It started two days ago when I downloaded a kids' game from eMule and foolishly opened a file without my usual care (had some frustrated grandchildren I was trying to appease at the time!). A window popped up asking which file I wanted to crack. Then I noticed my McAfee was no longer functioning, and the "fix" option is disabled, giving an error message.
System Guard says one-time registry changes had been made, adding wintems.exe and hldrrr.exe. (I later also found mdelk.exe in my system32 folder but could not delete it.) When trying to run a scan, I had a blue screen shutdown, and the Microsoft virus alert identified the problem as the WinNT/Bagle.gen virus. I attempted to run the Windows Live OneCare malicious software removal tool, but it kept stopping when it reached programfiles/mcafee/mcods.exe. Process Explorer showed wintems.exe and mdelk.exe as active, but I could not shut them down from Process Explorer or Task Manager.
After some online research, I attempted a number of solutions:
1. Ran an online scan with ESET, McAfee, and Trend's HouseCall. ESET identified a number of viruses and said they were cleaned. I also deleted registry entries as per Symantec instructions, HKCU/software/firstRRRun and /datetime4, but they return every time I reboot. Regedit and safe mode are still functional, and I can access the Internet, although it is very, very slow and often cancels itself. I've tried downloading Avast and AVG, and AVG Anti-Rootkit, but after install I get the message that it is not a valid Win32 operation. Spy Sweeper will run, but it doesn't detect anything related. I've done a number of other things that I can't recall right now.
Today the virus started opening up the desktop.ini Notepad file on startup (it appears this file was created initially but wasn't opening until today). wintems and mdelk are no longer showing as active processes, but mdelk.exe is still in the system/win32 folder. I also tried running F-Secure's bagle.exe cleaner, the Avast virus cleaner, McAfee Stinger, cleanbagle.exe, and elibaglia (a Spanish program). F-Secure locks up; cleanbagle and elibaglia say they found the virus and deleted it, but it's still there. When I try to run these programs, I often get a blue screen shutdown and a Windows virus alert. I've tried re-installing AVG and F-Secure from safe mode, but they won't run.
It's clear the virus/worm is deeply embedded, and even though by the end of yesterday I felt hopeful that I had cleaned up much of the problem, today it appears to be back with a vengeance. I've lost three days of work fighting with this thing, and I'm so angry at virus-makers and myself that I can hardly see straight. I've considered paying for the McAfee online virus removal, but I'm worried that even they won't be able to solve the problem.
My computer is less than a year old, a Dell (McAfee came packaged with it, otherwise I wouldn't be using it), running Windows Vista. I keep everything updated and run regular virus checks. I haven't had this kind of problem since I was a naive ICQ user 10 years ago and had a hacker take over my computer. Any help would be greatly appreciated!
I forgot to add that I did download ComboFix/Deckard and was going to run it, but got a message saying that 1 in 100 computers don't survive the process, so I aborted it. I haven't attempted HijackThis. I also did a registry search for wintems, mdelk and hldrrr and nothing came up. hldrrr deleted quite easily the first day. I'm running the Avast cleaner right now, and my next step is to try the Kaspersky online scan.
Edited by debbieb13, 24 March 2008 - 02:04 PM.