Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Persistent Bagle Infection, Please Help!


  • This topic is locked This topic is locked
7 replies to this topic

#1 debbieb13

debbieb13

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 24 March 2008 - 01:36 PM

Hello. I've been reading other posts and I believe my problem is a bagle variant, which seems to be proliferating today.

It started two days ago when I downloaded a kids game from emule and foolishly opened a file without my usual care (had some frustrated grandchildren I was trying to appease at the time!). A window popped up asking which file I wanted to crack. Then I noticed my Mcafee was no longer functioning, and the "fix" option is disabled, giving an error message.

System guard says a one-time registry changes had been made, adding wintems.exe and hldrrr.exe. (I later also found mdelk.exe in my system32 file but could not delete it). When trying to run a scan, I had a blue screen shut down, and the microsoft virus alert identified the problem as winNT/Bagle.gen virus. I attempted to run Windows Live OneCare malicious software removal tool, but it kept stopping when it reached programfiles/mcafee/mcods.exe. Process Explorer showed wintems.exe and mdelk.exe as active, but I could not shut them down from Process Explorer or task manager.

After some online research, I attempted a number of solutions:
1. ran an online scan with ESET, mcafee, Trend's housecall. ESET identified a number of viruses and said they were cleaned. I also deleted registry entries as per Symantec instructions, HKCU/software/firstRRRun and /datetime4, but they return every time I reboot. Regedit and safe mode are still functional, and I can access Internet, although it is very very slow and often cancels itself. I've tried downloading Avast and AVG, and AVG anti-rootkit, but after install I get the message that it is not a valid win32 operation. Spysweeper will run, but it doesn't detect anything related. I've done a number of other things that I can't recall right now.

Today the virus started opening up the desktop.ini notepad file on start up (it appears this file was created initially but wasn't opening until today). wintems and mdelk are no longer showing as active processes, but mdelk.exe is still in system/win32 folder. I also tried running f-secure's bagle.exe cleaner, avast virus cleaner, mcafee sting, cleanbagle.exe, and elibaglia (spanish program). F-secure locks up, cleanbagle and elibaglia say they found virus and deleted, but it's still there. When I try to run these programs, I often get a blue screen shut down and Windows virus alert. I've tried re-installing AVG and f-secure from safe mode, but they won't run.

It's clear the virus/worm is deeply embedded, and even though by the end of yesterday I felt hopeful that I had cleaned up much of the problem, today it appears back with a vengeance. I've lost three days of work fighting with this thing and I'm so angry at virus-makers and myself that I can hardly see straight. I've considered paying for the Mcafee online virus removal, but I'm worried that even they won't be able to solve the problem.

My computer is less than a year old, a Dell (McAfee came packaged with it, otherwise I wouldn't be using it), running Windows Vista. I keep everything updated and run regular virus checks. I haven't had this kind of problem since I was a naive ICQ user 10 years ago and had a hacker take over my computer. Any help would be greatly appreciated!

I forgot to add that I did download combo fix/deckard and was going to run it, but got a message saying that 1/100 computers don't survive the process so I aborted it. I haven't attempted hijack this. I also did a registry search for wintems, mdelk and hldrrr and nothing came up. hldrrr deleted quite easily the first day. I'm running the AVast cleaner right now, and my next step is to try Kaspersky online scan.

Edited by debbieb13, 24 March 2008 - 02:04 PM.


BC AdBot (Login to Remove)

 


#2 Master5270

Master5270

  • Members
  • 131 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where am I?
  • Local time:11:39 AM

Posted 24 March 2008 - 02:58 PM

Hi, I am Master5270, I will be trying to assist you in your problem
This seems like a tough problem, even though im not very familiar with Bagle variants.



As for the combofix part of your post:
ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.



Download and scan with SuperAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* When done, select "Scan for Harmful Software".
* There are three scanning options. Choose "Perform Complete Scan" and click "Next".
* When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
* Make sure they all have a checkmark next to them and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* Click Preferences and then click the statistics/logs tab.
* Click the dated log and press View log. A text file will appear so you can see the results.
* Select close to exit the program.
* Scan in SAFE MODE

Post the Safe Mode Log in here, lets see how it went.

#3 debbieb13

debbieb13
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 24 March 2008 - 03:37 PM

Thanks. Scanning right now and will post the log when complete.

