Major problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by newuser28, Jan 8, 2009.

  1. newuser28

    newuser28 Private E-2

    Hi there and happy new year!
    I've gone through all the steps and I could manage to get only 2 scans and I got 2 attachments for it.
    When I try to run other programs (I've been changing names) I was getting the message "C:\Programfiles\TrendMicro.........is not a valid Win32 application". I really tried to get it working. The virus I got wiped out my Avast 4.8 antivirus program.
    To open a browser it takes 1 to 3 min.
    When I try to go and check my email at google/gmail I'm getting the message
    "IE cannot open the Internet site http://mail.google.com/mail/?ui=1.
    Operation aborted"
    Some place I've seen a message about a missing file called "aswRunDll.exe";
    maybe this will put some light on the problem.
    Please help
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You attached one of the scans within the MGLogs.zip.....I need you to attach the entire C:\MGLogs.zip.
     
  3. newuser28

    newuser28 Private E-2

    Tim, which program should I use to get this log?
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have the logs exactly where I said they were:

    C:\MGLogs.zip
     
  5. newuser28

    newuser28 Private E-2

    Is it this?
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are not running any anti-virus program....which is probably why you are infected!

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the "Input script here:"
    part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after the reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it, but this time make the agreement for running HJT and let the program run until it tells you it is finished! Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  7. newuser28

    newuser28 Private E-2

    Tim,
    I've spent all this time trying to open this program, but it looks like it's a really bad virus.
    When I try to open the zip I'm getting these messages:
    "The Compressed (Zipped) Folder is invalid or corrupted"
    or
    "C:\Documents..........\avenger.zip: Either multipart or corrupted ZIP archive"
    or
    "C:\Documents..........avenger is not a valid Win32 application".

    With the help of another computer and a USB stick I've downloaded and extracted "avenger" on my other computer, then I just copied and pasted it onto the "sick" computer, and I'm getting the message that this program "is not a valid Win32 application".

    What now?
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you download ComboFix as instructed? Does it run?

    Can you access the registry or would you prefer not to?

    Those items need to be removed.

    If you have combo on the desktop:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    
    Drivers::
    srosa
    
    Folder::
    C:\Documents and Settings\df\Application Data\m
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000\Control]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000\Control]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA\0000]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Get me the log as well as a new MGlogs.zip
     
  9. newuser28

    newuser28 Private E-2

    Yes, I do have it and it's the same story: as soon as I click on it I get a message ........not a valid Win32 application.

    With your help I can access the registry.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    OK.....first go to start / run / regedit.....now you will expand:
    HKEY_LOCAL_MACHINE

    then expand:
    System

    Next:
    CurrentControlSet

    Next :
    Enum

    Then:
    Root

    Now right click the LEGACY_SROSA and delete it.
    Do the same for: LEGACY_SROSA\0000

    Let me know if you have a problem with this.


    The other approach is to download and install Registrar Lite

    Run Registrar Lite navigate to each of the following keys (one at a time) and take ownership of them (I explained how to do that further down).

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA\0000

    To take ownership of the key do the following:

    * Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    * Click-on Security in the top Menu
    * Select Take Ownership
    * Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    * Now leave RegistrarLite running and continue
    * Now run the fixME.reg REGISTRY PATCH below in this message.
    * Tell me the results. Any error messages?
    * Now in RegistrarLite click View and then Refresh
    * Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    * If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!.


    Here is the Registry Patch

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    PART 2 - Setting Permissions for Everyone

    Run the below if some of the registry keys still exist after running the above steps.

    Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to everyone (I describe this down below the list of registry keys).
    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key you just deleted was truly deleted. If so, move on to the next to work thru the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

    Then reboot your PC!
     
  11. newuser28

    newuser28 Private E-2

    Hi Tim,

    Right from the beginning I was unable to complete this step:

    Now right click the LEGACY_SROSA and delete it.
    Do the same for: LEGACY_SROSA\0000

    Let me know if you have a problem with this.


    So I moved on to the next step and downloaded *Registrar lite*.
    I followed your procedures step by step, everything went according to your instructions until it was time to make sure the keys were deleted when I navigated them.

    I further followed your instructions to Part 2 - Setting Permissions for Everyone below. This went fine until I right clicked on the registry key and an error popped up that read: Access Denied! This occurred for all the keys as I tried to right click and delete them.

    Can you please help me, as I have tried the steps over at least three times and the same problem seems to occur. Any help is appreciated.

    Thanks

    Andrew!
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re-try doing the Registry patch I gave you.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  13. newuser28

    newuser28 Private E-2

    OK, here it comes,
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Can you manually remove this folder:
    C:\Documents and Settings\df\Application Data\m

    Have you tried renaming SAS, Combo and Avenger?

    Have you tried running both Combofix and / or Avenger in safe mode?

    Try running this:
    Resetting Registry and File Permissions

    Can you open the MGTools folder and double click the analyse.exe? It will produce a log for you to attach.
     
  15. newuser28

    newuser28 Private E-2

    Tim,
    I've removed the "m" file from C:\Documents and Settings\df\Application Data\m

    I've renamed all these programs a few times and I got the same message ...........not a valid Win32 application.

    Somehow I cannot switch to Safe Mode, I've tried about 10 times, seems like nothing to it but I could not switch.

    I ran the Resetting Registry and File Permissions.
    I ran MGTools, but the log looks like it is the old one (16 Jan 2009).
    I've deleted this log and run analyse.exe a couple of times and I did not see a new log, so I retrieved it from the Recycle Bin, I ran the program again and it looks like it's the same log as before.
    So I've attached the log, can you see any difference?
     
  16. newuser28

    newuser28 Private E-2

    Forgot the log
     
  17. newuser28

    newuser28 Private E-2

    I can not see the attachment.
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What I want you to do is to double click the analyse.exe inside the MGTools folder. It will open, do a scan only...then click save log.....save it to your desktop. Attach that.
     
  19. newuser28

    newuser28 Private E-2

    OK, here comes the log
     

    Attached Files:

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Look at what you attached. Do you see a HJT log within the MGLogs.zip? Are you not making the agreement to the license for HJT when you run the tool?

    C:\Documents and Settings\df\Application Data\m --> still exists.

    C:\MGtools\analyse.exe ---> this is what you need to double click and attach the resultant log.

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Do you have your xp cd, as we may need to use it to remove items from the recovery console.
     
    Last edited: Jan 19, 2009
  21. newuser28

    newuser28 Private E-2

    As per your instructions:

    I don't know where to look to see the HJT log.

    I've deleted again "C:\Documents and Settings\df\Application Data\m"
    Is there a special way to do it, so this file won’t come back again?

    C:\MGtools\analyse.exe: I've run this tool a few times,
    the program comes on and I can see it run and then it disappears,
    but I cannot find the log, it's not there at C:\Mgtools.... is it under a different name? like "procdll.txt"?

    I ran ATF-Cleaner.exe, I got one message "Cannot remove folder Dc56: The directory is not empty"
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start by copying the bold text below to notepad. Save it as fixMe.reg to your desktop. Be sure the "Save as" type is set to "all files".

    * Please go to this link: http://live.sysinternals.com/
    * find the psexec.exe file listed in the list and click on it and download and save it to your Desktop. Doing this properly is critical for other steps below.
    * Now click Start, Run, and enter cmd and click OK. This will open a command prompt window with a prompt that shows the current folder you are in.
    * For you the prompt should show C:\Documents and Settings\User>
    * Now type cd Desktop and hit the enter key. There is a space after the cd.
    * If you do this properly, your prompt will change to C:\Documents and Settings\User\Desktop>
    * Type the below bold text and hit the enter key. This will open the Windows Registry Editor. You will have to agree to the SysInternals License Agreement first that pops up.
    psexec -s -i regedit
    * In the Registry Editor click File, Import and then navigate to the fixDNSC.reg file on your Desktop from the previous fix and double click on it to import it into your registry. If it works properly you should get a success message.
    * If you get a success message continue on with the below, otherwise stop and explain to me any problems you had.

    Now, download a fresh copy of ComboFix and attach the new log, also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * ComboFix Log
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  23. newuser28

    newuser28 Private E-2

    I got to this point without any problems, and from here I don't understand what you are saying:

    "" Type the below bold text and hit the enter key. This will open the Window Registry Editor. You will have to agree to the SysInternals License Agreement first that pops up.
    psexec -s -i regedit
    * In the Registry Editor click File, Import and then navigate to the fixDNSC.reg file on your Desktop from the previous fix and double click on it to import it into your registry. If it works properly you should get a success message.
    * If you get a success message continue on with the below, otherwise stop and explain to me any problems you had.

    Now, download a fresh copy of ComboFix and attach the new log, also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * ComboFix Log
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!""

    Which below bold text??
    What I've done is I just copied & pasted the above quote "REGEDIT4",
    after that I got the same prompt
    "C:\Documents and Settings\User\Desktop>"
    I can't go any further
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try this again......

    Let's start by copying the bold text below to notepad. Save it as fixDNSC.reg to your desktop. Be sure the "Save as" type is set to "all files".

    * Please go to this link: http://live.sysinternals.com/
    * find the psexec.exe file listed in the list and click on it and download and save it to your Desktop. Doing this properly is critical for other steps below.
    * Now click Start, Run, and enter cmd and click OK. This will open a command prompt window with a prompt that shows the current folder you are in.
    * For you the prompt should show C:\Documents and Settings\User>
    * Now type cd Desktop and hit the enter key. There is a space after the cd.
    * If you do this properly, your prompt will change to C:\Documents and Settings\df\Desktop>
    * Type the below bold text and hit the enter key. This will open the Windows Registry Editor. You will have to agree to the SysInternals License Agreement first that pops up.
    * In the Registry Editor click File, Import and then navigate to the fixDNSC.reg file on your Desktop from the previous fix and double click on it to import it into your registry. If it works properly you should get a success message.
    * If you get a success message continue on with the below, otherwise stop and explain to me any problems you had.

    Now, download a fresh copy of ComboFix and attach the new log, also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * ComboFix Log
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  25. newuser28

    newuser28 Private E-2

    Tim,
    Looks like I got everything, except for ComboFix; here I got the old message "..........not a valid Win32 application."
    Please see the new log from MGTools.
     

    Attached Files:

  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the updated version from the link below and try running the scan once more. If necessary, rename the file.

    ComboFix.exe
     
    Last edited by a moderator: Jan 23, 2009
  27. newuser28

    newuser28 Private E-2

    I’ve renamed the file to home.exe; data.exe; scan.exe; ****.exe; and I always got the same message "..........not a valid Win32 application."
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    @Tim and BJ,

    Has anyone tried to remove the below from the infection?????

    Code:
    "C:\WINDOWS\system32\dllcache\"
    register.exe  Jan 18 2009       14848  "register.exe"
    sysinfo.exe   Jan 18 2009       68096  "sysinfo.exe"
    They are part of the problem. You may need to use the Recovery Console or a special boot disk like UBCD4Win or a Linux/Knoppix type disk to get anywhere with this. It seems like commercial programs really just cannot get around to being able to remove Bagle infections. They say they do but none of them really do..... at least not consistently.


    The below files and the SROSA registry keys are all part of the infection:
    Code:
    "C:\Documents and Settings\df\Application Data\m\"
    list.oct      Jan 19 2009        4102  "list.oct"
    data.oct      Jan 19 2009      864256  "data.oct"
    srvlist.oct   Jan 19 2009         631  "srvlist.oct"
    Additional other files may be hidden by the rootkit.
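    The indicators chaslang and TimW list in this thread (the dllcache executables, the Application Data\m folder, the srosa driver and the LEGACY_SROSA keys) can be checked in one pass; the script below is an added, read-only example, not something posted in the thread or shipped with any of the tools it mentions. The "df" profile path is the poster's and is assumed here; the ACL report explains the "Access Denied" the poster saw, since a Deny ACE on the key blocks deletion even for Administrators.

```powershell
# Added example: report the Bagle/srosa indicators named in this thread.
# Read-only: nothing is deleted. Run from an elevated PowerShell prompt.
# A clean result from inside the infected OS is not conclusive, because
# the rootkit may hide files (as chaslang notes above).

# Profile path "df" is the poster's; adjust for another machine.
$profileAppData = 'C:\Documents and Settings\df\Application Data'
$files = @(
    "$env:SystemRoot\system32\dllcache\register.exe",
    "$env:SystemRoot\system32\dllcache\sysinfo.exe",
    "$profileAppData\m\list.oct",
    "$profileAppData\m\data.oct",
    "$profileAppData\m\srvlist.oct"
)
# Registry keys from the CFScript and Registrar Lite steps above, plus
# the service key that the Drivers:: srosa line in the CFScript targets.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000',
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA',
    'HKLM:\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA',
    'HKLM:\SYSTEM\CurrentControlSet\Services\srosa'
)

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        # -Force so hidden/system attributes do not hide the item from us
        $fi = Get-Item -LiteralPath $f -Force
        "FOUND file   {0}  ({1} bytes, modified {2})" -f $f, $fi.Length, $fi.LastWriteTime
    }
}

foreach ($k in $keys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    "FOUND key    $k"
    try {
        # Deny entries here are what produce "Access Denied" on delete,
        # which is why the thread resorts to Take Ownership / psexec -s.
        $acl = Get-Acl -LiteralPath $k
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny') {
                "   DENY ACE  {0}: {1}" -f $ace.IdentityReference, $ace.RegistryRights
            }
        }
    } catch {
        "   cannot read ACL: $($_.Exception.Message)"
    }
}

# Is the srosa kernel driver currently registered/running?
# (Get-Service only lists Win32 services, so query Win32_SystemDriver.)
Get-WmiObject -Class Win32_SystemDriver -Filter "Name='srosa'" |
    ForEach-Object { "FOUND driver srosa, state {0}, path {1}" -f $_.State, $_.PathName }
```

    If the driver or the Deny ACEs are still present after a cleanup attempt, the thread's advice applies: the removal has to happen from outside the running OS (Recovery Console or a boot CD), since the driver is protecting its own keys.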
     
  29. newuser28

    newuser28 Private E-2

    Nobody has tried to remove the below from the infection?????

    ""Code:
    "C:\WINDOWS\system32\dllcache\"
    register.exe Jan 18 2009 14848 "register.exe"
    sysinfo.exe Jan 18 2009 68096 "sysinfo.exe" ""


    What is it, Recovery Console or a special boot disk like UBCD4Win or a Linux/Knoppix type disk,
    how can I get this?
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you tried to manually delete these files?


    Description of the Windows XP Recovery Console for advanced users


    See this UBCD4Win

    You still need your Windows XP boot CD to use the Recovery Console or to create the UBCD4Win. Do you have your CD? TimW asked you this quite a while ago but I did not see you answer. If you do not have your CD and cannot borrow one that matches your version of Windows, you are in trouble and may have to do a factory restore, or you will have to investigate making a CD like this: SystemRescueCd


    It is not in the scope of this forum to provide detailed instructions on creating special CDs like this nor how to use them, which can be complicated if you are not an expert.
     
