
Thread: Unknown - Probably Infection

  1. #21 Member (joined Nov 2007, 56 posts)

    My final solution: Delete boot.ini. Now I've booted back into Windows. I'm not going to try that again.

    Any other ideas on what to do? I googled and found that SPTD.sys had some incompatibility issues and sometimes prevents the loading of safe mode. I'm upgrading it right now, and going to try loading safe mode again.

  2. #22 Member (joined Nov 2007, 56 posts)

    OK. Managed to delete mdelk.exe. Still cannot boot into safe mode, or run any antivirus. Deleted SPTD.sys, and now it restarts at MUP.sys without any warning when booting into safe mode.

    I still don't see any suspicious virus behavior... but why would my antivirus suddenly not work after working fine for so long...

  3. #23 Member (joined Nov 2007, 56 posts)

    Here is the ESET log.

    # version=4
    # OnlineScanner.ocx=1.0.0.635
    # OnlineScannerDLLA.dll=1, 0, 0, 79
    # OnlineScannerDLLW.dll=1, 0, 0, 78
    # OnlineScannerUninstaller.exe=1, 0, 0, 49
    # vers_standard_module=2873 (20080213)
    # vers_arch_module=1.063 (20080117)
    # vers_adv_heur_module=1.064 (20070717)
    # EOSSerial=e230fc137e9ef54ba6c39410f434eb5d
    # end=finished
    # remove_checked=true
    # unwanted_checked=true
    # utc_time=2008-02-14 09:20:13
    # local_time=2008-02-14 01:20:13 (-0800, Pacific Standard Time)
    # country="Canada"
    # osver=5.1.2600 NT Service Pack 2
    # scanned=506544
    # found=20
    # scan_time=5061
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\3L24I2NQ\b64_1[1].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\3L24I2NQ\b64_31[1].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\K7932JCS\b64_1[1].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_1[1].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_1[2].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_1[3].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_2[1].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_2[2].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_31[1].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_31[2].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_1[1].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_2[1].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_2[2].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_31[1].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_31[2].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_31[3].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_31[4].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_31[5].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
    C:\WINDOWS\system32\mdelk.exe a variant of Win32/Bagle worm (unable to clean - error while deleting) 771623BE7FBD00AAC125685BAA4A35EC
    G:\vist\WGA.october.2007.(lildude) (v7).1.7.59.1\Windows Xp Sp2 Keygen with auto key changer\1) Windows XP SP2 Keygen\KeyGen.exe probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000

    There must be some registry, as I know I deleted mdelk but it popped back up.
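The ESET log above is worth reading as data rather than as a list of scary names: almost every hit is a browser-cache copy of the worm's downloader that the scanner deleted, and exactly one file, mdelk.exe, could not be deleted and carries a real MD5. The following is an added example (not part of the original thread or of ESET's tooling) that parses a log in this format and separates cache debris from the files that survived cleanup. The sample log is constructed in the shape of the posted one; the mdelk.exe line and its hash are copied from the posted log, the other two paths are shortened stand-ins.

```python
import re
from collections import Counter

# Constructed sample in the shape of the ESET Online Scanner log posted above.
# Header lines start with '#'; each detection is
#   <path> <threat name> (<action taken>) <MD5>
# The mdelk.exe line and its hash are copied from the posted log; the other
# two paths are shortened stand-ins.
SAMPLE_LOG = r"""# version=4
# osver=5.1.2600 NT Service Pack 2
# scanned=506544
# found=3
# scan_time=5061
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\AAAA1111\b64_1[1].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\mdelk.exe a variant of Win32/Bagle worm (unable to clean - error while deleting) 771623BE7FBD00AAC125685BAA4A35EC
G:\tools\KeyGen.exe probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
"""

# Path is non-greedy because it may contain spaces; the threat name, the
# parenthesised action and the 32-hex-digit MD5 anchor the end of the line.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?Win32/\S+ \w+) "
    r"\((?P<action>[^)]*)\) "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)
NULL_MD5 = "0" * 32


def parse_eset_log(text):
    """Split the log into a header dict and a list of detection dicts."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            d = m.groupdict()
            d["md5"] = d["md5"].upper()
            detections.append(d)
    return header, detections


def family(threat):
    """'a variant of Win32/Bagle worm' -> 'Win32/Bagle' (drop the variant suffix)."""
    m = re.search(r"Win32/[A-Za-z0-9_]+", threat)
    return m.group(0) if m else threat


def triage(header, detections):
    """Separate cache debris from files that survived the scanner's cleanup."""
    return {
        # False means the scanner counted hits it did not emit as lines.
        "count_matches_header": int(header.get("found", -1)) == len(detections),
        "families": Counter(family(d["threat"]) for d in detections),
        # Browser-cache hits are downloaded payload copies, not the running infection.
        "cache_only": [d["path"] for d in detections
                       if "Temporary Internet Files" in d["path"]],
        # Anything the scanner could not delete is still on disk and is the
        # first place to look for what keeps re-creating the others.
        "survivors": [d["path"] for d in detections
                      if "error while deleting" in d["action"]],
        # The posted log carries an all-zero MD5 on deleted entries; only a
        # file still present has a real hash worth looking up or submitting.
        "real_hashes": {d["path"]: d["md5"] for d in detections
                        if d["md5"] != NULL_MD5},
    }


if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_LOG)
    for key, value in triage(hdr, dets).items():
        print(f"{key}: {value}")
```

Run against the full posted log the same split falls out: eighteen cache copies deleted, one keygen deleted, and mdelk.exe left in system32 with an "error while deleting", which is the file to hash, submit and hunt for a loader of.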

  4. #24 Emeritus (joined Nov 2005, location @localhost, 6,066 posts)

    Hi,

    Thanks for the info. I am starting to think it's something more than malware now. Corrupted registry and/or files?
    I.e. the errors at boot-up. You should start thinking about a reformat/reinstall of Windows, just in case. You should pull off to CD/DVD, flash drive, 2nd HD etc. anything you don't want to lose.
    I think you can enter safe mode; it's the errors at boot-up that are preventing it. Why you can boot normally with no problems I have no idea. I also wouldn't edit the boot.ini file unless you are sure of what you are doing. It could leave you with a door stop.
    If you have the Windows install CD you can try System File Checker, although it won't fix a corrupt registry.

    Run > Start and type in sfc /scannow
    There is a space after the c and before the /.
    It's worth a try anyway at this point.

  5. #25 Member (joined Nov 2007, 56 posts)

    Thanks for the help. I really hope it's not a corrupt file system... I don't have any removable hard drives, which means I would have to upload all backups and everything to the internet, which firstly isn't safe for my files, and secondly I can't access them until I reinstall, and I have tons of school work right now that requires a computer.

    I'm going to try booting with the /sos switch and seeing the problem. I have already tried the Microsoft disk recovery service, and it requires a floppy that I don't have.

    Thanks for all your help. I hope this will work out...

  6. #26 Emeritus (joined Nov 2005, location @localhost, 6,066 posts)

    Hi,

    That last online scan doesn't really look too bad. So let's say you do get into safe mode and manage to clean up some files. If it's a corrupt registry or files you will still have the same problem.
    If you have the install CD you could try a repair of XP, which should preserve your data. See links:

    http://www.michaelstevenstech.com/XPrepairinstall.htm
    http://www.microsoft.com/windowsxp/u...ps/doug92.mspx

    In any case you should really back up what you can.
    Better to lose some data than all of it.

  7. #27 Member (joined Nov 2007, 56 posts)

    I would rather not be so hasty...

    I just checked the boot sequence and error message from the boot using the /sos switch. The error appears to be:

    0x0000007B(0xF7906528, 0xC0000034, 0x00000000, 0x00000000)

    I'm posting this on the Microsoft support forum to see if anyone can make sense of it.

    I will run sfc soon.

    So, now instead of that problem, is there any way to remove the Bagle infection without going to safe mode? I tried Sophos' Bagle remover, which doesn't find it. Spyware S&D can't load up. So....

    Maybe could you also ask around the other helpers? Some of them might know something.

  8. #28 Emeritus (joined Nov 2005, location @localhost, 6,066 posts)

    Hi,
    "I would rather not be so hasty..."
    It's not about being hasty, more like being prepared, a just-in-case.

    I think you have the "new" version of the worm. I think the tool you have is for the older versions.
    I also think it may be part of a rootkit. Let's try GMER.

    Please run a GMER rootkit scan:

    Download GMER's application from here:
    http://www.gmer.net/gmer.zip

    Unzip it and start GMER.exe.
    Click the Rootkit/Malware tab and click the Scan button.

    Once done, click the Copy button.
    This will copy the results to your clipboard.
    Paste the results in your next reply.

  9. #29 Member (joined Nov 2007, 56 posts)

    GMER 1.0.14.14116 - http://www.gmer.net
    Rootkit scan 2008-02-15 18:35:38
    Windows 5.1.2600 Service Pack 2
    ---- System - GMER 1.0.14 ----

    Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwOpenProcess [0xBAEE831C]
    Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQuerySystemInformation [0xBAEEDC8A]
    Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwSetInformationFile [0xBAEE841A]
    Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtOpenProcess
    Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtQuerySystemInformation
    Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtSetInformationFile

    ---- Kernel code sections - GMER 1.0.14 ----
    I'm skipping the kernel code sections because that section is huge. Also, hldrrr.exe was running as a hidden process, along with winitems.exe.

    I can't find the log, so I'm going to try a rescan and post the log.

  10. #30 Member (joined Nov 2007, 56 posts)

    OK. Here are the important parts of the log; it is shortened from about 3 million characters to the 20k-character limit.

    GMER 1.0.14.14116 - http://www.gmer.net
    Rootkit scan 2008-02-15 19:05:38
    Windows 5.1.2600 Service Pack 2
    ---- System - GMER 1.0.14 ----

    Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwOpenProcess [0xBAEE831C]
    Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQuerySystemInformation [0xBAEEDC8A]
    Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwSetInformationFile [0xBAEE841A]
    Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtOpenProcess
    Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtQuerySystemInformation
    Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtSetInformationFile
    ---- Processes - GMER 1.0.14 ----

    Process C:\WINDOWS\system32\wintems.exe (*** hidden *** ) 3704 [Registry]

    File C:\WINDOWS\system32\drivers\srosa.sys 112432 bytes <-- ROOTKIT !!!
    File C:\WINDOWS\system32\drivers\hldrrr.exe 746967 bytes
    File C:\WINDOWS\system32\drivers\down

    A Ton of C:\WINDOWS\system32\drivers\down\########.exe
    632
    File C:\WINDOWS\system32\wintems.exe 71172 bytes
    File C:\WINDOWS\ime\SHARED 0 bytes
    File C:\WINDOWS\ime\SHARED\imepaden.hlp 81368 bytes
    File C:\WINDOWS\ime\SHARED\imepadsm.dll 102463 bytes
    File C:\WINDOWS\ime\SHARED\imepadsv.exe 311359 bytes
    File C:\WINDOWS\ime\SHARED\imlang.dll 102456 bytes
    File C:\WINDOWS\ime\SHARED\RES 0 bytes
    File C:\WINDOWS\ime\SHARED\RES\PADRS404.DLL 15872 bytes
    File C:\WINDOWS\ime\SHARED\RES\padrs411.dll 36927 bytes
    File C:\WINDOWS\ime\SHARED\RES\padrs412.dll 14336 bytes
    File C:\WINDOWS\ime\SHARED\RES\padrs804.dll 15360 bytes

    ---- Services - GMER 1.0.14 ----

    Service C:\WINDOWS\system32\drivers\srosa.sys [SYSTEM] srosa <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.14 ----
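The GMER output above explains the whole thread in three lines: one driver, srosa.sys, hooks NtOpenProcess, NtQuerySystemInformation and NtSetInformationFile, which is exactly what a kernel-mode rootkit needs to keep its process out of the process list, stop anything from opening a handle to it, and fail delete/rename requests against its files. The following is an added example (not part of the original thread or of GMER itself) that parses a log in this format, collapses the duplicated Zw*/Nt* hook lines into one entry per hooked service, and turns the result into findings a responder can act on. The sample is constructed in the shape of the posted log, with the driver, hidden process and PID copied from the post and the file list trimmed; the "why hooked" explanations are the author's general knowledge of what those system services do, not something GMER reports.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the GMER 1.0.14 log posted above. The driver,
# hidden process and PID are the ones the poster reported; the long file list
# is trimmed to three entries.
SAMPLE_GMER = r"""GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-02-15 19:05:38
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwOpenProcess [0xBAEE831C]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQuerySystemInformation [0xBAEEDC8A]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwSetInformationFile [0xBAEE841A]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtOpenProcess
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtQuerySystemInformation
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtSetInformationFile

---- Processes - GMER 1.0.14 ----

Process C:\WINDOWS\system32\wintems.exe (*** hidden *** ) 3704 [Registry]

File C:\WINDOWS\system32\drivers\srosa.sys 112432 bytes <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\hldrrr.exe 746967 bytes
File C:\WINDOWS\system32\wintems.exe 71172 bytes

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\srosa.sys [SYSTEM] srosa <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----
"""

# One regex per GMER record type seen in the posted log.
CODE_RE = re.compile(r"^Code (?P<driver>\S+) (?P<func>(?:Zw|Nt)\w+)(?: \[(?P<addr>0x[0-9A-Fa-f]+)\])?$")
PROC_RE = re.compile(r"^Process (?P<path>.+?) \(\*\*\* hidden \*\*\* \) (?P<pid>\d+)(?: \[(?P<src>\w+)\])?$")
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes(?P<flag> <-- ROOTKIT !!!)?$")
SVC_RE = re.compile(r"^Service (?P<path>\S+) \[(?P<start>\w+)\] (?P<name>\S+)(?P<flag> <-- ROOTKIT !!!)?$")

# General knowledge about the hooked services, not something GMER reports.
WHY_HOOKED = {
    "OpenProcess": "can refuse handles to protected processes, so Task Manager and AV cannot inspect or kill them",
    "QuerySystemInformation": "can filter the process list, which is how a process ends up marked *** hidden ***",
    "SetInformationFile": "can fail delete/rename requests, consistent with 'error while deleting' on the worm's files",
}


def parse_gmer(text):
    """Parse GMER's text log into hooks, hidden processes, files and services."""
    hooks = defaultdict(set)
    hidden, files, flagged, services = [], [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue  # blank lines and section headers
        if (m := CODE_RE.match(line)):
            # GMER lists each hooked service twice (Zw* with the hook address,
            # Nt* without); strip the prefix so both collapse to one name.
            hooks[m["driver"]].add(m["func"][2:])
        elif (m := PROC_RE.match(line)):
            hidden.append((m["path"], int(m["pid"])))
        elif (m := FILE_RE.match(line)):
            files.append((m["path"], int(m["size"])))
            if m["flag"]:
                flagged.append(m["path"])
        elif (m := SVC_RE.match(line)):
            services.append((m["name"], m["path"], m["start"]))
            if m["flag"]:
                flagged.append(m["path"])
    return {
        "hooks": {drv: sorted(fns) for drv, fns in hooks.items()},
        "hidden_processes": hidden,
        "files": files,
        "rootkit_flagged": sorted(set(flagged)),
        "services": services,
    }


def explain(report):
    """Turn the parsed report into one human-readable finding per artifact."""
    findings = []
    for driver, funcs in report["hooks"].items():
        for fn in funcs:
            why = WHY_HOOKED.get(fn, "purpose unknown; inspect the driver")
            findings.append(f"{driver} hooks Nt{fn}: {why}")
    for path, pid in report["hidden_processes"]:
        findings.append(f"hidden process {path} (PID {pid}) is invisible to user-mode tools")
    for name, path, start in report["services"]:
        findings.append(f"service '{name}' loads {path} with start type {start}, "
                        f"i.e. during kernel initialisation, before any user-mode scanner")
    return findings


if __name__ == "__main__":
    for finding in explain(parse_gmer(SAMPLE_GMER)):
        print(finding)
```

The practical consequence is the one the thread keeps running into: while srosa.sys is loaded, any tool running inside that Windows session (ESET's online scanner, Spybot, a Bagle remover) is seeing a filtered view and having its deletes intercepted, so the files have to be dealt with from outside the booted system or after the driver's service is prevented from starting.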
