Good day, folks. I hope that this finds you all doing reasonably well.

I am writing to solicit assistance for helping to clean up the last few issues I am having as the result of getting infected with a Bagel variant.

I had executed an inappropriate file and fragged my system ... I immediately know that something was amiss (reasons as to why escape me now) .

At any rate, after much fighting with the darn bug, I was able to rid it of it's hooks in my system, but it had left some nasty side effects. The results of which I have nearly gotten rid of (McAfeee not running, NDIS getting vaporized, no wireless connectivity, etc.).

I was surprised at how targeted the malware was - hooking into explorer and changing executables to render them invalid (IceSword), etc.

Anyways, I have a few symptoms that after hours of trying to resolve, I am no where nearer getting them fixed, and am throwing in the towel and humbly asking for help.

The remaining symptoms, that I am aware of, are:

1. Wireless Adapter Connects, but fails to get a good IP - always results in the win32 default ip being assigned - 169.254.248.79 with subnet mask of 255.255.0.0 - Gateway, DNS, and WINS server ips are all blank (null)
2. The Service Windows Driver Foundation - User-Mode Driver Framework won't start - barfs up Error 31: A device attached to the system is not functioning...
3. Booting into safe mode yields dialog about resources being locked as read only and being unable to authenticate the copy of windows and forces a log out (the OS is legit and came installed from the OEM).

Once infected, I ended up setting IceSword and then had to rename the executable inside of the .zip before extracting it as the malware had hooks into explorer.exe and was altering the executable to render it useless. Once I got that done and extracted and running, it was a pretty short path to travel to get rid of the various top-level impacts that the variant instantiated - ShStat.exe was replaced, appdata files were present, reg keys were kicking off the malware, etc.

I was able to get rid of the executables that floated around, and removed the various reg keys that I was able to ascertain as being faulty, reinstalled McAfee VSE 7.1.0 and updated it with the latest DATs and engine. I was unable to even boot to safemode, but used Dial-a-fix to restore the corrupted keys and was able to finally get it to boot safe without a BSOD showing up. Now Safemode gives the dialog described above.

...

I have printed (to .pdf) the prep-guide from herein. I have the following tools available for use:

1. Ad-Aware SE
2. Dependancy Scanner
3. Process Explorer (from SysInternals [MS])
4. RegMon (from SysInternals [MS])
5. FileMon (from SysInternals [MS])
6. Winspector Spy
7. Trojan Remover
8. CCleaner
9. RegMech6
10. RegCleaner
11. RegCure
12. Dial-a-fix
13. Helios Lite
14. catchme
15. dss
16. gmer
17. HJT (uninstalled)
18. Filealyz.exe
19. netalyz.exe
20. regalyz.exe
21. runalyz.exe
22. KillBox
23. lspfix
24. modservices (uninstalled)
25. roguescanfix (uninstalled)
26. smitfraud & smitrem (both uninstalled)
27. submitter
28. spybotsd1.52 and the include (both uninstalled)
29. stinger from NAI (stng380.exe)
30. McAfee Virtual Tech app
31. XoftSpySE433_263(uninstalled)
32. ERUNT
33. IceSword
34. AVZ 4.29
35. AntiRookit
36. ComboFix
37. VirtumundoBeGone
38. VundoFix
39. WinPatrol PLUS v12.0.2007.6:12.0.2007.6 (runs at boot)
40. McAfee VirusScan Enterprise v7.1.0 with 5267 DATs and 5.2.00 Engine (installed as service)
41. and all of the win32 tools (MSConfig/MSInfo/GPE/etc.)

Box = XPSP2 on a Dell Latitude D600 with 1GB RAM @ 1.6MHZ with a Broadcom 570x NIC, and an Intel PRO/Wireless LAN 2100 3A Mini PCI Adapter. HDD = 60G with ~1500MB free. I do not dual-boot. My box is my professional (employer-owned) workstation and I do A LOT of development on it. I have >1.8 million files on it.

Up until I acted like a moron and kicked off the infected malware, the machine was surprisingly stable.

It is now, once again, running stable, barring the symptoms described above.

I just got done with a 16+hr AVZ deep scan on the system.

If one of the Malware experts could please take me under their wing and walk me through getting the last of these issues resolved, I'd be greatly appreciative of it, and would reciprocate in any manner appropriate.

Thank you very much, in advance, for your time, consideration, and assistance.

-Tod Wulff

Hello could you please run this scan and post back the log

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

• Make sure you are connected to the Internet.
• Double-click on Download_mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
• On the Scanner tab:
  • Make sure the "Perform Quick Acan" option is selected.
  • Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Thanks, boopme. I have completed the task, as requested. Log file contents follow:



Thanks again, for your taking this one on. I'll be awaitng further guidance.

-t

Sorry for the delay ...so is the PC still acting up? What is left?

No worries. I understand that most of us have a life outside of the internet - it's all good...

Yes, I still have the three same symptoms:

1. Wireless Adapter Connects, but fails to get a good IP - always results in the win32 default ip being assigned - 169.254.248.79 with subnet mask of 255.255.0.0 - Gateway, DNS, and WINS server ips are all blank (null)
2. The Service Windows Driver Foundation - User-Mode Driver Framework won't start - barfs up Error 31: A device attached to the system is not functioning... (also causes a app error on startup, if the service is set to start automagically)
3. Booting into safe mode now yields dialog consistent with incorrect passwords.

I have successfully logged onto the machine with both my cached domain credentials and my machine's local account, however when I boot to safe-mode, I can not authenticate with either account. I did type my password in the username field and I am seeing that my keyboard is not fragging up, at least when the cursor is in the username field. suspecting corrupt profile, hook to password field, or something else equally obtuse...

If it makes sense, we can focus on just one thing at a time and get that resolved - i.e. bootsafe challenges.?.

Please advise. Thanks.

-t

Hi I think it is best at this point for you to post your HJT log here HijackThis Logs and Malware Removal
Unfortunately they are quite busy but I'd rather see you e=wait a day there than any more here as they will be running the specialized tools that aren't allowed in this forum.

Understood. I will install HJT and run a full scan and start a new thread in the forum you've pointed me towards. Thanks so much, for your help. Take care.

-t

Great !! Best wishes