Uh Oh, I Have the Bagle! (Virus Against Removal Tools)

Discussion in 'Malware Help (A Specialist Will Reply)' started by Oceanides, Mar 5, 2008.

  1. Oceanides

    Oceanides Private E-2

    I have figured out due to Googling and confirmation with BitDefender that I have the Bagle. :( I have done the READ AND RUN ME FIRST/MALWARE REMOVAL threads, but naturally can't even run half of the removal programs...

    The sordid history, if this helps:

    I had been getting notifications with my AV program PCCillin, about files that had virus/trojans, it tried to quarantine or delete them, but some were unsuccessful. Previously I had been having rond.starsdoor popups as well, and never got that eradicated completely either.

So... I was browsing in Windows Explorer, and got a blue screen that said "stop error". My Internet connection stopped working as well. I tried to do System Restore, but it did not work for any restore point; it was the same thing every time, telling me it could not restore to that time.

I noticed my virus software wouldn't even start up for me to do a scan... I uninstalled Trend Micro PCCillin, since obviously it was corrupted, and found out it had been blocking my Internet connection somehow - it is off my system, and my Internet works properly.

So then, to really try to get rid of the problem: I knew about HijackThis, so I downloaded it and tried to run a scan, and got the "not a valid Win32 application" error. I had been using CCleaner before, so I tried to open it, and it closed out immediately.

    Downloaded Spybot S&D, tried it, same "not valid Win32" error, would not run. At that point I found the MG forums and the malware removal procedures. I diligently tried to follow all the steps, but half of the steps I don't have the ability to do with this virus, so many of my defender type programs are not allowed to run with this infection.

My computer is basically running, a bit slow, but the worst part is the constant annoying hangs and crashes that happen any time I browse files in Windows Explorer.

I did get an SAS log, and got it, I think, to remove what it found. And it seems MGTools did run; I got the zip file with the usual logs. ComboFix does not run; it gets the same error message as the other programs.

    Ran the BitDefender Scan - it says I definitely have Bagle.GQ, Trojan.Winbomb, Trojan.Retapu. I think it tried to remove them, but had no luck, all the same problems are still present.

    This thing is driving me nuts!! Attached are the SASlog, the MGTools zip file, and the BitDefender scan saved as a txt file.

    Where could I go from here? :confused
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi Oceanides,
    Welcome to Major Geeks!


You have a lot of stuff in your temp folders and this is a problem, because if you had run CCleaner as we asked, all of this should have been deleted. Please look in the following folder and see if any of the files in there look like something you put there yourself and want to keep. Do not open any files. You can find out more about most of the files by right-clicking on them in Windows Explorer and looking at Properties.

    C:\Documents and Settings\Greta\Local Settings\TEMP


After you've removed anything you may have put in there yourself and don't want to lose, like photos, please install and run CCleaner at the default settings with the Windows tab as the one on top. Lots of malware ends up in the temp files, and this is why we clean out these folders before we do anything else.

    Then I want you to do the following:

    Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the "Input script here:" part of the window.
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run CCleaner again as before.

    And finally, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


Let me know how things are running now.

    abri
     
  3. Oceanides

    Oceanides Private E-2

    I tried to run CCleaner, as asked, but it is not allowed to run because of the infection, it immediately closes before it is able to do anything.

    I tried to run Avenger as per instructions, it will not run - it gets the same error "not a valid Win32 application".

    Should I try to clear out my Temp files manually? Or rename Avenger possibly?
     
  4. Oceanides

    Oceanides Private E-2

    A smidgen of good news...

    I renamed ComboFix to Combo-Fix.exe, and got it to run. It hung at "Creating Log Report..." but I found the log, which it looks like is completed. It is attached.

CCleaner now runs - I used the "Cleaner" to delete whatever it found in Temp files, etc., and saved the log of what it deleted as a .txt file. I'll go ahead and attach that below.

    I ran MGTools again finally, and have attached the new MG zip. :)

    I wanted to run Avenger, but it is still getting the "not a valid Win32 application" error, and ditto on the other programs that got that error, I checked them. No improvement in that area.

    I was going to try to run Avenger from Safe Mode, but I can't even get to Safe Mode right now, when it tries to boot into it it gets the blue screen "stop error".

    So...some good...and some bad... :-/
     

    Attached Files:

  5. Oceanides

    Oceanides Private E-2

    Okay, I got Avenger to run finally by renaming it as well. Attached is the log.

    The folder named "down" had already been deleted in one of the steps, and Avenger took care of the other offending folder with the long name.

    I ran CCleaner one more time, which was almost empty, and ran another MGTools, and have included that log also.

Not much change in the problems yet; things like Spybot still get the error and will not run, and Windows Explorer is still hanging.
     

    Attached Files:
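The pattern in posts 4 and 5 (a tool fails with "not a valid Win32 application" under its original filename, but an identical copy runs once renamed) is the signature of name-based blocking: whatever is interfering keys on the executable's filename, not its contents. The thread never identifies how this particular infection does it, so the following is an added check, not a diagnosis of Bagle.GQ. One well-known Windows mechanism that produces exactly this symptom is a hijacked "Debugger" value under Image File Execution Options (IFEO), which silently redirects any launch of a named .exe to another program. The Python below is example code written for this page, not from the MajorGeeks procedure or any tool it mentions: it parses a `reg export`-style dump and flags IFEO entries whose Debugger does not point at a recognised debugger. The registry dump embedded in the block is constructed for illustration (the target names are the tools from the thread; `blocker.exe` and its path are made up), and the list of known debuggers is an assumption you should extend for your environment.

```python
import re
from typing import Dict, List, Tuple

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Programs that legitimately appear as an IFEO "Debugger" (assumed list;
# extend it for whatever debuggers are installed on the machine you check).
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe",
                   "vsjitdebugger.exe", "drwtsn32.exe"}

# Constructed sample of `reg export` output. Not taken from the thread's logs.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"Debugger"="C:\\WINDOWS\\system32\\blocker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SpybotSD.exe]
"Debugger"="C:\\WINDOWS\\system32\\blocker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\" -g"
'''


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and
    "Name"=... values. REG_SZ data is unescaped; other types (dword:, hex:)
    are kept as raw text so they can still be reported."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # REG_SZ: drop the outer quotes and undo .reg backslash escaping
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        keys[current][name] = data
    return keys


def debugger_image(data: str) -> str:
    """Basename (lower-case) of the program a Debugger value launches.
    Handles both  C:\\x\\dbg.exe -p %ld  and  "C:\\Program Files\\x\\dbg.exe" -g."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        exe = data[1:end] if end > 0 else data[1:]
    else:
        parts = data.split()
        exe = parts[0] if parts else ""
    return exe.rsplit("\\", 1)[-1].lower()


def find_ifeo_hijacks(keys: Dict[str, Dict[str, str]],
                      known=KNOWN_DEBUGGERS) -> List[Tuple[str, str]]:
    """Return (target_exe, debugger_data) for each direct IFEO subkey whose
    Debugger value does not name a recognised debugger."""
    hits: List[Tuple[str, str]] = []
    prefix = IFEO_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        target = key[len(prefix):]
        if "\\" in target:          # nested subkeys (e.g. PerfOptions) are not targets
            continue
        dbg = values.get("Debugger")
        if dbg is not None and debugger_image(dbg) not in known:
            hits.append((target, dbg))
    return sorted(hits)


if __name__ == "__main__":
    for target, dbg in find_ifeo_hijacks(parse_reg_export(SAMPLE_REG)):
        print(f"IFEO hijack: launching {target} is redirected to {dbg}")
```

On a live machine, produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and read the file with `encoding="utf-16"` (that is how `reg export` writes it). A clean system rarely has any Debugger value at all; a Debugger pointing at something that is not a debugger, or the same unknown program listed under several security tools, is the thing to pull apart next. Renaming the tool, as Oceanides did, sidesteps an IFEO entry because the lookup is by exact filename, which is why it is a useful first test of whether the blocking is name-based.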

  6. abri

    abri MajorGeek

    Hi Oceanides,

    Good thinking. Renaming the programs seems to have helped. Your Combofix doesn't show any results for the GMER rootkit scan so I want to send you off and have you look for that. Please go to Alternate Scans and scroll about halfway down the page to the list of rootkit scans. Run the one called GMER. There's an extra link for the instructions. When you finish all the instructions here, please attach the GMER log with the other log I will request.

Then download Silent Runners. Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a log file will have been created on the desktop called "Startup Programs". Please attach the entire contents of this logfile in your next reply.

    Thanks.
    abri
     
