Malware Worm_Bagle.ko

Welcome to Majorgeeks!

Do please see how much of the below you can complete as these logs will tell where this malware is hiding and how to remove via some manual instrcutions our malware experts will provide.

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide

 

Please Disable Spybot's TeaTimer as requested in the READ & RUN ME

• Run Spybot and click Mode
• Select Advanced Mode.
• Then click Tools and select Resident.
• Now in the right window pane, uncheck TeaTimer.
• Also while this is open, in the left column now select IE Tweaks
• and then in the right pane make sure all the Miscellaneous locks are unchecked.
• Now quit Spybot!

If you cannot run Spybot due to the error message you mentioned then just uninstall Spybot.

Uninstall the below old versions of software:
Free Window Registry Repair
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) SE Runtime Environment 6

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment
Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

 

I'm not sure what you are talking about. I did not ask you to run MGtools again. I did ask you to run analyse.exe which is in the C:\MGtools folder. Is that what you meant? If so, it does not say fix. You need to select the lines I listed and then you need to click the Fix checked button. It does not look like you did this so we will try again at the end of this message.

Then did you run it another way? Have you tried using right click and select Open.

Are you saying that no EXE files will run? You logs do not show any malware reasons for having a problem.

No you should be running GetLogs.bat which is in the MGtools folder.



Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)

After clicking Fix, exit HJT.

Please delete the below folder:
C:\WINDOWS\system32\drivers\down

Now run Ccleaner! If you cannot run CCleaner, uninstall it! Re-download and install it from the below link and try to run it again:

CCleaner


Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.


Make sure you tell me how things are working now!

 

It's already gone.

Why/what are you right clicking on? Ccleaner adds an icon to your Desktop to make it easy to run. Just double click like any icon to run.

Your logs are clean. Now you need to get properly protected. You don't even have an antivirus installed. The below instructions will cover this and more.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN
   • Now type combofix /u in the runbox and click OK.
   • Note: The space between the X and the /U, it must be there.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
12. If you are running Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
13. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Please do not post duplicate messages!

But according to the last logs you attached, it was not properly installed. I suggest that you unintall Avast. Reboot and delete the C:\Program Files\AWIL Software folder and then reinstall it from the below link:

Avast! Home Edition

These are not protection programs especially CCleaner. They are just scanners and they are not antivirus program either. The trial version AVG Antispyware does provide protection for only 15 days and then it is only a scanner.

Do other programs run when you double click on them? Windows Update problems are not always due to malware. They are more frequently due to problems within your OS which most of your problems sound like too.

As stated above your installation of Avast is most likely broken and you need to reinstall it.

Uninstall it reboot and then do not reinstall it yet. You could have other issues with your Winodws at play. Let's see how the reinstall of Avast goes.

These still do not appear to be malware issues.

Please do the below.

Click Start, Run, and enter cmd and click OK. This will open a command prompt Window. In the command prompt window type the below command and hit enter (note there is a space after the sfc )

sfc /scannow

Running this command may result in a request for your Windows CD, so be prepared to put it in your CD drive if requested.

Did it ask for your CD? Did you notice any messages about missing or corrupt files.

 

Does Avast run now?

Are you saying AVG AS, AVG Rootkit, Avast, and Ad-Aware do not run when you double click on them or are you saying they run but cannot get updates. How are you running them if not by double clicking?

Most Windows Update issues have nothing to do with malware. They are normally cause by issues within your OS.

Well since it asked for your CD it does mean that it found some problems in your Windows OS and it attempted to fix them by getting replacement files from your CD. Have you rebooted after doing this? If not, please reboot and see if there is any change to your PC's behavior.

Also do the below.

Now please download DelDomainsand unzip it to your desktop. Do not run it yet.

Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

(Now you will need to "Immunize" with Spybot again because deldomains will remove all of the sites Spybot adds.)



Download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
  [*]It will create a folder named HostsXpert in whatever folder you extract it to.
  [*]Run HostsXpert.exe by double clicking on it.
  [*]click the Make Writeable? button.
  [*]click Restore Microsoft's Hosts File and then click OK.
  [*]Click the X to exit the program

Also run this procedure Using Sophos Anti-Rootkit and attach the requested log.



What is your status now? If you are still getting errors/popup messages, please do not translate them. Give us the exact word for word message.

 

So are you saying that you can double click on some programs but not others. And the ones specifically that do not work are antivirus or antispyware type programs?

If your SysClean scan is current, it indicates that some items I already had you fix back in message # 5 have come back. But it looks like you also had SysClean fix them. Are you still having problems after running SysClean?

Please complete the below instructions.


Run avenger.exe by double-clicking on it.

• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Please run C:\MGtools\GetLogs.bat by double clicking on it and then attach the new C:\MGlogs.zip file that is created.
Also attach the new C:\avenger.txt log just created above.

 

Okay that last procedure found and fixed a few more hidden items.

Now uninstall Avast and AVG Antispyware. Then Reboot. Do not skip this reboot.

Then immediately after reboot run C:\MGtools\GetLogs.bat by double clicking on it and then attach the new C:\MGlogs.zip file that is created.

Then download Avast! Home Edition use this link!!!! Do not reinstall from anything you may already have. Then install this new copy of Avast and update it.

Now can you run Avast by double clicking on it?

What other programs remain that you cannot double click on?

