[Linda68]

Hello,
I completely removed Paretologic, copied the new combofix.exe directly to the desktop and ran it.
Received, combofix.exe is not a valid win32 application.

[Advertisements]

It is Bagle. Somehow is re-spawining.

Lets try this:

1. Please download The Avenger2 by Swandog46 to your Desktop.

• Right click on the Avenger.zip folder and select "Extract All..."
• Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\drivers\srosa.sys
C:\Windows\System32\WINTEMS.EXE
C:\Windows\System32\MDELK.EXE
C:\Windows\System32\13219648.EXE
C:\Windows\System32\13213389.EXE
C:\Windows\System32\13204887.EXE
C:\Windows\System32\HLDRRR.EXE
C:\Windows\System32\ban_list.txt
C:\Windows\System32\Drivers\WINTEMS.EXE
C:\Windows\System32\Drivers\MDELK.EXE
C:\Windows\System32\Drivers\13219648.EXE
C:\Windows\System32\Drivers\13213389.EXE
C:\Windows\System32\Drivers\13204887.EXE
C:\Windows\System32\Drivers\HLDRRR.EXE
C:\Windows\System32\Drivers\ban_list.txt
C:\Windows\13219648.EXE
C:\Windows\13213389.EXE
C:\Windows\13204887.EXE
C:\RegCure 1.5.exe
C:\MGtools.exe

Drivers to delete:
srosa

Folders to delete:
C:\WINDOWS\system32\drivers\downld

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SROSA

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

• Right click on the window under Input script here:, and select Paste.
• You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V).
• Click on Execute
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
• On reboot, it will briefly open a black command window on your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

Run Combofix afterward and let me know the outcome.

[JSntgRvr]

It is Bagle. Somehow is re-spawining.

Lets try this:

1. Please download The Avenger2 by Swandog46 to your Desktop.

• Right click on the Avenger.zip folder and select "Extract All..."
• Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\drivers\srosa.sys
C:\Windows\System32\WINTEMS.EXE
C:\Windows\System32\MDELK.EXE
C:\Windows\System32\13219648.EXE
C:\Windows\System32\13213389.EXE
C:\Windows\System32\13204887.EXE
C:\Windows\System32\HLDRRR.EXE
C:\Windows\System32\ban_list.txt
C:\Windows\System32\Drivers\WINTEMS.EXE
C:\Windows\System32\Drivers\MDELK.EXE
C:\Windows\System32\Drivers\13219648.EXE
C:\Windows\System32\Drivers\13213389.EXE
C:\Windows\System32\Drivers\13204887.EXE
C:\Windows\System32\Drivers\HLDRRR.EXE
C:\Windows\System32\Drivers\ban_list.txt
C:\Windows\13219648.EXE
C:\Windows\13213389.EXE
C:\Windows\13204887.EXE
C:\RegCure 1.5.exe
C:\MGtools.exe

Drivers to delete:
srosa

Folders to delete:
C:\WINDOWS\system32\drivers\downld

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SROSA

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

• Right click on the window under Input script here:, and select Paste.
• You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V).
• Click on Execute
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
• On reboot, it will briefly open a black command window on your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

Run Combofix afterward and let me know the outcome.

[Linda68]

Now I get avenger.exe is not a valid Win32 application after following the directions.
It looks like Paretologic was allowing me to run most of these applications before, but now that it has been removed, it is back to square one.

[JSntgRvr]

Download Deckard's System Scanner (DSS) from here or here to your Desktop. Note: You must be logged onto an account with administrator privileges.

• Close all applications and windows.
• Double-click on dss.exe to run it, and follow the prompts.
• When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
• Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both, the main.txt and the extra.txt in your next reply.

If the files are too long, attach them to a reply:

• Scroll down and click the [Manage Attachments] button
• Browse to the following folder:
  
  • C:\Deckard\System Scanner
• Click Upload to upload these files one by one
• Submit your reply

[Linda68]

The two text files should be attached!

Attached Files

•  extra.txt   12.66KB   403 downloads
•  main.txt   16.66KB   262 downloads

[JSntgRvr]

Hi, Linda68

Please print these instructions as you will need to disconnect from the Internet.

