Malware - Rootkit.Bagle? Most AV software inactivated/cannot be installed.

Hi,

Like so many, i am new to this forum, and turn to strangers for help. I apologise very much for this imposition, and would like to immediately thank folks for the information whih has allowed me to get this far.


BACKGROUND

I have a Dell Inspiron 1735, running Vista Home Premium. I had been using Norton 360 antivrus, but when this came due for renewel i decided to change to Kaspersky. However, Kaspersky does not have a password facilty built in, so i download a copy of Robo Fill to provide this function. This took place at around 14.00 GMT on 27 March 09!

I thought that the website was bona fide, and (stupidly) did not scan the executable before installing. Immediately i did, i lost internet connectivity, and Norton was disabled, along with the standard microsoft software (defender etc). The PC then crashed.

I restarted it in safe mode, but could not get Norton to run. My first action (before discovering this website) was to remove Norton completely, in the hope that i could install my newly purchased copy of Kaspersky. Removing Norton was quite a battle, and i have not been able to install kaspersky anyway.


MAJOR GEEKS ADVICE

I have attempted to read and follow the various stickies.


1. I manged to do all the steps in "Read me first".


2. I was unable to run the SuperAntiSpyware.

In normal mode, it would not install due to the Win32 error.

In safe mode, it would not install due to the windows installer not operating.

Changing the filename did not alter this situation in either mode.

I have posted this problem on the forum of the software company, and will report any advice they have.


3. I ran the MalwareBytes program, in normal mode, and have attached a log. This found 5 entries, in particular Rootkit.Bagle. I followed the fixing proceedures.


4. I was unable to run Combofix.

As with SAS, in normal mode it would not install due to the Win32 error.

In safe mode, it would not install due to the windows installer not operating.

Changing the filename did not alter this situation in either mode.


5. I ran MGtools, as directed in normal mode, and have attached a log.


CONCLUSIONS

I hope that this covers correctly the steps i was meant to take.

Any advice would be exceptionally welcome, as presently my nearly complete thesis is stuck on a seemingly diddled computer! Of course, i realise everyone will feel that their own plight is particularly severe!

Anyway,

Hope to see something here in the morning!!!!!!!

Cheers

Crawf

 

Hi,

Can't describe how relieved i was to wake up this morning (UK) and find this reply.

I have run the FindyKill scan, and attach the first .txt log.


MANY THANKS!

 

Hi,

I have now run FindKill in the kill mode, and attach the latest log. I have numbered this "2" to differentiate it from the earlier log (about the level i can contribute at!).

From memory, it found 4 infected files and a further 12 corrupted files (most of these corrupted files seemed to be the other AV programes that had failed to run).

It should be noted that the strange lysgf.exe file, or something similar, was a version of SAS which i renamed in the hope it would run.

I have now restarted the computer, and it seems much improved. Faster. The internet connection has returned, and i have allowed windows defender to update itself as it requested.

However, windows seemed remarkably sanguine about the lack of AV software. I have now installed (i hope) kaspersky. There were some errors in the unzip file, but it claims to have installed now.

I will continue to poke around, and update here. Obviously i will continue to follow all the sticky threads too.

I am keen to scan scan and scan again, to try and make sure the bugger is gone!!!

 

Hi,

Firstly, i hope that this does not appear to be an attempt to bump the thread. It is simply that i have now run a few more programs, and have a few more logs to show for it.

Essentially, having had some apparent success using FindyKill, i attempted to repeat the standard malware removal proceedures.

Disappointingly, i found that i am still unable to run either SAS or Combofix. In both cases the error messages are the same as before (normal mode, WIN32; safe mode,installer issue again).

I was, however, able to run Malwarebytes and MBTools again. I have attached logs for both of these, and would welcome any advice.

I have managed to reinstall Kaspersky, though it seems to start very late in the Vista bootup (60seconds after all others).

Not sure what to try next....

 

Right, a final post.

I have managed to get combofix to run, and attach the log. When i went to restart the computer, it bluescreened with a dump. Depressing.

Unfortunately, i am still unable to run SAS due to the WIN32 error. This must indciate that something remains, and the problem remains unsolved.

Hope someone can help - i've spent ~15 hours on this so far, and still busted!

 

Hi,

Well, a good sign is that this is the first post i've managed to make on this forum from the "busted" computer!

I have been through the steps you outlined, and things seem much better. Indeed, the system seems "snappier" than it has for a considerable time. I have not had a chance to spend much time fiddling yet, but it seems everything thing is running "A OK".

TBH i'm a little wacked for checking further right now (and, stupidly, i'd like to take a moment and feel things are sorted out!).

Anywho, the one thing during the tests was that i could not find some of the things you mentioned. I think this is because they had already been removed in my later fiddling (not sure which log report you were working from).

Those which i deleted are in bold below. Presumably the fact that things have improved means that the winupgro bugger had met its maker somehow!


REPORT

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O4 - HKUS\S-1-5-18\..\Run: [drvsyskit] C:\Windows\system32\config\systemprofile\AppData\Roaming\drivers\winupgro.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/ser...000e6.0000026d (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [drvsyskit] C:\Windows\system32\config\systemprofile\AppData\Roaming\drivers\winupgro.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/ser...000e6.0000026d (User 'Default user')

Optionally, you can fix any of the below non-malware but rather unnecessary startups.

O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler


The logs are attached.



I will spend sometime tomorrow implementing all of the housekeeping suggestions, and taking the recommended preventative measures. No way i want to go through this again!

Most of all though - CAN'T THANK YOU AND THIS FORUM ENOUGH!!!!!!!!

And yes, i know i shouted that! :-D:-D

Crawf