Major Problem (wintems/bagle related)

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

5ifty1

Thread Starter
Joined
Apr 12, 2008
Messages
9
Hello all. This is my first post. I'm sorry I didn't have time to go into a general part of the forum and introduce myself. I am at a complete loss right now.

Here is the situation. I have been infected by what I believe is the W32.Bagle worm/virus. I have the wintems.exe file in my system32 folder, and in TaskManager appear the random number.exe files (035903.exe, etc.). I've been trying to find a solution that works for the past FIVE HOURS to no avail. I classify myself to be somewhat computer literate since I spend my whole life on the thing.

My CPU usage is staying 50%-100% no matter what. I am also getting BSOD every hour or so (4x already). My system will not boot into Safe Mode, instead I get blessed with another BSOD.

Here's my current situation of what works and what doesn't:

HJT - Will not run. Errors with "not a valid win32 app".
Spybot S&D - Will not run. No errors, nothing.
DSS - Will not run. It starts, I hit the first 2 OK screens, then as it tries to run a sys restore it just shuts off mid-way. If I try to run it again it freezes up windows and I have to hit the reset button on my tower.
ComboFix - Will not run. Starts to show the loading bar, then nothing. (I know, I'm sorry for trying to use this before getting advice)

So, from what I can tell right now, I cannot even get you guys a log at this point. One interesting thing is that I have an app called Eraser installed on my sys, and I right clicked on wintems.exe and performed a "secure move". This made the original wintems.exe zero out (0kb) and moved (I think) the other to the Desktop. It cannot be seen no matter what I try. The thing is now wintems.exe doesn't show up in TaskManager... which I think is a good thing.

Also, when trying to view hidden files and folders through the folder options dialog, the radio button is just... gone. I can't really explain it. It just is completely gone so I can't view hidden files although I had hidden files viewable normally.

I need some help really bad. This is my work computer and although I have another, I must try and save this install of windows and everything on the drive. I have read through numerous forum posts and threads regarding this virus, but I have had zero luck with anything yet since I can't get anything to run or boot into Safe Mode.

So, if anyone can help it is much appreciated. Thanks. :(
 

5ifty1

Thread Starter
Joined
Apr 12, 2008
Messages
9
Ok I got ONE THING to run. A rootkit detector by Gmer called catchme 0.2.

Here's the log:

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

? [496]

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\srservice 3.0.0.0ce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRVce 3.0.0.0ce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\StarWindServiceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\stisvcndServiceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\streamipServiceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\swenumipServiceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\swmidiipServiceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\SwPrviipServiceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\symc810pServiceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\symc8xxpServiceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\sym_hixpServiceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\sym_u3xpServiceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\sysaudioServiceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\SysmonLogerviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\TapiSrvogerviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\TcpiprvogerviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\TDPIPEvogerviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\TDTCPEvogerviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\TermDDvogerviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\TermServiceviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\ThemesrviceviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvrviceviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\TosIderviceviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\TrkWksrviceviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\TSDDDsrviceviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\UdfsDsrviceviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\ultrasrviceviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\UpdaterviceviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\upnphosticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\UPSphosticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\usbphosticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\USBAAPLticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\usbehciticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\usbhubiticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\usbprinticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\usbscanticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\USBSTORticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\usbuhciticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\usnjsvcticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\VgaSaveticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\VHZOaveticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\ViaIdeeticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\VolSnapticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\VSSSnapticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\W32TimeticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\W3SVCmeticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\WanarpeticeviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\WBHWDOCTiceviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\Wdf01000iceviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\WDICA000iceviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\wdmaud00iceviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\WebClientceviceAEce 3.0.0.0.0yer

HKLM\SYSTEM\CurrentControlSet\Services\winmgmt Workflow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\Winsock Workflow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2Workflow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\WinTrustWorkflow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSNWorkflow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\WmimPmSNWorkflow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\WmiApRplWorkflow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\WmiApSrvWorkflow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\WMPNetworkSvclow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\WS2IFSLorkSvclow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\wscsvcLorkSvclow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\WSTCODECrkSvclow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\wuauservrkSvclow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\WudfPfrvrkSvclow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\WudfRdrvrkSvclow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\WudfSvcvrkSvclow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\WZCSVCcvrkSvclow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\xmlprovvrkSvclow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\xusb21vvrkSvclow Foundation 3.0.0.0

HKLM\SYSTEM\CurrentControlSet\Services\agd3m2kbF-65AF-4331-B80F-304BE8EC37CA}

scanning hidden autostart entries ...

scanning hidden files ...

C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Connections\Shared
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Connections\Shared\ASP.NET
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Connections\Shared\Connection_common.js 8192 bytes
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\DataSources\Shared
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\DataSources\Shared\ASP.Net
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\ServerFormats\Shared
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\ServerFormats\Shared\ASP.Net
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\ServerModels\Shared
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\ServerModels\Shared\ASPNetShared.js 8192 bytes
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\ServerModels\Shared\ServerSettingsDefault.xml 4096 bytes
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\shared
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\shared\webengines
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\101656.exe 73728 bytes
C:\WINDOWS\system32\drivers\downld\102968.exe 73728 bytes
C:\WINDOWS\system32\drivers\downld\105859.exe 4096 bytes
C:\WINDOWS\system32\drivers\downld\119093.exe 20480 bytes
C:\WINDOWS\system32\drivers\downld\122656.exe 16384 bytes
C:\WINDOWS\system32\drivers\downld\124078.exe 4096 bytes
C:\WINDOWS\system32\drivers\downld\136875.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\139609.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\140156.exe 4096 bytes
C:\WINDOWS\system32\drivers\downld\147343.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\152015.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\155484.exe 49152 bytes
C:\WINDOWS\system32\drivers\downld\159812.exe 49152 bytes
C:\WINDOWS\system32\drivers\downld\163984.exe 20480 bytes
C:\WINDOWS\system32\drivers\downld\186265.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\198234.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\206984.exe 49152 bytes
C:\WINDOWS\system32\drivers\downld\264703.exe 20480 bytes
C:\WINDOWS\system32\drivers\downld\280765.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\294015.exe 28672 bytes
C:\WINDOWS\system32\drivers\downld\322359.exe 49152 bytes
C:\WINDOWS\system32\drivers\downld\45812.exe 69632 bytes
C:\WINDOWS\system32\drivers\downld\48500.exe 69632 bytes
C:\WINDOWS\system32\drivers\downld\49890.exe 40960 bytes
C:\WINDOWS\system32\drivers\downld\52281.exe 69632 bytes
C:\WINDOWS\system32\drivers\downld\59453.exe 69632 bytes
C:\WINDOWS\system32\drivers\downld\63031.exe 73728 bytes
C:\WINDOWS\system32\drivers\downld\64656.exe 73728 bytes
C:\WINDOWS\system32\drivers\downld\65828.exe 716800 bytes
C:\WINDOWS\system32\drivers\downld\66343.exe 716800 bytes
C:\WINDOWS\system32\drivers\downld\88875.exe 16384 bytes
C:\WINDOWS\system32\drivers\downld\92046.exe 4096 bytes
C:\WINDOWS\system32\drivers\downld\95203.exe 4096 bytes
C:\WINDOWS\system32\drivers\downld\97687.exe 69632 bytes
C:\WINDOWS\system32\drivers\downld\99562.exe 69632 bytes
C:\WINDOWS\system32\drivers\hldrrr.exe 679936 bytes
C:\WINDOWS\system32\drivers\mdelk.exe 679936 bytes
C:\WINDOWS\system32\drivers\srosa.sys 94208 bytes
C:\WINDOWS\system32\mdelk.exe 69632 bytes

scan completed successfully
hidden processes: 1
hidden services: 72
hidden files: 52
 
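A small triage parser for a catchme log like the one above, added here as an example and not part of the original post or of Gmer's tool: it splits the log into its "scanning hidden ..." sections, cross-checks the summary counts catchme reports against the entries it actually listed, groups hidden files by directory, and flags hidden executables that sit under the Windows directory or carry a purely numeric name. The sample log is an excerpt of the posted log (a few of the hidden-file lines, with the "hidden files" count adjusted to the excerpt); the header and path formats it assumes are the ones visible in the log.

```python
import re
from collections import defaultdict

# Excerpt of the catchme 0.2 log posted above. Only a handful of the
# hidden-file lines are kept, and "hidden files" was adjusted to 9 to
# match this excerpt, so the count check below can be exercised offline.
SAMPLE_LOG = r"""catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

? [496]

scanning hidden autostart entries ...

scanning hidden files ...

C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Connections\Shared
C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Connections\Shared\Connection_common.js 8192 bytes
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\101656.exe 73728 bytes
C:\WINDOWS\system32\drivers\downld\45812.exe 69632 bytes
C:\WINDOWS\system32\drivers\hldrrr.exe 679936 bytes
C:\WINDOWS\system32\drivers\mdelk.exe 679936 bytes
C:\WINDOWS\system32\drivers\srosa.sys 94208 bytes
C:\WINDOWS\system32\mdelk.exe 69632 bytes

scan completed successfully
hidden processes: 1
hidden files: 9
"""

# A hidden-file line is "<drive>:\<path>" optionally followed by " <n> bytes";
# directory entries have no size.
PATH_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?)(?: (?P<size>\d+) bytes)?$')
SUMMARY_RE = re.compile(r'^hidden (?P<kind>\w+): (?P<count>\d+)$')
EXEC_EXT = ('.exe', '.sys', '.dll', '.scr', '.com')


def parse_catchme(text):
    """Split a catchme log into {section: entries} plus the summary counts."""
    sections = defaultdict(list)
    summary = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('scanning hidden '):
            # "scanning hidden files ..." -> "files"
            current = line[len('scanning hidden '):].split()[0]
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group('kind')] = int(m.group('count'))
            continue
        if current == 'files':
            m = PATH_RE.match(line)
            if m:
                size = m.group('size')
                sections['files'].append(
                    {'path': m.group('path'),
                     'size': int(size) if size is not None else None})
        elif current is not None:
            sections[current].append(line)
    return dict(sections), summary


def check_counts(sections, summary):
    """Compare the counts catchme printed with what it actually listed."""
    return {kind: (reported, len(sections.get(kind, [])))
            for kind, reported in summary.items()}


def group_by_directory(entries):
    """Map each directory to the hidden file names found directly inside it."""
    by_dir = defaultdict(list)
    for e in entries:
        if e['size'] is None:
            continue  # directory entry, not a file
        directory, name = e['path'].rsplit('\\', 1)
        by_dir[directory].append(name)
    return dict(by_dir)


def triage_hidden_files(entries):
    """Return (path, reason) for hidden executables worth a closer look."""
    flagged = []
    for e in entries:
        if e['size'] is None:
            continue
        lower = e['path'].lower()
        name = lower.rsplit('\\', 1)[-1]
        stem, dot, ext = name.rpartition('.')
        if not dot or '.' + ext not in EXEC_EXT:
            continue
        reasons = []
        if lower.startswith('c:\\windows\\'):
            reasons.append('hidden executable under the Windows directory')
        if stem.isdigit():
            reasons.append('numeric file name')
        if reasons:
            flagged.append((e['path'], '; '.join(reasons)))
    return flagged


if __name__ == '__main__':
    sections, summary = parse_catchme(SAMPLE_LOG)
    print('count check:', check_counts(sections, summary))
    for directory, names in group_by_directory(sections['files']).items():
        print(directory, '->', ', '.join(names))
    for path, reason in triage_hidden_files(sections['files']):
        print('FLAG', path, '::', reason)
```

On the full log in the post, the count check is the first thing to read: catchme reported 52 hidden files and listed 52 entries (directories included), so the list can be taken as complete, and every flagged path under `system32\drivers` lines up with the files the poster later could not delete.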

5ifty1

Thread Starter
Joined
Apr 12, 2008
Messages
9
So far, I've gone through and deleted all the numbered exe files as well as deleted the "downld" folder through DOS. I dunno if this stuff will stick though...

When I try to delete hldrrr.exe, mdelk.exe, and srosa.sys through DOS, I get the message "A device attached to the system is not functioning." in the cmd window.