Need help - infected with Win32/Bagle.of

Discussion in 'Malware Help (A Specialist Will Reply)' started by Ovisnik, Mar 25, 2008.

  1. Ovisnik

    Ovisnik Private E-2

    I got infected with Win32/Bagle.of!

    Symptoms are typical: Safe Mode is not working, lots of programs are not working, and almost any antivirus, anti-malware or anti-spyware software says it's not a valid Win32 application!

    How do I get rid of it?

    Below is Kaspersky's online scan report.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, March 24, 2008 5:11:14 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 24/03/2008
    Kaspersky Anti-Virus database records: 657305
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - Critical Areas:
    C:\WINDOWS
    C:\DOCUME~1\User\LOCALS~1\Temp\

    Scan Statistics:
    Total number of scanned objects: 27205
    Number of viruses found: 1
    Number of infected objects: 1
    Number of suspicious objects: 0
    Duration of the scan process: 01:09:46

    Infected Object Name / Virus Name / Last Action
    C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe Object is locked skipped
    C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe Object is locked skipped
    C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe Object is locked skipped
    C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB832353$\msdxm.ocx Object is locked skipped
    C:\WINDOWS\$NtUninstallKB832353$\wmpcore.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB885835_0$\ntoskrnl.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB890859_0$\ntoskrnl.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallQ811493$\ntoskrnl.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
    C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\DOCUME~1\User\LOCALS~1\Temp\~DF24C8.tmp Object is locked skipped

    Scan process completed.
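Most of the report above is noise: "Object is locked skipped" for registry hives, event logs, hotfix uninstall backups, the WMI repository and temp files is the normal result on a running XP system, and the only actionable line is the single "Infected:" entry. Note also that its last action is "skipped", i.e. the online scanner detected the file but did not remove it. The following Python script is an added example, not part of the original thread and not a Kaspersky tool: it parses a report in this format, separates the real detection from the expected locked objects, and lists anything locked in an unexpected location for a closer look. The sample report is a constructed, abbreviated excerpt in the same format, and the list of "expected locked" locations is my own assumption about what is normally in use on XP.

```python
import re

# Constructed excerpt in the same format as the Kaspersky Online Scanner
# report posted above (abbreviated; this is not the full report).
SAMPLE_REPORT = """\
Scan Statistics:
Number of infected objects: 1

Infected Object Name / Virus Name / Last Action
C:\\WINDOWS\\$NtUninstallKB824141$\\user32.dll Object is locked skipped
C:\\WINDOWS\\Driver Cache\\i386\\ntoskrnl.exe Object is locked skipped
C:\\WINDOWS\\SchedLgU.Txt Object is locked skipped
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\WINDOWS\\system32\\mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\\WINDOWS\\system32\\wbem\\Repository\\FS\\OBJECTS.DATA Object is locked skipped
C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\~DF24C8.tmp Object is locked skipped

Scan process completed.
"""

HEADER = "Infected Object Name / Virus Name / Last Action"

# One result line is "<path> <verdict> <last action>".  Paths may contain
# spaces ("Driver Cache"), so the path is matched lazily up to one of the
# two verdicts that appear in the report.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?:Infected:\s+(?P<name>\S+)|(?P<locked>Object is locked))"
    r"\s+(?P<action>\S+)\s*$"
)

# Assumed-normal locations for a locked object on a running XP box:
# hotfix uninstall backups, the driver cache, registry hives and event
# logs, the WMI repository, the catalog database and per-user temp.
# Compared against the lower-cased path.
EXPECTED_LOCKED = (
    "\\$ntuninstall", "\\$hf_mig$\\", "\\$ntservicepackuninstall$\\",
    "\\driver cache\\", "\\servicepackfiles\\",
    "\\system32\\config\\", "\\system32\\wbem\\repository\\",
    "\\system32\\catroot2\\", "\\temp\\",
)


def triage(report: str) -> dict:
    """Split the result table of a report into actionable and noise buckets."""
    result = {"infected": [], "locked_expected": [],
              "locked_unexpected": [], "unparsed": []}
    in_table = False
    for raw in report.splitlines():
        line = raw.strip()
        if not in_table:
            in_table = line == HEADER
            continue
        if not line:                      # blank line ends the result table
            break
        m = LINE_RE.match(line)
        if not m:                         # keep, never silently drop
            result["unparsed"].append(line)
            continue
        path = m.group("path")
        if m.group("name"):
            result["infected"].append((path, m.group("name"), m.group("action")))
        elif any(marker in path.lower() for marker in EXPECTED_LOCKED):
            result["locked_expected"].append(path)
        else:
            result["locked_unexpected"].append(path)
    return result


def still_on_disk(result: dict) -> list:
    """Detections whose last action was 'skipped': the scanner reported the
    file but did not clean or delete it, so it is still present."""
    return [(path, name) for path, name, action in result["infected"]
            if action == "skipped"]


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    for path, name in still_on_disk(r):
        print(f"STILL PRESENT: {path}  ({name})")
    print(f"{len(r['locked_expected'])} locked objects in expected locations")
    for path in r["locked_unexpected"]:
        print(f"locked, check manually: {path}")
    for line in r["unparsed"]:
        print(f"unparsed: {line}")
```

Run against the full report posted above, the script reports the one file in system32 as the only detection, files the rest of the locked objects as expected, and leaves the handful of in-use log files (SchedLgU.Txt, PASSWD.LOG, h323log.txt) for a manual glance rather than guessing about them.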
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. Ovisnik

    Ovisnik Private E-2

    I read a ton and tried a ton of stuff on that Bagle malware.

    However, nothing really does the trick.

    What I managed to find is a tool called Elibagla http://www.zonavirus.com/datos/descargas/95/elibagla.asp

    which was the only one that correctly identified the infected files!
    Kaspersky's, BitDefender's and Sophos's bagle removal tools failed.

    After running Elibagla a few things have changed:

    1. My CPU is no longer running at 100% all the time
    2. I am able to reboot the computer in Safe Mode
    3. When I start the computer, a pop-up comes up saying "Select file to crack", meaning that the trojan/worm is trying to reactivate itself!

    Now, I can't be far from a solution; I probably need to delete a few files and change back some registry keys, now that I have regained the ability to boot in Safe Mode.

    Can you point me in the right direction from there?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The right direction is in what I already gave you, and those steps would have helped us to identify your problem files, which are quite typical. If you follow directions from anywhere else, we cannot help you if things go wrong.
     