Infection mdelk.exe and bagle [RESOLVED]


  • This topic is locked

#1
Karol33
  • Member
  • 34 posts
Hi, I am new to this forum and I am looking for some help. Some time ago I was infected with W32/Bagle.dv.dr. I know this is the exact virus because it asked me to "select a file to crack" when I downloaded a game from eMule. I rebooted and saw wintems.exe running in Task Manager; I also saw hldrrr.exe, but only once. My AVG, SPYBOT S&D, and CCleaner don't work. Will removing this infection be difficult, since I am not a security expert?

I can't provide a HJT log since I get a message that it is not a valid Windows 32 application; probably the virus blocked it or deleted it. Thanks in advance.



Here is my Kaspersky log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, February 25, 2008 6:41:36 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/02/2008
Kaspersky Anti-Virus database records: 580494
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 124009
Number of viruses found: 4
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 02:49:05

Scan process completed.




I also uploaded my report.




Ok I looked over the result and the threats are:

1)C:\Documents and Settings\user\KHALMNPR.EXE
Infected: Trojan-Downloader.Win32.Bagle.jv

2)C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4TGS27IR\b64_1[1].jpg
Infected: Trojan-PSW.Win32.Agent.xd

3)C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4TGS27IR\b64_1[2].jpg
Infected: Trojan-PSW.Win32.Agent.xd

4)C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\LC1VL64E\b64_1[1].jpg
Infected: Trojan-PSW.Win32.Agent.xd

5)C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OTUQAG0Q\b64_31[1].jpg
Infected: Email-Worm.Win32.Bagle.of

6)C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OTUQAG0Q\b64_31[2].jpg
Infected: Email-Worm.Win32.Bagle.of

7)C:\Program Files\Logitech\Video\LogiTray.exe
Infected: Trojan-Downloader.Win32.Bagle.jv

8)C:\Program Files\Windows Media Player\projy.html
Infected: Trojan-Clicker.HTML.IFrame.dn

9)C:\WINDOWS\system32\mdelk.exe
Infected: Email-Worm.Win32.Bagle.of

I saw some infections so I got rid of everything, but I can't delete mdelk.exe.

  • 0
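
Pulling the detections out of a report like the one in the first post, where most rows are only "Object is locked" noise, as an added example (not part of the original thread). It assumes the row layout seen in that report and that the header's "viruses found" figure counts distinct detection names; the rows below are copied from the post.

```python
import re
from collections import defaultdict

# Excerpt of the posted report: the two statistics lines, three of the
# "locked" rows and all nine "Infected:" rows.
REPORT = r"""
Number of viruses found: 4
Number of infected objects: 9
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\KHALMNPR.EXE Infected: Trojan-Downloader.Win32.Bagle.jv skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4TGS27IR\b64_1[1].jpg Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4TGS27IR\b64_1[2].jpg Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\LC1VL64E\b64_1[1].jpg Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OTUQAG0Q\b64_31[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OTUQAG0Q\b64_31[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\user\ntuser.dat Object is locked skipped
C:\Program Files\Logitech\Video\LogiTray.exe Infected: Trojan-Downloader.Win32.Bagle.jv skipped
C:\Program Files\Windows Media Player\projy.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped
"""

STAT = re.compile(r"^Number of (viruses found|infected objects): (\d+)$")
# Paths contain spaces, so the path is matched lazily and the row is
# anchored on the status text and the trailing action word.
ROW = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?:Object is locked|Infected: (?P<name>\S+)) (?P<action>\w+)$"
)


def parse_report(text):
    """Return (stats, infected rows, locked-row count, unparsed lines)."""
    stats, infected, locked, unparsed = {}, [], 0, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STAT.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
            continue
        m = ROW.match(line)
        if m is None:
            unparsed.append(line)          # never drop a row silently
        elif m.group("name"):
            infected.append((m.group("path"), m.group("name"), m.group("action")))
        else:
            locked += 1                    # in-use file, not a detection
    return stats, infected, locked, unparsed


def triage(text):
    """Group detections by name and cross-check them against the header."""
    stats, infected, locked, unparsed = parse_report(text)
    by_name = defaultdict(list)
    for path, name, _ in infected:
        by_name[name].append(path)
    return {
        "by_name": dict(by_name),
        "executables": [p for p, _, _ in infected if p.lower().endswith(".exe")],
        "not_removed": [p for p, _, a in infected if a == "skipped"],
        "locked": locked,
        "unparsed": unparsed,
        # False means rows were lost in copy/paste or the layout differs
        "matches_header": stats.get("infected objects") == len(infected)
        and stats.get("viruses found") == len(by_name),
    }


if __name__ == "__main__":
    result = triage(REPORT)
    for name, paths in sorted(result["by_name"].items()):
        print(name, len(paths))
    print("header consistent:", result["matches_header"])
```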

#2
JSntgRvr
  • Global Moderator
  • 11,579 posts
Hi, Karol33 :)

Welcome.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
  • 0

#3
Karol33
  • Topic Starter
  • Member
  • 34 posts
I did what you said about disabling anti virus apps, renaming it and I don't get the ComboFix is Preparing to Run message, I just get the window and that is it and a white line pulsing, am I doing something wrong? I tried following the combofix guide on your site and I get the same thing, I also used Firefox and IE and still nothing. Any thoughts?

Edited by Karol33, 27 February 2008 - 06:04 PM.

  • 0

#4
JSntgRvr
  • Global Moderator
  • 11,579 posts
Hi, Karol33 :)

Download WinPFind35U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of WinpFind35U.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with WinpFind35U or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).
  • 0

#5
Karol33
  • Topic Starter
  • Member
  • 34 posts
OK, I ran the scan. I didn't select anything, just ran the scan like you said.

I uploaded the WinPFind35.Txt result.

Edited by Karol33, 27 February 2008 - 08:22 PM.

  • 0

#6
JSntgRvr
  • Global Moderator
  • 11,579 posts
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\wintems.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

If this file is successfully deleted, please attempt to run Combo-fix once again.
  • 0

#7
Karol33
  • Topic Starter
  • Member
  • 34 posts
I downloaded it and I get a "C:\Documents and Settings\user\Desktop\avenger.exe is not a valid Win32 application." when I try to run it. The virus blocked it I guess.
  • 0

#8
JSntgRvr
  • Global Moderator
  • 11,579 posts
Hi, Karol33 :)

It is interfering with everything. Do you have the Recovery Console installed?

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::
C:\Documents and Settings\user\KHALMNPR.EXE
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4TGS27IR\b64_1[1].jpg
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4TGS27IR\b64_1[2].jpg
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\LC1VL64E\b64_1[1].jpg
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OTUQAG0Q\b64_31[1].jpg
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OTUQAG0Q\b64_31[2].jpg
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Windows Media Player\projy.html
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

If unsuccessful in Normal Mode, attempt to boot in Safe mode and try again.
  • 0

#9
Karol33
  • Topic Starter
  • Member
  • 34 posts
Well, it only blocks anti-virus programs and some rootkit applications. I don't know if I have a Recovery Console installed; should I do what you said anyways? Can I damage my PC in any way?

Oh and I already deleted some of the infections.
I got rid of:
C:\Documents and Settings\user\KHALMNPR.EXE
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4TGS27IR\b64_1[1].jpg
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4TGS27IR\b64_1[2].jpg
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\LC1VL64E\b64_1[1].jpg
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OTUQAG0Q\b64_31[1].jpg
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OTUQAG0Q\b64_31[2].jpg
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Windows Media Player\projy.html

And how do I get into Safe mode?

Edited by Karol33, 28 February 2008 - 05:07 PM.

  • 0

#10
JSntgRvr
  • Global Moderator
  • 11,579 posts
Hi, Karol33

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Attempt to run Combofix in Safe Mode.
  • 0

#11
Karol33
  • Topic Starter
  • Member
  • 34 posts
I tried Combo-Fix with the CFScript.txt in Windows and nothing, same as before: a blue window and that pulsing white line. I also tried to do it in Safe Mode, but Safe Mode didn't work. I tap F8 after the beep, then I select Safe Mode, I see a bunch of processes come up and my PC restarts, and on startup it says your computer stopped responding and the menu comes up to start Windows normally. I tried a third time and I got a white loading bar at the bottom after I chose Safe Mode, but I got the same result.

Edited by Karol33, 28 February 2008 - 08:28 PM.

  • 0

#12
JSntgRvr
  • Global Moderator
  • 11,579 posts
We will need to use an alternate way to reach the contents of your drive and attempt to delete these files.

First download the enclosed folder. Save and extract its contents to the C:\ folder. It is a batch file to attempt to remove the Bagle trojan files. Its name is Runme.bat. It is important that it is saved in the C:\ folder (root directory).

We'll have to use an alternate method for accessing NTFS files.

  • Please download BurnAtOnce and save it to your desktop.
  • Click on Downloads, then on burnatonce 0.99.5
  • Install it by double-clicking on the file bao0995.exe that you downloaded.
  • Click Next, accept the license agreement, and click Next until the button says "Install". Click "Install" to finish.

  • Download the NtFSfreeDOS.iso image.
  • Save it to your desktop.
  • Put a blank CD in your computer’s burner.
  • Right-click on the file NtFSfreeDOS.iso, and select "burnatonce" from the menu.
  • Confirm that the box under the menu at the top says "NtFSfreeDOS.iso".
  • Click the "Write" button.
  • When the disk finishes, eject the CD.
  • Configure the computer to start from the CD-ROM or DVD-ROM drive. For information about how to do this, see your computer documentation, or contact your computer manufacturer.
  • Insert the Image of NtFSfreeDOS.iso that you copied to CD into your CD-ROM or DVD-ROM drive, and then restart your computer.

You shall be presented with the following screens

Posted Image

You will have to answer "Yes" < Press Enter >

Posted Image

At the command prompt (A:\>), type these (in bold) and press Enter after each line...

A:\>C:
C:\>RunMe.bat

If the computer does not re-start, Type EXIT when done and press Enter. Remove the CD and the computer will boot back into Windows.

Once in Windows, re-Scan with Hijackthis and post a fresh log.
  • 0

#13
Karol33
  • Topic Starter
  • Member
  • 34 posts
My DVD/CD drive doesn't work because of the virus. I put in a game CD or a blank CD and I get no response. That is why I tried running an anti virus program and then I found I had the bagle. Hope I am not dead in the water.
  • 0

#14
JSntgRvr
  • Global Moderator
  • 11,579 posts
Hi, Karol33 :)

Sooner or later it will show its weakness.

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
wintems.exe
mdelk.exe

[Exclude]

[Options]
Filter=KVDLUI



2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.

  • 0
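
An offline version of the search requested above, as an added example (not part of the original post and not RegSearch's own code): it looks for the two [Search] names in the text of a .reg export, including inside hex-encoded string values that a plain text search would miss. The sample export, its keys' contents and the value names are constructed, and hex(2)/hex(7) data is assumed to be UTF-16LE as in "Version 5.00" exports.

```python
import re

NEEDLES = ("wintems.exe", "mdelk.exe")  # the [Search] terms from options.txt

# Constructed .reg export, not taken from the user's machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleA"="C:\\WINDOWS\\system32\\WINTEMS.EXE"
"ExampleB"="C:\\Program Files\\Example\\tray.exe"

[HKEY_CURRENT_USER\Software\Example\mdelk.exe]
@="placeholder"
"ExampleC"=hex(2):6d,00,64,00,65,00,6c,00,6b,00,\
  2e,00,65,00,78,00,65,00,00,00
"ExampleD"=dword:00000001
"""

VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")


def _unescape(s):
    # .reg strings escape backslashes and quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def logical_lines(text):
    """Join hex values that are wrapped with a trailing backslash."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def decode_data(raw):
    """Return the searchable text of one value's data."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    m = HEX.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).replace(" ", "").split(",") if b)
        if m.group(1) in ("2", "7"):      # REG_EXPAND_SZ / REG_MULTI_SZ
            text = data.decode("utf-16-le", "replace")
            return text.replace("\x00", " ").strip()
        return data.decode("latin-1")     # other binary data: search raw bytes
    return raw                            # dword and anything else


def search_reg(text, needles=NEEDLES):
    """Return (key, value name, where) for every case-insensitive match."""
    hits, key = [], None
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if any(n in key.lower() for n in needles):
                hits.append((key, None, "key"))
            continue
        m = VALUE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = decode_data(m.group(2))
        if any(n in name.lower() for n in needles):
            hits.append((key, name, "value name"))
        if any(n in data.lower() for n in needles):
            hits.append((key, name, "data"))
    return hits


if __name__ == "__main__":
    for key, name, where in search_reg(SAMPLE_REG):
        print(where, "|", key, "|", name)
```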

#15
Karol33
  • Topic Starter
  • Member
  • 34 posts
Ok I did what you said, I have uploaded the log.

  • 0





