I-Worm/Bagle...oh dear god...

Discussion in 'Malware Help (A Specialist Will Reply)' started by KoadMunki, May 11, 2005.

  1. KoadMunki

    KoadMunki Private E-2

    Ok, at work I have this computer for a guy. He's got the Bagle/Bagel worm/trojan thing. I've heard it referenced as about 1,000 different things in the past day or so...

    Anyway....my problem is this:

    I know the worm/trojan is on the computer, and I know it's in the file c:/System Volume Information

    I have the tools to delete the durn thing (I have used several....Symantec/AVG/other varying brands and companies)

    The tools say they cannot find any instance of the file on the computer....but once I look in the log file that's created...it specifically says "did not search folder: C:/System Volume Information."

    Am I going insane? I've tried pretty much my entire bag of tricks...I have a few more, but in the meantime, anyone who has experience with this thing, or just has a freakin' clue, would be welcome to throw their 2 cents in.

    Thanks a lot in advance guys.

    :eek:
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must disable System Restore to remove viruses or trojans that are in there. You can find the steps we use to perform full cleaning below. System Restore is disabled in the very first step.


    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. KoadMunki

    KoadMunki Private E-2

    Ok, to begin with, I should have read that article before I proceeded...however, I already did most everything on it. Just to make sure, I did finish the list, and am still having a problem.

    *All the tools that are on the "please read this before asking for support" thread reported that there are no problems with the computer.*

    Norton Anti Virus says different (Internet Security 2005). I have the system in safe mode and System Restore went bye bye looooong ago, so that's not it.

    I have the log file for HJT attached to this post, and I can't seem to find too much wrong with it (though I haven't been working with it long enough to trust that judgement yet)

    Also, as a side note, when I installed Norton Internet Security...I had quite some trouble with the installation. I had to uninstall and reinstall about 6 times before I got the program to run...and I see now that it won't actually load anything except Norton AntiVirus to tell me the computer is infected. I'm not worried about the installation, but I do wonder if it's possible for a program such as that to report a false infection when it's not working properly?

    Anyway, Thank you for your help.

    -Koadmunki

    Attached Files: LogFile.doc

  4. tblue

    tblue Corporal

    Hi KoadMunki,
    You might want to run HJ again and attach it as a .log or .txt file. Word files are really difficult to read.
    Good Luck, :D
    T.Blue
     
  5. KoadMunki

    KoadMunki Private E-2

    Ah...yes.. it told me .txt files were not a valid file type, which I realize is incorrect, but I wanted to make sure others could get the attachment....let me try to put it in as a log or txt file for you.

    (I think it worked this time :eek: (god this machine is a piece of crap...)


    -koadmunki
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    KoadMunki,

    This log appears to be from Safe Mode. If so, attach a fresh HJT log from Normal Mode.
     
  7. KoadMunki

    KoadMunki Private E-2

    so sorry....brain....slowly....oozing out ear..... here ya go safe mode... .log file....I think this is right....;)
     

  8. KoadMunki

    KoadMunki Private E-2

    *normal mode* hehe...again..my apologies for all this.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have multiple antivirus applications installed. You must use only one. Pick the one you want and uninstall the other.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [sm] C:\WINDOWS\sa_exe.exe


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\sa_exe.exe
    C:\WINDOWS\sa_exe.exe.dll


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
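As an added illustration of what the expert is doing by hand above (this is example code, not part of the thread or of HijackThis itself), the following script parses a constructed HJT 1.99.1-style log, picks out O4 autostart entries whose executable sits directly in the Windows folder rather than in system32 or Program Files (a heuristic this example assumes, not a rule from the thread), and cross-checks them against the log's "Running processes" list so the reader knows which file will need its process ended in Task Manager before it can be deleted. The `[sm] C:\WINDOWS\sa_exe.exe` line is the one quoted in the thread; the other sample entries are made up.

```python
import re

# HijackThis "O4" autostart line, e.g.  O4 - HKLM\..\Run: [sm] C:\WINDOWS\sa_exe.exe
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): '
                   r'\[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

# Constructed sample in HJT 1.99.1 layout; [sm] is the thread's line, the rest are benign
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\sa_exe.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sm] C:\WINDOWS\sa_exe.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

def exe_path(cmd):
    # Executable from a command line, quoted ("C:\Program Files\x.exe" /a) or bare
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'(?i).+?\.exe', cmd)
    return m.group(0) if m else cmd.split()[0]

def parse_hjt_log(text):
    # Returns (lower-cased running process paths, list of O4 entry dicts)
    processes, autostarts, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == 'Running processes:':
            in_procs = True
        elif in_procs and line:
            processes.append(line.lower())
        elif in_procs:                      # blank line ends the process list
            in_procs = False
        elif (m := O4_RE.match(line)):
            autostarts.append(m.groupdict())
    return processes, autostarts

def review(text):
    # Returns [(entry name, exe path, reasons)] for O4 entries worth a closer look
    processes, autostarts = parse_hjt_log(text)
    findings = []
    for entry in autostarts:
        path = exe_path(entry['cmd'])
        # Heuristic (this example's assumption): legit autostarts are not in the Windows root
        if path.lower().rsplit('\\', 1)[0] not in ('c:\\windows', 'c:\\winnt'):
            continue
        reasons = ['runs from the Windows root folder']
        if path.lower() in processes:   # as in the thread: end the process first
            reasons.append('currently running; end the process before deleting')
        findings.append((entry['name'], path, reasons))
    return findings
```

Running `review(SAMPLE_LOG)` reports only the `[sm]` entry, with both reasons attached; the Norton and ctfmon entries pass the heuristic untouched.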
     
  10. KoadMunki

    KoadMunki Private E-2

    ok...followed directions to the "T" system isn't done yet, but it seems to be rid of the worm/trojan. Thank you...to everyone who helped :D Here is the updated/fixed HJT log file..- koadmunki
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you mean by not done yet? Your log is clean. Are you having some other problems?
     
