe file but that's all I can tell you about it.

    I ran AVG but found nothing. I tried to update AVG ~ stated that AVG was damaged and to DL a new one. I haven't done that yet.

    Next I ran spybot. There were 5 DOS exploits and one Hijacker ~"redirect Host www.grisoft.com=127.0.0.1"

    I went to the help thread here and began to follow the directions. I made a mistake and booted in safe mode instead of safe mode with networking support. As you probably know I couldn't access the internet so I rebooted in normal mode. I ran HouseCall and found 5 infected files.
    2 ~ c:\documents and settings
    1 ~ c:\windows\system32\wins
    1 ~ c:\windows\system32\wiwshost.exe

    All stated they were uncleanable. I'm hard headed so I ignored that part. I double clicked on "c:\windows\system32\wiwshost.exe". That is when it showed the full location of the file. This file was in use and could not be accessed.

    This is where the really painful part comes in....
    I highlighted the other 3 and tried to clean them to see if I could get more info on them. My 2-year-old grabbed my arm and I hit delete instead. I didn't notice right away so if it asked me "are you sure" I must have answered yes.....boo hoo hoo.

    I now know that I have to go back and run the scans in safe mode with network support.

    I have screwed things up so badly that I don't know what to do now. I am really upset that I have deleted these files ~ heck I don't even know what they were..

    I am going to wait for your advice before I go any further.

    Thanks!

    Cora
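The Spybot finding above, "redirect Host www.grisoft.com=127.0.0.1", is a hosts-file override: the AV vendor's hostname is pinned to loopback so update and download requests never leave the machine. The script below is an added example (not from this thread or from Spybot) that parses a hosts file and flags any mapping for a security-vendor domain, distinguishing a loopback/0.0.0.0 blackhole from a redirect to a routable address. The vendor list, the sample hosts content and the Windows path are assumptions made for the example.

```python
import ipaddress
import os

# Windows hosts file location (XP and later). Assumed for the example.
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Security-vendor domains worth checking. The list is an assumption for this
# example; the thread itself only shows grisoft.com (AVG's vendor at the time).
WATCHED_DOMAINS = (
    "grisoft.com", "avg.com", "symantec.com", "mcafee.com",
    "trendmicro.com", "kaspersky.com", "sophos.com", "microsoft.com",
)

# Constructed sample: a normal hosts file with malware-style entries appended.
SAMPLE_HOSTS = """\
# Constructed sample hosts file for the example
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.com  # legitimate local override
127.0.0.1       www.grisoft.com free.grisoft.com
0.0.0.0         liveupdate.symantec.com
198.51.100.7    update.microsoft.com
"""


def parse_hosts(text):
    """Yield (line_no, ip_address, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # malformed line, not a mapping
        for host in fields[1:]:                    # one address may map several names
            yield line_no, addr, host.lower().rstrip(".")


def matches_watched(host):
    """True if host is a watched vendor domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_vendor_overrides(text):
    """Return hosts entries that override a watched security-vendor domain.

    Any such entry is suspicious, since a stock hosts file has none.
    'blackhole' is True when the target is loopback or 0.0.0.0 (updates fail
    silently) and False when it is routable (traffic is being redirected).
    """
    hits = []
    for line_no, addr, host in parse_hosts(text):
        if matches_watched(host):
            hits.append({
                "line": line_no,
                "host": host,
                "address": str(addr),
                "blackhole": addr.is_loopback or addr.is_unspecified,
            })
    return hits


if __name__ == "__main__":
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for hit in find_vendor_overrides(text):
        kind = "blackholed" if hit["blackhole"] else "redirected"
        print(f"line {hit['line']}: {hit['host']} {kind} to {hit['address']}")
```

Run it on the real file from an elevated prompt; on a clean machine it prints nothing. Because the hosts file is consulted before DNS, a hit here explains failed AV updates without any network trace, and the fix is to delete the line (and check whether the file is set read-only or hidden, which some droppers do to discourage editing).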
     
  2. coralou

    coralou Private E-2

    I forgot to post that the 4 infected files were "TROJAN.BEAGLE.BH".
     
  3. SGC_Geek

    SGC_Geek Private First Class

  4. coralou

    coralou Private E-2

    Thanks!

    I will go and check those sites out.

    I did run the symantec security scan and the virus detection earlier but no virus was found.

    I am really concerned about the files I accidentally deleted...
    I don't know how to go about finding out what they were or what problems the lack of them will cause.
     
  5. coralou

    coralou Private E-2

    Chaslang,

    Ok, I went back to the beginning and followed all the steps in safe mode with networking support and then ran the scan again. HouseCall found the same file ~ I did some clicking and downloaded the program they suggested to fix the problem ~ damage cleanup engine\template. I couldn't see where it was able to remove or repair the damaged file.

    The next scan to find it was Stinger ~ found the bagle.dll.gen virus ~ I hope I have that right.

    I kept going down the list and running all the scans.

    I now have 500 post it thingys on my desk :confused:

    I completed all of these steps and found nothing.

    I logged into a couple of sites I needed info from & checked my email.
    Now I am worried about my passwords....

    I came back here and decided it couldn't hurt to run the other scans listed on the lower section of the page.


    The first one on the list found 2 infected files ~ 1 virus

    I ran HJT and have attached the log. I know I should have waited until you asked but I am afraid I won't have time to do it tomorrow so don't fuss at me ;)

    Thanks!!
     
  6. coralou

    coralou Private E-2

    I don't see my HJT log attached ~ did I muck that up too?


    The last scans I ran were

    Bitdefender- 0 found
    RavAntivirus- 1 virus found - 2 infected files
    TrojanScan- 0 found

    I am going to go back and try to run the others now.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No log was attached. Do you have HJT 1.99.1 and did you unzip it to c:\program files\hjt as we request?

    If so, try posting your log as an attachment again.
     
  8. coralou

    coralou Private E-2

    I just ran HJT again ~ it looks like it was in the wrong format.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not download the HJT version I specified and you must remember to always exit your browsers before you run HJT. You had the below running:
    C:\Program Files\Internet Explorer\iexplore.exe

    Please get the proper HJT version 1.99.1. Download HijackThis 1.99.1

    Attach a new log with it.
     
  10. coralou

    coralou Private E-2

    Sorry about that.

    That is the version I had from the last time we did this....

    Hope I have it right this time! :confused:
     

    Attached Files:

  11. coralou

    coralou Private E-2

    I have to go now ~ I wil check back in the morning.

    I bet ya wanna smack people like me ;) for not listening\reading as well as we should....

    My excuse is ....well I just can't come up with one right now.

    Thanks so much for your help!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log does not show any major problems! The below can be fixed but they are not the cause of any problems with popups.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)


    What did RavAntivirus find? Which files and where are they located?

    Deleting the files from your first post was not a problem if you deleted c:\windows\system32\wiwshost.exe.
    It can cause AVG not to work!
    Are you sure it is deleted? Make sure viewing of hidden and system files is enabled and look for it with Windows Explorer.
     
  13. coralou

    coralou Private E-2

    Here are the results from Rav antivirus ~

    Scan started at 4/18/2005 8:35:24 AM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Documents and Settings\My Name\Application Data\Thunderbird\Profiles\db9ez90g.default\Mail\mail.bellsouth.net\Inbox->(part2229:price_new_16_04_05.zip)->Result.exe - Win32/Bagle.BJ@mm -> Infected
    C:\Documents and Settings\My Name\Application Data\Thunderbird\Profiles\db9ez90g.default\Mail\mail.bellsouth.net\Trash->(part1743:price_new_16_04_05.zip)->Result.exe - Win32/Bagle.BJ@mm -> Infected

    Scanned
    ============================
    Objects: 34517
    Directories: 3908
    Archives: 2598
    Size(Kb): 1951593
    Infected files: 2

    Found
    ============================
    Viruses found: 1
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 171

    I see these are in my mail and trash. I know I deleted the mail and then deleted it from the trash :confused:


    I cannot find that file. That is the one that stinger deleted.

    AVG wasn't working before I deleted any files. I couldn't launch the control panel or update the files. Last night I uninstalled it and then installed a new one. It seems fine now.

    I use Thunderbird mail. I guess I will go check and see if the mail is still there.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! You need to figure out why those files are still showing in your Inbox and in Trash. You must delete them. Make sure they are flushed. Perhaps you have some kind of option in your mail program to empty the Trash folder.
     
  15. coralou

    coralou Private E-2

    I checked my mail and the emails have been deleted. I went back into thunderbird and deleted everything that I could except for about 10-15 that I have saved that I need. I am now showing only one infected file.

    Scan started at 4/18/2005 8:19:19 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Documents and Settings\My Name\Application Data\Thunderbird\Profiles\db9ez90g.default\Mail\mail.bellsouth.net\Inbox->(part2229:price_new_16_04_05.zip)->Result.exe - Win32/Bagle.BJ@mm -> Infected

    Scanned
    ============================
    Objects: 33870
    Directories: 3906
    Archives: 2597
    Size(Kb): 1968013
    Infected files: 1

    I started over with the scans just in case I didn't do it right the first 20 times :) . I stopped with RAV when I found this infected file. Should I do the next scans?

    I haven't gone directly to my mail server ~ Do I need to?

    What next?

    Thanks!!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to get rid of the mail that the scan is referring to. It indicated it is in your Inbox. And it appears to have an attachment that is a ZIP file that is infected.

    C:\Documents and Settings\My Name\Application Data\Thunderbird\Profiles\db9ez90g.default\Mail\mail.bellsouth.net\Inbox->(part2229:price_new_16_04_05.zip)->Result.exe - Win32/Bagle.BJ@mm -> Infected


    Was all of your mail server program stuff shut down when running the scan? If not, shut it down. Use IE to do the scan. Do the scans in safe mode if possible. Maybe then the scan will delete the file.
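The scanner keeps reporting the attachment because Thunderbird stores each folder as a single mbox file and does not remove a deleted message from that file until the folder is compacted; deletion only sets a flag in the message's X-Mozilla-Status header (bit 0x0008, "Expunged"). The script below is an added example, not part of this thread and not a Thunderbird or RAV tool: it builds a constructed two-message Inbox in a temp directory, then walks it like a scanner would, reporting any attachment that is an executable or a ZIP containing one, together with whether that message is already flagged deleted-but-not-compacted. Addresses, file names and the placeholder payload are all constructed.

```python
import io
import mailbox
import os
import tempfile
import zipfile
from email.message import EmailMessage

# X-Mozilla-Status is a 4-hex-digit bitfield Thunderbird keeps per message.
# Bit 0x0008 ("Expunged") marks a message deleted in the UI but still in the file.
MOZ_EXPUNGED = 0x0008
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cpl")


def build_sample_inbox(path):
    """Write a constructed two-message Inbox mimicking the one in the thread."""
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        # Placeholder bytes only; this is not a real executable.
        zf.writestr("Result.exe", b"MZ placeholder - constructed sample")

    lure = EmailMessage()
    lure["From"] = "me@example.com"            # spoofed sender, as in the thread
    lure["To"] = "husband@example.com"
    lure["Subject"] = "(no subject)"
    lure["X-Mozilla-Status"] = "0009"          # Read (0x0001) + Expunged (0x0008)
    lure.set_content("")
    lure.add_attachment(zipped.getvalue(), maintype="application",
                        subtype="zip", filename="price_new_16_04_05.zip")

    benign = EmailMessage()
    benign["From"] = "shop@example.org"
    benign["To"] = "me@example.com"
    benign["Subject"] = "Your order has shipped"
    benign["X-Mozilla-Status"] = "0001"        # Read only
    benign.set_content("Tracking details attached.")
    benign.add_attachment(b"%PDF-1.4 constructed placeholder",
                          maintype="application", subtype="pdf",
                          filename="receipt.pdf")

    box = mailbox.mbox(path)
    try:
        box.add(lure)
        box.add(benign)
        box.flush()
    finally:
        box.close()


def scan_inbox(path):
    """Return one finding per attachment that is, or contains, an executable."""
    findings = []
    box = mailbox.mbox(path, create=False)
    try:
        for key, msg in box.iteritems():
            status = int(msg.get("X-Mozilla-Status", "0000"), 16)
            for part in msg.walk():
                name = part.get_filename()
                if not name:
                    continue                     # container or inline body part
                data = part.get_payload(decode=True) or b""
                executables = []
                if name.lower().endswith(".zip"):
                    try:
                        with zipfile.ZipFile(io.BytesIO(data)) as zf:
                            executables = [n for n in zf.namelist()
                                           if n.lower().endswith(EXEC_EXTENSIONS)]
                    except zipfile.BadZipFile:
                        pass                     # not a real archive; fall through
                if executables or name.lower().endswith(EXEC_EXTENSIONS):
                    findings.append({
                        "key": key,
                        "from": msg.get("From", ""),
                        "attachment": name,
                        "executables": executables,
                        # True: shown as deleted in Thunderbird, bytes still on disk
                        "deleted_not_compacted": bool(status & MOZ_EXPUNGED),
                    })
    finally:
        box.close()
    return findings


def demo():
    """Build the constructed Inbox in a temp directory and scan it."""
    path = os.path.join(tempfile.mkdtemp(), "Inbox")
    build_sample_inbox(path)
    return scan_inbox(path)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point it at a real profile folder (the path in the RAV output, with Thunderbird closed) by calling scan_inbox on the Inbox file directly. A finding with deleted_not_compacted set means the user has already deleted the message and only needs to compact the folder; a scanner that quarantines the whole Inbox file would take the other messages with it, which is why the thread's approach of emptying and compacting from inside the mail client is the safer first step.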
     
  17. coralou

    coralou Private E-2

    I have checked my in box both on my server and thunderbird ~ both are empty.

    I ran all the scans in safe mode except RAV (ran that in normal mode) before my last post.

    I just went back and ran RAV in safe mode ~ same results.

    My mail program hasn't been open during any of this.

    Can I search my computer for this file? Would that do any good?


    Thanks!!
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this your user profile name: db9ez90g.default
    Perhaps it is an old one you do not use now!
     
  19. coralou

    coralou Private E-2

    I have no idea what that is. How do I search for it ~ exactly what do I search for?

    Thanks!!
     
  20. coralou

    coralou Private E-2

    I did a search using

    C:\Documents and Settings\My Name\Application Data\Thunderbird\Profiles\db9ez90g.default\Mail\mail.bellsouth.net

    I found one folder ~ mail.bellsouth.net. When I tried to open the inbox file I was asked what program to use. I didn't know so I clicked on "use the web service to find the program". I received "the page cannot be displayed".

    I tried searching just for db9ez90g.default. I found 1 folder (profiles) & 1 file (profiles.ini). The folder led to the folder db9ez90g.default which led to more files and folders. I tried to copy and paste these but couldn't get it to work.

    I'm getting discouraged :( I wish I understood more of this....


    Thanks!!
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    db9ez90g.default is part of the path to your mail folder for Thunderbird. It is apparently the user ID. You need to look in your Thunderbird program and look at how you have your account set up. Is db9ez90g.default a valid user account? This is the user account where the antivirus scan is finding the problem. Thus, it is the one you need to clean the file up from.
     
  22. coralou

    coralou Private E-2

    I went to Thunderbird, right clicked and did a search for db9ez90g.default ~ that turns up nothing.

    I haven't been able to locate account setup.

    When I search by going to the search on the start menu I find a folder with the db9ez90g.default there but can't find which file I need to delete...


    I have to get online to ship some items ~ not sure what to do...

    Thanks!
     
  23. coralou

    coralou Private E-2

    OK, I am finally getting it! I followed the trail to the inbox file. After the mail file there is one . Is this because I have an alias? I can't open it. When I try to open the file I click ~ use web service to help open the file ~ I get page cannot be displayed.


    If I can get this file open I think I can FINALLY get this done.

    I have deleted everything from my mail ~ I guess it's hiding...

    Thanks!!
     
    Last edited by a moderator: Apr 19, 2005
  24. coralou

    coralou Private E-2

    Now I see that these mail folders are both for the same account.

    The folder with the 1 in the name has 0 in the inbox ~ as it should be.

    The folder without the 1 has 33,363 KB ~ it should be empty.

    Should I delete this folder? What is the safest way to do this?

    Thanks!!
     
  25. coralou

    coralou Private E-2

    THAT'S IT!!!

    I scanned the inbox file that was in the mail folder with RAV.
    I'm not sure if I should delete the entire folder or just that file.

    WEEEEEEE!!! I'm so excited!!
     
  26. coralou

    coralou Private E-2

    SGC_Geek ~ Thanks for the links. There was great info there but their tool won't remove the file.
     
  27. coralou

    coralou Private E-2

    OK, I couldn't wait so I deleted the file. Let me know if I should delete the entire folder.

    I swear I'm not as loopy as my posts have made me look. I have been trying to do this while caring for my very active 4 year old and 19 month old.....
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Sounds like you finally located and deleted the offending file. Any other problems?
     
  29. coralou

    coralou Private E-2

    I think that's it for now.

    I am off to install a firewall...

    Thanks so much for all your help!!!!
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

