not a valid Win32 application...nasty virus

Welcome to Major Geeks!

Bagle infections like this are quite difficult to remove especially since there are no tools available that seem to be able to remove all the components of this infection which includes rootkits.

Do you have bootable copy of your Windows CD so we can get to the Recovery Console? If not, you need to get one, otherwise your alternative my be a clean reinstall from scratch.

 

That's because you also have a bunch of other infections. Most likely due to the fact that it appears you have been running this PC with no protection. The ClamAV you just recently installed is not going to help you and provides no protection. I suggest you uninstall it now. And then try doing some of the below. Some of this has nothing to do with the infection. It is just necessary things you should do. This infection has opened up about 500 connections on your ethernet port to the internet.


Uninstall the below software:
Ad-Aware SE Personal <-- too old and of no use
eMule
iMeshBar
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2
Java 2 Runtime Environment, SE v1.4.2_06
Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 1 of the READ ME
Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME
Viewpoint Toolbar <-- should have been uninstalled in step 1 of the READ ME

I strongly advise you to cleanup your Desktop. Remove eveything but links to run programs. Do not download and save programs here and defintely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.



Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
E:\WINDOWS\Temp
E:\Documents and Settings\Joe\Local Settings\Temp

Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.


NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

I expected yo may have problems with getting Avenger to run since this infection attempts to block all removal tools. Don't worry about ATF-Cleaner either.

Please attach a new MGlogs.zip file after running GetLogs.bat again. I want to see the status now that you tried to remove some items manually. Some may have come back after a reboot which is normal for this infection.

Also do the below which will be tedious but I want to see if anything is reported here that could help us:

Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices

• Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
• Then list all items you see here for me.
• If you see anything saying srosa, right click on it and select Uninstall.

 

I assume this was done after getting the new MGlogs.zip file??

Can you now run SUPERAntiSpyware? ComboFix?
Check to make sure the srosa driver has not come back. If it has then this time do not uninstall it, just disable it.


Also see if you can delete the below files:
E:\Documents and Settings\Joe\Application Data\m\data.oct
E:\Documents and Settings\Joe\Application Data\m\list.oct
E:\Documents and Settings\Joe\Application Data\m\srvlist.oct
E:\WINDOWS\system32\dllcache\register.exe

Also delete the below folder:
E:\Documents and Settings\Joe\Application Data\m


Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
E:\WINDOWS\Temp
E:\Documents and Settings\Joe\Local Settings\Temp


Now open run the C:\MGtools\FixBagle.bat file by double clicking on it.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below log:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

I guess you already forgot what I had you do in msg # 6?

First you must disable Spybot's Teatimer as requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer


Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {3BD91C7D-C867-79B7-8720-165508832910} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {9DB25D91-C52A-FAF4-7243-BAA93DED5BCE} - (no file)
O2 - BHO: (no name) - {9DBB5F91-C52A-FAF4-7243-BAA93DED5BCE} - (no file)
O2 - BHO: (no name) - {9DBF5A91-C52A-FAF4-7243-BAA93DED5BCE} - (no file)
O2 - BHO: (no name) - {9DCA5891-C52A-FAF4-7243-BAA93DED5BCE} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - E:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKCU\..\Run: [drvsyskit] E:\Documents and Settings\Joe\Application Data\drivers\winupgro.exe
O4 - HKCU\..\Run: [mule_st_key] E:\Documents and Settings\Joe\Application Data\m\flec006.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs:

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Now reboot and see if you can find and delete the below files:
E:\Documents and Settings\Joe\Application Data\drivers\winupgro.exe
E:\Documents and Settings\Joe\Application Data\m\flec006.exe
E:\WINDOWS\system32\winupgro.exe

Also delete the below folder[/b]:
E:\autorun.inf

Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
E:\WINDOWS\Temp
E:\Documents and Settings\Joe\Local Settings\Temp

Now run Ccleaner!

