Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

[Assistance] Computer infected, AV Disabled

Post by Saeed » January 9th, 2009, 12:42 am

Hello

I think I opened a zipped file, and after that the computer shut down automatically.

When I restarted the computer, my antivirus and my firewall were disabled. When I tried to run them manually from the Start Menu, it displayed the following message:
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe is not a valid Win32 application.


D:\Program Files\Agnitum\Outpost Firewall Pro\op_mon.exe is not a valid Win32 application.


I tried to run Spybot - Search & Destroy, but the program did not open.

I tried running Trend Micro HouseCall Online, but when it was scanning, it displayed a message that certain files are not able to upload.

Then I tried to run HijackThis; it displayed the same message:
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe is not a valid Win32 application.


I tried System Restore, it did not work.

I tried to go into Safe Mode, it did not work.

I really don't know what to do. I am sure that my computer is infected.


I'm running Windows XP SP3.

Re: [Assistance] Computer infected, AV Disabled

Post by Saeed » January 9th, 2009, 5:13 am

Just ran Malwarebytes Anti-Malware


Malwarebytes' Anti-Malware 1.32
Database version: 1633
Windows 5.1.2600 Service Pack 3

1/9/2009 1:04:10 PM
mbam-log-2009-01-09 (13-04-10).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 706142
Time elapsed: 1 hour(s), 55 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sk9ou0s (Worm.Bagel) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sk9ou0s (Worm.Bagel) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk9ou0s (Worm.Bagel) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\IbnSaeed\Application Data\m (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\IbnSaeed\Application Data\drivers\srosa2.sys (Worm.Bagel) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1BA1300B-354C-4703-ACE1-66C7993F0AA7}\RP412\A0064332.sys (Worm.Bagel) -> Quarantined and deleted successfully.
C:\Documents and Settings\IbnSaeed\Application Data\m\data.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\IbnSaeed\Application Data\m\list.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\IbnSaeed\Application Data\m\srvlist.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mdelk.exe (Trojan.Spammer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Delete on reboot.
C:\Documents and Settings\IbnSaeed\Application Data\m\flec006.exe (Trojan.Agent) -> Delete on reboot.

Re: [Assistance] Computer infected, AV Disabled

Post by NonSuch » January 10th, 2009, 12:17 am

In order for us to help you, it is necessary that you provide us with a HijackThis log. A HijackThis log, as well as other logs that may be requested, provides us with a guideline for removing whatever malware is infecting your system. We cannot proceed without such logs for guidance.

Please follow the guideline at the link below to start a new topic and post your HijackThis log. Do not reply to that topic until you have received a response from a helper. If you are unable to create and post a HijackThis log, then your only option may be to reformat your computer and reinstall the operating system.

This topic is now closed. Please start a new topic by following the HijackThis Guideline posted here: Guideline for posting your HijackThis log