Fighting against Bagle, HuPigeon ASCE, Delf CXF... need help

Discussion in 'Malware Help (A Specialist Will Reply)' started by bleachjt, Mar 11, 2008.

  1. bleachjt

    bleachjt Private E-2

    Here's an interesting problem for you guys.

    Ok basics first. I have an Acer laptop.
    OS: Windows XP Pro SP2
    DVD player doesn't work, so I can't run sfc /scannow and replace system files when it asks for the CD.

    On Sunday my laptop started behaving strangely, acting really slow, so I rebooted, only to find out that my Wireless Zero Configuration service was stopped, meaning no access to the internet. When I tried to restart it, it said that it couldn't because its dependencies could not be started. After a little searching I found this string in the registry, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisuio\, where the Start key had value 4, meaning it's disabled. I set it to 1 and rebooted. WZC was working again. However, the key had changed back to 4, so if I reboot without setting it to 1 again my wireless will not work.

    So naturally I started looking for my AVG, but no system tray icon could be found, and when starting it manually it said: filename.exe is not a valid Win32 application. Spybot says the same and so does Avast. It seems like every security program won't start now. The only program that did start was Xofstpy, which I ran from my U3-enabled USB stick, and here is what it found (but was unable to remove):

    Downloader Bagle GI Trojan C:\WINDOWS\system32\wintems.exe
    Backdoor HuPigeo ASCE Trojan system\currentcontrolset\services\svkp
    Backdoor HuPigeo ASCE Trojan system\controlset001\services\svkp
    Bagle IX Worm software\firstrrrun
    Downloader Delf CXF Trojan software\microsoft\clockadv
    Downloader Bagle GI Trojan software\microsoft\windows\currentversion\run\german.exe
    Downloader Delf CXF Trojan software\microsoft\clockadv\comment

    So here's what I've done. Checked the malware list in add/remove programs as described here. Nothing found.

    Checked that MSConfig is in Normal Startup mode (it was)

    Downloaded CCleaner but it won't run. Only a little flash, then it's gone

    Downloaded SUPERAntiSpyware, won't run, just the tray icon is visible

    Tried Spybot, won't run... not a valid Win32 application

    Sophos Anti-Rootkit won't run... not a valid Win32 application

    Combofix... same error

    Avenger... same error

    I did use HostsXpert to set back to default hosts file

    installed deldomains.inf

    MGTools ran fine, I've attached the mglogs.zip

    In my processes I see wintems.exe, but I can't kill it, not even with Process Explorer.

    I've looked through a few threads here and went through it all, but it always stops at some point, process explorer, avenger...

    So what else can I do? I have no option to reinstall windows unfortunately. Please feel free to ask what I have done and not done, as I'm sure there is something I have missed. Thanks!
     


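    The symptom bleachjt describes above (WZC refusing to start because "its dependencies could not be started", with Ndisuio's Start value set to 4) can be diagnosed in one pass by walking the service's DependOnService chain in the registry instead of searching key by key. The script below is an added example, not part of bleachjt's post or of any tool named in the thread. It reads the same HKLM\SYSTEM\CurrentControlSet\Services keys the post mentions and flags any dependency whose Start is 4 (Disabled). WZCSVC and Ndisuio are the service names from the post; everything else is my own code. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread or any tool it names.
# Walk a service's DependOnService chain in the registry and flag any
# dependency whose Start value is 4 (Disabled). A disabled dependency is
# exactly why WZCSVC refused to start in the post (Ndisuio had Start=4).
# Service names other than WZCSVC and Ndisuio are not from the thread.

$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$StartNames   = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceDependencyTree {
    param(
        [string]$ServiceName,
        [int]$Depth = 0,
        [hashtable]$Seen = @{}
    )
    if ($Seen.ContainsKey($ServiceName)) { return }   # guard against dependency cycles
    $Seen[$ServiceName] = $true
    $indent  = '  ' * $Depth
    $keyPath = Join-Path $ServicesRoot $ServiceName

    if (-not (Test-Path $keyPath)) {
        Write-Output "$indent$ServiceName : registry key missing"
        return
    }

    $props = Get-ItemProperty -Path $keyPath
    $start = [int]$props.Start
    $label = $StartNames[$start]
    if (-not $label) { $label = 'unknown' }
    $flag  = ''
    if ($start -eq 4) { $flag = '   <-- DISABLED: every service above this line will fail to start' }
    Write-Output ("{0}{1} : Start={2} ({3})  ImagePath={4}{5}" -f $indent, $ServiceName, $start, $label, $props.ImagePath, $flag)

    # DependOnService is REG_MULTI_SZ; wrapping in @() also handles a single string or $null.
    foreach ($dep in @($props.DependOnService)) {
        if ($dep) { Get-ServiceDependencyTree -ServiceName $dep -Depth ($Depth + 1) -Seen $Seen }
    }
}

Get-ServiceDependencyTree -ServiceName 'WZCSVC'

# The post repaired Ndisuio by hand with Start=1; the same change from PowerShell is:
# Set-ItemProperty -Path (Join-Path $ServicesRoot 'Ndisuio') -Name Start -Value 1
```

    Note that this only shows the current state. The post reports the value flipping back to 4 after every reboot, which means whatever is writing it is still running; a diagnostic like this tells you which service is being sabotaged, not what is doing the sabotage.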
  2. bleachjt

    bleachjt Private E-2

    UPDATE:

    I deleted the following keys in registry:

    system\currentcontrolset\services\svkp
    system\controlset001\services\svkp
    software\firstrrrun
    software\microsoft\clockadv

    Rebooted the machine and it didn't disable the Wireless Zero Configuration service anymore, but wintems.exe is still in my processes. I can't find this file on my system.

    Furthermore I did a search for *.exe files created in the last 10 days and found an interesting one in windows\system32 called mdelk.exe, which is another trojan (although no process called mdelk.exe is running). I can't delete it though.

    Will do some googling and see what I can find out. Will keep you updated.
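    The creation-date search bleachjt describes above (which turned up mdelk.exe) is one of the few triage steps that still works when every scanner on the box has been broken. The script below is an added example, not from bleachjt's post or any tool in the thread: it lists .exe/.dll/.sys files under system32 and system32\drivers created within the last N days and adds an Authenticode check on each. The 10-day window is the one used in the post; the directory list and extensions are my own choice.

```powershell
# Added example, not from the thread. List recently created executables and
# drivers under system32 (the same creation-date search that found mdelk.exe
# in the post) and report the Authenticode signature status of each.
# The 10-day window comes from the post; directories and extensions are mine.

$Days       = 10
$Extensions = @('.exe', '.dll', '.sys')
$Dirs       = @("$env:SystemRoot\system32", "$env:SystemRoot\system32\drivers")

function Get-RecentBinaries {
    param([string[]]$Paths, [int]$WithinDays)
    $since = (Get-Date).AddDays(-$WithinDays)
    foreach ($dir in $Paths) {
        # -Force includes hidden and system files; a kernel rootkit can still hide entries.
        Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                $Extensions -contains $_.Extension.ToLower() -and
                $_.CreationTime -ge $since
            } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                "{0:yyyy-MM-dd HH:mm}  {1,-12} {2,10}  {3}" -f $_.CreationTime, $sig.Status, $_.Length, $_.FullName
            }
    }
}

Get-RecentBinaries -Paths $Dirs -WithinDays $Days | Sort-Object
```

    Two caveats a practitioner would want here. Get-AuthenticodeSignature checks embedded signatures only, and many legitimate Windows files are signed through catalogs rather than embedded signatures, so NotSigned is not proof of anything; treat the creation date as the primary filter and the signature as a tie-breaker. And a directory listing only shows what the filesystem driver stack reports: the post itself has wintems.exe visible in the process list but unfindable on disk, and no amount of Get-ChildItem will fix that.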
     
  3. abri

    abri MajorGeek

    Hi bleachjt,
    Welcome to Major Geeks!

    You've got a number of problems and I'm working on them. If you can, please uninstall either AVG Antivirus or Avast. It's not enough to disable one or the other. You need to completely uninstall one of them. I think they can both be uninstalled via add/remove programs or have an uninstall program under Start / All Programs. I'll post you another set of instructions shortly. Please don't do anything else for the time being until I can work with your computer in the state for which I have the logs. It will just make things more difficult.

    abri
     
  4. abri

    abri MajorGeek

    Hi bleachjt,

    See what you can do of the following:


    First some questions:


    1) The following are files. Do you know what they are? If not, you can right-click on them (don't left-click on them) and look at properties to see if there is any information on them.

    C:\Documents and Settings\Jørn Tillnes\My Documents\121F322A742877CA
    C:\Documents and Settings\Jørn Tillnes\My Documents\2D77116299DE6A00
    C:\Documents and Settings\Jørn Tillnes\My Documents\4F681313


    2) If you right-click on the following folder, can you see in its properties whether it belongs to Spybot (the company might be listed as Safer Networking)?

    C:\Documents and Settings\Jørn Tillnes\Local Settings\Application Data\TeaTimer

    And now, please do the following:


    3) Please find these folders and delete any contents you are allowed to delete. Windows will not allow you to delete files from the current day and that is okay. Just delete everything else that you can.

    C:\WINDOWS\Temp\
    C:\Documents and Settings\Jørn Tillnes\Local Settings\Temp\


    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    5) Go to add/remove programs and uninstall the below:

    - Java(TM) 6 Update 3


    6) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.qsrch.com/
    O2 - BHO: Mp3 Video - {6FFE49B7-F475-4EAB-8E80-E5D74C4E8D5F} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - Startup: Locate32 Autorun.lnk = ?
    O4 - Startup: YouTube Uploader.lnk = ?
    O4 - Startup: YPOPs.lnk = ?
    O8 - Extra context menu item: &Search - ?p=ZU

    Is there any reason why the following is in your trusted zone? If not, please fix it as well.

    O15 - Trusted Zone: http://vttv.myvnc.com

    Does the following belong to a program you know or want to keep? If not, please fix it as well.

    O23 - Service: XobniService - Xobni Corporation - D:\Program Files\Xobni Insight\XobniService.exe


    After you click fix, just close hijackthis.


    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    8) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    9) Install the current version of Sun Java from: Sun Java Runtime Environment


    10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  5. bleachjt

    bleachjt Private E-2

    Hi Abri.

    I just did the following. I downloaded the ComboFix application again, but this time I saved it as Combo-Fix.exe on the desktop which allowed me to finally run it. After a lengthy and gruelling process it finished, then rebooted my computer and created a logfile which I have attached now. It seems like it deleted a lot of files in C:\WINDOWS\system32\drivers\down and also these:
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\drivers\srosa.sys
    C:\WINDOWS\system32\FTPx.dll
    C:\WINDOWS\system32\MabryObj.dll
    C:\WINDOWS\system32\mdelk.exe
    C:\WINDOWS\system32\msvcsv60.dll
    C:\WINDOWS\system32\wintems.exe

    I can finally run CCleaner and other security tools and Wintems.exe is gone from services. Internet still running good.

    It seems that these folders are now gone:
    C:\Documents and Settings\Jørn Tillnes\My Documents\121F322A742877CA
    C:\Documents and Settings\Jørn Tillnes\My Documents\2D77116299DE6A00
    C:\Documents and Settings\Jørn Tillnes\My Documents\4F681313

    The only file in C:\Documents and Settings\Jørn Tillnes\Local Settings\Application Data\TeaTimer is called General.config and I am unable to see if it belongs to Spybot.

    Deleted everything here:
    C:\WINDOWS\Temp\
    C:\Documents and Settings\Jørn Tillnes\Local Settings\Temp\ (3 .tmp files left)

    I have run Disable/Remove Windows Messenger, but what options should I choose?

    I have uninstalled Java(TM) 6 Update 3

    Ran C:\MGtools\analyse.exe (Do A system scan only) and selected the following and clicked FIX after closing all browser windows (including this one):
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.qsrch.com/
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - Startup: Locate32 Autorun.lnk = ?
    O4 - Startup: YouTube Uploader.lnk = ?
    O4 - Startup: YPOPs.lnk = ?
    O8 - Extra context menu item: &Search - ?p=ZU

    These weren't there anymore:
    O2 - BHO: Mp3 Video - {6FFE49B7-F475-4EAB-8E80-E5D74C4E8D5F} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O15 - Trusted Zone: http://vttv.myvnc.com

    I wish to keep this one:
    O23 - Service: XobniService - Xobni Corporation - D:\Program Files\Xobni Insight\XobniService.exe

    It's an Outlook addon I am testing http://www.xobni.com/

    Should I do step 7 after I did the Combofix? Check the log I attached. The good thing is that Avenger is able to run again.

    Ran ATF Cleaner and it freed 30.867 MBs; however, the Firefox button is greyed out, only Opera and Main are clickable, so I did this on Main. I use Firefox 2.

    Installed the latest Java from your link.

    ran C:\MGtools\GetLogs.bat and attached the new mglogs.zip

    Things are looking a lot better after ComboFix I can tell you that, but is the computer really clean?

    Thanks for your help Abri. I really appreciate it!
     


  6. abri

    abri MajorGeek

    Hi bleachjt,
    Please run Avenger only. Instead of the contents of the box in Step 4, please use the contents of this box:
    After this run CCleaner.

    Finally, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  7. bleachjt

    bleachjt Private E-2

    Hi Abri,

    Done as you asked. The logs are attached.

    Things are still running good.
     


  8. abri

    abri MajorGeek

    Hi bleachjt!

    I'm going to post the final cleanup instructions. Please run CCleaner for a while every time you get out of your browsers. There are still some temp files I would like for you to get rid of. You can usually not delete files from the current day.
    abri
     
  9. bleachjt

    bleachjt Private E-2

    Hi Abri,

    Sounds great. Thanks for the advice! I think I am a little more paranoid after this incident (maybe it's a good thing)

    Anyway, I hope this is the end of my malware trouble.

    Thanks for your time and masterful support Abri.
     
  10. abri

    abri MajorGeek

    You're welcome bleachjt,
    Do take the time to read through the How to protect yourself from malware. It's a good read and I think you'll find some extra protection, especially with Spyware Blaster. Also, keep your eyes open for any further malware signs.
    Best of luck to you and your computer.
    abri
     
