Desperately need help - I think I have win32.worm.beagle

Discussion in 'Malware Help (A Specialist Will Reply)' started by templer10, Feb 11, 2008.

  1. templer10

    templer10 Private E-2

    Would really appreciate some help here.

    Yesterday I suddenly got hit by a blue screen of death and when the computer rebooted itself AVG (Internet Security) and AVG Antispam weren't working.

    After some digging using several online antivirus programs I think I have win32.worm.beagle.

    To remove it I tried the suggested standard solutions: I got MGtools running and the file is attached, I used CCleaner when I could get it to work (I had to use Ad-Aware, which works on and off, to remove Mdelk.exe - it removed it temporarily but it didn't solve the problem and it came back after a few minutes (I got hit by another blue screen of death).

    I tried to activate Spybot & ComboFix - both refused to run.

    I really don't know what to do so ANY help would be appreciated.

    P.S. - I checked my installed programs and didn't see anything suspicious, I didn't have Java running (new computer) so I installed the one you suggested.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please uninstall both eMule and Ask toolbar.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  3. templer10

    templer10 Private E-2

    I deleted eMule and Ask toolbar - didn't actually find Ask toolbar installed - so deleted it manually.

    I did the analyse and removed those you mentioned.
    Then I added the line you asked to the registry and then

    I downloaded Avenger and tried to run it with antiviruses disabled - it didn't work - it said the same thing that AVG used to say when I tried to run it - avenger.exe is illegal (or something like it) in Win32 application - note - I am actually translating the error message since I have Windows in the Hebrew language.

    I am attaching a new log of MGtools
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok.....use windows explorer to find and delete those files ...you could try safe mode to do so.

    Then re-run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also ComboFix.
     
  5. templer10

    templer10 Private E-2

    Couldn't find any library and/or file called C:\WINDOWS\system32\drivers\down. I eventually managed to delete mdelk. Still can't run ComboFix; new logs from MGlogs are attached.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please delete everything in these two folders:
    C:\WINDOWS\Temp
    C:\Documents and Settings\user\Local Settings\Temp

    Now download a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then Click on the All Files button.*(or on the folders option)*
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.
     
  7. templer10

    templer10 Private E-2

    Ok - I managed to delete the files in c:\windows temp and all files in c:\windows\temp except a file called ~DFBC0D.tmp

    I downloaded and ran Killbox, deleted the temp files, deleted the C:\WINDOWS\system32\drivers\down folder by manually deleting it from CMD (Killbox didn't manage to do it).

    I still have infections from somewhere and I still can't run ComboFix, Avenger etc.

    I am attaching a new MGtools log.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Next, download and run RogueRemover.

    Now how are you doing?
     
  9. templer10

    templer10 Private E-2

    I added the line to the registry, I downloaded RogueRemover - installed - it won't run - I think the infection or whatever it is is stopping it.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok..let's do this: Go to Bitdefender agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click-on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click Save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
     
  11. templer10

    templer10 Private E-2

    Ok... Done, BitDefender report uploaded.

    Note - I uploaded it as *.txt since *.html wouldn't upload so it still needs renaming.

    To make things short: these are the files that it found to have problems:

    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe - Infected with: Win32.Bagle.SUX@mm
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe - Deleted
    C:\WINDOWS\system32\drivers\srosa.sys - Infected with: Rootkit.Bagle.D
    C:\WINDOWS\system32\drivers\srosa.sys - Disinfection failed
    C:\WINDOWS\system32\drivers\srosa.sys - Delete failed
    D:\download\3wPlayer-1.0.0.3-setup-0210.exe=>(Instyler o)=>(Instyler Module 7) Infected with: Trojan.FatObfus.Gen
    D:\download\3wPlayer-1.0.0.3-setup-0210.exe=>(Instyler o)=>(Instyler Module 7) Disinfection failed
    D:\download\3wPlayer-1.0.0.3-setup-0210.exe=>(Instyler o)=>(Instyler Module 7) Deleted
    D:\download\3wPlayer-1.0.0.3-setup-0210.exe=>(Instyler o) Update failed
    D:\download\3wPlayer-1.0.0.3-setup-0395.exe=>(Instyler o)=>(Instyler Module 7) Infected with: Trojan.FatObfus.Gen
    D:\download\3wPlayer-1.0.0.3-setup-0395.exe=>(Instyler o)=>(Instyler Module 7) Disinfection failed
    D:\download\3wPlayer-1.0.0.3-setup-0395.exe=>(Instyler o)=>(Instyler Module 7) Deleted
    D:\download\3wPlayer-1.0.0.3-setup-0395.exe=>(Instyler o) Update failed
    D:\download\bsplayer142.833.zip=>bsplayer142.833.exe=>(NSIS o)=>zlib_nsis0010 Detected with: Application.Adware.Savenow.G
    D:\download\bsplayer142.833.zip=>bsplayer142.833.exe=>(NSIS o)=>zlib_nsis0010 Disinfection failed
    D:\download\bsplayer142.833.zip=>bsplayer142.833.exe=>(NSIS o)=>zlib_nsis0010 Deleted
    D:\download\bsplayer142.833.zip=>bsplayer142.833.exe=>(NSIS o) Update failed
    D:\download\prog backup\DivXPro511Adware.exe=>(NSIS o)=>lzma_solid_nsis0019 Detected with: Adware.Gator.C
    D:\download\prog backup\DivXPro511Adware.exe=>(NSIS o)=>lzma_solid_nsis0019 Disinfection failed
    D:\download\prog backup\DivXPro511Adware.exe=>(NSIS o)=>lzma_solid_nsis0019 Deleted
    D:\download\prog backup\DivXPro511Adware.exe=>(NSIS o) Update failed
     

    Attached Files:
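The export above has to be read by hand to tell which detections actually ended in a deletion (NeroCheck.exe did; the srosa.sys rootkit driver did not). The following is an added example, not code from the thread or from BitDefender: it parses report lines in that shape, groups the events per scanned object, and lists the objects that were detected but could not be removed. The sample lines are constructed from the entries quoted above.

```python
import re

# Constructed sample in the shape of the BitDefender export posted above (not the full log).
SAMPLE_REPORT = r"""
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe -Infected with: Win32.Bagle.SUX@mm
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe - Deleted
C:\WINDOWS\system32\drivers\srosa.sys - Infected with: Rootkit.Bagle.D
C:\WINDOWS\system32\drivers\srosa.sys - Disinfection failed
C:\WINDOWS\system32\drivers\srosa.sys - Delete failed
D:\download\bsplayer142.833.zip=>bsplayer142.833.exe=>(NSIS o)=>zlib_nsis0010 Detected with: Application.Adware.Savenow.G
D:\download\bsplayer142.833.zip=>bsplayer142.833.exe=>(NSIS o)=>zlib_nsis0010 Disinfection failed
D:\download\bsplayer142.833.zip=>bsplayer142.833.exe=>(NSIS o)=>zlib_nsis0010 Deleted
D:\download\bsplayer142.833.zip=>bsplayer142.833.exe=>(NSIS o) Update failed
"""

# One report line: the scanned object (a path, possibly with =>archive members),
# an optional " - " separator, then the event the scanner reports for it.
LINE_RE = re.compile(
    r"^(?P<obj>.+?)\s*-?\s*"
    r"(?P<event>(?:Infected|Detected) with:\s*(?P<threat>\S+)"
    r"|Deleted|Disinfection failed|Delete failed|Update failed)\s*$"
)

def parse_report(text):
    """Group events per scanned object: {obj: {'threat': name or None, 'events': [...]}}."""
    objects = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in a shape this parser does not understand
        entry = objects.setdefault(m.group("obj"), {"threat": None, "events": []})
        if m.group("threat"):
            entry["threat"] = m.group("threat")
            entry["events"].append("detected")
        else:
            entry["events"].append(m.group("event"))
    return objects

def outcome(entry):
    """Final state of one object after the scanner's attempts on it."""
    ev = entry["events"]
    if "Deleted" in ev:
        return "removed"
    if "Delete failed" in ev or "Disinfection failed" in ev:
        return "still present"          # detection without a successful removal
    if "Update failed" in ev:
        return "container not rewritten"  # archive could not be repacked without the member
    return "detected only"

def unresolved(text):
    """Objects the scanner named a threat for but could not remove, with the threat name."""
    return [(obj, e["threat"]) for obj, e in parse_report(text).items()
            if e["threat"] and outcome(e) == "still present"]

if __name__ == "__main__":
    for obj, threat in unresolved(SAMPLE_REPORT):
        print(f"STILL PRESENT: {obj} ({threat})")
```

On the sample this reports only srosa.sys, which matches what the thread goes on to fight: a driver the scanner could neither disinfect nor delete is the item to follow up on, not the archive members that were already removed.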

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now tell me if you are still having problems.
     
  13. templer10

    templer10 Private E-2

    I did what you told me. Afterwards I could activate RogueRemover (which didn't find any problems), started to do a scan using Kaspersky to check if I had anything more and got a new blue screen of death, and RogueRemover isn't working anymore, Spybot etc. also not working, so I still got SOMETHING.

    New MGtools log is attached (note - it asked me if I want to cancel or debug something near the end of the run - not sure what is up with that). I'll run the Kaspersky online scanner (it only checks and won't fix anyway) and I will add the log when it's done.
     

    Attached Files:

  14. templer10

    templer10 Private E-2

    OK - Kaspersky report attached - seems it found stuff BitDefender didn't.
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then let's remove them and see how it goes:

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt
     
  16. templer10

    templer10 Private E-2

    I am still having problems - I have CounterSpy and it keeps finding Trojan-.downloader.win32.bagle.at in location: hkey_users\s-1-5-21-1123561945-688789844-725345543-1003\SOFTWARE\FIRSTRUN

    If I delete it, a few moments later I get hit by a blue screen of death and things start to crop back up again (like mdelk.exe).

    For instance - last time I found the following in a Kaspersky scan - (I deleted them in the meantime) but they or similar will probably come back eventually.

    Any things to do?
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Is CounterSpy a paid-for version or just the trial version ....if trial, uninstall it.
    What exactly is the error from the BSOD?
     
  18. templer10

    templer10 Private E-2

    What is BSOD?
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    BSOD = "Blue screen of death"

    What error did it refer to?
     
  20. templer10

    templer10 Private E-2

    I don't know - it's gone in less than a second - but it always came after I deleted

    Trojan-.downloader.win32.bagle.at in location: hkey_users\s-1-5-21-1123561945-688789844-725345543-1003\SOFTWARE\FIRSTRUN

    using CounterSpy.
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re-run ComboFix and run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file as well as the ComboFix log.
     
  22. templer10

    templer10 Private E-2

    ComboFix doesn't work for me (and never did) - I get the "not a valid win32 windows application" error. MGlogs are attached.
     

    Attached Files:

  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    New procedures for running ComboFix which may get it to run:

    Running ComboFix
     
  24. templer10

    templer10 Private E-2

    Tried that - doesn't work - note I DON'T have the English version of Windows, it's Hebrew localized so the directory isn't actually called "desktop" where the desktop is - I tried to input the correct directory also with the other parameters - still didn't work - it keeps saying the "not a valid win32 windows application" error.
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Why are you not using avenger to do the removal? KillBox does not always work!

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt
     
  26. templer10

    templer10 Private E-2

    Since Avenger doesn't work - I get the same "not a valid win32 windows application" with it I did before.

    P.S. - I used FileAssassin to delete stuff, not Killbox.
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just as long as they are removed ...which I assume they are?
    Would you attach a new MGLogs.zip so I can check it?
    How are things running?
     
  28. templer10

    templer10 Private E-2

    They are removed but I expect they will come back eventually. This isn't the first time I removed those files, they keep coming back after a day or 2; I think those files aren't the cause of the problem - just a symptom of it.

    Logs attached.
     

    Attached Files:

  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I'm not seeing anything ...although I have no idea what this is in your NewFiles log:
    C:\WINDOWS\system32\drivers\š‰—‰„ ‡ƒ™„
    I would also be careful about your surfing habits and P2P sharing as that may be where the issue lies.
    Make sure you clean out your temp files and please let me know if the files show up again. :)
     
  30. templer10

    templer10 Private E-2

    They showed up again immediately following a reboot. Logs attached.
     

    Attached Files:

  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please run Counterspy and attach the log to your next reply.

    Then Go to Bitdefender agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click-on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click Save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

    I think the problem is in the application data folders ....but you still have a few things that I cannot read.
     
