Help - Malware Infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dalama32, Oct 29, 2007.

  1. dalama32

    dalama32 Private E-2

    I strongly suspect my computer has been infected by some form of the BAGLE virus. (only a guess)

    It stopped my up-to-date Mcafee "total protection" product
    I cannot reinstall Mcafee
    I can install but not run "spy-bot search and repair" SpybotSD.exe is missing
    I have tried to install other virus removal (avg & bitdefender) tools but all have failed to either install or run.
    I cannot boot up in safe mode - computer keeps resetting
    I have read and tried to follow READ & RUN ME FIRST. Malware Removal Guide but am unable to attach some of the files because of already mentioned problems.

    attaching hijack, getrunkey and shownew logs

    Someone, Please Help

    ra
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Use windows explorer to find and delete:
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking fix, exit HJT.

    Let me know how things are running and if you can now do any of the online scans.
     
  3. dalama32

    dalama32 Private E-2

    Thanks so far...

    I am unable to delete MDM.exe - "access denied" message

    should I go ahead with hjt anyway?
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do the HJT ..then attach a new HJT log.
     
  5. dalama32

    dalama32 Private E-2

    new hjt log
     


  6. dalama32

    dalama32 Private E-2

    looks like counterspy is installed and running now... i'll post log when complete

    ra
     
  7. dalama32

    dalama32 Private E-2

    Okay, I managed to get Counterspy installed and did a full scan and deleted the reported viruses (log is attached).

    Still cannot boot in safe mode and still cannot install any "other" anti virus programs (mcafee, spybot).

    attached is log for Counterspy and new hjt.
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You may uninstall Counterspy as we are finished with the trial version.

    Now:
    Download this trial version of Ewido Anti-Malware
    • Install Ewido Anti-Malware
    • Double-click the icon on Desktop to launch Ewido
    • Now update Ewido to the latest definition files.
      • On the top of the main screen click Shield
      • Click the word active to change it to inactive
      • On the top of the main screen click Update.
      • Then click on Start Update.
      If you have any problems with the updater, you can use the below link to manually update Ewido
      http://download.ewido.net/ewido-sign...ll-current.exe
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    • Now click Scanner & select the Scan tab
    • Click Complete System Scan to begin scanning.
    • If any infections are found you will be prompted, then select "Apply all actions"
    • Once finished, click the Save report button, then click Save Report As and save it to your desktop or someplace else that you know you will be able to find it later to upload here as an attachment.
    Be patient while waiting for the scan to complete. It would be best to not do anything else while scanning as it would only slow down the scan and could potentially interfere with some aspects of the scan.

    After the scan has completed and you have saved your log, reboot your PC!


    Now post the Ewido log as an attachment to the thread where your problem is being worked.
     
  9. dalama32

    dalama32 Private E-2

    I installed Ewido but it could not do the update "failed to save package" error.
    I followed your link to download the update and installed.
    I ran a "full scan" - it seemed to be progressing - it got through the c: drive without detecting anything but it then just seemed to quit without any error messages and produced no log - nothing quarantined.
    I repeated with the same result.
    Note - I ran with shield disabled as per instructions but now I cannot turn the shield on "failed to activate resident shield".
    I can run a "fast system scan" - nothing detected.
    All other programs (non anti-malware) on the computer seem to be working okay.

    I have been able to get "safe boot" to work now by updating the registry keys (see attached file) My safe boot keys had been wiped out. If you want I can roll back to before registry update.

    ra
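    The repair dalama32 describes above (re-creating the wiped SafeBoot keys from a .reg file) is easy to sanity-check before and after merging. The following Python is an added example, not code from this thread or from any of the tools it mentions: it contains a small parser for the .reg export format and counts the entries under SafeBoot\Minimal and SafeBoot\Network. The embedded export is constructed and deliberately incomplete (the Network list is left empty so the check fires); it is modelled on the layout of the real key but is not the full set of entries a working safe mode needs.

```python
# Constructed, deliberately incomplete .reg export modelled on the layout of the
# SafeBoot key: the Minimal list has a couple of entries, the Network list is an
# empty container, as it would be after its entries were wiped. Illustration only,
# not a complete or authoritative SafeBoot key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
"""

REG_HEADER = "Windows Registry Editor Version 5.00"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"


def parse_reg(text: str) -> dict:
    """Minimal .reg parser: {key_path: {value_name: raw_value}}.

    '@' is the key's default value. A [key] section with no values is kept
    as an empty dict so that empty containers are still visible.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line == REG_HEADER:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, value = line.partition('=')
        name = '@' if name == '@' else name.strip('"')
        keys[current][name] = value
    return keys


def safeboot_lists(keys: dict) -> dict:
    """Names of the subkeys under SafeBoot\\Minimal and SafeBoot\\Network."""
    result = {'Minimal': [], 'Network': []}
    for key in keys:
        for lst in result:
            prefix = f"{SAFEBOOT}\\{lst}\\"
            if key.lower().startswith(prefix.lower()):
                result[lst].append(key[len(prefix):])
    return result


def check_safeboot(reg_text: str):
    """Return (per-list entry names, names of lists that have no entries)."""
    lists = safeboot_lists(parse_reg(reg_text))
    missing = [name for name, entries in lists.items() if not entries]
    return lists, missing


if __name__ == '__main__':
    lists, missing = check_safeboot(SAMPLE_REG)
    for name, entries in lists.items():
        print(f"SafeBoot\\{name}: {len(entries)} entries")
    if missing:
        print("empty lists (safe mode will not start for these):", ", ".join(missing))
```

    Run it against `reg export "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot" safeboot.reg` output from the suspect machine, and again against a known-good export from a clean machine of the same Windows version, to see what was removed.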
     


  10. dalama32

    dalama32 Private E-2

    One last observation - task manager is reporting explorer.exe is using 1-2% cpu when the system is sitting idle - I don't think I have seen this before?

    ra
     
  11. dalama32

    dalama32 Private E-2

    I have just run ms "windows live one safety scanner" and it reported a WinNT/Bagle.gen in c:\windows\system32\drivers\srosa.sys but it could not remove it.

    ra
     
  12. dalama32

    dalama32 Private E-2

    I believe my problem is now resolved. I assume the ms "windows live safety scanner" was able to remove srosa.sys on the next reboot. After a reboot I was able to finally run the anti virus/spyware tools as outlined in the guidelines and get rid of the remnants.

    ra
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Interesting since that file was not in your ShowNew log.....

    If you think you are malware free, but would like me to look at your logs, please attach new ShowNew, GetRunkeys and HJT logs.

    Otherwise:
    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  14. dalama32

    dalama32 Private E-2

    Logs attached.

    Note that I have now installed NOD32 anti-virus and COMODO firewall

    ra
     


  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Uninstall ewido ...
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Reboot

    Run HJT and have it fix these items:
    O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hidr.exe
    O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe

    Then:
    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now install:
    Java Runtime 6

    Re-run Counterspy

    Attach new logs for:
    HJT
    GetRunkeys
    counterspy
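    The two O4 entries TimW has HJT fix above are the kind of thing a triage script can flag before a human reads the log. The following Python is an added example, not code from this thread or from HijackThis: it parses HJT-style O4 lines and applies two heuristics, an auto-started .exe living in the drivers directory under system32 (the hidr.exe entry) and a value name that looks like a file name but launches a differently named file (german.exe launching wintems.exe). The sample log is constructed: the hidr.exe and wintems.exe lines are the two entries quoted in the thread, the other two are made-up benign entries for contrast, and the "C:\Program Files\Example\tray.exe" path is hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis O4 format. The hidr.exe and wintems.exe lines
# are the two entries quoted in the thread; the other two are made-up benign
# entries for contrast (the "Example" path is hypothetical).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /startup
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hidr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 - <hive>\..\<Run key>: [<value name>] <command line>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)


def target_path(cmd: str) -> PureWindowsPath:
    """Pull the launched executable out of an O4 command string.

    Handles a quoted path, an unquoted path (possibly containing spaces) up
    to the first .exe, and falls back to the first token.
    """
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return PureWindowsPath(m.group(1))
    m = re.match(r'(.+?\.exe)', cmd, re.IGNORECASE)
    if m:
        return PureWindowsPath(m.group(1))
    return PureWindowsPath(cmd.split()[0])


def triage_o4(log_text: str) -> list:
    """Return the O4 entries that trip one of two heuristics.

    exe_in_drivers_dir: the drivers directory under system32 holds .sys
        files, so an auto-started .exe there is out of place.
    value_name_mismatch: a value name that looks like a file name but
        launches a file with a different name.
    """
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name = m.group('name')
        path = target_path(m.group('cmd'))
        parts = [p.lower() for p in path.parts]
        reasons = []
        if parts[-3:-1] == ['system32', 'drivers']:
            reasons.append('exe_in_drivers_dir')
        if name.lower().endswith('.exe') and name.lower() != path.name.lower():
            reasons.append('value_name_mismatch')
        if reasons:
            findings.append({
                'hive': m.group('hive'),
                'name': name,
                'target': str(path),
                'reasons': reasons,
            })
    return findings


if __name__ == '__main__':
    for f in triage_o4(SAMPLE_HJT):
        print(f"{f['hive']} [{f['name']}] -> {f['target']}: {', '.join(f['reasons'])}")
```

    Both heuristics are hints, not verdicts: a hit means "look at this file" (hash it, check its signature and creation time), not "delete it". The ctfmon.exe line shows the mismatch rule staying quiet when the value name and the target agree.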
     
  16. dalama32

    dalama32 Private E-2

    ewido is not installed
    uninstalled java 5
    reboot
    fixed entries with hjt
    merged fixMe.reg
    reinstalled Counterspy (we uninstalled at some point)
    ran counter spy - log attached (nothing important found)
    logs attached
     


  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok...Counterspy didn't find anything of use...so uninstall it again ...:D

    Now turn off your active protection from Nod and any anti-spyware you have running and do the Registry patch again....it's still showing.

    after it runs, reenable the anti-virus and anti-spyware and attach a new GetRunKeys log.
     
  18. dalama32

    dalama32 Private E-2

    Disabled NOD's AMON and reran patch.
    Log attached.

    I could not see the bad keys in the last getrunkeys log?

    ra
     


  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That did it .....how are things running now?
     
  20. dalama32

    dalama32 Private E-2

    The system is running well - and snappier too now that I ditched McAfee.

    Thank you so much for your help!

    Do you think I need to be concerned that personal data was compromised while this malware was active? My hardware router had a built-in firewall.

    ra
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I don't think you were compromised ...but do follow the suggestions in the link I gave you on How to protect yourself from malware ....:)
     