Now goto this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe to get the new program and files extracted and let it run thru to completion. But do not attach this log yet. First run the new version of C:\MGtools\FixBagle.bat by double clicking on it. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Let it finish running and then attach the below logs:[/B]

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Have you downloaded and used Flash Disinfector at some time?


The below file is still present. Did you try to delete? What happen?
E:\WINDOWS\system32\winupgro.exe

The above file is one (of many) key components of the infection.

 

Okay now use Windows Explorer to navigate to the C:\MGtools folder and run the FixBagle.bat file by double clicking on it. Now run the GetLogs.bat file by double clicking on it. This will take a little while to run all the MGtools scans. When it finishes, attach the new C:\MGlogs.zip file.

 

Yes FixBagle.bat runs very quickly as it is just a registry patch.


It is starting to look like the only way to fix your problem will be one of the below:

1. Possibly using the Recovery Console but we need a bootable copy of your Windows CD to do this.
2. Reinstall! You either need your Windows CD or a Recovery CD or Recovery Partition to do this.

However let's try another set of steps.

Run this procedure:Resetting Registry and File Permissions

After the reboot, see if you can disable the srosa driver again from the non-plug and play entries like we previously did. Then run the FixBagle.bat program again.

Now see if you can delete the below files

Code:

                                                                 
"E:\WINDOWS\Temp\"
gnserv.dat    Jan 28 2009        1024  "gnserv.dat"
spnserv.dat   Jan 28 2009        1024  "spnserv.dat"
spserv.dat    Jan 28 2009        1024  "spserv.dat"

Please delete the below folders? Note that the Questionmarks represent unprintable characters that were found during the scans, but they may appear to you as normal characters when you locate them using Windows Explorer. I will add comments in RED next to each item. Note the date of the folders which will help you to locate them:

Code:

"E:\WINDOWS\"
CROSOF~2.NET Feb 20 2008  "??crosoft.NET"[B][COLOR=red]<-- may look like Microsoft.NET [/COLOR][/B][B][COLOR=red]and there may be a real valid folder with the same name.[/COLOR][/B]
ICROSO~2     Feb 19 2008  "?icrosoft"  [B][COLOR=red]<-- may look like Microsoft.[/COLOR][/B]
SMANTE~1     Feb 15 2008  "S?mantec" [B][COLOR=red]<-- may look like Symantec[/COLOR][/B]
àDOBE        Mar 10 2008  "àdobe"   [B][COLOR=red]<-- may look like adobe or Adobe[/COLOR][/B]
SKS~1        Apr 25 2008  "ç?sks"   [B][COLOR=red]<-- may look like Tasks[/COLOR][/B]
CURITY~1     Mar  6 2008  "??curity"[B][COLOR=red]<-- may look like Security[/COLOR][/B]
MBOLS~1      Jun 12 2008  "??mbols" [B][COLOR=red]<-- may look like symbols[/COLOR][/B]
SEMBLY~1     Apr 13 2008  "??sembly"[B][COLOR=red]<-- may look like assembly[/COLOR][/B]
RACLE~2      Mar 24 2008  "?racle"  [B][COLOR=red]<-- may look like Oracle[/COLOR][/B]
ASKS~2       Jun  5 2008  "?asks"   [B][COLOR=red]<-- may look like Tasks[/COLOR][/B]
SKS~2        Jun 10 2008  "??sks"   [B][COLOR=red]<-- may look like Tasks[/COLOR][/B]

Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - E:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

After clicking Fix, exit HJT.


Now run Malwarebytes and make sure you update it first and then run select Perform full scan. Fix what it finds and if it does find anything, do an immediate reboot!!!!

After reboot, see if you can run SUPERAntiSpyware, ComboFix and Avenger. Let me know.

Either way goto this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.



Run MGtools.exe then attach the below log:

• the new Malwarebytes log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

Also if SUPERAntiSpyware or ComboFix ran, attach the logs from them.