Remove Win32:beagle-aww Please

patryduf · Oct 16, 2008

I am desperate to get rid of this virus. I do not have Wifi anymore and the tools to remove this virus, as posted in other threads, are not running for more than 3 seconds. I managed to start in safe mode just after running the tools several times and run those tools again in safe mode, but as soon as I come back in windows the virus installs itself back and I'm at square one again.

I run XP SP3, on a VAIO laptop, Avast. I tried Combofix, Elibagla, gmer and DrWeb CureIt.

I NEED that computer back. HELP!

Thanks
Patryduf

Logs:

TimW · Oct 16, 2008

You need to attach the other three requested logs:

Superantispyware
MalwareBytes
MGLogs.zip

patryduf · Oct 16, 2008

Here they are.
Looks like I still can't get my wifi back...

I left the laptop as it was after all the scans. Did not reboot, did nothing.

Thanks for your help,

Patryduf

patryduf · Oct 16, 2008

Use this Combofix file as it is more recent.
I did not read the instructions for the previous one.
Sorry.

patryduf · Oct 17, 2008

Can someone tell me if I should reinstall networking services... just to get my connexion back? Could it ruin the whole work in progress?

Thanks

TimW · Oct 17, 2008

I am not certain yet what is causing your wifi issues...it maybe malware or it could be hardware...did you look in the device manager to see if anything was amiss?

Could you tell me what this is:
Code:
C:\Documents and Settings\Yvon\Desktop\
ELIBAGLA.BEA%D8B%D8%D8H.EXE
Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the "Input script here:"
part of the window:

Drivers to delete:
srosa

Registry Keys to delete:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000]
Click to expand...

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

patryduf · Oct 17, 2008

C:\Documents and Settings\Yvon\Desktop\
ELIBAGLA.BEA%D8B%D8%D8H.EXE

This is a malware scanner I downloaded after someone in another forum or research on the net (don't remember) told it worked for him.

TimW · Oct 17, 2008

Ok......please run the rest and attach the logs.

patryduf · Oct 17, 2008

I had a few error messages that I will post in a couple of minutes...

TimW · Oct 17, 2008

Ooops...must be nap time.....

* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the "Input script here:"
part of the window:

Drivers to delete:
srosa

Registry Keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000
Click to expand...

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

patryduf · Oct 17, 2008

Log files with error...

Now executing the "good" actions

patryduf · Oct 17, 2008

Here are the files.

Thanks again for your time, Tim

Yvon

TimW · Oct 17, 2008

Let's try again:

Now we need to use ComboFix to remove a bunch of malware files.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
* Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

Drivers::
srosa

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000]
* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.

patryduf · Oct 17, 2008

TimW said: ↑

I am not certain yet what is causing your wifi issues...it maybe malware or it could be hardware...did you look in the device manager to see if anything was amiss?
Click to expand...

Everything is there with "this device is working properly" status.
I uninstalled all devices and reinstalled. No change.

TimW · Oct 17, 2008

This srosa driver may be the cause...but if not ( since I am assuming that your internet hardwire connection is working), it could just be that your wireless nic card died.

Those can be purchased for @ $50...(USB wireless....)

Get me the logs and lets see if we managed to kill it yet.

patryduf · Oct 17, 2008

Ok... Rebooting..

patryduf · Oct 17, 2008

Those USB keys are nice tools!

Give me good new... :major

TimW · Oct 17, 2008

Sweet...combo killed it.

Now the question is does the wifi still not work? If it does not...I would suggest posting in either hardware or software....( though if the computer is a little old you may just need to replace the wifi card or purchase a USB Wireless device).

Let's clean up from the scans how:

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-
Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

If you do get a success message, then:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

patryduf · Oct 17, 2008

fixMe.reg has been successfully entered into the registry.

YESSS!

It really makes my day... Thank you so much, Tim!

For the Wifi, I'll try to find something...

:wave

patryduf · Oct 17, 2008

Tim!

For the wifi, i saw that the service WZCSVC was not started due to the NDIS dependencie was not started itself. Went to the net for a research and found that:

skoman

Junior Member with 21 posts. Join Date: Feb 2007
Experience: Computer Illiterate

16-Jun-2008, 04:55 AM #3
I fixed the problem.I see that Wi-FI has been demaged on everybody that has been infected with win32 bagle worm.So here is my solution to the problem
I found that the service still exist in the registry but its not visible in the service.msc console.
So here is what I did:
Go to Start>run>regedit
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisuio
I changed the start value to 2(automatic).It was 4(disabled)
After reboot my WIFI was working again.

AND IT WORKED!!!
Can you see the tears in my eyes?

Thanks again so much for your time and perseverence with my case.
I wish I never need your assistance again... but if I do, I will certainly ask and recommend the "MAJOR GEEKS" for help.

Have a nice weekend!
Yvon
(The guy with a (sort of) brand new laptop)

TimW · Oct 17, 2008

Glad to here you got it running.... and good info.

Log in or Sign up

Remove Win32:beagle-aww Please

patryduf Private E-2

Attached Files:

combo1.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

patryduf Private E-2

Attached Files:

MGlogs.zip

SUPERAntiSpyware Scan Log - 10-16-2008 - 17-47-20.log

mbam-log-2008-10-16 (19-19-59).txt

patryduf Private E-2

Attached Files:

ComboFix.txt

patryduf Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

patryduf Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

patryduf Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

patryduf Private E-2

Attached Files:

MGlogs.zip

avenger.txt

patryduf Private E-2

Attached Files:

avenger.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

patryduf Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

patryduf Private E-2

patryduf Private E-2

Attached Files:

MGlogs.zip

ComboFix.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

patryduf Private E-2

patryduf Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member