#4 debbieb13

debbieb13
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 24 March 2008 - 05:28 PM

superantispyware started to run in normal mode, then blue screened and shut down. I was able to get it to run in safe mode. At the end, all items except the "Trojan unclassified" were default checked so I selected to quarantene. However, on reboot, the desktop.ini notepad files ran again, so I'm thinking nothing has changed. Internet access is still super slow.

I tried to access the windows/system32 file to see if these files were visible, and got another blue screen shut down. i was able to access the file when computer restarted, but could not see the wintem or hdlrrr files (I do have file options set to show everything).

here's the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/24/2008 at 03:48 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 00:28:00

Memory items scanned : 202
Memory threats detected : 0
Registry items scanned : 7262
Registry threats detected : 0
File items scanned : 26000
File threats detected : 11

Trojan.Unclassifed/Loader-Suspicious
C:\PROGRAM FILES\MEDIAFACEONLINEPLUGINSSERVICE\LOADER.EXE

Adware.Tracking Cookie
C:\Users\DJ\AppData\Roaming\Microsoft\Windows\Cookies\dj@2o7[2].txt
C:\Users\DJ\AppData\Roaming\Microsoft\Windows\Cookies\dj@doubleclick[2].txt
C:\Users\DJ\AppData\Roaming\Microsoft\Windows\Cookies\dj@ehg-eset.hitbox[1].txt
C:\Users\DJ\AppData\Roaming\Microsoft\Windows\Cookies\dj@ehg-kasperskylab.hitbox[2].txt
C:\Users\DJ\AppData\Roaming\Microsoft\Windows\Cookies\dj@hitbox[2].txt

Background Agent Application by Broderbund Software
C:\USERS\DJ\DOCUMENTS\DOWNLOADS\TORRENT\KIDS GAMES BURNED\(PC GAMES)KIDS GAME FISHER PRICE PLAY HOUSE & FARM\INSTALL\BRODCAST\DSSAGENT.EXE

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE
C:\Windows\Prefetch\HLDRRR.EXE-9AE4C2D2.pf

Trojan.WINTEMS
C:\WINDOWS\SYSTEM32\WINTEMS.EXE
C:\Windows\Prefetch\WINTEMS.EXE-72D52E08.pf


Also, here's the blue screen windows log:
Problem Event Name: BlueScreen
OS Version: 6.0.6000.2.0.0.768.3
Locale ID: 4105

Additional information about the problem:
BCCode: 50
BCP1: B47DF000
BCP2: 00000000
BCP3: 820849C2
BCP4: 00000000
OS Version: 6_0_6000
Service Pack: 0_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini032408-06.dmp
C:\Users\DJ\AppData\Local\Temp\WER-27752-0.sysdata.xml
C:\Users\DJ\AppData\Local\Temp\WERFFB2.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=501...mp;clcid=0x0409

#5 debbieb13

debbieb13
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 24 March 2008 - 09:22 PM

another update. I tried doing some backups in case I have to wipe everything. I managed to burn a couple dvd's, then the third one locked up and froze, stating that it would take 13 days to burn. I shut the computer down and restarted in safe mode, ran superantispy again. This time only these two were showing:

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE

Trojan.WINTEMS
C:\WINDOWS\SYSTEM32\WINTEMS.EXE

When I rebooted the computer, the two desktop.ini files opened. I closed them and my screen went black. I opened task manager and saw that my CPU was running at 100%. This continued for about 15 minutes, at which point I control/alt/deleted to restart. I've left the destop.ini files alone and the desktop is back.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,486 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:39 PM

Posted 24 March 2008 - 10:35 PM

One or more of the identified infections is related to a nasty rootkit componet. Rootkits are very dangerous because they use advanced techniques as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?" and "Reformatting the computer or troubleshooting; which is best?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

Please see the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 debbieb13

debbieb13
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 25 March 2008 - 11:50 AM

Thank you for your help. I believe at this point I will likely have to wipe everything and start over, but in the interests of trying to salvage some of my data, I'd still like to try and get rid of the virus. I've posted the hijack this log here:

http://www.bleepingcomputer.com/forums/t/138189/rootkit-bagle-variant-difficult-to-remove-virus/

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,486 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:39 PM

Posted 25 March 2008 - 11:55 AM

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Thanks for your cooperation and good luck with your log.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users