Win32: bagel infection & WFSINTWQ.SYS

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dodg3r7, Nov 18, 2009.

  1. dodg3r7

    dodg3r7 Private E-2

    Hi folks

    I have Windows Home XP Service Pack 3, fully up to date.

    I turned on the PC this morning to find that my avast antivirus had not started up with Windows as normal.
    I tried to turn it on manually, and got the dreaded "this is not a valid win32 application" error.

    After some research, it appears to be a bagel win32 virus. I don't have much experience with removing malware as I have a weekly procedure which has kept my machine clean for the 4 years I've had it without a glitch. The missus was job hunting yesterday, so guessing it's been picked up then.

    I have been through the read me and the xp cleaning guide:

    1) I have carried out the basic computer maintenance except for CC Cleaner (I use this on a weekly basis but it refuses to open due to this infection).
    2) I only have avast antivirus protection - nothing else.
    3) I have removed anything that relates to viewpoint, removed all old java updates, emptied quarantined folders etc (can't run cc cleaner)
    4) enabled all hidden files, folders, opened msconfig, stopped anything that was illegitimate (flec003 was the virus name in the start up tab)
    5) no malware had managed to install itself as a program
    6) XP Cleaning procedure:

    1) downloaded SAS
    2) every time I tried to open the site to download malwarebytes my browser closed (this is the case for GMER as well...it seems to recognise some sites that would help and just closes them)
    3) got combofix - won't run - not valid win32 app error
    4) downloaded rootrepeal & MGtools. will attach logs when I get home from work
    5) SAS would not run - same as cc cleaner, when you click to open nothing happens - no errors
    6) same for Malwarebytes (I could not download this as explained in step 2 but realised I already had this installed)

    I did run the SAS online scanner. This started, but then I got a blue STOP screen with a reference to WFSINTWQ.SYS which seems to be a critical file in the virus.
    I also managed to download and run the mcafee stinger, which gave me the reference to the bagel win32.

    I thank you in advance for any advice given and will attach the logs to rootrepeal & MGtools asap.

    Jamie
     
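An added example, not part of this thread and not code from any of the tools named in it: the "not a valid win32 application" error dodg3r7 describes is what Windows reports when its executable loader cannot parse a file's MZ/PE headers. The Python below builds a constructed minimal PE header, then runs the same structural checks the loader starts with against deliberately damaged copies. A responder can use this to tell a header-corrupted executable (which will never start, whatever kills or blocks it) from an intact one that is being terminated after launch, which is a different symptom and points to a different fix. The sample bytes and all function names here are constructed for the example; the checks cover only a subset of what the real loader verifies.

```python
import struct
from typing import Dict, Tuple

# COFF header constants from the PE specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000

COFF_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp,
                        # PointerToSymbolTable, NumberOfSymbols,
                        # SizeOfOptionalHeader, Characteristics (20 bytes)


def build_minimal_pe_header() -> bytes:
    """Constructed sample: a 64-byte DOS header followed by 'PE\\0\\0' and a
    COFF file header. It is not a runnable program, only the headers the
    loader inspects first."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> PE signature
    coff = struct.pack(
        COFF_FMT,
        IMAGE_FILE_MACHINE_I386,                    # 32-bit x86 image
        1,                                          # one section
        0, 0, 0,                                    # timestamp, symbol table, symbol count
        0xE0,                                       # PE32 optional header size
        IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100,       # executable, 32-bit machine
    )
    return bytes(dos) + b"PE\0\0" + coff


def check_pe_headers(data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Mirrors the first checks the Windows loader makes
    before it can call a file a valid Win32 image."""
    if len(data) < 64:
        return False, "file shorter than a DOS header"
    if data[:2] != b"MZ":
        return False, "missing MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need room for the 4-byte signature plus the 20-byte COFF header.
    if e_lfanew + 24 > len(data):
        return False, "e_lfanew 0x%X points past end of file" % e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, "missing PE signature at e_lfanew"
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        COFF_FMT, data, e_lfanew + 4)
    if machine not in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
        return False, "unexpected machine type 0x%04X" % machine
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        return False, "IMAGE_FILE_EXECUTABLE_IMAGE characteristic not set"
    if opt_size == 0:
        return False, "no optional header"
    kind = "DLL" if chars & IMAGE_FILE_DLL else "EXE"
    return True, "%s, machine 0x%04X, %d section(s)" % (kind, machine, nsections)


def corruption_examples() -> Dict[str, bytes]:
    """Constructed damaged copies of the good header, each breaking one
    check a header-patching infection could leave behind."""
    good = build_minimal_pe_header()
    no_mz = bytearray(good)
    no_mz[0:2] = b"XX"                              # DOS stub overwritten
    bad_lfanew = bytearray(good)
    struct.pack_into("<I", bad_lfanew, 0x3C, 0x1000)  # pointer beyond file end
    no_pe = bytearray(good)
    no_pe[64:68] = b"\0\0\0\0"                      # PE signature zeroed
    truncated = good[:40]                           # file cut short
    return {
        "no_mz": bytes(no_mz),
        "bad_lfanew": bytes(bad_lfanew),
        "no_pe": bytes(no_pe),
        "truncated": truncated,
    }


def check_file(path: str) -> Tuple[bool, str]:
    """Run the same checks on a real file; only the headers are read."""
    with open(path, "rb") as fh:
        return check_pe_headers(fh.read(4096))


if __name__ == "__main__":
    print("good    :", check_pe_headers(build_minimal_pe_header()))
    for name, blob in corruption_examples().items():
        print("%-8s:" % name, check_pe_headers(blob))
```

Running the block prints one line per sample. When a real file passes every check here but still will not start, the loader is not the problem and attention moves to what terminates the process after launch (startup entries, injected drivers such as the WFSINTWQ.SYS named in the STOP screen above), which is exactly the kind of evidence the logs requested in this thread are meant to capture.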
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please try doing the below:

    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create as long as the malware does not block the batch file from running.


    Now download and Run exeHelper

    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Then try running these instructions: Using MGtools


    Attach the below logs when finished with all of the above:

    • C:\avplog.txt - from AVPfind
    • log.txt - from exeHelper
    • C:\MGlogs.zip - from MGtools

    The C:\ assumes that drive C is your Windows boot drive. If you boot from another drive, then use the correct drive letter above.
     
  3. dodg3r7

    dodg3r7 Private E-2

    Hi Tim

    When I went home to follow your instructions my PC would not boot in any mode. Tried booting into recovery console, executing a few checkdisks etc but it wouldn't boot so I had to do a fresh install. Luckily I had backed up personal info a few weeks earlier.

    Thanks again for your time

    Jamie
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sorry to hear that. This new set of viruses are really nasty and have rendered quite a few systems unbootable. Good to know you had backups and are now clean.
     