Infected by Bagle.LY

Post by ashanta » February 23rd, 2008, 4:30 am

Hi... I'm seriously infected by Bagle.LY, like arengajojo. I opened a file downloaded stupidly from Lphant... it was about 800kb... then my antivirus stopped working and also all the anti-spyware (nod32, superantispyware, a2anti-squared malware)... I tried to install them again and they give the error "filename..exe is not a valid win32 application"

Sorry, but I cannot give you a HJ log file because the virus detects the application with the same error: "filename..exe is not a valid win32 application". I'm on Vista OS.

How do I do it? Who can help me? :roll:
ashanta
Regular Member
Posts: 24
Joined: February 22nd, 2008, 1:59 pm

Re: Infected by Bagle.LY

Post by random/random » February 23rd, 2008, 8:00 am

During this fix you may get some user account control (UAC) prompts

If you do, then please click continue/allow to allow the changes

The infection you have attacks any antivirus that you install. You won't be able to install an antivirus or run HijackThis until we remove it

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
random/random
Developer
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Infected by Bagle.LY

Post by ashanta » February 23rd, 2008, 9:28 am

I launched combofix and then I restarted the computer to get the combofix file.

After that, as I lost my Internet connection, I restored the system again, because combofix could not restore my Internet connection. Even manually, I couldn't restore my Internet connection.


Do I have to launch combofix again? In safe mode? I did it on a normal Vista restart.

I've got the online Totalscan log of this morning if you need it.

This was the log file before restoring the system (to get the Internet connection again)

ComboFix 08-02-23.2 - Windows 2008-02-23 13:50:11.1 - NTFSx86
Microsoft® Windows Vista™ Professionnel 6.0.6000.0.1252.1.1036.18.506 [GMT 1:00]
Endroit: C:\Users\Windows\Desktop\lolita.exe
* Création d'un nouveau point de restauration
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\down
C:\Windows\system32\drivers\hldrrr.exe
C:\Windows\system32\drivers\srosa.sys
C:\Windows\system32\mdelk.exe
C:\Windows\system32\wintems.exe
C:\Windows\system32\x64
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SROSA
-------\srosa


((((((((((((((((((((((((((((( Fichiers créés 2008-01-23 to 2008-02-23 ))))))))))))))))))))))))))))))))))))
.

Pas de nouveau fichier créé dans cet espace de temps

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-11 22:18 1232896]
"ares ultra"="F:\Program Files\Ares Ultra\Ares Ultra.exe" [2006-12-18 14:08 2776064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-12-31 15:33 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 10:57 3784704 C:\Windows\RtHDVCpl.exe]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2006-11-06 09:02 98304]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2006-11-06 09:05 106496]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2006-11-06 09:02 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"InvisibleBrowsing"="F:\Program Files\Invisible Browsing\InvisibleBrowsing.exe" [2008-02-15 19:16 8454144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 IBService;IBService;F:\Program Files\Invisible Browsing\servers\IBService.exe [2007-01-09 15:38]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-11-06 10:29]
R3 NETw3v32;Pilote de carte Intel(R) PRO/Wireless 3945ABG pour Windows Vista 32 bits;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 08:30]
R3 yukonwlh;Pilote miniport NDIS6.0 pour contrôleur Ethernet Marvell Yukon;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 08:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 13:55:48
Windows 6.0.6000 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\Invisible Browsing\servers\Socks\IBSocksManager.exe
F:\Program Files\Invisible Browsing\servers\Http\ibhttp.exe
F:\Program Files\Invisible Browsing\servers\Socks\IBSocks.exe
C:\Windows\system32\conime.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-02-23 13:57:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-23 12:57:44
.
2008-01-11 21:22:24 --- E O F ---
ashanta
Regular Member
Posts: 24
Joined: February 22nd, 2008, 1:59 pm

Re: Infected by Bagle.LY

Post by random/random » February 23rd, 2008, 5:18 pm

It looks like combofix was able to remove the infection. You should be able to install and run HijackThis now

Please do the following to download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  1. Save HJTInstall.exe to your desktop.
  2. Double-click on HJTInstall.exe to run the program.
  3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  4. Accept the license agreement by clicking the "I Accept" button.
  5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  6. Click "Save log" to save the log file and then the log will open in Notepad.
  7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  8. Come back here to this thread and paste the log in your next reply.
  9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
random/random
Developer
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Infected by Bagle.LY

Post by ashanta » February 24th, 2008, 5:56 am

1. Concerning HJT:

When running, the HJT program is not responding.


2. About Combofix:

I'd like to mention that the files were not deleted with Combofix.

Only the extension of the files is changed to "filename.exe.vir" and they are located in c:\QooBox\Quarantine\

Is that normal? Do I have to delete those files manually?

Also I remind you that I did a system restore after running Combofix to get my Internet connection again, because Combofix was unable to do it. Even manually, it was not possible for me to have an Internet connection.

Thanks in advance for your help and your time :)

Waiting for the next instructions...

ashanta
Regular Member
Posts: 24
Joined: February 22nd, 2008, 1:59 pm

Re: Infected by Bagle.LY

Post by random/random » February 24th, 2008, 5:34 pm

ashanta wrote:2. About Combofix:

I'd like to mention that the files were not deleted with Combofix.

Only the extension of the files is changed to "filename.exe.vir" and they are located in c:\QooBox\Quarantine\

Is that normal? Do I have to delete those files manually?


Yes, that's normal. We'll clear out all of combofix's backups once you're clean

ashanta wrote:Also I remind you that I did a system restore after running Combofix to get my Internet connection again, because Combofix was unable to do it. Even manually, it was not possible for me to have an Internet connection.


Combofix does disconnect you from the internet but it should reconnect you and even if it doesn't, a restart should restore connectivity.

ashanta wrote:1. Concerning HJT:

When running, the HJT program is not responding.


OK, we'll try a different tool:

  • Download Autoruns from here
  • Unzip/extract it to a folder on your desktop
  • Double click on autoruns.exe to start Autoruns
  • Wait for it to finish scanning
  • Under Options make sure the following options are selected
    • Verify Code Signatures
    • Hide Signed Microsoft Entries
  • Click File > Refresh
  • Click File > Save As
  • Save it to the desktop as autoruns.txt
  • Post the contents of autoruns.txt as a reply to this topic
random/random
Developer
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Infected by Bagle.LY

Post by ashanta » February 24th, 2008, 8:33 pm

Here is the Autoruns.txt file:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ InvisibleBrowsing Invisible Browsing 6.5 Application f:\program files\invisible browsing\invisiblebrowsing.exe
+ SunJavaUpdateSched Java(TM) Platform SE binary (Verified) Sun Microsystems, Inc. c:\program files\java\jre1.6.0_03\bin\jusched.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ ares ultra Ares Ultra (Not verified) Ares Ultra Development Team f:\program files\ares ultra\ares ultra.exe
+ SUPERAntiSpyware File not found: F:\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKLM\SOFTWARE\Classes\Protocols\Handler
+ skype4com Skype for COM API (Verified) Skype Technologies SA c:\program files\common files\skype\skype4com.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ SABShellExecuteHook Class File not found: F:\SUPERAntiSpyware\SASSEH.DLL
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
+ SASContextMenu Class File not found: F:\SUPERAntiSpyware\SASCTXMN.DLL
+ WinRAR f:\winrar\rarext.dll
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
+ WinRAR f:\winrar\rarext.dll
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
+ SASContextMenu Class File not found: F:\SUPERAntiSpyware\SASCTXMN.DLL
+ WinRAR f:\winrar\rarext.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ NeroDigitalColumnHandler Class Nero Digital Shell Extension (Verified) Nero AG c:\program files\common files\nero\lib\nerodigitalext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ NeroDigitalIconHandler Nero Digital Shell Extension (Verified) Nero AG c:\program files\common files\nero\lib\nerodigitalext.dll
+ NeroDigitalPropSheetHandler Nero Digital Shell Extension (Verified) Nero AG c:\program files\common files\nero\lib\nerodigitalext.dll
+ WinRAR shell extension f:\winrar\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ SSVHelper Class Java(TM) Platform SE binary (Verified) Sun Microsystems, Inc. c:\program files\java\jre1.6.0_03\bin\ssv.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ Uninstall BitDefender Online Scanner v8 c:\windows\bdoscandel.exe
HKLM\System\CurrentControlSet\Services
+ IBService f:\program files\invisible browsing\servers\ibservice.exe
HKLM\System\CurrentControlSet\Services
+ AnyDVD AnyDVD Filter Driver (Verified) SlySoft Inc. c:\windows\system32\drivers\anydvd.sys
+ ElbyCDIO ElbyCD Windows NT/2000/XP I/O driver (Verified) Elaborate Bytes AG c:\windows\system32\drivers\elbycdio.sys
+ IpInIp IP in IP Tunnel Driver File not found: system32\DRIVERS\ipinip.sys
+ NwlnkFlt IPX Traffic Filter Driver File not found: system32\DRIVERS\nwlnkflt.sys
+ NwlnkFwd IPX Traffic Forwarder Driver File not found: system32\DRIVERS\nwlnkfwd.sys
+ SASDIFSV File not found: F:\SUPERAntiSpyware\SASDIFSV.SYS
+ SASENUM File not found: F:\SUPERAntiSpyware\SASENUM.SYS
+ SASKUTIL File not found: F:\SUPERAntiSpyware\SASKUTIL.sys
+ srosa c:\windows\system32\drivers\srosa.sys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ !SASWinLogon File not found: F:\SUPERAntiSpyware\SASWINLO.dll
ashanta
Regular Member
Posts: 24
Joined: February 22nd, 2008, 1:59 pm

Re: Infected by Bagle.LY

Post by random/random » February 25th, 2008, 2:57 pm

You are running a P2P filesharing programme.
  • Many of these programmes come with unwanted components bundled with them.
  • If you wish to find out whether the one you're using does click here.
Please note: Even if you are using a "safe" P2P programme, it is only the programme that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.


My recommendation is you uninstall it.

  • Download avz4.zip from here
  • Unzip it to a folder on your desktop
  • Right click on AVZ.exe and click Run as administrator
  • Click Allow
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program
    Code:
    begin
    BC_DeleteSvc('srosa');
    BC_DeleteFile('C:\Windows\system32\drivers\hldrrr.exe');
    BC_DeleteFile('C:\Windows\system32\drivers\srosa.sys');
    BC_DeleteFile('C:\Windows\system32\mdelk.exe');
    BC_DeleteFile('C:\Windows\system32\wintems.exe');
    BC_Activate;
    RebootWindows(true);
    end.
  • Note: When you run the script, your PC will be restarted
  • Click Run

  • Double click on autoruns.exe to start Autoruns
  • Wait for it to finish scanning
  • Under Options make sure the following options are selected
    • Verify Code Signatures
    • Hide Signed Microsoft Entries
  • Click File > Refresh
  • Click File > Save As
  • Save it to the desktop as autoruns.txt
  • Post the contents of autoruns.txt as a reply to this topic
random/random
Developer
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Infected by Bagle.LY

Post by ashanta » February 25th, 2008, 3:34 pm

I uninstalled 2 P2P programs: Ares and Lphant (like Emule).

I could not install Avz4; I get the same error as with HJT. AVZ is not responding

Do you have another program?
ashanta
Regular Member
Posts: 24
Joined: February 22nd, 2008, 1:59 pm

Re: Infected by Bagle.LY

Post by random/random » February 25th, 2008, 4:55 pm

Let's try a rootkit scanner:

  • Download GMER by GMER from here
  • Unzip it to a folder on your desktop
  • Right click on gmer.exe and click Run as administrator to run GMER
  • If asked, allow the gmer.sys driver load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic
random/random
Developer
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Infected by Bagle.LY

Post by ashanta » February 25th, 2008, 6:08 pm

I have 2 error messages with Gmer.exe:

1. C:/wndows/gmer.dll can't execute under Windows or it contains an error. Try to install...

2. LoadLibrary "gmer.dll":Error:87

I remind you I'm working under a Vista platform.

Maybe I could delete the following files manually?

C:\Windows\system32\drivers\hldrrr.exe
C:\Windows\system32\drivers\srosa.sys
C:\Windows\system32\mdelk.exe
C:\Windows\system32\wintems.exe
ashanta
Regular Member
Posts: 24
Joined: February 22nd, 2008, 1:59 pm

Re: Infected by Bagle.LY

Post by random/random » February 25th, 2008, 6:13 pm

I know that you're working on Vista, and GMER is meant to be compatible

You could try deleting those files manually, but you're not likely to be successful, because some of them are hidden by the infection and the others are protected by the infection

Do you have access to another PC?
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Infected by Bagle.LY

Unread postby ashanta » February 25th, 2008, 7:02 pm

I've got another computer working on W98SE.
ashanta
Regular Member
 
Posts: 24
Joined: February 22nd, 2008, 1:59 pm

Re: Infected by Bagle.LY

Unread postby ashanta » February 25th, 2008, 7:18 pm

I deleted manually all the 4 files

Here is the Autoruns.txt:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ InvisibleBrowsing Invisible Browsing 6.5 Application f:\program files\invisible browsing\invisiblebrowsing.exe
+ SunJavaUpdateSched Java(TM) Platform SE binary (Verified) Sun Microsystems, Inc. c:\program files\java\jre1.6.0_03\bin\jusched.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ drvsyskit File not found: C:\Windows\system32\drivers\hldrrr.exe
+ german.exe File not found: C:\Windows\system32\wintems.exe
+ SUPERAntiSpyware File not found: F:\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKLM\SOFTWARE\Classes\Protocols\Handler
+ skype4com Skype for COM API (Verified) Skype Technologies SA c:\program files\common files\skype\skype4com.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ SABShellExecuteHook Class File not found: F:\SUPERAntiSpyware\SASSEH.DLL
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
+ SASContextMenu Class File not found: F:\SUPERAntiSpyware\SASCTXMN.DLL
+ WinRAR f:\winrar\rarext.dll
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
+ WinRAR f:\winrar\rarext.dll
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
+ SASContextMenu Class File not found: F:\SUPERAntiSpyware\SASCTXMN.DLL
+ WinRAR f:\winrar\rarext.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ NeroDigitalColumnHandler Class Nero Digital Shell Extension (Verified) Nero AG c:\program files\common files\nero\lib\nerodigitalext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ NeroDigitalIconHandler Nero Digital Shell Extension (Verified) Nero AG c:\program files\common files\nero\lib\nerodigitalext.dll
+ NeroDigitalPropSheetHandler Nero Digital Shell Extension (Verified) Nero AG c:\program files\common files\nero\lib\nerodigitalext.dll
+ WinRAR shell extension f:\winrar\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ SSVHelper Class Java(TM) Platform SE binary (Verified) Sun Microsystems, Inc. c:\program files\java\jre1.6.0_03\bin\ssv.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ Uninstall BitDefender Online Scanner v8 c:\windows\bdoscandel.exe
HKLM\System\CurrentControlSet\Services
+ IBService f:\program files\invisible browsing\servers\ibservice.exe
HKLM\System\CurrentControlSet\Services
+ AnyDVD AnyDVD Filter Driver (Verified) SlySoft Inc. c:\windows\system32\drivers\anydvd.sys
+ ElbyCDIO ElbyCD Windows NT/2000/XP I/O driver (Verified) Elaborate Bytes AG c:\windows\system32\drivers\elbycdio.sys
+ IpInIp IP in IP Tunnel Driver File not found: system32\DRIVERS\ipinip.sys
+ NwlnkFlt IPX Traffic Filter Driver File not found: system32\DRIVERS\nwlnkflt.sys
+ NwlnkFwd IPX Traffic Forwarder Driver File not found: system32\DRIVERS\nwlnkfwd.sys
+ SASDIFSV File not found: F:\SUPERAntiSpyware\SASDIFSV.SYS
+ SASENUM File not found: F:\SUPERAntiSpyware\SASENUM.SYS
+ SASKUTIL File not found: F:\SUPERAntiSpyware\SASKUTIL.sys
+ srosa File not found: C:\Windows\system32\drivers\srosa.sys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ !SASWinLogon File not found: F:\SUPERAntiSpyware\SASWINLO.dll
ashanta
Regular Member
 
Posts: 24
Joined: February 22nd, 2008, 1:59 pm

Re: Infected by Bagle.LY

Unread postby random/random » February 26th, 2008, 2:01 pm

  • Open a new notepad window (Start>All Programs>Accessories>Notepad)
  • Copy & paste the contents of the following codebox into the notepad window
    Code:
    sc delete srosa
    reg.exe delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v drvsyskit /f
    reg.exe delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v german.exe /f
    
  • Click File > Save as
  • In the box labelled File name copy and paste cleanup.bat
  • Change Save as type to All Files
  • Save it to your desktop
  • Close the notepad window
  • Right click on cleanup.bat and click Run as administrator
  • If Windows tells you that it needs your permission to continue, click Continue
  • A DOS window will come up briefly and then disappear; this is normal

You should now be able to download and run HijackThis

Delete all copies of HijackThis you previously downloaded.

CLICK HERE to download the HijackThis Installer:
  1. Save HJTInstall.exe to your desktop.
  2. Double-click on HJTInstall.exe to run the program.
  3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  4. Accept the license agreement by clicking the "I Accept" button.
  5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  6. Click "Save log" to save the log file and then the log will open in Notepad.
  7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  8. Come back here to this thread and paste the log in your next reply.
  9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
random/random
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm
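One way to triage an Autoruns export like the one ashanta pasted above, and to see where the three lines of cleanup.bat come from, is the following script. It is an example added by the editor, not code from the thread, from Autoruns or from GMER. It parses the text format of the export, flags every entry Autoruns reported as "File not found", marks the ones whose file name matches a component named earlier in this thread (hldrrr.exe, wintems.exe, mdelk.exe, srosa.sys), and derives removal commands only for those known components, leaving other missing entries (stale SUPERAntiSpyware and IPX driver registrations) as items for review. The sample log is a constructed excerpt of the posted export; the parsing heuristic (entry name is the first token after "+", path is the text after the first drive letter or after the "File not found:" marker) is an assumption about the export format, and multi-word names such as "SSVHelper Class" are truncated to their first word by it.

```python
"""Triage an Autoruns text export for missing and known-bad autostart entries.

Editor's example, not code from the thread or from the Autoruns tool.
"""
import re
from dataclasses import dataclass

# File names the thread identifies as Bagle components (poster's list above).
KNOWN_BAD = {"hldrrr.exe", "wintems.exe", "mdelk.exe", "srosa.sys"}

MISSING_MARK = "File not found: "
# Assumption: a real image path starts at the first "X:\" in the entry text.
PATH_RE = re.compile(r"([A-Za-z]:\\.*)$")

# Constructed excerpt of the export pasted in the thread (same line format).
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ SunJavaUpdateSched Java(TM) Platform SE binary (Verified) Sun Microsystems, Inc. c:\program files\java\jre1.6.0_03\bin\jusched.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ drvsyskit File not found: C:\Windows\system32\drivers\hldrrr.exe
+ german.exe File not found: C:\Windows\system32\wintems.exe
+ SUPERAntiSpyware File not found: F:\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKLM\System\CurrentControlSet\Services
+ AnyDVD AnyDVD Filter Driver (Verified) SlySoft Inc. c:\windows\system32\drivers\anydvd.sys
+ IpInIp IP in IP Tunnel Driver File not found: system32\DRIVERS\ipinip.sys
+ srosa File not found: C:\Windows\system32\drivers\srosa.sys
"""


@dataclass
class Entry:
    location: str    # registry key the entry was found under
    name: str        # value name, service name or class name (first token)
    path: str        # image path as reported by Autoruns
    missing: bool    # Autoruns could not find the file on disk
    known_bad: bool  # file name matches a component named in the thread


def parse_autoruns(text: str) -> list:
    """Return one Entry per '+' line, tagged with the key header above it."""
    entries = []
    location = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("+ "):
            location = line          # key header such as HKCU\...\Run
            continue
        name, _, rest = line[2:].partition(" ")
        if MISSING_MARK in rest:
            path = rest.split(MISSING_MARK, 1)[1].strip()
            missing = True
        else:
            m = PATH_RE.search(rest)
            path = m.group(1).strip() if m else rest
            missing = False
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        entries.append(Entry(location, name, path, missing, basename in KNOWN_BAD))
    return entries


def review_items(entries: list) -> list:
    """Missing entries that are not known components: check before removing."""
    return [e for e in entries if e.missing and not e.known_bad]


def remediation_commands(entries: list) -> list:
    """Removal commands for known components only, in the form cleanup.bat used."""
    cmds = []
    for e in entries:
        if not e.known_bad:
            continue
        loc = e.location.lower()
        if loc.endswith("\\currentversion\\run"):
            cmds.append(f"reg.exe delete {e.location} /v {e.name} /f")
        elif loc.endswith("\\services"):
            cmds.append(f"sc delete {e.name}")
    return cmds


if __name__ == "__main__":
    found = parse_autoruns(SAMPLE_LOG)
    for e in found:
        tag = "KNOWN-BAD" if e.known_bad else ("missing" if e.missing else "present")
        print(f"{tag:9} {e.location} :: {e.name} -> {e.path}")
    print("\nReview before removing:")
    for e in review_items(found):
        print(f"  {e.name} ({e.path})")
    print("\nProposed cleanup commands:")
    for c in remediation_commands(found):
        print(f"  {c}")
```

Running it on the full export prints the three commands that appear in cleanup.bat above and lists the stale SUPERAntiSpyware and IPX driver entries separately, which is why the helper deleted only srosa, drvsyskit and german.exe rather than every "File not found" line.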