Any help with removal of worm_bagle.ko please?

Discussion in 'Malware Help (A Specialist Will Reply)' started by andy woods, Feb 25, 2008.

  1. andy woods

    andy woods Private E-2

    Can anybody please help?

    My virus software (AVG), firewall and Microsoft updates have just stopped working. I did an online virus scan using Trend Micro and discovered that I had a worm_bagle.ko virus which was causing these problems. When I try to use programs like AVG, ComboFix and Avenger I get the message '....is not a valid win32 application'.

    I cannot seem to remove the virus though?? I am running XP...

    I would be grateful for any help. Thanks in advance!
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please see this for dealing with the error messages:
    Using MGtools

    We need at least the logs from that scan: MGlogs.zip
     
  3. andy woods

    andy woods Private E-2

    Thanks for your reply!

    I have performed all of the operations in 'Run and read me first'...

    When I try to run Combofix and avenger I get the message '....is not a valid win32 application'.

    Spybot S&D will not run and when I run Superantispyware, the icon appears in the taskbar but nothing happens when I double-click it.

    Ccleaner tries to start, but then disappears straight away.

    I have attached my MGtools logs...
     


  4. andy woods

    andy woods Private E-2

    ...I've managed to perform a Hijackthis log:
     
    Last edited by a moderator: Feb 26, 2008
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  6. andy woods

    andy woods Private E-2

    When I try to run Avenger I get the message '....is not a valid win32 application'.

    I've deleted the files:
    C:\1a7.tmp
    C:\342.tmp
    C:\3ba.tmp
    C:\425.tmp
    C:\WINDOWS\system32\Suchspur.dll

    I can't find the folder:
    C:\WINDOWS\system32\drivers\down

    and nothing seems to get rid of:
    C:\WINDOWS\system32\mdelk.exe
    Spyware and virus scans just reset the PC when they find this file.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Right-click Start and click Explorer, then scroll down to C:\WINDOWS\system32\drivers. If you have hidden system files showing, the "down" folder is full of malware and the whole thing needs to go: all the files in that folder and the folder itself.

    And if you cannot use ComboFix or Avenger, go to the Bitscan link, agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click-on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click Save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
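
The error the poster keeps hitting, '....is not a valid win32 application', is what Windows reports when its loader cannot parse the executable's DOS/PE headers. The same symptom is produced by a tool that malware has overwritten or truncated and by a download that was cut off or replaced with an error page, so checking the headers of the downloaded copy tells you which case you are in before you spend time on the tool itself. The script below is an added example for this thread, not code from MajorGeeks, TimW or any of the tools named here; the sample byte strings it checks are constructed inline so it runs offline. Run it from a clean machine against a copy of the suspect files (the infected host may block it just as it blocks the other tools); `check_pe`, `build_sample_pe` and `scan_dir` are names chosen for this example.

```python
"""Sanity-check Windows executables that fail with
'... is not a valid Win32 application'.

The loader rejects an image when the DOS header, the PE signature or the
optional header cannot be parsed.  This reproduces those first checks so a
corrupted or truncated tool can be told apart from a good one.

Added example for this forum thread; not code from MajorGeeks, TimW or any
tool named in the thread.  All sample bytes below are constructed here.
"""
from __future__ import annotations

import os
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
MACHINES = {0x14C: "i386", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def check_pe(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason) after the loader's header checks."""
    if len(data) < 0x40:
        return False, f"too short for a DOS header ({len(data)} bytes)"
    if data[:2] != DOS_MAGIC:
        return False, f"missing MZ signature (got {data[:2]!r})"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of PE header
    if e_lfanew + 24 > len(data):
        return False, f"e_lfanew=0x{e_lfanew:x} points past end of file"
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return False, "missing PE\\0\\0 signature at e_lfanew"
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if opt_size < 2 or e_lfanew + 26 > len(data):
        return False, "optional header missing"
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    if magic not in OPT_MAGIC:
        return False, f"unknown optional-header magic 0x{magic:x}"
    return True, f"{OPT_MAGIC[magic]} {MACHINES.get(machine, hex(machine))}, {nsect} sections"


def build_sample_pe(machine: int = 0x14C, magic: int = 0x10B, nsections: int = 3) -> bytes:
    """Constructed header-only image: enough to pass the signature checks,
    not a runnable program.  Used only as sample input for this example."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", magic) + bytes(222)
    return bytes(dos) + PE_SIGNATURE + coff + opt


def scan_dir(root: str) -> dict[str, tuple[bool, str]]:
    """Check every .exe/.dll/.sys/.scr under root; returns {path: (ok, reason)}."""
    results: dict[str, tuple[bool, str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".exe", ".dll", ".sys", ".scr")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(65536)   # headers sit in the first few KB
            except OSError as exc:
                results[path] = (False, f"unreadable: {exc}")
                continue
            results[path] = check_pe(data)
    return results


if __name__ == "__main__":
    # Constructed cases standing in for downloaded copies of a removal tool.
    SAMPLES = {
        "good.exe": build_sample_pe(),
        "truncated.exe": build_sample_pe()[:0x60],            # download cut off mid-header
        "zeroed.exe": bytes(1024),                             # file overwritten with nulls
        "html.exe": b"<html><body>Download blocked</body></html>",  # error page saved as .exe
    }
    for name, blob in SAMPLES.items():
        ok, reason = check_pe(blob)
        print(f"{name:15} {'OK ' if ok else 'BAD'} {reason}")
```

A file that fails here will fail in Windows too, so re-download it (or fetch it on a clean machine and carry it over) rather than retrying the same copy; a file that passes but still refuses to run points at something on the infected host blocking execution, which is the case the thread's later advice (Bitdefender online scan, removing the drivers\down folder) addresses.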
     
  8. andy woods

    andy woods Private E-2

    Thanks for all your help! My system is now back to normal.

    I managed to download a different version of Combofix which finally got rid of that mdelk.exe file.

    Your site is great and I feel much better equipped for fighting malware in future!

    :)
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the combofix log.....you need to remove all the crap in the C:\WINDOWS\system32\drivers\down folder!

    I'm wondering if you have the Microsoft .NET Framework software installed from MS update?
     
