Hmm I assume you talk about the file uploaded to bleepingcomputer? was it winlicense.zip or you got a winlicense.exe as 0 ? I ask as at the time I was a bit tired in my head ;-) and first tried to upload the exe twice with error result before my brain kicked in and told me to zip it.Originally Posted by steamwiz
The latter is my legit, the other is the official demo I downloaded just to compare.
It's their trojan scan and remover tool, pretty useless actually and it has been deleted. Actually I removed Avast completely in favour of AVG Free as it (together with VBA32 and RegRun) was the only scanners that picked up the original infection.
It's more of my private temp folder actually were I put anything new or unknown unless they have a proper place already. But you are right, maybe I should rename it to something else as this is files I want to control myself when to delete.
I also found in system32 this file: adffbdceebefb3_r.ocx 1kb and it looks to me as a candidate for deletion as well?
Then I have one C:\LogFile.Etl with the enourmous size of almost 2 gb and it has a time stamp of 2008-02-24 10:21 which is about the time I got back to the computer having had some hours of sleep after finally killing the thing. I just thought if you know anything about this file before I delete it?
Well maybe I expressed myself unclear as english isn't my native lang... What I meant actually was that I didn't have all of the keys listed in that write up. Now it's all gone so I cannot check back but I think the keys as such I had was the same. When I google it I found them to match Bagle.hi and Bagle.iw (or if it was .wi) but if you get the original infector it should be possible to study it in a secure env in more detail I guess.
Things are a bit unclear as I realize I been struggling with this for 10 days (when I really should have done other things, like work) and the first 2-3 days I did it totally on my own as I though I was capable to fix itbut at least I managed to stop its propagation.
Well here I think this variant act differently, appreantly it doesn't delete the Safe Mode keys but add junk to them - but I am not sure about that. Originally I couldn't boot into safe more but then somehow it got fixed. At the time I couldn't run almost anything security related but then I managed to get rid of the LEGACY_SROSA keys and I think it was after that I could get into safe mode. However, I later come to realize that somehow (at least certain parts of) the computer belived to still run in safe mode while it actually was in normal mode - got messages like "this service cannot be started in safe more" and similar when trying to install or uninstall certain programs (using services I assume).
I now seem to have fixed this, I did it with help of this url http://blog.didierstevens.com/2007/0...th-a-reg-file/
Do you think I still should run Safeboot repair?
I haven't run a kav scan yet as I thought of manually clean up a bit in my old files as there probably is much that doesn't serve its purpose anymore. I did run a full AVG scan and it found a couple of type trojan.generic and obfustat in my old files, but this is stuff that haven't been touched for years except when it has been moved from an older small HDD to my new big one. It should really have been put on dvd's or deleted but you know how it is with time and computer work.
So now I will reboot with the fixed reg key you gave me as well and I will start to run programs again to see if things works or not. So far I have not run anything except for the most absolute necessary. Then I will reinstall my Outpost Firewall, maybe I will do that first actually to catch any attempt to escape out.
I did uninstall my firewall some month ago as I found it a bit of a resourse hog, and I have another firewall higher up anyway blocking most incoming but nothing outgoing actually. Now there is a new release though so I will give it a chance as I still have a valid license for it. Ok I will get to works with it then... and I haven't had time for the other logs yet, but I will come to it, felt a bit exhousted before after 10 days with too long ours