 

Many of the files we previously removed have come back again. Please be very careful not to download or run anything unless I ask you to do it. I'm not sure what brought all of these back again but you are reinfected. Let's try fixing again but this time we will make use of ComboFix to fix things. You must have ComboFix on your Desktop as requested in the READ ME and I do not see it on your Desktop so please download the current version from the below link now and save it to your Desktop or the below steps will not work:

combofix.exe

Make sure you download the above version even if you already have ComboFix.exe on your PC. We must make sure you have the most recent version.


Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.orange.fr (file missing) (HKCU)

After clicking Fix, exit HJT.


Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

Driver::
srosa
hidr
hldrrr
 
File::
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe
C:\Documents and Settings\adie\Application Data\m\flac006.exe
C:\Documents and Settings\adie\Application Data\hidires\hidr.exe
C:\WINDOWS\system32\dllcache\register.exe
C:\WINDOWS\system32\dllcache\sysinfo.exe
C:\WINDOWS\system32\drivers\down\14576299.exe
C:\WINDOWS\system32\drivers\down\14586243.exe
C:\WINDOWS\system32\drivers\down\14588196.exe
C:\WINDOWS\system32\drivers\down\14590469.exe
C:\WINDOWS\system32\drivers\down\14597680.exe
C:\WINDOWS\system32\drivers\down\14603899.exe
C:\WINDOWS\system32\drivers\down\14620192.exe
C:\WINDOWS\system32\drivers\down\14620793.exe
C:\WINDOWS\system32\drivers\down\14625410.exe
C:\WINDOWS\system32\drivers\down\14627933.exe
C:\WINDOWS\system32\drivers\down\14631689.exe
C:\WINDOWS\system32\drivers\down\14633722.exe
C:\WINDOWS\system32\drivers\down\14634823.exe
C:\WINDOWS\system32\drivers\down\14642865.exe
C:\WINDOWS\system32\drivers\down\14645679.exe
C:\WINDOWS\system32\drivers\down\14646380.exe
C:\WINDOWS\system32\drivers\down\14647842.exe
C:\WINDOWS\system32\drivers\down\14648833.exe
C:\WINDOWS\system32\drivers\down\14652419.exe
C:\WINDOWS\system32\drivers\down\14654842.exe
C:\WINDOWS\system32\drivers\down\14681951.exe
C:\WINDOWS\system32\drivers\down\14685757.exe
C:\WINDOWS\system32\drivers\down\14691274.exe

Folder::
C:\Documents and Settings\adie\Application Data\m
C:\Documents and Settings\adie\Application Data\hidires
C:\WINDOWS\system32\drivers\down
C:\Documents and Settings\adie\Local Settings\Temp\2S95Q6NF
C:\Documents and Settings\adie\Local Settings\Temp\2S95SS5T
C:\Documents and Settings\adie\Local Settings\Temp\2S9608A3
C:\Documents and Settings\adie\Local Settings\Temp\2S964K62
 
Registry::
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srosa]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\srosa]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA}

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Uninstall eMule now. I worried that it could be causing you to get reinfected.


Locate the below shorcuts on your Desktop and right click on each (one at a time) and select Properties. For each one, tell me what information you see in the Target: and Start in: boxes.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\adie\Application Data\m\flec006.exe



After clicking Fix, exit HJT.


Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!


Now we need to use ComboFix again to repeat removal of the malware ( just to be sure it did not come back )and also to remove some unnecessary items from previous antivirus and antispyware programs you have already uninstalled..

• Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

Driver::
srosa
hidr
hldrrr 
 
File::
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\dllcache\register.exe
C:\WINDOWS\system32\dllcache\sysinfo.exe
C:\Documents and Settings\adie\Application Data\hidires\hidr.exe
C:\install.dat
 
Folder::
C:\Documents and Settings\adie\Application Data\m
C:\Documents and Settings\adie\Application Data\hidires
C:\WINDOWS\system32\drivers\down
C:\Documents and Settings\adie\Application Data\PC Tools
C:\Documents and Settings\adie\Application Data\SUPERAntiSpyware.com
C:\Documents and Settings\adie\Application Data\Symantec
C:\Documents and Settings\adie\Local Settings\Application Data\Symantec_Corporation
C:\Documents and Settings\All Users\Application Data\addr_file.html
C:\Documents and Settings\All Users\Application Data\Avira
C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Program Files\Common Files\Symantec Shared
C:\WINDOWS\McAfee.com
 
Registry::
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srosa]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA]

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Why do you keep posting your messages twice?

If the above information was copied correctly, it explains why you cannot run Avast. When you click on your Avast icon your are trying to run AVG Anti-Rootkit.

And the Start in folder for AVG Anti-Rootkit appears to be incorrect.

At this point I suggest that you uninstall AVG Anti-Rootkit, Avast AntiVirus, and Ad-Aware (which is not very useful anyway). Then delete all related folders and shortcuts and desktop icons related to these programs. Then I suggest that you no longer attempt to use Avast because for some reason you do not be able to get it to work properly. Instead download and install the below antivirus program:

AVG Free Edition

Now update and run a full scan with AVG Free Antivirus. Does it run okay? Did it find any problems?

 

Your logs were posted on the first post not the second. See for yourself.

I don't need a log. I would assume much of what was found were cookies or other minor issues. You are not longer having malware problems. You have problems within your Windows OS and that is also the reason for your problems with Windows Update.

You should post about your Windows Update issues in the Software Forum.

As far as what you need for protection, that information is included in my final instructions below which also does mention Windows Update.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN
   • Now type combofix /u in the runbox and click OK.
   • Note: The space between the X and the /U, it must be there.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
12. If you are running Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
13. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

You're welcome. Surf Safely!

The link to your website has been removed as we do not provide free advertising. Also your main page contains content that is not acceptable.