Regenerating file??

Guest

I have a recurring Security Alert popping up every few seconds on my laptop.
It says 204250.exe is attempting to connect to a DNS server.

Once I tell the laptop to always block connections from this program on all
ports, the exe file goes to the temp file. This popup comes up every few
seconds. When it pops up again, there is a new number.exe but it is still
acting the same and the file always goes to my temp file.

I cannot do anything without this blasted thing popping up.
Please help!!
 
Patrick Keenan

Manny1 said:
I have a recurring Security Alert popping up every few seconds on my
laptop.
It says 204250.exe is attempting to connect to a DNS server.

Once I tell the laptop to always block connections from this program on
all
ports, the exe file goes to the temp file. This popup comes up every few
seconds. When it pops up again, there is a new number.exe but it is still
acting the same and the file always goes to my temp file.

I cannot do anything without this blasted thing popping up.
Please help!!

You have some sort of malware infection, that's creating new copies of
itself to keep you from finding the real infection. This one seems to be
called "Email-Worm.Win32.Bagle.ik" in some places, "win32.bagle" in others.
The worm itself almost certainly lives in the System32 folder. It may be
marked with hidden and system attributes to protect itself.

To start with, disconnect from all networks. Shut off System Restore; the
restore points are infected and are useless. Don't turn it back on till
the system is cleaned.

Get ccleaner (www.ccleaner.com) and clear the temp folders and browser
caches, since this is where some of the thing is hiding. You may find that
you have to restart in Safe Mode to do this successfully, as the malware is
active.

The texts below reference various versions of the worm that may or may not
match your infection, but should give you a good start.

http://ca.com/us/securityadvisor/virusinfo/virus.aspx?id=38019
http://www.viruslist.com/en/viruses/encyclopedia?virusid=93858

"Removal instructions
1. Reboot your computer in safe mode (when starting the computer, press
and hold F8, and then choose Safe Mode in the Windows boot menu).
2. In the Windows system directory, delete the following files:
%System%\winshost.exe
%System%\wiwshost.exe
3. Delete the following keys from the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="%System%\winshost.exe"
4. Reboot the computer in normal mode, and check that you have deleted all
infected messages from all mail folders.
5. If you had Kaspersky Anti-Virus installed, deinstall and then
reinstall it. Download the latest updates to the antivirus databases.
Perform a full scan of your computer."

So once you're done with these, it's important to do a full scan with an A/V
program you're pretty sure is clean. I usually use housecall.trendmicro.com
for this. It's online so it's a little slower, but it's not likely to be
compromised by your system. And if you've used ccleaner first, it has a
lot fewer files, sometimes in the thousands, to scan.

http://ca.com/us/securityadvisor/virusinfo/virus.aspx?id=38323
http://www.softpedia.com/get/Antivirus/WinBagleALmm-free-removal-tool.shtml

HiJackThis is an excellent tool for identifying and chasing down viruses and
worms, but it is a fairly advanced tool.

When you are doing this, it's a really good idea to have another good system
beside you to look up the things that you find.

Comes to that, if you have another system handy - you can break the
advantage of the worm by simply running ccleaner, then taking the drive out,
attaching it to another system, and scanning it with several a/v programs.
Since the system didn't boot from that drive, none of the malware files can
be active, and can actually be deleted easily.

HTH
-pk
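
A read-only check for the indicators named in this thread (the two file names and the Run keys from the quoted removal steps, plus numbered .exe files in the temp folder), as an added PowerShell example that is not part of the original posts. It deletes nothing, and the function name Get-BagleIndicator is made up for illustration.

```powershell
# Added example: read-only triage for the indicators named in this thread.
# Nothing is deleted; the output is a list of findings to review.
function Get-BagleIndicator {   # hypothetical function name
    # File names taken from the removal steps quoted in the thread
    $names = @('winshost.exe', 'wiwshost.exe')
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    # Properties the registry provider adds to every result; not real values
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    # 1. The named files in the system directory. -Force is needed because
    #    the files may carry the hidden and system attributes.
    foreach ($n in $names) {
        $path = Join-Path (Join-Path $env:SystemRoot 'System32') $n
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($file) {
            [pscustomobject]@{ Kind = 'File'; Location = $file.FullName; Detail = $file.Attributes }
        }
    }

    # 2. Run-key values whose name or data mentions one of the file names
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            $hit = $names | Where-Object { $p.Name -like "*$_*" -or "$($p.Value)" -like "*$_*" }
            if ($hit) {
                [pscustomobject]@{ Kind = 'RunValue'; Location = "$key\$($p.Name)"; Detail = $p.Value }
            }
        }
    }

    # 3. Executables in the temp folder whose name is only digits (e.g. 204250.exe)
    Get-ChildItem -LiteralPath $env:TEMP -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+\.exe$' } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'TempExe'; Location = $_.FullName; Detail = $_.LastWriteTime }
        }
}

Get-BagleIndicator | Format-Table -AutoSize
```

An empty result only means these particular names were not found; as the reply notes, the linked write-ups cover variants that may not match a given infection.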
 