Nasty maleware deletes all my antispyware

drama · Mar 26, 2008

Hi,
I didn't know about you guys until I got infected with this really nasty virus.
I spend this week trying to remove it using antivirus, antispyware and trojan removal software but with no luck. Finally during my search I found you which I think you are my last hope.
The problem:
Every time I try to install an antivirus the virus blocks the installation or deletes the .exe. I tried a little experiment and saved an empty notepad file as nod32.exe whithin a second the virus deletes it. This happens with avg, avast, spy-bot and so on.
I'm really in desperate situation because I don't want to do another format in my laptop.
I have read many of the posts in this forum and I believe that the virus I have is a combination of mdelk.exe , srosa.sys, wintems.exe.
After all this time one of the antivirus tools(lost count which one was it) removed wintems.exe and I don't see it in the task manager any more, although I beleive it is still somewhere in my pc.
I tried to copy some of the removal procedures you used but I failed. Finally I realized that the advise you offer is specific to the individual problem.
Could you please help me?
Nik Drama

chaslang · Mar 26, 2008

Welcome to Major Geeks!

Please follow the instructions in the below link as best as you can. Try all steps and for any that cannot be run, note what happens and tell us later, but continue on thru all steps. When finished attach the requested logs mentioned in these instructions.

READ & RUN ME FIRST. Malware Removal Guide

drama · Mar 27, 2008

Excellent!!!!!!!! Success – finally!

Just one thing left but may not be important.

Sorry for taking me so long to reply but I had a lot of anti-virus, anti-trojan etc software to remove and it took me some time to go through the “Read & Run Me First” procedure.

-Super Antispyware ran successfully.
-Spybot didn’t run at first because the virus was active. So I went to next step.
-Malwarebytes ran successfully.(I think that was the one that did the job.)
-MGTools ran successfully

Then I did this little test of mine to see if the virus was still in my PC. I created a text file named nod32.exe and saved it. And success! The virus did not erase it.
Then I went back to install Spybot and this time it was successful.
It found more stuff but it could not disinfect one of them. Spybot ran again at start up but still could not remove this item:

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srosa
that belongs to WIN32.Bagle.hi
You think it's a problem still?

Also in \system32\ I manually removed mdelk.exe. There was no access denied this time.

I'm attaching the logs in case you need them.

Thank you very much for your help!
Really appreciated.
Nik Drama

chaslang · Mar 28, 2008

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 4

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F3 - REG:win.ini: load=
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O9 - Extra button: (no name) - AutorunsDisabled - (no file)

After clicking Fix, exit HJT.

Delete the below which showed as a 0 byte size file in your logs
C:\WINDOWS\system32\mdelk.exe

Now we need to Reset Web Settings:

If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.

Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.

Make sure you tell me how things are working now!

drama · Mar 28, 2008

Thank you Chaslang.

Couldn't find O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" in the HJT results. I did the rest though without any problems.

Everything works fine now!
Do I need to toggle Restore Point off and on?

This malware I had in my pc is it a new one and what it does apart from deleting all antivirus software?
I read the "Basic PC Maintenance" thread in MajorGeeks and found it very useful. Is there something similar or information about managing services, processes and strart-ups in my pc.

And by the way this phrase you posted "There are 10 types of people......" was the cleverest thing I've read the past year or so. It took me a minute to understand but it is really clever.

Thank you again for your help.
Nik Drama

chaslang · Mar 29, 2008

You're welcome.

drama said: ↑

This malware I had in my pc is it a new one and what it does apart from deleting all antivirus software?
Click to expand...

Actually it is a fairly recent form of an old trojan. Things like this change all the time. See the below which are all related in one way or another:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FMITGLIED%2EAA&VSect=P

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbagledlbr.html

http://www.eset.com/msgs/baglecu.htm

http://www.bitdefender.com/VIRUS-1000108-en--Win32.Bagle.%7BCUFGGLGU%7D@mm.html

drama said: ↑

I read the "Basic PC Maintenance" thread in MajorGeeks and found it very useful. Is there something similar or information about managing services, processes and strart-ups in my pc.
Click to expand...

Step 1 of the READ ME gave you this: Dealing with Startup Processes

You're logs are clean. If you are not having any other malware problems, it is time to do our final steps:

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Log in or Sign up

Nasty maleware deletes all my antispyware

drama Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

drama Private E-2

Attached Files:

mbam-log-3-27-2008 (20-26-17).txt

MGlogs.zip

SASlog.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

drama Private E-2

Attached Files:

MGlogs.zip

chaslang MajorGeeks Admin - Master Malware Expert Staff Member