
#1 PijavQa


  • Members
  • 1 posts
  • Local time:06:18 AM

Posted 12 February 2008 - 04:49 AM

I got a file something.exe. I was on an admin account. I opened it and I immediately noticed something was wrong. I checked it with http://virusscan.jotti.org/ and some of the scanners there showed that it is Trojan-Downloader.Win32.Bagle.jo. I couldn't boot into safe mode, Windows Defender was crippled and didn't start. In fact none of the antivirus programs would start or install. I got processor usage around 11-15% all the time. So I went to Kaspersky's site and checked with their online scanner. It took almost 12 hours to complete. It found out that my System Volume Information folders are infected with Infected: Trojan-Downloader.Win32.Bagle.iw and a file mdelk.exe in the Windows directory with Email-Worm.Win32.Bagle.of. I cleaned System Volume Information (manually and by turning the restore off). I ran Deckard System Scanner and found out that I have a wintems/srosa/hldrr infection. I couldn't delete them. I ran gmer but I couldn't boot it into safe mode. Then I was able to boot into safe mode by fixing the registry with some reg file I found on http://blog.didierstevens.com/2007/02/19/r...ith-a-reg-file/. I ran gmer in safe mode and killed the files wintems.exe/hldrr.exe and wintems.pf. I deleted the content of the folder "down".
Kaspersky found out some strange thing: Program Files\Creative\SBAudigy\Program\ADGJDet.exe Infected: Trojan-Downloader.Win32.Bagle.jo. A little googling told me that it was a perfectly legitimate file but Jotti's site told me the opposite. So I deleted it.
I thought I was clean. Additionally I deleted manually keys related to srosa (megadrv3 or something) but some keys disappeared by themselves.
"drvsyskit"="C:\WINDOWS\system32\drivers\hldrrr.exe" [2006-05-10 01:05]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [2008-02-11 07:15]
The two latter keys didn't appear anymore :D
The processor usage was about 0-1%.
I was finally able to install Hijackthis and save combofix.
I ran the Kaspersky online scanner once again (4 hours) and I found that I'm still dirty. hldrr and wintems still existed. System Restore turned on by itself and there was .Trojan-Downloader.Win32.Bagle.jo in System Volume Information. But this time I was able to delete them in normal mode (??)
Once again I wasn't able to boot into safe mode. I fixed the registry again and ran ComboFix. Now I am able to go into safe mode.
I don't understand combofix log file :D . So I'm here.
I apologise for my poor style but I have had little sleep for the last three days trying to fix the mess.
I didn't write everything I did step by step - I ran HijackThis (only when I saved it under a changed name was I able to run it for the first time), Deckard System Scanner, Silent Runners, and gmer a couple of times. I don't know if the srosa/wintems infection was only a consequence of the first infection or the main infection. I am posting two of my HijackThis logs: the first one and the last one, the ComboFix log, and the DSS logs. I'm not sure if I want to post the Kaspersky logs - they contain some private information, so I can send them to a helper but I don't want them to be seen by everybody.

Attached Files
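The post quotes two autorun entries in the `"name"="path" [timestamp]` format that Deckard System Scanner and similar tools print. As an added example (not part of the original post or of any of the tools mentioned), the following Python parses lines in that format and applies a few defender-side triage heuristics: a watchlist of the file names the poster reports (hldrrr.exe, wintems.exe, mdelk.exe), a value name that looks like an .exe but does not match the binary it launches (the `"german.exe"` entry), and a user-mode .exe sitting in the drivers directory. The sample lines, the watchlist and the heuristics are constructed for illustration; the third line is a benign entry added so the output shows a clean case alongside the flagged ones.

```python
import re
from datetime import datetime

# Constructed sample input in the "name"="path" [timestamp] format quoted in the post.
# The first two lines reproduce the poster's entries; the third is a benign entry
# added so that the triage shows a clean case as well.
SAMPLE_ENTRIES = r'''
"drvsyskit"="C:\WINDOWS\system32\drivers\hldrrr.exe" [2006-05-10 01:05]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [2008-02-11 07:15]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
'''

# One autorun line: quoted value name, '=', quoted path, optional "[YYYY-MM-DD HH:MM]".
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s+\[(?P<ts>[^\]]+)\])?\s*$'
)

# File names the poster reports as part of the infection (assumption: a local watchlist,
# not a vendor signature set).
WATCHLIST = {"hldrrr.exe", "wintems.exe", "mdelk.exe"}


def parse_entries(text):
    """Parse autorun lines into dicts with name, path, lowercase basename and timestamp."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything not in the expected format
        ts = m.group("ts")
        entries.append({
            "name": m.group("name"),
            "path": m.group("path"),
            "basename": m.group("path").rsplit("\\", 1)[-1].lower(),
            "timestamp": datetime.strptime(ts, "%Y-%m-%d %H:%M") if ts else None,
        })
    return entries


def flag_entry(entry, watchlist=WATCHLIST):
    """Return a list of human-readable reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    if entry["basename"] in watchlist:
        reasons.append("binary name on watchlist")
    name = entry["name"].lower()
    if name.endswith(".exe") and name != entry["basename"]:
        # A value name that imitates a program name but launches a different file.
        reasons.append("value name looks like an .exe but does not match the file it launches")
    if "\\drivers\\" in entry["path"].lower() and entry["basename"].endswith(".exe"):
        # Kernel drivers are .sys files; a user-mode .exe under \drivers\ is out of place.
        reasons.append("user-mode .exe placed in the drivers directory")
    return reasons


def triage(text, watchlist=WATCHLIST):
    """Map each parsed value name to its list of reasons, so clean entries map to []."""
    return {e["name"]: flag_entry(e, watchlist) for e in parse_entries(text)}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        status = "FLAG" if reasons else "ok  "
        print(f"{status} {name}: {'; '.join(reasons) or 'no findings'}")
```

Running it prints a FLAG line for `drvsyskit` and `german.exe` and an ok line for `ctfmon.exe`. The point of keeping the heuristics separate from the watchlist is that the second and third checks still fire on a renamed dropper, whereas the watchlist only catches the exact names reported in this thread.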



#2 Blender


    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario
  • Local time:07:18 AM

Posted 20 February 2008 - 07:09 PM

Hi and welcome,

Sorry for the delay.

Still need help? Let me know, please, before doing anything else.
This infection requires a specific fix tool to deal with it.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
