[Closed] Urgent Help Needed!


  • This topic is locked
5 replies to this topic

#1 5ifty1 (New Member, 3 posts)

Posted 12 April 2008 - 01:38 AM

Hello all. This is my first post. I'm sorry I didn't have time to go into a general part of the forum and introduce myself. I am at a complete loss right now.

Here is the situation. I have been infected by what I believe is the W32.Bagle worm/virus. I have the wintems.exe file in my system32 folder, and in Task Manager the random-number .exe files appear (035903.exe, etc.). I've been trying to find a solution that works for the past FIVE HOURS to no avail. I classify myself as somewhat computer literate, since I spend my whole life on the thing.

My CPU usage is staying 50%-100% no matter what. I am also getting BSOD every hour or so (4x already). My system will not boot into Safe Mode, instead I get blessed with another BSOD.

Here's my current situation of what works and what doesn't:

HJT - Will not run. Errors with "not a valid win32 app".
Spybot S&D - Will not run. No errors, nothing.
DSS - Will not run. It starts, I hit the first 2 OK screens, then as it tries to run a sys restore it just shuts off mid-way. If I try to run it again it freezes up windows and I have to hit the reset button on my tower.
ComboFix - Will not run. Starts to show the loading bar, then nothing. (I know, I'm sorry for trying to use this before getting advice)

So, from what I can tell right now, I cannot even get you guys a log at this point. One interesting thing is that I have an app called Eraser installed on my sys, and I right clicked on wintems.exe and performed a "secure move". This made the original wintems.exe zero out (0kb) and moved (I think) the other to the Desktop. It cannot be seen no matter what I try. The thing is now wintems.exe doesn't show up in TaskManager... which I think is a good thing.

Also, when trying to view hidden files and folders through the folder options dialog, the radio button is just... gone. I can't really explain it. It just is completely gone so I can't view hidden files although I had hidden files viewable normally.

I need some help really bad. This is my work computer and although I have another, I must try and save this install of windows and everything on the drive. I have read through numerous forum posts and threads regarding this virus, but I have had zero luck with anything yet since I can't get anything to run or boot into Safe Mode.

So, if anyone can help it is much appreciated. Thanks. :(

Edited by 5ifty1, 12 April 2008 - 01:40 AM.



#2 5ifty1 (New Member, 3 posts)

Posted 12 April 2008 - 03:28 AM

Ok I got ONE THING to run. A rootkit detector by Gmer called catchme 0.2.

Here's the log:

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

? [496]

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\srservice 3.0.0.0ce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRVce 3.0.0.0ce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\StarWindServiceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\stisvcndServiceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\streamipServiceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\swenumipServiceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\swmidiipServiceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\SwPrviipServiceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\symc810pServiceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\symc8xxpServiceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\sym_hixpServiceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\sym_u3xpServiceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\sysaudioServiceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\SysmonLogerviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\TapiSrvogerviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\TcpiprvogerviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\TDPIPEvogerviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\TDTCPEvogerviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\TermDDvogerviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\TermServiceviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\ThemesrviceviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvrviceviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\TosIderviceviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\TrkWksrviceviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\TSDDDsrviceviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\UdfsDsrviceviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\ultrasrviceviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\UpdaterviceviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\upnphosticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\UPSphosticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\usbphosticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\USBAAPLticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\usbehciticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\usbhubiticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\usbprinticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\usbscanticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\USBSTORticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\usbuhciticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\usnjsvcticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\VgaSaveticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\VHZOaveticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\ViaIdeeticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\VolSnapticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\VSSSnapticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\W32TimeticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\W3SVCmeticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\WanarpeticeviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\WBHWDOCTiceviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\Wdf01000iceviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\WDICA000iceviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\wdmaud00iceviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\WebClientceviceAEce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\winmgmt Workflow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\Winsock Workflow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2Workflow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\WinTrustWorkflow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSNWorkflow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\WmimPmSNWorkflow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\WmiApRplWorkflow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\WmiApSrvWorkflow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\WMPNetworkSvclow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\WS2IFSLorkSvclow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\wscsvcLorkSvclow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\WSTCODECrkSvclow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\wuauservrkSvclow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\WudfPfrvrkSvclow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\WudfRdrvrkSvclow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\WudfSvcvrkSvclow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\WZCSVCcvrkSvclow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\xmlprovvrkSvclow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\xusb21vvrkSvclow Foundation 3.0.0.0
HKLM\SYSTEM\CurrentControlSet\Services\agd3m2kbF-65AF-4331-B80F-304BE8EC37CA}

scanning hidden autostart entries ...

scanning hidden files ...

C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Connections\Shared
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Connections\Shared\ASP.NET
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Connections\Shared\Connection_common.js 8192 bytes
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\DataSources\Shared
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\DataSources\Shared\ASP.Net
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\ServerFormats\Shared
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\ServerFormats\Shared\ASP.Net
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\ServerModels\Shared
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\ServerModels\Shared\ASPNetShared.js 8192 bytes
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\ServerModels\Shared\ServerSettingsDefault.xml 4096 bytes
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\shared
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\shared\webengines
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\101656.exe 73728 bytes
C:\WINDOWS\system32\drivers\downld\102968.exe 73728 bytes
C:\WINDOWS\system32\drivers\downld\105859.exe 4096 bytes
C:\WINDOWS\system32\drivers\downld\119093.exe 20480 bytes
C:\WINDOWS\system32\drivers\downld\122656.exe 16384 bytes
C:\WINDOWS\system32\drivers\downld\124078.exe 4096 bytes
C:\WINDOWS\system32\drivers\downld\136875.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\139609.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\140156.exe 4096 bytes
C:\WINDOWS\system32\drivers\downld\147343.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\152015.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\155484.exe 49152 bytes
C:\WINDOWS\system32\drivers\downld\159812.exe 49152 bytes
C:\WINDOWS\system32\drivers\downld\163984.exe 20480 bytes
C:\WINDOWS\system32\drivers\downld\186265.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\198234.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\206984.exe 49152 bytes
C:\WINDOWS\system32\drivers\downld\264703.exe 20480 bytes
C:\WINDOWS\system32\drivers\downld\280765.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\294015.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\322359.exe 49152 bytes
C:\WINDOWS\system32\drivers\downld\45812.exe 69632 bytes
C:\WINDOWS\system32\drivers\downld\48500.exe 69632 bytes
C:\WINDOWS\system32\drivers\downld\49890.exe 40960 bytes
C:\WINDOWS\system32\drivers\downld\52281.exe 69632 bytes
C:\WINDOWS\system32\drivers\downld\59453.exe 69632 bytes
C:\WINDOWS\system32\drivers\downld\63031.exe 73728 bytes
C:\WINDOWS\system32\drivers\downld\64656.exe 73728 bytes
C:\WINDOWS\system32\drivers\downld\65828.exe 716800 bytes
C:\WINDOWS\system32\drivers\downld\66343.exe 716800 bytes
C:\WINDOWS\system32\drivers\downld\88875.exe 16384 bytes
C:\WINDOWS\system32\drivers\downld\92046.exe 4096 bytes
C:\WINDOWS\system32\drivers\downld\95203.exe 4096 bytes
C:\WINDOWS\system32\drivers\downld\97687.exe 69632 bytes
C:\WINDOWS\system32\drivers\downld\99562.exe 69632 bytes
C:\WINDOWS\system32\drivers\hldrrr.exe 679936 bytes
C:\WINDOWS\system32\drivers\mdelk.exe 679936 bytes
C:\WINDOWS\system32\drivers\srosa.sys 94208 bytes
C:\WINDOWS\system32\mdelk.exe 69632 bytes

scan completed successfully
hidden processes: 1
hidden services: 72
hidden files: 52

#3 5ifty1 (New Member, 3 posts)

Posted 12 April 2008 - 03:34 AM

So far, I've gone through and deleted all the numbered exe files as well as deleted the "downld" folder through DOS. I dunno if this stuff will stick though... When I try to delete hldrrr.exe, mdelk.exe, and srosa.sys through DOS, I get the message "A device attached to the system is not functioning." in the cmd window.

#4 silver (Malware Expert Emeritus, Authentic Member, 2,994 posts)

Posted 19 April 2008 - 02:47 AM

Hi 5ifty1,

I'm sorry it's taken so long for you to get a response, if you still need help please do as follows:

Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)
  • Navigate to the C:\SDFix folder using Windows Explorer (right-click Start and select Explore) and double-click RunThis.bat to start the script
  • Press C and enter to choose Create Catchme Log
  • Wait for the scan to complete.
  • A log will appear in Notepad, also located here: C:\SDFix\catchme.log, please post the contents in your next response.

Download Autoruns from here
  • Unzip/extract it to a folder on your desktop
  • Double click on autoruns.exe to start the program
  • Wait for it to finish scanning
  • Under Options make sure the following options are selected
    • Verify Code Signatures
    • Hide Signed Microsoft Entries
  • Click File > Refresh
  • Click File > Save As
  • Save it to the desktop as autoruns.txt
  • Post the contents of autoruns.txt in your next response

Once complete, please post the catchme.log and the autoruns.txt report.
ASAP & UNITE Member
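A way to triage the catchme log posted in #2, and the C:\SDFix\catchme.log silver asks for in #4, before reading it line by line. This is an added example written for this thread, not code from the forum, from SDFix or from GMER. The layout it parses is taken from the log above; the sample log is a constructed, abbreviated copy of that log; and the two heuristics it applies (a hidden executable under system32, an .exe whose name is only digits) are my assumptions about what deserves a first look, not catchme's own classification. It also checks the trailer counts against the entries actually listed, which catches a paste that was truncated on the way to the forum.

```python
"""Triage a catchme 0.2 log offline: verify the trailer's counts against the
entries actually listed, then flag hidden files that look like droppings."""
import ntpath
import re
from collections import defaultdict

# Constructed sample (assumption): an abbreviated log in the layout catchme
# 0.2 produced above, with two of the service lines and seven file lines.
SAMPLE_LOG = r"""catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

? [496]

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\srservice 3.0.0.0ce 3.0.0.0.0yer
HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRVce 3.0.0.0ce 3.0.0.0.0yer

scanning hidden autostart entries ...

scanning hidden files ...

C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Connections\Shared
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Connections\Shared\Connection_common.js 8192 bytes
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\101656.exe 73728 bytes
C:\WINDOWS\system32\drivers\hldrrr.exe 679936 bytes
C:\WINDOWS\system32\drivers\srosa.sys 94208 bytes
C:\WINDOWS\system32\mdelk.exe 69632 bytes

scan completed successfully
hidden processes: 1
hidden services: 2
hidden files: 7
"""

SECTION_RE = re.compile(r"^scanning hidden ([a-z ]+?) \.\.\.$")
SUMMARY_RE = re.compile(r"^hidden ([a-z ]+): (\d+)$")
FILE_RE = re.compile(r"^(.*?)(?: (\d+) bytes)?$")

# Heuristics (my assumptions, not catchme's logic): a hidden executable under
# the system directory, or an .exe named only with digits, matches the
# pattern in the posted log and should be looked at before anything else.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")
EXEC_EXT = {".exe", ".dll", ".sys", ".com", ".scr"}


def parse_catchme(text):
    """Return (entries per section, reported count per section)."""
    entries = defaultdict(list)
    reported = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            reported[m.group(1)] = int(m.group(2))
            section = None
            continue
        if section is None or line == "scan completed successfully":
            continue  # banner, URL and trailer lines carry no entries
        entries[section].append(line)
    return entries, reported


def check_counts(entries, reported):
    """Map each section whose trailer count disagrees with the entries listed
    to (reported, counted). An empty dict means the paste is complete."""
    return {
        section: (count, len(entries.get(section, [])))
        for section, count in reported.items()
        if len(entries.get(section, [])) != count
    }


def triage_hidden_files(file_entries):
    """Return [(path, size, reasons)] for hidden files that match a heuristic.
    Lines without a byte count are directories and are skipped."""
    findings = []
    for line in file_entries:
        path, size = FILE_RE.match(line).groups()
        if size is None:
            continue
        stem, ext = ntpath.splitext(ntpath.basename(path))
        ext = ext.lower()
        reasons = []
        if ext in EXEC_EXT and any(d in path.lower() for d in SYSTEM_DIRS):
            reasons.append("hidden executable under system32")
        if ext == ".exe" and stem.isdigit():
            reasons.append("numeric-only filename")
        if reasons:
            findings.append((path, int(size), reasons))
    return findings


if __name__ == "__main__":
    entries, reported = parse_catchme(SAMPLE_LOG)
    for section, (want, got) in check_counts(entries, reported).items():
        print(f"WARNING: trailer says {want} hidden {section}, log lists {got}")
    for path, size, reasons in triage_hidden_files(entries["files"]):
        print(f"{path} ({size} bytes): {'; '.join(reasons)}")
```

To use it on a real log, replace SAMPLE_LOG with the contents of the saved catchme.log. The service lines are counted but otherwise treated as opaque strings, because in the log posted above the service names are run together and cannot be read back reliably; the file section is where the names worth acting on appear.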

#5 silver (Malware Expert Emeritus, Authentic Member, 2,994 posts)

Posted 22 April 2008 - 08:20 AM

Do you still need help with your machine? If the instructions are unclear or something isn't working, please let me know before proceeding.

#6 silver (Malware Expert Emeritus, Authentic Member, 2,994 posts)

Posted 24 April 2008 - 09:13 PM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.
