
Request Help To Remove Bagle Trojan Virus And Changes


This topic is locked
11 replies to this topic

#1 mda

Posted 31 August 2007 - 08:15 AM

I am having a problem with a virus that I've been unable to fix, and I hope someone on here can help me remove it and fix the changes it may have made to the registry.

I am using Vista Business OEM.

I had Avast antivirus with all updates running.

Ditto Windows Defender and Windows Firewall.

The User Account Control is disabled, ditto the shadow copies.

------------------------------------------------------------------

I downloaded some rar files.

Several hours later I noticed the network connection application window popping up, trying to access Internet Explorer (I never use IE, only Opera and Firefox). I kept closing the app over and over again. I finally let it access IE to see why it was opening.

It tried to go to a couple of web sites a few times, but never got anything but a blank page.

I tried using Task Manager to see what was going on and found a program named hidr.exe that I did not recognize. I stopped the program, then searched to find the file. I then deleted the file. I assumed that since Avast, Defender, and the firewall were running and that since Avast had not warned me of a virus being downloaded, that hidr.exe was just another innocuous piece of spyware that came in with the images and text from my browser.

Several hours after that, I tried to use Avast to manually scan some newly downloaded files, and its scan window did not open. I tried again, but still nothing. I looked at the Avast icon on the taskbar, and saw it disappear. I tried to load Avast manually with the desktop shortcut, and the link was reported as bad. When I looked in the Avast directory, most of the .exe files were missing. I then tried to re-install Avast, and as I did that, its .exe files vanished. Ditto for the other missing files that I tried to copy from a USB drive. The files either would vanish as I installed them, or when I looked with Windows Explorer to see if my copies were there. The files also were being deleted from the USB drive. The only way I was able to copy the files back to the original drive without them being almost immediately deleted was to put it in a USB case and use another drive as my system drive.

I looked on the web for an explanation and discovered that hidr.exe was a virus that deleted antiviral programs. I tried installing Avast in safe mode, but it could not find the virus. I also tried the manual removal some websites mentioned, but the changes to the registry that it mentioned did not seem to exist in my registry, at least not where the websites said the alterations would be.

I tried installing Trend Micro PC-cillin, but its files vanished as well. I then tried online virus scanners, which found no viruses on my system. I then tried installing PC-cillin on another system drive, and connected my original C:\ drive via USB.

That found a virus in one of the new rar files, so I thought that all I had to do was to delete that file. When I re-installed my original system drive, I discovered that the virus must be still in the system, since files were still vanishing.

I tried some more looking around the web, found a couple of anti-virus programs that would install both in safe mode and normal mode, but they could also not find any viruses.

I assume that the hidr.exe file came from a program .exe file in that .rar file I downloaded, and that it installed something nasty in my system or changed things in the registry. I can't figure out why Avast did not see the virus inside the .exe, and I can't figure out why Trend's PC-cillin or the other programs could not find the installed virus or find the registry changes.

The name given to the virus in the .exe file in the rar file varies a bit by the programs I tried: bagle.add, W32/Bagle.ea, Worm_Win32_Bagle.gen!C, and WORM_BAGLE.KO.

The worst it seemed to be doing was deleting chkdsk.exe, as well as ntoskrnl.exe, which is needed to boot Windows and forced me to use the install/repair disc every time I needed to boot. None of the websites I looked at seemed to mention those two files.

I tried using HijackThis, StartupList, Prevx2Agent.1.0.2.85.Vista, registryboosteraff, Autoruns, avast cleaner aswclnr, Trend HouseCall66, and Trend registry cleaner sysclean.

--------------------------------------------------------------------
From the McAfee > Threat Center > Virus Detail Page - Aliases:

TROJ_MITGLIED.AI (Trend Micro)
Trojan-Proxy.Win32.Mitglieder.dz (Kaspersky)
W32.Beagle.DZ (Symantec)
W32/Bagle.MD (Norman)
Win32/TrojanProxy.Mitglieder.DZ (ESET)

Characteristics

"W32/Bagle.ea is a trojan which terminates processes and services, most
of which are related to popular security and antivirus applications."

This seems to be correct.


"It also uses a rootkit component for hiding its presence on an infected system.

Upon execution, the trojan drops a copy of itself as:

Documents and Settings\%Username%\Application Data\hidires\hidr.exe

Drops its rootkit component into the following location:

Documents and Settings\%UserName%\Application Data\hidires\m_hook.sys"

I could not find this, even in safe mode.

"Creates the following registry entries to autostart itself when Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"drvsyskit" = "Documents and Settings\%UserName%\Application Data\hidires\hidr.exe"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\m_hook
"ImagePath" = "Documents and Settings\%UserName%\Application Data\hidires\m_hook.sys" "

I also could not find this.

--------------------------------------------------------------------------------------------------
Some of the files it deleted on my drive:

08/26/2007 16:09
Scan of all local drives

File C:\Program Files\Alwil Software\Avast4\ashAvast.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\ashChest.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\ashDisp.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\ashLogV.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\ashPopWz.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\ashQuick.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\ashServ.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\ashSimp2.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\ashSimpl.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\ashSkPcc.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\ashSkPck.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\ashUpd.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\ashWebSv.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\aswRegSvr.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\copyx64.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\sched.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\VisthLic.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\VisthUpd.exe Error 0xC000000F {File Not Found}

File C:\Program Files\Iomega\Registration\Register.exe Error 0xC000000F {File Not Found}

File C:\Program Files\Mozilla Firefox\uninstall\helper.exe Error 0xC000000F {File Not Found}

File C:\Program Files\PowerQuest\PartitionMagic 8.0\BTIniNt.exe Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\DOS\BTIni.exe Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\DOS\FSIMAGE.EXE Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\DOS\partinfo.exe Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\DOS\PQBOOT.EXE Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\DOS\PQBOOTX.EXE Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\DOS\PQMAGIC.EXE Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\DOS\PTEDIT.EXE Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\DOS\SNUTIL.EXE Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\DOS\WRPROG.EXE Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\PartIn9x.exe Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\PartInNT.exe Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\PMagic9x.exe Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\PMagicBt.exe Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\PMagicNT.exe Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\PQLAUNCH.EXE Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\PqPe.exe Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\pqpe9x.exe Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\pqpeNT.exe Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\PTEDIT32.EXE Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\RESCUEME\DOSYSTEM\CHKDSK.EXE Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\RESCUEME\DOSYSTEM\EMM386.EXE Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\RESCUEME\DOSYSTEM\FLOPPY.EXE Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\RESCUEME\DOSYSTEM\FLOPPY9x.EXE Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\RESCUEME\DOSYSTEM\FLOPPYME.EXE Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\RESCUEME\DOSYSTEM\NWCDEX.EXE Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\RESCUEME\DOSYSTEM\PTEDIT32.EXE Error 0xC000000F {File Not Found}

File C:\Program Files\Roxio\VideoUI 9\tracelog.exe Error 0xC000000F {File Not Found}

File C:\Windows\Installer\{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}\PQBoot.exe Error 0xC000000F {File Not Found}

File C:\Windows\System32\chkdsk.exe Error 0xC000000F {File Not Found}

File C:\Windows\System32\ntoskrnl.exe Error 0xC000000F {File Not Found}

File C:\Windows\winsxs\x86_microsoft-windows-chkdsk_31bf3856ad364e35_6.0.6000.16386_none_bfaf97e48fc56cbc\chkdsk.exe Error 0xC000000F {File Not Found}

File C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6000.16386_none_69f99fa4b7380194\ntoskrnl.exe Error 0xC000000F {File Not Found}

File E:\0TEMPDL\NORTON\NU\NORTON80\DISK3\RESCUE.EXE Error 0xC000000F {File Not Found}
File E:\0TEMPDL\NORTON\NU\NORTON80\DISK3\SYSINFO.EXE Error 0xC000000F {File Not Found}

File E:\WIN95-PRGS\AFTERDRK\REGISTER.EXE Error 0xC000000F {File Not Found}

File E:\W95-PUT-ON-CD\DOS-BOOT\CHKDSK.EXE Error 0xC000000F {File Not Found}

File E:\D-ON-WIN95-5-4-07\000\PCI-133\PCI2IDE133\DOS\CHKDSK.EXE Error 0xC000000F {File Not Found}

File E:\D-ON-WIN95-5-4-07\pshop4\RegFiles\REGISTER.EXE Error 0xC000000F {File Not Found}

File E:\E-ON-WIN95-5-4-07\DOS\CHKDSK.EXE Error 0xC000000F {File Not Found}
File E:\E-ON-WIN95-5-4-07\DOS\EMM386.EXE Error 0xC000000F {File Not Found}

File E:\E-ON-WIN95-5-4-07\DTTOYS\REGISTER.EXE Error 0xC000000F {File Not Found}

File E:\E-ON-WIN95-5-4-07\HPNETPRN.W4W\MONITOR.EXE Error 0xC000000F {File Not Found}

File E:\E-ON-WIN95-5-4-07\MHUNI2\REGISTER.EXE Error 0xC000000F {File Not Found}

File E:\E-ON-WIN95-5-4-07\NAV\RESCUE.EXE Error 0xC000000F {File Not Found}

File E:\E-ON-WIN95-5-4-07\NU\RESCUE.EXE Error 0xC000000F {File Not Found}
File E:\E-ON-WIN95-5-4-07\NU\SYSINFO.EXE Error 0xC000000F {File Not Found}

File E:\E-ON-WIN95-5-4-07\SCSI\SCANNER.EXE Error 0xC000000F {File Not Found}

File E:\E-ON-WIN95-5-4-07\SDD52\BACKUP\MONITOR.EXE Error 0xC000000F {File Not Found}
File E:\E-ON-WIN95-5-4-07\SDD52\WIN16\MONITOR.EXE Error 0xC000000F {File Not Found}

File E:\E-ON-WIN95-5-4-07\WINDOWS\EMM386.EXE Error 0xC000000F {File Not Found}

File E:\E-ON-WIN95-5-4-07\WINDOWS\PIXTRAN\RUNSETUP.EXE Error 0xC000000F {File Not Found}

File E:\E-ON-WIN95-5-4-07\WINDOWS\TWAIN\EPSON\RUNSETUP.EXE Error 0xC000000F {File Not Found}

File E:\E-ON-WIN95-5-4-07\AFTERDRK\REGISTER.EXE Error 0xC000000F {File Not Found}

File E:\C-OLD-WIN95-5-13-1997\pshop4\RegFiles\REGISTER.EXE Error 0xC000000F {File Not Found}

File E:\C-OLD-WIN95-5-13-1997\ZIP\ARJ\REGISTER.EXE Error 0xC000000F {File Not Found}

File E:\C-OLD-WIN95-5-13-1997\WINDOWS\EMM386.EXE Error 0xC000000F {File Not Found}

File E:\C-OLD-WIN95-5-13-1997\WINDOWS\COMMAND\CHKDSK.EXE Error 0xC000000F {File Not Found}

File E:\C-OLD-WIN95-5-13-1997\SCSI\scanner.exe Error 0xC000000F {File Not Found}

File E:\C-OLD-WIN95-5-13-1997\Program Files\Quick View Plus\REGISTER\REGISTER.EXE Error 0xC000000F {File Not Found}

File E:\C-OLD-WIN311-5-13-1997\WINDOWS\EMM386.EXE Error 0xC000000F {File Not Found}

File E:\C-OLD-WIN311-5-13-1997\SCSI31\SCSI\SCANNER.EXE Error 0xC000000F {File Not Found}
File E:\C-OLD-WIN311-5-13-1997\SCSI\SCANNER.EXE Error 0xC000000F {File Not Found}

File E:\C-OLD-WIN311-5-13-1997\NU\RESCUE.EXE Error 0xC000000F {File Not Found}
File E:\C-OLD-WIN311-5-13-1997\NU\SYSINFO.EXE Error 0xC000000F {File Not Found}

File E:\C-OLD-WIN311-5-13-1997\DOS-ORG\CHKDSK.EXE Error 0xC000000F {File Not Found}
File E:\C-OLD-WIN311-5-13-1997\DOS-ORG\EMM386.EXE Error 0xC000000F {File Not Found}
File E:\C-OLD-WIN311-5-13-1997\DOS\CHKDSK.EXE Error 0xC000000F {File Not Found}
File E:\C-OLD-WIN311-5-13-1997\DOS\EMM386.EXE Error 0xC000000F {File Not Found}

File E:\C-WIN95--5-9-07\clickbook\clikb205\REGISTER.EXE Error 0xC000000F {File Not Found}

File E:\C-WIN95--5-9-07\nav-5\navapw32.exe Error 0xC000000F {File Not Found}

File E:\C-WIN95--5-9-07\nav-5\NavLu32.exe Error 0xC000000F {File Not Found}
File E:\C-WIN95--5-9-07\nav-5\NAVW32.EXE Error 0xC000000F {File Not Found}
File E:\C-WIN95--5-9-07\nav-5\NSCHED32.EXE Error 0xC000000F {File Not Found}
File E:\C-WIN95--5-9-07\nav-5\RESCUE.EXE Error 0xC000000F {File Not Found}

File E:\C-WIN95--5-9-07\Program Files\Quick View Plus\PROGRAM\Register.exe Error 0xC000000F {File Not Found}
File E:\C-WIN95--5-9-07\Program Files\Quick View Plus\REGISTER\REGISTER.EXE Error 0xC000000F {File Not Found}

File E:\C-WIN95--5-9-07\SCSI\scanner.exe Error 0xC000000F {File Not Found}

File E:\C-WIN95--5-9-07\WINDOWS\EMM386.EXE Error 0xC000000F {File Not Found}

File E:\C-WIN95--5-9-07\WINDOWS\COMMAND\CHKDSK.EXE Error 0xC000000F {File Not Found}

File E:\C-WIN95--5-9-07\WINDOWS\TWAIN_32\Scanwiz\SCAN32.EXE Error 0xC000000F {File Not Found}

File E:\C-WIN95--5-9-07\ZIP\ARJ\REGISTER.EXE Error 0xC000000F {File Not Found}
File E:\C-WIN95--5-9-07\ZIP\ARJ\arj255\REGISTER.EXE Error 0xC000000F {File Not Found}

File E:\pm8\DOS\BTIni.exe Error 0xC000000F {File Not Found}
File E:\pm8\DOS\FSIMAGE.EXE Error 0xC000000F {File Not Found}
File E:\pm8\DOS\partinfo.exe Error 0xC000000F {File Not Found}
File E:\pm8\DOS\PQBOOT.EXE Error 0xC000000F {File Not Found}
File E:\pm8\DOS\PQBOOTX.EXE Error 0xC000000F {File Not Found}
File E:\pm8\DOS\PQMAGIC.EXE Error 0xC000000F {File Not Found}
File E:\pm8\DOS\PTEDIT.EXE Error 0xC000000F {File Not Found}
File E:\pm8\DOS\SNUTIL.EXE Error 0xC000000F {File Not Found}
File E:\pm8\DOS\WRPROG.EXE Error 0xC000000F {File Not Found}
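The post does not say how a list like the one above can be triaged, so here is one way to do it, as an added example that is not the poster's or the forum's own tool. It assumes an avast-style log with one "File <path> Error <code> {File Not Found}" entry per line and works on a constructed subset of the lines above. Grouping the missing files by basename makes the pattern visible: names such as chkdsk.exe, rescue.exe and register.exe recur under every directory on every drive, which is what deletion by file name rather than by location looks like, and the script separately flags the Windows boot/repair binaries the poster noticed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: a subset of the 'File Not Found' lines from the avast log quoted above.
SAMPLE_LOG = r"""
08/26/2007 16:09
Scan of all local drives

File C:\Program Files\Alwil Software\Avast4\ashServ.exe Error 0xC000000F {File Not Found}
File C:\Program Files\Alwil Software\Avast4\ashDisp.exe Error 0xC000000F {File Not Found}
File C:\Program Files\PowerQuest\PartitionMagic 8.0\RESCUEME\DOSYSTEM\CHKDSK.EXE Error 0xC000000F {File Not Found}
File C:\Windows\System32\chkdsk.exe Error 0xC000000F {File Not Found}
File C:\Windows\System32\ntoskrnl.exe Error 0xC000000F {File Not Found}
File C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6000.16386_none_69f99fa4b7380194\ntoskrnl.exe Error 0xC000000F {File Not Found}
File E:\E-ON-WIN95-5-4-07\DOS\CHKDSK.EXE Error 0xC000000F {File Not Found}
File E:\E-ON-WIN95-5-4-07\NU\RESCUE.EXE Error 0xC000000F {File Not Found}
File E:\C-WIN95--5-9-07\nav-5\RESCUE.EXE Error 0xC000000F {File Not Found}
File E:\C-WIN95--5-9-07\ZIP\ARJ\REGISTER.EXE Error 0xC000000F {File Not Found}
File E:\pm8\DOS\PQBOOT.EXE Error 0xC000000F {File Not Found}
"""

# One log entry: "File <path> Error <NTSTATUS> {<message>}" (assumed format, matches the post).
LINE_RE = re.compile(r"^File (?P<path>.+) Error (?P<code>0x[0-9A-Fa-f]+) \{(?P<msg>[^}]+)\}$")

# Boot/repair binaries the poster reported missing; used to flag the entries that break booting.
WINDOWS_CRITICAL = {"ntoskrnl.exe", "chkdsk.exe"}


def parse_missing_files(log_text):
    """Return the path of every 'File Not Found' entry in an avast-style scan log."""
    missing = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("msg") == "File Not Found":
            missing.append(m.group("path"))
    return missing


def count_by_basename(paths):
    """Count missing files by case-folded file name, ignoring the directory they lived in."""
    return Counter(PureWindowsPath(p).name.lower() for p in paths)


def system_files_hit(paths):
    """Return the missing files that sit under C:\\Windows and are in WINDOWS_CRITICAL."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        under_windows = (wp.drive.upper() == "C:" and len(wp.parts) > 1
                         and wp.parts[1].lower() == "windows")
        if under_windows and wp.name.lower() in WINDOWS_CRITICAL:
            hits.append(p)
    return hits


def triage(log_text):
    """Summarise a log: how many files are gone, which names recur, and which boot files are hit."""
    paths = parse_missing_files(log_text)
    return {
        "missing": len(paths),
        "by_name": count_by_basename(paths).most_common(),
        "critical": system_files_hit(paths),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['missing']} files reported missing")
    for name, n in summary["by_name"]:
        print(f"  {n:3d}  {name}")
    print("boot/repair binaries affected:")
    for p in summary["critical"]:
        print(f"  {p}")
```

Run against the full log from the post, the same grouping shows that the Avast binaries, the PartitionMagic tools and the old DOS utilities on E: were all hit by name, independent of where they were stored.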


#2 TMacK

Posted 31 August 2007 - 04:14 PM

Hi mda,

Try using the W32.Beagle@mm Removal Tool for the Bagle/Beagle infection.

Sophos has also provided these instructions to help remove the infection.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner

#3 mda (Topic Starter)

Posted 31 August 2007 - 09:50 PM

Thanks for the response. Unfortunately, neither of these programs worked. The removal tool was dated July 5, 2006, so perhaps it only works on Windows OSs up to XP. Ditto for the baglegui.com program from Sophos. Both used the same 1.13 data file.

I got many Visual C++ runtime errors from the removal tool before it started to work, and as it said I could run it in normal Windows, I did that. I did not know it would try to scan all of my files or I would have run it in safe mode.

The virus did its bit as the tool was scanning and deleted my files again. It said there were no viruses. I ran it again in safe mode, and got the same end result. The logs from both programs had thousands of entries that either said "not scanned" or "warning: not scanned, path to long" (their misspelling).

Do you or anyone else have any other suggestions?

Thanks,

mda

#4 quietman7 (Global Moderator)

Posted 31 August 2007 - 10:06 PM

Download Sysclean Package & save it to your desktop.
  • Create a new folder on drive "C:\" and rename it Sysclean - (C:\Sysclean).
  • Place the sysclean.com inside that folder.
  • Then download the latest Virus Pattern Files. (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number.)
  • Extract (unzip) the lptxxx.zip pattern file into the Sysclean folder where you put sysclean.com. (Click here for information on how to extract a file if you're not sure how to do this.) DO NOT scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Note: Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean, so it's best to disable them before going to the next step.

Scan with Sysclean as follows:
  • Open the Sysclean folder and double-click on sysclean.com to start the scanning process.
  • Put a check mark on the "Automatically clean or delete infected files" option by clicking in the checkbox.
  • Click the Advanced >> button.
  • The scan options appear. Select the "Scan all local fixed drives".
  • Click the "Scan button" on the Trend Micro System Cleaner console.
  • It will take some time to complete. Be patient and let it clean whatever it finds.
  • Another MS-DOS window appears containing the log file generated in the System Cleaner folder.
  • To view the log, click the "View button" on the Trend Micro System Cleaner console. The Trend Micro Sysclean Package - Log window appears.
    • The Files Detected section shows the viruses that were detected by System Cleaner.
    • The Files Clean section shows the viruses that were cleaned.
    • The Clean Fail section shows the viruses that were not cleaned.
  • Exit when done, reboot normally and re-enable your anti-virus program.
Instructions with screenshots are here if you need them.

When using Sysclean it's best to use the Administrator's account or an account with Administrative rights; otherwise you will not have the rights to scan some locations. The scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system. This tool generates a log file (sysclean.log) in the same folder where the scan is completed.

Then perform one of these online virus scans if symptoms persist:
  • ESET Online Scanner
  • BitDefender Online Scanner <- Add a check by "Autoclean". (Requires Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.)
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#5 mda (Topic Starter)

Posted 01 September 2007 - 10:29 AM

Thanks for the reply. I mentioned in my first post that I tried Sysclean. I tried it just like you described, but it did not see any viruses.

I did try ESET Online Scanner and BitDefender Online Scanner because of your post. They did not show any viruses either, other than a test rar file I put in place that has spyware in it (just to see if they worked; this had previously been caught by Avast).

I have a copy of the Bagle/Beagle virus in its rar/exe file that is still messing with my laptop, on a flash chip. Maybe someone knows if there is someplace that can analyze it for me?

#6 TMacK

Posted 01 September 2007 - 11:16 AM

Anytime you come across a suspicious file, you can submit it to Jotti's virusscan or VirusTotal.
In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

#7 mda (Topic Starter)

Posted 02 September 2007 - 04:41 AM

Thanks. I tried the two sites. The results are below:

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File:
Status: INFECTED/MALWARE
MD5: 8247c16432d8e81da5ee15f90e4e8eef
Bit9 reports: File not found

Scanner results
Scan taken on 02 Sep 2007 09:26:37 (GMT)
A-Squared Found nothing
AntiVir Found TR/Bagle.Gen.B
ArcaVir Found Worm.Beagle.Jc
Avast Found Win32:Beagle-WS
AVG Antivirus Found Downloader.Generic5.XGC
BitDefender Found Trojan.Downloader.Bagle.DF
ClamAV Found Trojan.Bagle-4
CPsecure Found W32.Email.W.Bagle.jc
Dr.Web Found Win32.HLLM.Beagle
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Bagle.cw
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Bagle.cw
NOD32 Found Win32/Bagle.JC
Norman Virus Control Found W32/Mitglied.AGS
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found I-Worm.Bagle.OD
VBA32 Found nothing
-------------------------------------------------------------------
VirusTotal - Free Online Virus and Malware Scan - Result

File received on 09.02.2007 11:17:54 (CET)

Result: 18/32 (56.25%)


Antivirus         | Version      | Last Update | Result
------------------+--------------+-------------+----------------------------------
AhnLab-V3         | 2007.9.1.0   | 2007.09.01  | -
AntiVir           | 7.4.1.66     | 2007.09.01  | TR/Bagle.Gen.B
Authentium        | 4.93.8       | 2007.09.02  | -
Avast             | 4.7.1029.0   | 2007.09.01  | Win32:Beagle-WS
AVG               | 7.5.0.484    | 2007.09.01  | Downloader.Generic5.XGC
BitDefender       | 7.2          | 2007.09.02  | Trojan.Downloader.Bagle.DF
CAT-QuickHeal     | 9.00         | 2007.09.01  | TrojanDownloader.Bagle.cw
ClamAV            | 0.91.2       | 2007.09.02  | -
DrWeb             | 4.33         | 2007.09.01  | Win32.HLLM.Beagle
eSafe             | 7.0.15.0     | 2007.08.29  | suspicious Trojan/Worm
eTrust-Vet        | 31.1.5100    | 2007.08.31  | -
Ewido             | 4.0          | 2007.09.02  | -
FileAdvisor       | 1            | 2007.09.02  | -
Fortinet          | 3.11.0.0     | 2007.09.02  | W32/PackBag.A
F-Prot            | 4.3.2.48     | 2007.09.02  | -
F-Secure          | 6.70.13030.0 | 2007.09.02  | Trojan-Downloader.Win32.Bagle.cw
Ikarus            | T3.1.1.12    | 2007.09.02  | -
Kaspersky         | 4.0.2.24     | 2007.09.02  | Trojan-Downloader.Win32.Bagle.cw
McAfee            | 5110         | 2007.08.31  | New Poly Win32
Microsoft         | 1.2803       | 2007.09.02  | Worm:Win32/Bagle.gen!C
NOD32v2           | 2497         | 2007.09.01  | Win32/Bagle.JC
Norman            | 5.80.02      | 2007.08.31  | W32/Mitglied.AGS
Panda             | 9.0.0.4      | 2007.09.01  | -
Prevx1            | V2           | 2007.09.02  | -
Rising            | 19.38.61.00  | 2007.09.02  | -
Sophos            | 4.21.0       | 2007.09.02  | -
Sunbelt           | 2.2.907.0    | 2007.08.31  | VIPRE.Suspicious
Symantec          | 10           | 2007.09.02  | -
TheHacker         | 6.1.9.175    | 2007.08.31  | W32/Bagle.jc
VBA32             | 3.12.2.3     | 2007.09.01  | -
VirusBuster       | 4.3.26:9     | 2007.09.02  | I-Worm.Bagle.OD
Webwasher-Gateway | 6.0.1        | 2007.09.01  | Trojan.Bagle.Gen.B
Additional information
File size: 315781 bytes
MD5: 8247c16432d8e81da5ee15f90e4e8eef
SHA1: e8ecc3d658ea3cd0ffc70c1c3785ec05f7ed0841
Sunbelt info: VIPRE.Suspicious is a generic detection for potential
threats that are deemed suspicious through heuristics.

---------------------------------------------------------------------------------
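The two reports above show the point that multi-engine scans make in practice: the same sample is labelled Bagle, Beagle and Mitglied by different vendors (the McAfee alias list earlier in the thread says these are one family), some engines return only a generic "Downloader" label, and several return nothing at all. The following is an added example, not code from the poster, from Jotti or from VirusTotal, that parses the Jotti-style "Engine Found Label" lines pasted above and folds vendor names into one family so that a detection count and a family consensus can be read off. The alias table is an assumption limited to the names this thread mentions.

```python
import re
from collections import Counter

# Constructed sample: the Jotti scanner lines from the post above, pasted verbatim.
JOTTI_SAMPLE = """\
Scanner results
Scan taken on 02 Sep 2007 09:26:37 (GMT)
A-Squared Found nothing
AntiVir Found TR/Bagle.Gen.B
ArcaVir Found Worm.Beagle.Jc
Avast Found Win32:Beagle-WS
AVG Antivirus Found Downloader.Generic5.XGC
BitDefender Found Trojan.Downloader.Bagle.DF
ClamAV Found Trojan.Bagle-4
CPsecure Found W32.Email.W.Bagle.jc
Dr.Web Found Win32.HLLM.Beagle
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Bagle.cw
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Bagle.cw
NOD32 Found Win32/Bagle.JC
Norman Virus Control Found W32/Mitglied.AGS
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found I-Worm.Bagle.OD
VBA32 Found nothing
"""

# Vendor spellings of the same family, folded into one canonical name. Assumed table,
# built only from the aliases this thread quotes (Bagle / Beagle / Mitglieder).
FAMILY_ALIASES = {
    "bagle": "Bagle",
    "beagle": "Bagle",
    "mitglied": "Bagle",
    "mitglieder": "Bagle",
}


def parse_jotti(text):
    """Map each engine name to its detection label, or None for 'Found nothing'."""
    results = {}
    for line in text.splitlines():
        if " Found " not in line:
            continue                      # header lines such as 'Scan taken on ...'
        engine, label = line.split(" Found ", 1)
        label = label.strip()
        results[engine.strip()] = None if label.lower() == "nothing" else label
    return results


def family_of(label):
    """Return the canonical family for a vendor label, or None if no alias token matches."""
    for token in re.findall(r"[A-Za-z]+", label.lower()):
        if token in FAMILY_ALIASES:
            return FAMILY_ALIASES[token]
    return None


def consensus(results):
    """Summarise multi-engine output: hit ratio and how many engines agree on a family."""
    labels = [v for v in results.values() if v]
    families = Counter(family_of(v) or "unclassified" for v in labels)
    return {"engines": len(results), "detections": len(labels), "families": families}


if __name__ == "__main__":
    summary = consensus(parse_jotti(JOTTI_SAMPLE))
    print(f"{summary['detections']}/{summary['engines']} engines flagged the file")
    for family, n in summary["families"].most_common():
        print(f"  {family}: {n}")
```

The useful output is not the raw ratio but the agreement: here twelve of the thirteen detecting engines name the same family, which is stronger evidence than any single vendor label, and the "unclassified" bucket shows which engines fired on a generic heuristic only.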

#8 quietman7 (Global Moderator)

Posted 02 September 2007 - 06:34 AM

Have you tried downloading and scanning with the MS Malicious Software Removal Tool?
Click on the link "Skip the details and download the tool".
The tool has three scan options:
1. Quick scan: Scans areas of the system most likely to contain malicious software.
2. Full scan: Scans the entire system but can take up to several hours to complete.
3. Customized scan: In addition to a quick scan, the tool will also scan the contents of a user-specified folder.

#9 mda (Topic Starter)

Posted 03 September 2007 - 09:17 PM

Yes, thanks. I had already tried that. Ditto the Kaspersky? online scanner. Maybe someone can tell where the problem is by looking at a HijackThis log? Or since it's deleting specific files like ntoskrnl.exe and chkdsk.exe, is there some place on my computer I can search for a list of those names, perhaps in the registry? Or are those names coded directly into the virus file that might be on my system so that is not an option? Arrg! Maybe there is some program that can copy this current registry and the registry from an older cloned drive and then compare the two?
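The last question in that post, comparing the current registry with the one on an older cloned drive, is a baseline diff, and it is the check a responder would run when the documented registry entries cannot be found by hand. The following is an added example, not a tool from the poster or from BleepingComputer, that compares two .reg exports (regedit produces them with File > Export) and flags additions or changes under autostart locations. Both exports are constructed: the baseline stands for the clean clone, and the current one additionally carries the two persistence entries quoted from McAfee's description earlier in the thread (the drvsyskit Run value and the m_hook service). The parser handles [key] headers, "name"="string" values and dword values; it does not handle multi-line hex(...) continuations, and the autostart key patterns are an assumption chosen to match the locations that description names.

```python
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

# Persistence locations to flag in a diff (assumed set: the Run keys and service definitions
# named in the McAfee description quoted in this thread).
AUTOSTART_PATTERNS = (
    re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE),
    re.compile(r"\\System\\CurrentControlSet\\Services\\[^\\]+$", re.IGNORECASE),
)

# Constructed exports: BASELINE_REG stands for the older cloned drive, CURRENT_REG for the
# drive under investigation. ExampleVendor/ExampleApp is a made-up key with a benign change.
BASELINE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"LastRun"="2007-08-20"
"""

CURRENT_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"drvsyskit"="Documents and Settings\\%UserName%\\Application Data\\hidires\\hidr.exe"

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"LastRun"="2007-08-26"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\m_hook]
"Type"=dword:00000001
"ImagePath"="Documents and Settings\\%UserName%\\Application Data\\hidires\\m_hook.sys"
"""


def _unquote(data):
    """Decode a REG_SZ value written as "..." with \\ and \" escapes; other types stay verbatim."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; keys without values map to {}."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == REG_HEADER:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            hives.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name")
            hives[current][name] = _unquote(m.group("data"))
    return hives


def diff_reg(baseline, current):
    """List (kind, key, name, data) for values added, changed or removed relative to baseline."""
    findings = []
    for key, values in current.items():
        old = baseline.get(key, {})
        for name, data in values.items():
            if name not in old:
                findings.append(("added", key, name, data))
            elif old[name] != data:
                findings.append(("changed", key, name, data))
    for key, values in baseline.items():
        for name, data in values.items():
            if name not in current.get(key, {}):
                findings.append(("removed", key, name, data))
    return findings


def autostart_findings(findings):
    """Keep only the findings that touch an autostart location."""
    return [f for f in findings if any(p.search(f[1]) for p in AUTOSTART_PATTERNS)]


if __name__ == "__main__":
    findings = diff_reg(parse_reg(BASELINE_REG), parse_reg(CURRENT_REG))
    for kind, key, name, data in autostart_findings(findings):
        print(f"{kind:8s} [{key}] {name!r} = {data!r}")
```

When reading real exports from disk, open them with encoding="utf-16", which is what regedit writes for Version 5.00 files. The benign LastRun change is reported by diff_reg but filtered out by autostart_findings, which is the point of the filter: a full-registry diff is noisy, and the autostart subset is what needs a human's attention.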

#10 quietman7 (Global Moderator)

Posted 04 September 2007 - 08:11 AM

> maybe someone can tell where the problem is by looking at a hijack this log?

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip it and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

When you have done that, post your log in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#11 mda (Topic Starter)

Posted 05 September 2007 - 12:02 AM

Thanks much. I'll give that a try.

#12 tg1911

Posted 05 September 2007 - 12:19 AM

mda,

Now that you have an open HJT log posted in the HijackThis Logs and Malware Removal forum, you shouldn't make any changes to your system. Doing so could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

I'm closing this topic until you are cleared by the HJT Team. If, after your log has been cleaned, you still need help, please PM a Moderator and we will re-open this topic.

If you have any questions, don't hesitate to send me a PM.


Edited by tg1911, 05 September 2007 - 12:20 AM.

MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA
