I believe I've been infected with the Malware Worm_Bagle.ko (need help please)

[peteproducer]

I currently have a Dell Dimension DIM 4600, pentium 4, 2.60 GHz, 1.00 GB of RAM.

basically everytime i try to open my avast anti-virus or even the AVG anti-virus, the worm seems to block it.

giving me the following error message:

"C:\Program Files\Awil Software\ashAvast.exe is not a valid Win32 application."

I cannot run ComboFix, the worm is blocking it as I get the same error message...

I ran Mgtools and got the following log:

Logfile of Trend Micro HijackThis v2.0.2


I got other logs too from Mgtools, i'll post them if needed.

I tried running the Avenger, but it is also blocked...

I successfully ran SmitFraudFix, but the anti-virus is still blocked... I don't know what else to try. I appreciate any help, thanks...

[peteproducer]

up 4 sum help, thanks again...

[TimW]

Please attach the C:\MGLogs.zip.

Also, read this:
Don't Bump! It Only Hurts You!!!

Please try doing the below:

Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then doube click on it to run it.

AVPFind.bat

It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that is will hopefully create as long as the malware does not block the batch file from running.


Now download and Run exeHelper

• Please download exeHelper to your desktop.
• Double-click on exeHelper.com to run the fix.
• A black window should pop up, press any key to close once the fix is completed.
• Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Also please try running the below online scan:

http://www.superantispyware.com/onlinescan.html

Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.

B]Attach the below logs when finished with all of the above:[/B]

• C:\avplog.txt - from AVPfind
• log.txt - from exeHelper
• C:\MGlogs.zip - from MGtools

[peteproducer]

first of all thanks for the help Tim... I'll do everything and post what you have requested...

[peteproducer]

******************************************************************************
* AVPFind.bat - (c) 09/01/2009 By Chaslang *
* *
* Helps to identify potential AntiVirus Pro infected system DLL files and *
* and poosible replacement files to use during cleanup. *
******************************************************************************

Windows OS is

Microsoft Windows XP [Version 5.1.2600]

============= Finding copies of eventlog.dll =================================
"C:\i386\EVENTLOG.DLL" 49152 02-08-29 08:00
"C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll" 49152 02-08-29 08:00
"C:\WINDOWS\ServicePackFiles\i386\eventlog.dll" 55808 04-08-04 05:56
"C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll" 56320 08-04-13 22:11
"C:\WINDOWS\SYSTEM32\eventlog.dll" 55808 04-08-04 05:56

============= Finding copies of netlogon.dll =================================
"C:\i386\NETLOGON.DLL" 399360 02-08-29 08:00
"C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll" 408064 09-02-06 16:46
"C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll" 408064 09-02-06 16:46
"C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll" 399360 02-08-29 08:00
"C:\WINDOWS\ServicePackFiles\i386\netlogon.dll" 407040 04-08-04 05:56
"C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll" 407040 08-04-13 22:12
"C:\WINDOWS\SYSTEM32\netlogon.dll" 407040 04-08-04 05:56

============= Finding copies of scecli.dll =================================
"C:\i386\SCECLI.DLL" 174592 02-08-29 08:00
"C:\WINDOWS\$NtServicePackUninstall$\scecli.dll" 174592 02-08-29 08:00
"C:\WINDOWS\ServicePackFiles\i386\scecli.dll" 180224 04-08-04 05:56
"C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll" 181248 08-04-13 22:12
"C:\WINDOWS\SYSTEM32\scecli.dll" 180224 04-08-04 05:56

******************************************************************************

[peteproducer]

how do I attach files here on the forum ?

[peteproducer]

exeHelper by Raktor
Build 20091021
Run at 20:07:21 on 11/16/09
Now searching...
Checking for numerical processes...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11929931
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

[peteproducer]

ok Tim so I tried the superspyware, it starts scanning but then unfortunetly i get the blue screen and have to restart my system.. damn thought we almost had it there...

[TimW]

HOW TO: Attach Items To Your Post

You said you had the C:\mglogs.zip. Please attach that.

[peteproducer]

Ok Tim, here is the attachment you requested... thanks for helping me out man...

[TimW]

You are seriously infected!!! And you should not be allowing all users to have Admin. privileges!!