We are going to use an unconventional method to attempt to remove this Trojan from your computer.

We will need to remove AVAST and SuperAntispyware as it is possible the Trojan may be using these means to re-Spawn. That would leave your computer unprotected for the time being. You can reinstall once we have remove this trojan.

First download the enclosed folder. Save and extract its contents to the C: folder. It is important this folder be saved in the C: folder (Root directory). Once saved it should appear as C:\Baglefix

Disconnect from the internet. If you have to disconnect the cable from the computer, please do so.

Set Explorer to view Hidden Files and Folders:

• Right-click your Start button and go to "Explore".
• Select Tools from the menu
• Select Folder Options
• Select the View tab
• Click on Show all Files and Folders
• Select Apply to All Folders | Yes | Apply | OK.

Go to the Add Remove programs and remove these programs, then delete the following folders:

C:\WINDOWS\system32\drivers\downld
C:\paretologic
c:\program files\superantispyware
E:\Program Files\Alwil Software (Don't know why is on E:\, but it may be the cause of the infection spawning)

Set Explorer to Defaults:

• Right-click your Start button and go to "Explore".
• Select Tools from the menu
• Select Folder Options
• Select the View tab
• Click on Restore Defaults
• Select Apply to All Folders | Yes | Apply | OK.

Close all windows.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), navigate to the C:\Baglefix folder. Doubleclick on the Fixme.bat. The MSDOS window will open. That is normal. The computer will restart. Allow it to fully restart.

Run Combofix and let me know the results.

[Linda68]

I haven't run the fix file yet, BUT, I wanted to let you know that I DO NOT have a drivers directory in the system32 parent folder in Explorer. I DO have a folder that is in blue in bold letters that says DRVSTORE and in it there is another LONG folder name (in blue) that starts with wlphonecv_8800C15 and on and on ...

I had to go through DOS to delete it. I know it is hard to believe. I saved a bmp of it for when I reconnect to the Internet so you can see.

[Linda68]

I ran the fixme.bat. Upon reboot, it could not find the 2ndround.bat file, so I had to rerun it and place the 2ndround.bat file in the proper location. Afterwards, I tried combofix without luck, same win32 error. It appears I have a catchme txt file on my desktop I don't recall seeing. Is is okay if I hook back up to the internet to send?

Is there a way I can verify that the 2ndround.bat file ran?

[JSntgRvr]

Hi, Linda68

That is the reason I asked to save the folder n the root directory, C:\, as I insert a command in the registry to run the C:\\BagleFix\\2ndRound.bat at startup.

Download the enclosed folder. It contains a renamed copy of Combofix, as MyPoppy.exe. Save and extract it to the desktop. Do not rename Combofix unless instructed.

Remove original Combofix.

Run the Fixme.bat file once again. (Make sure the Baglefix folder is in the root diretory, C:\), then after a full restart, try running Mypoppy.exe file.

[JSntgRvr]

Is is okay if I hook back up to the internet to send?

Yes, but do not expend too much time online unprotected.

[Linda68]

The combofix log is attached ...
I have WinRAR on my PC, when I double clicked, it made two Baglefix folders...at the root and another subfolder of the same name. Sorry ...

Attached Files

•  ComboFix.txt   8.79KB   253 downloads

[JSntgRvr]

Hi, Linda68

One last check. Rightclick on the Internet Explorer link and select Properties. If a shortcut, it should indicate the Target and the Start in location. Please post this information on your next reply.

• Copy the entire contents of the Quote Box below to Notepad.
• Name the file as CFScript.txt
• Change the Save as Type to All Files
• and Save it on the desktop

File::C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnkC:\WINDOWS\pss\LaunchU3.exe.lnkCommon StartupRegistry::[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

Once saved, referring to the picture above, drag CFScript.txt into MyPoppy.exe, and post back the resulting report along with a Hijackthis log..

[Linda68]

Hi
My IE link was not a shortcut. The Properties selection brought up the big box with all the tabs.
Combofix is attached...hijackthis still won't run.

Attached Files

•  ComboFix.txt   9.53KB   415 downloads

[JSntgRvr]

Can you run Hijackthis?

[Linda68]

Nope, I mentioned it in my previous post. Still get not a valid win32 app