Rootkit.bagle and Rootkit.Agent - No Internet, No Safe Mode, No Antivirus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by raremedium, Apr 15, 2008.

  1. raremedium

    raremedium Private E-2

    Hi guys.
    I am having serious trouble removing what seems like two viruses from my laptop. When they first attacked they shut down wireless networking, and then proceeded to start blocking all my antivirus.

    I went through the READ & RUN ME FIRST Malware Removal Guide and the Windows XP Cleaning Procedure, and here are the results. I'm afraid to use a flash drive to get the log off my laptop because it's already infected one of my other computers by transfer via flash memory. Fortunately, before the flash was corrupted I was able to save most of the recommended antivirus software to it and got a lot of it onto the laptop, including MGTools.

    - The wireless connection to my laptop is disabled, not by my doing.
    - When I attempt to boot to Safe mode (or any non-standard mode) I get a blue screen and failure.
    - When I attempt to run HijackThis, Spybot, Combofix.exe, etc. I get an error telling me it is not a valid win32 application
    - When I attempt to run the MGTools analyse.exe from the MGTools folder and using a command prompt it gets half way through and then is shut down
    - When I run SuperAntiSpyware it crashes windows with a blue screen reporting problems with srosa.sys
    - When I run Malwarebytes it detected and cleaned about 7 bad files, but two remain even after the recommended reboot:
    Rootkit.Bagle C:\WINDOWS\system32\drivers\srosa.sys
    Rootkit.Agent C:\WINDOWS\system32\drivers\hldrr.exe
    Both detected during the final heuristic portion of the Malwarebytes scan.

    Any help would be appreciated, I am a desperate man at this point.
    Thanks,
    Chris
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please try doing the below.

    Run SuperAntiSpyware

    • In SUPERAntiSpyware under Configuration and Preferences, click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options uncheck the below two options
      • Use Kernel Direct File Access (recommended)
      • Use Kernel Direct Registry Access (recommended)
    • Then try doing a new full scan and tell me if it still crashes.
     
  3. raremedium

    raremedium Private E-2

    Okay, I did that, ran the scan, and it caught the two (or one) problems. I attached a screen shot of the confirmation window in SuperAntiSpyware. What happens is that it requests a reboot, and the reboot fails. The only way to reboot to a non-blue-screen-of-death is to reboot to the last known good configuration, which no doubt reloads the registry entries that activate the virus. Pretty slick. I have a feeling that if we can get to the removal point in SuperAntiSpyware, and before reboot remove those registry files, then reboot to safe, we can get through this... maybe?

    I did manage to risk infecting my one good machine by using a jump drive to get log files from Malwarebytes and the MGTools getlogs batch file. Those are also attached.

    Thank you for your time, and I'm here all day to try and work with you to fix this. It has infected two of my home office machines and completely shut down my work operation.
     


  4. raremedium

    raremedium Private E-2

    Okay, I got Malwarebytes and SuperAntiSpyware to both run and both do their quarantines of the two hldrr.exe related files, and SUCCESSFULLY rebooted without incident, yeah, still screwed up though in the same fashion, but this time I got the MGTools analyse.exe (HijackThis) to run and COMPLETE!!!
    I attached the logs. The application is still open, waiting for my command. Looks like I should start by cleaning up things like this:

    O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe

    ...but I'm waiting for you guys to give me your analysis.
    I sure am getting an education here.
    Thanks ahead of time for your help.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's possible that you have a new form of this infection. I want to look for rootkits using the below.

    Please run this Running GMER to detect rootkits and then attach the requested log.
     
  6. raremedium

    raremedium Private E-2

    GMER scan attached.
    Thank you for all your help.
    I am desperate here, it's on all my Windows machines at home and they are all kicked offline and it's killing my ability to work from home, which means $$ out the window.
    -Chris
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nothing was found with GMER. Let's see if we can get the below to work. By the way do you have a copy of your Windows boot CD?

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) SE Runtime Environment 6 Update 1


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
    O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now look (with Windows Explorer) in the C:\Windows\Prefetch folder for any file names similar to what we were deleting with Avenger above. If you find any then delete them.


    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Chris Harber\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
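    The HijackThis lines chaslang picks out above are chosen by eye: a Run entry launching an .exe from the drivers directory, a Run value name (german.exe) that does not match the file it launches (wintems.exe), and an O9 button whose file is gone. The following is an added example, not code from the thread or from HijackThis, showing how a reviewer can script those same heuristics over an HJT-style log. The sample log is constructed from the lines quoted in this post plus two benign entries; the heuristics and the regular expressions are this example's own assumptions. The R0/R1 home-page lines are deliberately not flagged, because the log alone cannot distinguish an OEM default from a hijack; that call stays with the reviewer.

```python
"""Flag suspicious HijackThis (HJT) log lines.

Added example, not part of the original thread or of HijackThis itself.
The sample log is constructed from the entries quoted in the thread;
the heuristics below are assumptions about what a reviewer looks for.
"""
import re
from typing import List, Tuple

# Constructed sample: the lines chaslang selected for fixing, plus two
# entries (ctfmon, an OEM service) that should NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# O9 entries whose target file no longer exists are reported by HJT as "(no file)".
O9_RE = re.compile(r"^O9 - Extra button: .* - \((?P<status>no file)\)$")
# First absolute .exe path on a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def first_executable(cmd: str) -> str:
    """Return the .exe path a Run command line launches, or '' if none is found."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else ""


def check_line(line: str) -> List[str]:
    """Return the list of reasons a single HJT line looks suspicious (empty if none)."""
    line = line.strip()
    reasons: List[str] = []
    m = O4_RE.match(line)
    if m:
        exe = first_executable(m.group("cmd"))
        base = exe.rsplit("\\", 1)[-1].lower()
        name = m.group("name").lower()
        # Heuristic 1: a user-mode program living in the kernel drivers directory.
        if "\\drivers\\" in exe.lower():
            reasons.append("Run entry launches an .exe from the drivers directory")
        # Heuristic 2: value name is an .exe name but not the one actually launched.
        if name.endswith(".exe") and base and name != base:
            reasons.append(f"Run value name '{name}' does not match target '{base}'")
    elif O9_RE.match(line):
        # Heuristic 3: orphaned browser button pointing at a missing file.
        reasons.append("O9 button references a missing file (orphaned entry)")
    return reasons


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run check_line over every non-blank line and collect the flagged ones."""
    findings: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = check_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for flagged_line, why in scan_log(SAMPLE_LOG):
        print(flagged_line)
        for reason in why:
            print("   ->", reason)
```

    Running it against the constructed sample flags exactly the hldrrr.exe entry, the german.exe/wintems.exe entry and the orphaned O9 button, and leaves the ctfmon.exe and service lines alone. A real log would be passed to scan_log() instead of SAMPLE_LOG; the heuristics are a starting point for review, not a verdict.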
     
  8. raremedium

    raremedium Private E-2

    I do not have a Windows XP boot CD for the laptop, but might for the PC. The laptop came with a system restore, where they loaded everything onboard and gummed up 8 gigs of my hard drive. Don't ask, I didn't order the machine.

    I'm gonna try everything below and get back to you asap.
    Thank you so much again,
    Chris
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Any Windows XP SP2 CD may be fine. We are not going to install anything from it, or use it to do a Windows Repair. My thought is that it may become necessary to try booting to the Recovery Console and doing manual removal of these files if necessary.
     
  10. raremedium

    raremedium Private E-2

    Gotcha, I can find one around the office if necessary.
    I just got through the Avenger part of the operation and the machine rebooted, then right before the login screen rebooted again. The second time I was able to log in.

    Avenger script came up successfully.
    Sun JRE Installed without incident.

    I did not have this directory:
    C:\Documents and Settings\Chris Harber\Local Settings\Temp
    So I skipped that step.

    Everything else ran fine.

    I attached the avenger log.
    I attached the MGlogs log.

    Things are definitely faster, but I'm sure that is because processes like wmiprvse.exe aren't pegging my CPU at 100%.

    With your approval, I'm going to try and install a fresh copy of Norton 2008.
    But only when you think things are safe. I have not yet tried to restore my wireless settings, which are still disabled, which is either the virus or I just need to rehook them back up.
    -Chris
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not True! Check again and make sure you still have viewing of hidden files/folders enabled. This folder is loaded with old junk. The newfiles.txt log inside of MGlogs.zip shows 261 files in this folder. I still suggest that you clean this up and then empty your Recycle Bin or run CCleaner.

    Your logs are clean now. Thus if you are not having any other malware issue, it would be best to first go thru the below.

    It is time to do our final steps:
    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    2. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you run Avenger, you can delete all files related to Avenger now.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
    After doing all of the above, make sure you have removed all the backups from the tools we ran (or Norton will complain about them) and also make sure that System Restore has been toggled; then you can re-install Norton.
     
  12. raremedium

    raremedium Private E-2

    Okay, first of all, thank you so much for your help. The laptop is clean of malware and back to operating as usual. I appreciate your time, and it has been a very good experience.

    I went through your cleanup list, and got rid of all the logs and stray software. Yes, I did have that directory, no idea why I couldn't see it before, but I gutted it.

    The only thing left is that the hldrr.exe rootkit virus has completely fouled up my wireless settings so I am still offline. Can you direct me to a place I could go or somehow help me reset them to their default settings?

    I cannot restart my Wireless Zero Configuration, I get an error 1068, which I researched at microsoft.com and pretty much got nothing. It's telling me that another program might be managing the wireless connection, but I have no idea how to release that.
    It looks like my TCP/IP settings took the worst hit, but I'm not a networking guy, so I can't really figure out what to do?

    So once again, thank you, and I'll be applying the fixes to the rest of my machines on my home network.
    You guys rule.
    -Chris
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have not already tried the below, give it a try:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;827328

    Or this one:

    http://support.microsoft.com/kb/871122


    If that does not work, I suggest posting in the Networking Forum.
     
  14. raremedium

    raremedium Private E-2

    It turns out that the bagle virus is still in there. I had most instances of it removed yesterday and wireless came right back up. I rebooted and bam, AVG 7.5 Antivirus (which I was able to install and update when I had it at bay) caught Bagle infecting APoint.exe and a few other executables. It seems like this sucker just will NOT go away. I know it's still in there because when I try to run the ACTUAL Hijackthis.exe, I get the all too familiar "HJT.exe is not a valid win32 application." Same thing goes for Spybot, just like at the beginning.

    Frustrated as hell.
    I attached my Malwarebytes, MGTools, and Analyse logs just for review, maybe we can try something else?
    -Chris
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now, just to be safe, let's run a couple of other scanners to see if they locate anything else. Run the below!

    Using BitDefender Online Scan
    Trend Micro Housecall


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\avenger.txt
    • BitDefender log ( if you follow the instructions, it is an HTML file that has been renamed)
    • HouseCall log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
