Bagle removal, the other way

Discussion in 'Malware Help (A Specialist Will Reply)' started by Astralix, Feb 18, 2008.

  1. Astralix

    Astralix Private E-2

    Hi!

I just want to say thank you to all posters who helped me get rid of the bagle.of infection on my system. I didn't have an account on this board and I hadn't had any infections for years.
    However, I want to leave a present for all those who helped, in the form of a small explanation of the way I did it.

The infection was a win32.bagle.of and it slowed down my system and modified the explorer settings by hiding file extensions and hidden directories. It downloaded lots of additional files into WINNT/system32/drivers/down, and all the other hidden signs of infection came true.
    The first sign I got was a bluescreen after a reboot stating that srosa.sys had done some ugly things. Googling for that brought me to this board very fast and gave me thin hints of what this thingy does:
    - creates mdelk.exe, wintems.exe, srosa.sys and some more
    - creates an HKLM/.../Windows/Run/germany.exe entry
    - hides removal tools from explorer and also from the system
    - prevents AVG, McAfee, Kaspersky, S&D and lots of other scanners from starting

    1) How to get the system started without bluescreen:
Start a Linux rescue CD and log in as root. Mount the drive of your Windows installation. As Windows crashed before, the disc isn't clean and therefore you have to force-mount it: mount -t ntfs /dev/hda1 /media -o force
    cd to /WINNT/System32/drivers and rm srosa.sys mdelk.exe and rm -rf down
    reboot

2) Now you're back in Windows and you have two problems.
    b) Task Manager states that it cannot kill the processes wintems.exe and mdelk.exe, which are part of the trojan
    Solution: Get ProcessExplorer from www.sysinternals.com, it will kill them.
    a) The service hiding your scanners from itself ( and you) is still active and it will reinstall all those deleted files right with the next reboot cycle.
Identify all the files around the virus derivative you got. Replace them with files that do not harm your system:
    I replaced mdelk.exe and wintems.exe by simply copying arp.exe two times and renaming it to the filenames of the virus.
    I grabbed one .sys file, copied it and renamed it to srosa.sys
    Then I did a right-click/properties on all these dummy files and set massive restrictions by revoking almost all access rights for main users, the system user and all others except administrator (I need to access the files again for killing them). And even for administrator I revoked as many rights as possible (write, modify, delete).

    3) Reboot and see all those scanners popping up again that failed while trying to remove the virus in the first run. I mean I installed Kaspersky trial, I installed AVG trial and even the free edition of Spybot S&D and they all popped up right after the next start fighting who's first on killing that ugly bagle.
My assumption was that the bagle service cannot start if its files are not existent. Not existent means in this case that they were still existent but replaced and locked to harmless exe or sys files. Hm, I was right :)

4) Let the scanners identify the files and unrestrict the access to the files step by step, as even the scanners cannot delete a file that is restricted from User or System access in the ACL. Scan again until nothing is found anymore and be happy with a running machine that did not need to be reinstalled.

Ok, so far, thanks again to all posters around here giving me so many details about this idiot work of bagle and leading me to this 4 hour repair instead of losing several days of reinstalling.

    Cheers, Astralix
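The rescue-CD step in the post above, as an added example that is not the poster's own commands: a POSIX shell function that quarantines the dropped files instead of deleting them, recording a SHA-256 of each so the scanners run afterwards (or anyone doing forensics) can confirm what was removed. The file names and the WINNT/System32/drivers path are taken from the post; the mount point and quarantine directory are assumptions passed as arguments.

```shell
#!/bin/sh
# Offline cleanup from a Linux rescue CD, run after the NTFS volume has been
# mounted (e.g. at /media). Instead of "rm", the Bagle dropper files are moved
# into a quarantine directory together with their SHA-256 hashes.

# Print the SHA-256 of a file; falls back to shasum where sha256sum is absent.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# quarantine_bagle <mount_root> <quarantine_dir>
# Moves srosa.sys, mdelk.exe and wintems.exe (names from the post) out of
# <mount_root>/WINNT/System32/drivers and the whole "down" directory along
# with them. Writes "<sha256>  <name>" per moved file into hashes.txt and
# prints that list. Returns 1 if the drivers directory is not there, which
# usually means the wrong volume or mount point was given.
quarantine_bagle() {
    root="$1"
    qdir="$2"
    drivers="$root/WINNT/System32/drivers"
    [ -d "$drivers" ] || { echo "no drivers directory under $root" >&2; return 1; }
    mkdir -p "$qdir" || return 1
    : > "$qdir/hashes.txt"

    for name in srosa.sys mdelk.exe wintems.exe; do
        f="$drivers/$name"
        [ -f "$f" ] || continue            # not every variant drops all three
        echo "$(hash_file "$f")  $name" >> "$qdir/hashes.txt"
        mv "$f" "$qdir/$name.quarantined"
    done

    # "down" holds the additional downloads; keep it for the scanners to
    # inspect rather than rm -rf.
    if [ -d "$drivers/down" ]; then
        mv "$drivers/down" "$qdir/down"
    fi
    cat "$qdir/hashes.txt"
}
```

After rebooting into Windows, the quarantined copies can be fed to the scanners the post mentions, and the hashes allow a later check that the same files are not dropped again.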
     
  2. abri

    abri MajorGeek

    Hi astralix!
    Welcome to Major Geeks!

    Thanks for sharing your information.
    abri
     
