Infected with Trojan-Downloader.Win32.Bagle.xz

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by advanced, Aug 13, 2008.

  1. advanced

    advanced Private E-2

    Yup, just as the title says.

    I've been browsing for some software and found a site (don't remember which) that, among countless little progs, offered one which I later found out was non-free. In other words, the file I downloaded was a (cracked?) version containing a virus.

    VirusTotal (http://www.virustotal.com/) says it's Trojan-Downloader.Win32.Bagle.xz (different antiviruses call it differently, this is the most common name).

    The said virus disabled my firewall (COMODO) and I can't install any ANY anti-virus software (with the exception of Malwarebytes Anti-Malware).

    No Kaspersky, AVG, AntiVir, SpyBot, SuperAntiSpyware... Even ComboFix.
    If they don't freeze or crash, they report: "not a valid Win32 application" or "Error 193: 0xc1"

    Malwarebytes Anti-Malware supposedly found some infected files, I deleted them, but it didn't change anything.

    --Log:--

    Malwarebytes' Anti-Malware 1.24
    Database version: 1047
    Windows 5.1.2600 Service Pack 2

    15:31:57 2008.08.13.
    mbam-log-8-13-2008 (15-31-57).txt

    Scan type: Quick Scan
    Objects scanned: 107324
    Time elapsed: 8 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 9

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\system32\drivers\downld (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\drivers\downld\210015.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\218781.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\229500.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\257656.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\263359.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\888484.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\897453.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\youtubex.dll (Trojan.Agent) -> Quarantined and deleted successfully.

    ------------

    Any help? Is it possible to get rid of this thing or is it easier just to backup, reformat and reinstall? :(

    EDIT: I've followed the instructions from http://www.viruslist.com/en/viruses/encyclopedia?virusid=21780028 (and I do remember that a file hidr.exe tried to access something, made my firewall alert, I blocked it, but, it appears, to no avail). But I found no such files and registry entries.
     
    Last edited: Aug 13, 2008
  2. advanced

    advanced Private E-2

    EDIT2: Avenger doesn't work either
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Actually, in many cases with this infection it is faster to format and reinstall because none of the tools available (not even paid programs) will properly remove this infection even though some of them say they do. In many cases the only way to remove this is to boot to the Recovery Console and manually delete the files and folders from the infection while Windows is not running. If you want to do this instead of reinstalling, we can instruct you on how to.
     
  4. advanced

    advanced Private E-2

    Thank you for replying!

    Indeed, reinstalling might actually be the best solution; however, right now I can't afford it if something goes wrong during the process. Luckily, I have an external HDD with just enough space for all my backups, but at this point I need my PC at least half functioning. Reinstalling seems like a more drastic measure.

    That's why I'm ready to hear your instructions :)
    (But I will be able to give an answer only in 2 days)
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We shall see! This infection is very nasty and problematic to remove.

    First, to possibly simplify some of your manual steps, please run Malwarebytes again, but make absolutely sure that you first update to the current detections, which could help remove more files from this infection. Save the log and attach it later.

    We will be booting to the Recovery Console in a moment, but first I want to do a little initial cleaning. If anything does not run/work for any reason, just continue.

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.



    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Manually delete as many files as it will let you delete from the C:\Windows\system32\downld folder to simplify later steps.



    Now read through the below to familiarize yourself with it and print it so you can refer to it while offline, since you will not be able to browse once starting the below.
    1. Put the Windows XP CD into the CD ROM tray and close the tray. You may get a popup window asking about installing Windows XP. If you do, just close that window.
    2. Then restart your computer
    3. This should cause your computer to boot from the CD instead of the hard drive (if not, you'll need to enter the BIOS and set the boot order so the CD ROM is first in the list).
    4. You should get a "Press any key to boot from CD" message! Press a key to do that otherwise it will by pass the CD boot.
    5. After it boots up, you will see it load a bunch of files (be patient, it can take a little while) and eventually you will see a menu where you can select the Recovery Console by pressing R. It is normally the middle item in the list. Press R.
    6. You will see a list of possible Windows partitions with numbers next to them. Select your Windows Installation (which is C:\Windows) by typing the number next to it (which should be 1) and press enter.
    7. It will ask you for the Administrator password next (so make sure you know it). If you never gave it a password, it is probably blank. If it is blank, just press enter. If you have set one, then type it in and hit enter. It will tell you if you enter the wrong password.
    8. When you enter the correct password you will get a prompt that looks like this: C:\WINDOWS>
    Now from this command prompt window, here are some things I want you to do. Enter the below commands (the commands are in bold black) in the order given. I will add comments in purple. In the below commands there are spaces after commands like cd, attrib, del, and rd


    cd system32 <-- the prompt should change to C:\WINDOWS\SYSTEM32>
    attrib -r-s-h mdelk.exe <-- there is a space after the attrib and after the -r-s-h
    attrib -r-s-h WINTEMS.EXE
    del mdelk.exe
    del WINTEMS.EXE

    cd system32\drivers <-- the prompt should change to C:\WINDOWS\SYSTEM32\DRIVERS>
    attrib -r-s-h hldrrr.exe
    attrib -r-s-h srosa.sys
    del hldrrr.exe
    del srosa.sys
    cd downld <-- the prompt should change to C:\WINDOWS\SYSTEM32\DRIVERS\downld>
    dir <-- this will give you a list of all files in the downld folder. For each file in this folder you need to execute the below del command and replace the file.bat or file1.exe with the real file names.
    del file1.bat
    del file1.exe
    etc

    After you get all of the files deleted (double check by executing the dir command as often as necessary) then continue with the below.

    cd .. <-- there is a space after the cd. The prompt should change back to C:\WINDOWS\SYSTEM32\DRIVERS>
    cd downld <-- the prompt should change back to C:\WINDOWS\SYSTEM32\downld>
    dir <-- this will list all files in the downld folder. You need to delete them one at a time using the del filename command where filename is the full filename like 218781.exe Keep using the dir command to show you what is left until all files are gone. Once all files are deleted continue with the below.
    cd .. <-- the prompt should change back to C:\WINDOWS\SYSTEM32>
    rd downld

    If the del commands do not work just type exit to leave the Recovery Console and boot into Windows and just come back here and tell me exactly what happened. Do not do any of the below!

    If the above worked then continue with the below.

    • Make sure your cable that connects you to the internet is unplugged
    • Take the CD out of your drive (it may not let you until you type exit and the reboot begins) and type Exit to reboot; however, reboot into safe boot mode.
    • In safe boot mode run SUPERAntiSpyware and save a log if it runs.
    • In safe boot mode run Malwarebytes Anti-Malware and save a log if it runs.
    • Now reboot into normal boot mode, and run C:\MGtools\GetLogs.bat by double clicking on it.
    Now plug your cable back in and come here and attach the below 3 logs
    • SUPERAntiSpyware
    • Malwarebytes
    • C:\MGlogs.zip
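    To check the Malwarebytes logs this thread asks for without reading 100+ lines by hand, here is a small parser for the MBAM 1.x log format quoted above that flags the Bagle files, folders and Run value the Recovery Console steps target, lists what MBAM left for "Delete on reboot", and checks the summary counts against the listed items. This is an added example, not a MajorGeeks or Malwarebytes tool; the sample log is constructed from paths posted in the thread with the user name replaced by the placeholder `user`.

```python
"""Parse the Malwarebytes' Anti-Malware 1.x log format quoted in this thread
and flag the Bagle artefacts that the Recovery Console steps delete.

Added example for this thread; it is not a MajorGeeks or Malwarebytes tool.
The sample log below is constructed from paths posted in the thread, with the
user name replaced by the placeholder 'user'."""
import re
from collections import defaultdict

# Summary block line: "Files Infected: 9".  Section header: "Files Infected:".
SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^(.+ Infected):$")

# File, folder and Run-value paths named in the thread, matched against
# lower-cased paths so case differences between logs do not matter.
INDICATOR_PATTERNS = [
    r"\\system32\\mdelk\.exe$",
    r"\\system32\\wintems\.exe$",
    r"\\system32\\drivers\\hldrrr\.exe$",
    r"\\system32\\drivers\\srosa\.sys$",
    r"\\system32\\drivers\\downld(\\|$)",
    r"\\system32\\downld(\\|$)",
    r"\\application data\\m(\\|$)",
    r"\\currentversion\\run\\mule_st_key$",
]
INDICATORS = [re.compile(p) for p in INDICATOR_PATTERNS]


def parse_mbam_log(text):
    """Return (summary counts, {section: [entry, ...]}) for one log."""
    summary, entries, section = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        # "<path> (<detection>) -> <action>."; split from the right because
        # the path itself may contain " (" (e.g. "... Fields (Tags) ... .zip").
        item, sep, action = line.rpartition(" -> ")
        if not sep:
            continue
        path, _, detection = item.rpartition(" (")
        entries[section].append({"path": path,
                                 "detection": detection.rstrip(")"),
                                 "action": action.rstrip(".")})
    return summary, dict(entries)


def check_counts(summary, entries):
    """Sections whose listed items disagree with the summary block, as
    {section: (claimed, listed)}; a truncated paste shows up here."""
    return {s: (n, len(entries.get(s, [])))
            for s, n in summary.items() if n != len(entries.get(s, []))}


def bagle_hits(entries):
    """Entries whose path matches one of the thread's Bagle indicators."""
    return [(section, e["path"], e["action"])
            for section, items in entries.items() for e in items
            if any(rx.search(e["path"].lower()) for rx in INDICATORS)]


def pending_reboot(entries):
    """Items MBAM could not remove while Windows was running; these are the
    ones to re-check after the Recovery Console pass."""
    return [e["path"] for items in entries.values() for e in items
            if e["action"].lower().startswith("delete on reboot")]


# Constructed sample log (paths taken from the thread, user name replaced).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.24
Database version: 1060
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 107795

Memory Processes Infected: 0
Registry Values Infected: 1
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Trojan.Agent) -> Delete on reboot.

Folders Infected:
C:\WINDOWS\system32\drivers\downld (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\downld\1105781.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mdelk.exe (Trojan.Spammer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Delete on reboot.
C:\Documents and Settings\user\Application Data\m\shared\Extract or Remove Text Between Any Two Fields (Tags) Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    summary, entries = parse_mbam_log(SAMPLE_LOG)
    for section, path, action in bagle_hits(entries):
        print(f"[{section}] {path} -> {action}")
    print("pending reboot:", pending_reboot(entries))
    print("count mismatches:", check_counts(summary, entries))
```

    Run it as `python mbam_check.py < /dev/null` after pasting a real log into SAMPLE_LOG, or import it and call `parse_mbam_log()` on the log text; any entry still marked "Delete on reboot" after the Recovery Console pass deserves a second look.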
     
  6. advanced

    advanced Private E-2

    Reporting:
    =========


    Ran Malwarebytes (updated). Log:
    --------

    Malwarebytes' Anti-Malware 1.24
    Database version: 1060
    Windows 5.1.2600 Service Pack 2

    11:34:37 2008.08.17.
    mbam-log-8-17-2008 (11-34-37).txt

    Scan type: Quick Scan
    Objects scanned: 107795
    Time elapsed: 7 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 56

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Trojan.Agent) -> Delete on reboot.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\system32\drivers\downld (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m (Trojan.Agent) -> Delete on reboot.

    Files Infected:
    C:\WINDOWS\system32\drivers\downld\1105781.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\1112265.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\1120187.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\1127687.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\1130390.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\1206718.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\1244531.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\149562.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\152953.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\155781.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\162562.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\172968.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\178062.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\1811125.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\1828781.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\1859281.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\1862281.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\186359.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\187828.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\188281.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\193203.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\193515.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\1947000.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\1957250.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\197953.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\202406.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\204609.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\205500.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\206203.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\206812.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\212765.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\215984.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\225359.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\228062.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\228359.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\234328.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\240078.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\242406.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\242578.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\256250.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\283640.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\286015.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\303953.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\327203.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\346859.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\347828.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\369171.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\369656.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\370500.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld\396953.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\data.oct (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\list.oct (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\srvlist.oct (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mdelk.exe (Trojan.Spammer) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Delete on reboot.
    C:\Documents and Settings\<name>\Application Data\m\flec006.exe (Trojan.Agent) -> Delete on reboot.

    -----------------

    Could not start ATF Cleaner. I saw it appear in my list of processes for a second and then disappear.

    Successfully deleted all mentioned files using Recovery Console.

    However, I could not reboot into safe mode. (I saw all related registry entries blank earlier and restoring them did not work). So I started in normal mode and this time I could import safeboot registry entries, since none of the malware drivers and executables were loaded.

    Restarted in safe mode, ran Malwarebytes and then SUPERAntiSpyware.
    (the latter didn't give me any log).
    Malwarebytes:
    ---------------

    Malwarebytes' Anti-Malware 1.24
    Database version: 1060
    Windows 5.1.2600 Service Pack 2

    13:46:43 2008.08.17.
    mbam-log-8-17-2008 (13-46-43).txt

    Scan type: Quick Scan
    Objects scanned: 106865
    Time elapsed: 10 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 131

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\<name>\Application Data\m (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\<name>\Application Data\m\data.oct (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\flec006.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\list.oct (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\srvlist.oct (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Externalize strings 0.0.5.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\eXternalTest 2.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\eXTexture 1.0.0.2.568.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\EXTIF pro 2.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\ExtMania 0.8.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\eXtra Buttons 1.22.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra Clock 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra Desk Basic 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra Dialer 1.08.6.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra Dialer Pro 3.0.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra Drive Creator Professional 7.3.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD Copy + Ripper 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD Copy 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD Copy Creator 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD Copy Free 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD Copy Ripper + Video Converter 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD Creator 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD Ripper + Video Converter 4.51.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD Ripper Express 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD Ripper Free 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD Ripper Professional 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD to 3GP Ripper 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD to All MP4 Ripper 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD to Audio MP3 Ripper 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD to AVI Ripper 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD to DVD Clone 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD to FLV + FLV Video Converter 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD to FLV Ripper 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD to iPhone Ripper 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD to iPod Converter 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD to iPod Ripper Express 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD to MPEG Ripper 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD to Pocket PC Ripper 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD to Sony PSP PS3 Ripper 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD to WMV Ripper 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD to Zune Ripper 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra DVD Video to iPod Converter 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra FLV SWF Video Converter 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra GIF Animator 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra GUI ActiveX 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra Headers Plugin 1.4.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra Photo SlideShow Free 4.24.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra Photo to Video Converter Free 4.25.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra Subst 3.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra Utility Tools For Microsoft Excel 3.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra Video Converter 5.2.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra Video Creator 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra Video to Audio MP3 Converter Free 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extra Video to iPod MP4 Converter 4.52.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Data & Text From Multiple Files Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Data & Text From Multiple PDF Files Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Data & Text From Multiple Web Sites Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Data & Text From MySQL Tables Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Data & Text In Multiple Files Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Domain From URLs Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Email Addresses From Multiple PDF Files Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Email Addresses From Multiple Sites Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Email Addresses From Multiple Web Sites Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Email Addresses From Newsgroup Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Email Addresses From Outlook Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Email Addresses From Text & HTML Files Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Email Addresses In Multiple Files Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Email Data From Outlook Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract HTML Links From Multiple Web Sites Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Icon Tool 1.80.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Link 2.5.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Message Action for InboxRULES 2.01.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Name & Address Contacts From Multiple Text & HTML Files Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract or Remove Text Between Any Two Fields (Tags) Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Phone Numbers From Multiple Text & HTML Files Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Plain Text From PDF Software 7.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract proxy program 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract URL 1.5.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extract Web Info 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\ExtractNow 4.39.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\ExtraMp3 Renamer 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\ExtraNotes 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\eXTransparent 1.0.0.1.95.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extraordinary Perception 1.00.00.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\ExtraPuTTY 0.22.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\ExtraRenamer 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\ExtraSearch FREE 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\ExtraSMS 1.7.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\ExtraTorrent Toolbar for Internet Explorer 2.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\ExTray 1.0.143.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\eXTree 4.0.0.4.8076.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\eXTree Lite 4.0.0.3.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme Cleaner 2.1.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme Exe Morning Coffee 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme Messenger for AIM 1.7.5.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\eXtreme Movie Manager Deluxe Edition 6.2.2.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme Password Generator Pro 1.5.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme Picture Finder 3.6.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme Processing 1.06.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme Punch 2.3.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme Scientific Calculator 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme Sport Bet Odds Converter 7.2.4.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme Sports Physics RSS Feed 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme Thumbnail Generator 1.11.0.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme Translator 1.84.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme Units Converter 1.2.1.2.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme URL Generator 1.3.0.4.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme Validator 1.31.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extreme Warmth 1.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\ExtremeCars 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Extremely Simple Desktop Lock 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\ExtremePlanner Starter Edition 2.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\ExTuber 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Exult Professional Edition for MySQL 1.3.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Exult Professional Edition for Oracle 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Exult Professional for SQL Server 1.4.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Exult XML Conversion Wizard 2.5.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Exybar 1.3.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\eXZoom 1.0.0.1.1281.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Eye Candy 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Eye Candy 5 (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Eye Candy for After Effects 3.1.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Eye Care 8.04g.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Eye Clock Screensaver 2.4.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Eye Illusion Screen Saver.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Eye in the Sky 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Eye of Horus 1.0.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Eye of the Storm 1.0 build 548.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Eye of the Storm Screensaver 2.3.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Eye Relax 1.2.zip (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\<name>\Application Data\m\shared\Eye Rest Reminder 1.01.zip (Trojan.Agent) -> Quarantined and deleted successfully.


    -----------------------

    SUPERAntiSpyware reported some Mozilla cookies and mdelk.exe, again.
    I clicked to remove them.


    Now I'm in normal mode. The virus modified the Folder Options window, so that I can't order Explorer to show hidden files. Found a registry fix and now I see them. There are no files that I deleted using Recovery Console (i.e. none reappeared yet).
    But I still can't install any antivirus.
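    The "can't show hidden files" symptom the poster describes is usually caused by a handful of well-known Explorer registry values being altered. The script below is an added example for this thread, not something the poster or the MajorGeeks staff supplied: it audits those values against their Windows defaults and, with -Repair, restores them. It assumes the tampering is limited to the three values it checks (the SHOWALL CheckedValue, the per-user Hidden setting and the NoFolderOptions policy); a different cause would need a different check.

```powershell
# Added example (not from the thread): audit the registry values that control
# whether Explorer can show hidden files, the setting the poster reports was
# tampered with. Run from an elevated PowerShell prompt. -Repair is optional.
param([switch]$Repair)

# Each entry: key path, value name, expected data and expected value type.
# These are the standard Explorer / Folder Options locations; the expected
# data is the Windows default that lets "Show hidden files and folders" work.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
       Name = 'CheckedValue'; Expected = 1; Kind = 'DWord'
       Why  = 'Must be 1 as REG_DWORD; 0 or a REG_SZ makes the radio button a no-op' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'Hidden'; Expected = 1; Kind = 'DWord'
       Why  = '1 = show hidden files, 2 = do not show' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoFolderOptions'; Expected = 0; Kind = 'DWord'
       Why  = 'Policy that removes the Folder Options dialog; should be absent or 0' }
)

# Returns the data and value type of a registry value, or $null if absent.
function Get-RegValueInfo {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $Name) { return $null }
    [pscustomobject]@{
        Data = $key.GetValue($Name)
        Kind = $key.GetValueKind($Name).ToString()
    }
}

$findings = @()
foreach ($c in $checks) {
    $info = Get-RegValueInfo -Path $c.Path -Name $c.Name
    $actualData = if ($info) { $info.Data } else { '<absent>' }
    $actualKind = if ($info) { $info.Kind } else { '<absent>' }

    # NoFolderOptions is fine when absent; the other two must match exactly,
    # including the value type, because a wrong type is a common tamper trick.
    $ok = if ($null -eq $info) { $c.Name -eq 'NoFolderOptions' }
          else { ($info.Data -eq $c.Expected) -and ($info.Kind -eq $c.Kind) }

    $findings += [pscustomobject]@{
        Key      = "$($c.Path)\$($c.Name)"
        Actual   = "$actualData ($actualKind)"
        Expected = "$($c.Expected) ($($c.Kind))"
        Status   = if ($ok) { 'OK' } else { 'TAMPERED' }
        Note     = $c.Why
    }

    if (-not $ok -and $Repair) {
        if (-not (Test-Path -LiteralPath $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        # Remove first so a wrong value type (e.g. REG_SZ) is replaced, not coerced.
        Remove-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected `
                         -PropertyType $c.Kind | Out-Null
    }
}

$findings | Format-Table -AutoSize -Wrap
```

    Run it without -Repair first to see which value was changed; restoring the values only undoes the symptom, so the infection itself still has to be cleaned as the staff member advises, and a value that reverts after a reboot means the malware is still active.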
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please remember that logs need to be attachments. Do not post them inline like you did.

    You need to attach the other logs I requested from SUPERAntiSpyware (it always produces a log unless it crashes. It just may not have shown it to you, but the instructions show how to see it), and I also need the MGlogs.zip file.
     
  8. advanced

    advanced Private E-2

    Actually, everything started to work fine for some reason.
    There are no unknown processes, none of the malicious files have reappeared.

    Thank you for your help! (But I shall take your advice and make a clean reinstall very soon)

    P.S. I'm glad I found out about Recovery Console and learnt to use it, because I already had an idea which files to get rid of, I just didn't know how to delete them without loading Windows and the malware along with it.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so are you saying everything is alright now?

    It would be a good idea to run ComboFix and MGtools and attach the requested logs to be on the safe side.
     
