Bagle / Malware Infestation

Discussion in 'Malware Help (A Specialist Will Reply)' started by Ayara, Mar 25, 2008.

  1. Ayara

    Ayara Private E-2

    I am having a similar issue as mentioned in http://forums.majorgeeks.com/showthread.php?t=153485.

    As with this user, I cannot run a HiJack this, NAV will scan but has not been able to update since 3/14/08, and the only reason I know I have a problem is due to processor overload and information provided to me from Panda Scan (attached).

    Most of the issues Panda found were resolved, but I have residual attacks in my SYS32 folder that I am having difficulties removing.

    Could you assist, please? I may have more than one system affected by this, as it appears we received it from a customer file through email...

    Thanks,
    Ayara

    Additional notes: We use CCleaner, Windows Cleanup, Registry Booster, Registry Mechanic, and Ad-Aware here, and all of those "appear" to have done as much as they can.
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi Ayara,
    Welcome to Major Geeks!


    Please do as much of the READ & RUN ME FIRST as possible and let me know how this goes. It may be necessary to run some of the scans with the computer disconnected from the internet so you can disable any antivirus and antispyware software for the duration of the scans. Then be sure they are reenabled. If something doesn't work, make a note of it and continue. We need to see the logs.

    abri
     
  3. Ayara

    Ayara Private E-2

    Sorry about that - my Google search took me directly to the post, so I never saw the main forum.

    Attached are the log files I was able to get. Here are current statuses:

    HiJack This - will not run (not a valid Win32 application)
    Spybot - will not run (not a valid Win32 application)
    SUPERAntiSpyware - no threats
    MGTools - attached
    Malwarebytes Anti-Malware - threats found, quarantined (not removed). Log attached.

    System does appear to be running a little better but is obviously not clean at this point. I will start these same scans on the other compromised system on our network shortly.

    Thanks in advance.
     

    Attached Files:

  4. Ayara

    Ayara Private E-2

    I was able to successfully take care of the second computer, so that's no longer an issue. I do still need help with the first computer and the logs in the post above. Unfortunately that just happens to be my system, so production is on complete hold 'til I'm able to get on the network again :(
     
  5. abri

    abri MajorGeek

    Hi Ayara,

    It's important to only post about one computer in one thread. If there are two computers, please start a new thread for the second one. Does your original Panda scan refer to the same computer as your most recent logs?

    Based on the MGlogs which you just posted, I would like for you to do the following.


    1) Go to add/remove programs and uninstall the below:

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 7
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1


    2) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    3) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment

    Whichever computer the MGlogs.zip refers to is not in normal start up mode. To correct this, please go to Start / Run and type in msconfig and click on okay. In the window that opens up you'll see some boxes next to different options. Please click on the box called normal startup and then click on apply and okay.


    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
  6. Ayara

    Ayara Private E-2

    Better, but still not completely convinced that we're 100%.

    The processor load is running better than it was (appears to be normal). However, I am still unable to run HiJack This and Spybot. Do you think this is still a result of this attack or should I remove these programs and reinstall?

    Here are the Avenger and MGTools logs. I have fixed the startup and am in the process of reinstalling Java. Our ISP at the office is being conveniently flaky today so it's taking me forever to pull the download...

    Thanks for getting on top of this for me!

    Ayara
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi Ayara,

    HijackThis did run this time as part of the MGTools. Your computer is better, but still infected. In order to continue, it has to be put into normal startup mode. Please go to Start / Run and type in msconfig and click on ok. In the window that opens up, click on normal startup mode and click on accept and ok.

    Then run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
    O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
    O21 - SSODL: Pnpebcat - {609F74EF-D68E-449B-B95B-B65E2C273308} - C:\WINDOWS\system32\minadcab.dll

    After you click fix, just close hijackthis.

    After completing all of the above, please rerun the MGTools by going to the MGTools folder and finding the file called GetLogs.bat. Double click on this and allow the scans to run to completion. When finished, please attach this new set of logs.

    Once you've completed this, I will have another set of instructions for you.
    abri
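    The four HijackThis lines quoted in the post above follow a fixed log format. As an added example (not part of the thread or of HijackThis/MGTools), this Python snippet parses O4 (Run key) and O21 (SSODL) lines into their hive, value name and image path, then applies the kind of review heuristics a helper applies by eye: an .exe stored in the drivers directory, a Run value named after a different executable than the one it launches, and any SSODL entry. The sample lines are taken from the post; the heuristics are this example's own assumptions, not HijackThis logic.

```python
import ntpath
import re

# Constructed sample input: the four lines quoted in the post above.
HJT_LINES = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O21 - SSODL: Pnpebcat - {609F74EF-D68E-449B-B95B-B65E2C273308} - C:\WINDOWS\system32\minadcab.dll
""".strip().splitlines()

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")


def image_path(cmd):
    """Return the program part of a Run-key command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):          # quoted path, possibly containing spaces
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def parse_hjt(lines):
    """Turn O4 (Run key) and O21 (SSODL) lines into dicts; other types are skipped."""
    entries = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            entries.append({"type": "O4", "hive": m["hive"], "name": m["name"],
                            "path": image_path(m["cmd"])})
            continue
        m = O21_RE.match(line)
        if m:
            entries.append({"type": "O21", "name": m["name"], "clsid": m["clsid"],
                            "path": m["path"].strip()})
    return entries


def review(lines):
    """Heuristics (this example's assumptions, not HijackThis logic): (path, reason) pairs."""
    findings = []
    for e in parse_hjt(lines):
        path = e["path"].lower()
        base = ntpath.basename(path)
        if e["type"] == "O21":
            findings.append((e["path"], "SSODL autostart, rarely used by legitimate software"))
        elif "\\system32\\drivers\\" in path and base.endswith(".exe"):
            findings.append((e["path"], "executable stored in the drivers directory"))
        elif e["name"].lower().endswith(".exe") and e["name"].lower() != base:
            findings.append((e["path"], "Run value named after a different executable"))
    return findings
```

    Run against the sample, `review(HJT_LINES)` flags the three entries abri asked to have fixed and leaves the QuickTime entry alone.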
     
  8. Ayara

    Ayara Private E-2

    Weird...I had set it to Normal Startup so not sure why that happened.

    Here's the next MGTools log.
     

    Attached Files:

  9. Ayara

    Ayara Private E-2

    I'm an idiot....here's the correct log file.

    Ever notice how everything always happens at once? :confused
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi Ayara,

    Please go to post 5, step 2 and run Avenger again, only this time use the contents of this box:
    Now run ATF Cleaner again.

    Your computer is still not in msconfig normal startup mode. Please do as before, go to Start / Run and type in msconfig and click on ok. When you get to the window that opens, make sure that normal startup mode is checked. Then click on the startup tab and see if there is a checkmark in the box next to all the entries in the list. If not, please check them all. Accept all the changes and click on ok.

    Then run GetLogs.bat again (in the MGTools folder under C) and attach a new set of MGlogs.zip.

    How is your computer running now?
    abri
     
  11. Ayara

    Ayara Private E-2

    I'm not sure why it keeps telling you that it's not in Normal Startup. I am pretty familiar with MSCONFIG and it is set to Normal as requested.

    I've been trying to attach the logs and a screenshot of the config screen, but now I'm having multiple issues doing that. If I use Firefox like I normally do, I don't have an option to add attachments (the Manage Attachments button is missing). If I use IE, I have the button but when I click on it it acts like I need to log in again. When I do, it won't link the files to this message.

    Help?
     
  12. Ayara

    Ayara Private E-2

    Never mind...6th time was the charm in this case. Still acting weird, but at least they are attached.

    Here's the Avenger and MGTools log, as well as a screenshot of the MSCONFIG screen. I have rebooted after ensuring it was set to Normal Startup, so I'm sure what's in this ss is correct.
     

    Attached Files:

  13. abri

    abri MajorGeek

    It's showing up wrong in your runkeys log. I'll ask about how to fix this.

    If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    Do you have a two-way firewall (not the one that comes with Windows)? If not, I recommend getting one.

    Other than the above, I don't see any further problems in your logs. How is your computer working now? If you are not having further symptoms of malware, please follow the final cleanup instructions in the box:
    abri
     
  14. Ayara

    Ayara Private E-2

    So far so good! Thanks for all the hard work Abri!

    Ayara
     
  15. abri

    abri MajorGeek

    Hi Ayara,
    That's good to hear. The following instructions will correct the problems that are occurring in your normal startup mode and that I keep seeing in your runkeys log:

    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Let me know if you get a success message with this patch.

    abri
     
  16. Ayara

    Ayara Private E-2

    Yep, got the success message. Thanks!
     
  17. abri

    abri MajorGeek

    Okay, I think that's all that was left.
    Happy surfing!
     
