Removing Bagle Infections

Discussion in 'Malware Removal FAQ' started by chaslang, Mar 20, 2009.

Thread Status:
Not open for further replies.
    chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    This procedure will make use of FindyKill written by Chiquitine29. This tool attempts to remove the files, folders, and registry keys related to Win32.Bagle infections.

    Background Info

    Common symptoms of Bagle infections can be:
    • Inability to run security-type programs (antivirus, anti-malware and similar tools). An error like "not a valid Win32 application" may keep appearing while trying to run these programs. In addition, security programs may be broken and require a reinstall after Bagle has been removed.
    • Inability to boot into Safe Mode
    • The PC may seem very slow.
    Files like the below may be seen, depending on your Windows version (where UserName is the user account name):
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\drivers\srosa.sys
    C:\WINDOWS\system32\mdelk.exe
    C:\WINDOWS\system32\wintems.exe
    C:\Windows\system32\config\systemprofile\AppData\Roaming\drivers\winupgro.exe
    C:\Windows\system32\config\systemprofile\AppData\Roaming\drivers\srosa2.sys
    C:\Windows\system32\config\systemprofile\AppData\Roaming\drivers\wfsintwq.sys
    C:\Users\UserName\AppData\Roaming\drivers\srosa2.sys
    C:\Users\UserName\AppData\Roaming\drivers\wfsintwq.sys
    C:\Users\UserName\AppData\Roaming\drivers\winupgro.exe
    AppData folders like the below (where UserName is the user account name):
    C:\Documents and Settings\UserName\Application Data\drivers
    C:\Documents and Settings\UserName\Application Data\hidires
    C:\Documents and Settings\UserName\Application Data\hidn
    C:\Documents and Settings\UserName\Application Data\m
    C:\Users\UserName\AppData\Roaming\drivers\downld
    C:\Users\UserName\AppData\Roaming\drivers
    System32 drivers folders like the below will be seen, depending on your Windows version:
    C:\WINDOWS\system32\drivers\downld
    C:\WINDOWS\system32\drivers\down
    C:\Windows\system32\config\systemprofile\AppData\Roaming\drivers
    C:\Windows\system32\config\systemprofile\AppData\Roaming\drivers\downld

    These folders may contain dozens of randomly named executables such as 171750.exe, 175906.exe, 314500.exe, 328484.exe, etc.
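    The following script is an added triage example for the file-system indicators listed above; it is not part of the original post and is not FindyKill's own logic. It walks a Windows volume root (a live C:\ or, better, a volume mounted from a clean boot environment, since the symptoms above say Bagle blocks security tools on the running system) and reports the known dropper files, the dropper folders, and indicator folders stuffed with digits-only .exe names like 171750.exe. Assumptions: the user-profile segment of the paths varies per machine and is matched as a wildcard; "dozens of randomly named files" is generalized to any file whose name is digits followed by .exe; and build_sample_tree() creates a constructed, empty-file tree purely to demonstrate the scanner.

```python
"""Offline triage scan for the Win32.Bagle file and folder indicators above.

Added example, not code from the original post or from FindyKill.
Every indicator path below is copied from the post; only the user-profile
name is an assumption (it differs per machine, so it is matched as [^/]+).
"""
import os
import re
import tempfile
from pathlib import Path

# File indicators as regexes over a lowercased, forward-slash path relative to
# the volume root. NTFS is case-insensitive, so lowercasing makes the XP
# "WINDOWS" and the Vista/7 "Windows" spellings match the same pattern.
FILE_INDICATORS = [
    r"windows/system32/drivers/hldrrr\.exe",
    r"windows/system32/drivers/srosa\.sys",
    r"windows/system32/mdelk\.exe",
    r"windows/system32/wintems\.exe",
    r"windows/system32/config/systemprofile/appdata/roaming/drivers/"
    r"(winupgro\.exe|srosa2\.sys|wfsintwq\.sys)",
    r"users/[^/]+/appdata/roaming/drivers/(winupgro\.exe|srosa2\.sys|wfsintwq\.sys)",
]

# Dropper / payload folders from the post (XP and Vista/7 layouts).
FOLDER_INDICATORS = [
    r"documents and settings/[^/]+/application data/(drivers|hidires|hidn|m)",
    r"users/[^/]+/appdata/roaming/drivers(/downld)?",
    r"windows/system32/drivers/(downld|down)",
    r"windows/system32/config/systemprofile/appdata/roaming/drivers(/downld)?",
]

FILE_RE = re.compile("^(?:" + "|".join(FILE_INDICATORS) + ")$")
FOLDER_RE = re.compile("^(?:" + "|".join(FOLDER_INDICATORS) + ")$")
# Assumption: the "randomly named" payloads (171750.exe, ...) are digits-only
# executable names, so that is the pattern counted inside indicator folders.
NUMERIC_EXE_RE = re.compile(r"^\d+\.exe$")


def _rel(path: Path, root: Path) -> str:
    """Lowercased, forward-slash path of `path` relative to `root`."""
    return path.relative_to(root).as_posix().lower()


def scan_volume(root):
    """Walk a volume root and return the Bagle indicators found beneath it.

    Returns {"files": [...], "folders": [...], "payload_dirs": {folder: count}}
    with paths relative to root; payload_dirs counts digits-only .exe files
    found inside matched indicator folders.
    """
    root = Path(root)
    hits = {"files": [], "folders": [], "payload_dirs": {}}
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d != root and FOLDER_RE.match(_rel(d, root)):
            folder = _rel(d, root)
            hits["folders"].append(folder)
            n = sum(1 for f in filenames if NUMERIC_EXE_RE.match(f.lower()))
            if n:
                hits["payload_dirs"][folder] = n
        for f in filenames:
            rel = _rel(d / f, root)
            if FILE_RE.match(rel):
                hits["files"].append(rel)
    hits["files"].sort()
    hits["folders"].sort()
    return hits


def build_sample_tree(root):
    """Create a CONSTRUCTED tree that mimics a Vista-era infection layout.

    All files are empty placeholders (no malware); the clean decoys check
    that legitimate drivers and ordinary AppData folders are not flagged.
    """
    root = Path(root)
    infected = [
        "Windows/System32/drivers/srosa.sys",
        "Windows/System32/wintems.exe",
        "Users/alice/AppData/Roaming/drivers/winupgro.exe",
        "Users/alice/AppData/Roaming/drivers/downld/171750.exe",
        "Users/alice/AppData/Roaming/drivers/downld/175906.exe",
        "Users/alice/AppData/Roaming/drivers/downld/314500.exe",
    ]
    clean = [
        "Windows/System32/drivers/ntfs.sys",        # legitimate driver name
        "Users/alice/AppData/Roaming/Notes/readme.txt",
    ]
    for rel in infected + clean:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()
    return root


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_volume(tmp)


if __name__ == "__main__":
    for kind, found in demo().items():
        print(f"{kind}: {found}")
```

    Run it as `python bagle_triage.py` for the constructed demo, or call scan_volume(r"C:\") (or the mount point of an offline image) on a real host. An empty result does not prove the machine is clean; it only means none of the indicators named in this post are present, which is why the FindyKill log is still what the thread asks for.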
    Removing The Infection - Installing FindyKill
    • Download FindyKill and save it to your Desktop. If the first link does not work, use this one: FindyKill-mg
    • You will see this icon [​IMG]
    • Double-click the FindyKill.exe icon on your Desktop and the installation program will run. You will see the below
    [​IMG]


    • Click the Next button to install FindyKill
    • On the next form select the I agree with the above terms and conditions radio button and then click the next button
    [​IMG]


    • It defaults to installing in the root folder of your Windows boot drive. Normally this would result in a C:\FindyKill folder. Just accept this by clicking the Next button
    [​IMG]
    • You will see a message that the Directory does not exist. Click Yes to allow it to be created.
    [​IMG]
    • You are now ready to install FindyKill, so on the next form, click the Start button.
    [​IMG]
    • When you see the message that FindyKill has been successfully installed, click the Exit button
    [​IMG]
    Searching for the Infection with FindyKill
    • Your Desktop will now have two icons for FindyKill on it. [​IMG]
    • Click the one that looks like the one on the right in the above image to run the program.
    • You will see the below window appear for a few seconds and it will continue to the next window on its own
    [​IMG]
    • After the above window goes away you will be on the main menu of FindyKill. Here you will be able to choose a language. Type E and hit the Enter key to choose English
    [​IMG]
    • You will now see the English menu. ​
    [​IMG]



    • Choose 1. # Research, which will search for infected files, and then hit the Enter key.
    • You will now see the below window asking you to connect (insert) all USB drives and to put a CD into any CD drives. If you don't have any of these, just click OK to continue
    [​IMG]
    • Your Desktop and Start Menu and icons may disappear. This is normal. Do not try to run anything and do not click your mouse. Just wait for it to finish. The FindyKill window will look like below for a short time​
    [​IMG]



    • It will then show a window similar to the one below, which will constantly update/change while searching, thus I just show it as blank since it changes quickly
    [​IMG]
    • When it finishes searching, you will see the window below, although it may be covered by a Notepad window with a log in it from the search.
    [​IMG]
    • The notepad window will have the FindyKill.txt log in it.​
    [​IMG]
    • This log is already saved in the root folder of your Windows boot drive (normally this would be C:\FindyKill.txt). The above window will also tell you where the report was saved. Thus you can just close this Notepad window now. When you close this Notepad window, the above search window from FindyKill will also terminate, thus ending the FindyKill session.​
    • You should attach this first C:\FindyKill.txt log to your thread now before continuing. This log will show us what was found.​
    • Then you will move on to the next step below. ​
    Cleaning the Infection with FindyKill
    • Now run FindyKill again by double clicking the icon on your Desktop.​
    • Select your language again ( E for English and hit the Enter key)​
    • This time choose 2. # Deletion and then hit the Enter key. You will now see the window below again, asking you to connect (insert) all USB drives and to put a CD into any CD drives. If you don't have any of these, just click OK to continue​
    [​IMG]

    • You will see the warning window below. Make sure you read all of the following text before clicking the OK button. When you click the OK button your PC will shut down and reboot within a few seconds; you will see a Shutdown window for a few seconds before it does. After the reboot, once you log in, the scanning will immediately begin. You will see a couple of FindyKill windows pop up and no Windows Desktop will show, which is normal. One window will say something like "This scan may take over 5 minutes", but it can easily take more, and usually takes quite a lot longer. Plan on it being around 45 minutes; it depends on how many disks, files, folders, etc. you have to be scanned. Just BE PATIENT and do not do anything.
    [​IMG]
    • When the scan finishes, the windows below should open; one of them is the new cleaning log, FindyKill.txt.
    [​IMG]

    [​IMG]

    • Now come back to the forum and attach this new C:\FindyKill.txt log

    • Also make sure you tell us how things are working.

    • You may need to reboot your PC one more time, since running this cleaning procedure can cause your antivirus and other startup programs not to run.
    • If the final windows do not appear and you are left with a blank screen, press CTRL-ALT-DEL to bring up Task Manager, then select the Shut Down menu and choose Restart.
     
    Last edited: Oct 22, 2009