None of these should be on your desktop:

Code:

C:\Documents and Settings\Marco Jr\Desktop\
~WRL0656.tmp"
~wrl0704.tmp  Sep  6 2009       26624  "~WRL0704.tmp"
~wrl1143.tmp  Sep  6 2009       25600  "~WRL1143.tmp"
~wrl1716.tmp  Sep  6 2009       25600  "~WRL1716.tmp"
~wrl1863.tmp  Sep  3 2009       26624  "~WRL1863.tmp"
~wrl1877.tmp  Sep  6 2009       25088  "~WRL1877.tmp"
~wrl2255.tmp  Sep  6 2009       24576  "~WRL2255.tmp"
~wrl2573.tmp  Sep  5 2009       27136  "~WRL2573.tmp"
~wrl3266.tmp  Sep  6 2009       25600  "~WRL3266.tmp"
~wrl4085.tmp  Sep  6 2009       25088  "~WRL4085.tmp

What is this:
C:\Anti-Virus Safety Tools

Let's start with this:

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

Quote:

O2 - BHO: (no name) - {C8F3043E-556F-4AB4-AE86-28B70F5B80ED} - C:\WINDOWS\system32\KCDHELA3.DLL (file missing)
O4 - HKLM\..\Run: [11929931] C:\DOCUME~1\ALLUSE~1\APPLIC~1\11929931\11929931.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\Marco Jr\Local Settings\Application Data\smss.exe"
O20 - Winlogon Notify: GbPluginBb - C:\PROGRA~1\GbPlugin\gbieh.dll
O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing)
O22 - SharedTaskScheduler: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\MARCOJ~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Marco%20Jr/Local%20Settings/Temporary%20Internet%20Files/Content.IE5/P04FPXCT/100_0608%5B2%5D.jpg

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
C:\Documents and Settings\Marco Jr\Local Settings\Temp\7ZS1C.TMP     
C:\Documents and Settings\Marco Jr\Local Settings\Temp\MG11.tmp
C:\Documents and Settings\Marco Jr\Local Settings\Temp\img7.tmp      
C:\Documents and Settings\Marco Jr\Local Settings\Temp\RWI2C.tmp
C:\Documents and Settings\Marco Jr\Local Settings\Temp\rwi2d.tmp     
C:\Documents and Settings\Marco Jr\Local Settings\Temp\rwi2e.tmp     
C:\Documents and Settings\Marco Jr\Local Settings\Temp\rwi2f.tmp   
C:\Documents and Settings\marco\Local Settings\temp\YwQLd.exe
C:\Documents and Settings\marco\\Local Settings\temp\ElUvJw.exe
C:\Documents and Settings\Marco Jr\Local Settings\Application Data\smss.exe
C:\WINDOWS\SYSTEM32\srosa2.sys

Folder::
C:\WINDOWS\SYSTEM32\Datei0
C:\WINDOWS\SYSTEM32\datei1       
C:\WINDOWS\SYSTEM32\datei10       
C:\WINDOWS\SYSTEM32\datei2       
C:\WINDOWS\SYSTEM32\datei3       
C:\WINDOWS\SYSTEM32\datei4        
C:\WINDOWS\SYSTEM32\datei5       
C:\WINDOWS\SYSTEM32\datei6        
C:\WINDOWS\SYSTEM32\datei7       
C:\WINDOWS\SYSTEM32\datei8       
C:\WINDOWS\SYSTEM32\datei9       
C:\Documents and Settings\Marco Jr\Local Settings\Temp\_av_inet.tm~a01876
C:\Documents and Settings\Marco Jr\Local Settings\Temp\_av_proI.tm~a00224
C:\Documents and Settings\ALLUSErs\Application Data\11929931
C:\\Program Files\\AntivirusGolden
C:\Program Files\Common files\KeenValue
C:\Program Files\SpySpotter3

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"11929931"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winepi32]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AntivirusGolden]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ElUvJw]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ElUvJw.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KeenValue]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpySpotter]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpySpotter System Defender]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\YwQLd]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\YwQLd.exe]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C8F3043E-556F-4AB4-AE86-28B70F5B80ED}]

[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\sharedtaskscheduler]
"{dfa61db1-388e-4c87-8d56-540fa229bcb4}"=-

[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\mssmgr]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000\Control]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000\Control]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SK9OU0S]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SK9OU0S\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SK9OU0S\0000\Control]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sK9Ou0s]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sK9Ou0s\Security]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sK9Ou0s\Enum]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SK9OU0S]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SK9OU0S\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SK9OU0S\0000\Control]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sK9Ou0s]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sK9Ou0s\Security]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sK9Ou0s\Enum]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SK9OU0S]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SK9OU0S\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sK9Ou0s]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sK9Ou0s\Security]

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

[peteproducer]

Thanks for all the help Tim, i took care of it though! it was the Rontobrok.A worm

I had to backup all my data to an external HD, and format the HD that had the operating system (win xp), then win xp pro was installed with the anti-virus Avira (which is very good btw) and I put my data back, then scaned the HD and the virus was found! wow man, its been a hard couple of days... appreciate all your help! thanks again

[TimW]

You are most welcome. Good to know you got it sorted.