You can always try ThreatFire, Spybot S&D and AntiVir Premium (promotion) -----> https://license.avira.com/en/promotion-cj0ptfb6eh8cmw6a101r You can get some other license promotion by searching on Google (antivir premium security suite promotion), or you can always try to get a new promotion key by registering again (I never tried it, so you can try it yourself when it has expired).
PS: The Avira license key is valid for 3 months only, but you can try the thing I said.
So may God bless you, and may Avira find your Beagle virus.
The Kaspersky bootable CD scanned my machine for 22 hours and found nothing. >:(
I found a piece made specifically to kill all forms of Beagle by Symantec but it also found nothing.
I just started running the Avira bootable disc. I certainly hope it finds something.
I don’t believe that I have some new variant. I’m pretty sure the file I got has been around for some time. Surely there is a cure for this blasted thing. I really really really don’t want to format my hard drive. It will take a long time (too long) to recover and I would probably never know what I’d lost.
By the way, I did send the file from which the virus came (CD Utils.zip) to virus@avast.com in a password protected RAR with the password in the body of the email and with the subject “undetected malware”.
@ Mr. Agent: I cannot run Spybot S&D or any other antivirus application. That is the nature of this virus; it disables virus hunters. The same goes for HijackThis. Please read my original thread starter.
If there are ANY other ideas I’m ready to try them. I’m getting a bit desperate. Why is it that all these “top notch” virus scanners can’t find anything wrong? There must be something running in memory to disable AVs every few seconds. Does anyone know of an online memory scanner?
If Blacklight doesn’t find anything then you might want to consider this :
From reading the description of the symptoms you seem to be having, I believe that the file you have is an EXE infector or at least has that feature as one of its payloads.
You should probably be able to run EXE files (I think).
What you might want to do also is to save the file attached to the post, change the extension to .bat and run it. It should be able to inform you of the currently running tasks if the Task Manager doesn’t seem to work.
I will also try to do some research, as I understand that having this sort of nasty can be very frustrating >:(
I discovered that I can rename ashAvast.exe on another PC and then put it on my machine and it does work. (the memory scanner found nothing) Unfortunately, avast uses many EXEs and they have all been disabled. I cannot rename them all because they call each other.
On a brighter note, I did the same with HijackThis and now have my renamed version (DogThis.exe), and it works just fine. But I am not an expert at making sense of the resulting log file. Maybe I can find someone who is and can find out more about what’s going on.
I have to go to work now but when I get back I will try restoring the EXE file association. As I said before, when I try to run an antivirus EXE I get the message box, “so and so.exe is not a valid Win32 application.” Other EXE files run just fine.
By the way, F-Secure’s scanner didn’t find anything and was said to contain Blacklight. However, I will put it in line with all else to be tried. Also, Taskmanager does work, but I can’t see anything unusual. But it may be there and I just don’t recognize it.
Ok, I didn’t understand that it was the AVs that could not be run >:(
Well, in that case forget what I said above about the EXE association, because if your problem doesn’t happen with every EXE then it doesn’t have to do with the EXE association.
On the other hand, can you post the list of running processes along with the DogThis log (if it isn’t already included)?
I have no further recommendation at the moment, as I think we have exhausted the information you have given us, but the DogThis log will provide a sea of data which we will try to take advantage of in order to remove your malware.
Logfile of HijackThis v1.99.1
Scan saved at 7:59:20 AM, on 3/6/2009
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Do you have any games (Enemy Territory - QUAKE or Medal of Honor Airborne or Need for Speed™ ProStreet or Process ID or PunkBuster, etc.)? If not, then the file:
C:\WINDOWS\system32\PnkBstrA.exe
might be suspicious, as it is associated with those programs as well as some viruses. I would definitely check on virustotal.com whether that file is clean.
Don’t worry al968, it’s not a virus. I’ve got it, and yes, it’s for PunkBuster, if you want to play on a PB server for Battlefield 1942 or something that runs PB anti-cheat.
Btw sepulchre, if the virus keeps turning off your antivirus then maybe you should try to copy the setup and key onto a disk, then go to your infected cpu and install it, and if it doesn’t work then, well, I will have tried to help you, but I think the best way will maybe be to format your PC. (Correct me if I’m wrong.)
@Mr.Agent:
As I said earlier, I know that this file usually belongs to Punk Buster, and as I have explained above, the reason I asked is indeed to make sure that this file is the one used by Punk Buster and has not been replaced by a virus, as is often the case:
I also don’t understand what the cpu has to do with any of this ??? ???
@sepulchre:
Also, I am still optimistic in the sense that I still think that we can save you from formatting your hard drive.
Please post when you have completed the virustotal scan of the suspicious file or any update on the progress of the virus
Sorry for my absence - had to work. So I’ve made no progress.
Still I remain hopeful though I am preparing myself for the possibility of having to format.
Anyway, I will get the newer HJT today and post the results; thanks for the link.
I posted a link to the VirusTotal results earlier in the thread, but here they are:
Okay, I just got the latest version of HJT, renamed it and ran it. Here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:47 AM, on 3/8/2009
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
I attempted to reinstall Windows and now Windows will not boot up. This is coming to you from a boot of Dr. Web (linux). So I guess I’m well and truly screwed.
A friend said I might have problems with my master boot record (MBR). Well I don’t know if that can be fixed now. When I try to boot it gets as far as the Windows screen with the little moving bar, then reboots. That’s also what happens when I try to boot into Safe Mode.
So I guess I will be forced to reformat. >:( >:( I was prepared to do that but I wanted to make an inventory of the drive first. Now I don’t know if I’ll be able to do that.
I will report any progress made.
If anyone ever finds out who produced the virus I would like to show that SOB my shotgun!
Thanks to everyone for your help. I encourage all to continue to work towards finding a cure.
Ken
Do you have a floppy in this computer? If so, you can boot on DOS and use
fdisk /mbr
to recover your mbr.
Also, if you can boot from the Windows CD and get the recovery console, there are options to recover the MBR.
It seems that you don’t use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses.
We didn’t detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall.
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\FileUtilities.3\mount.exe /z
It seems that the name of this program is the same as the name of the file. In the most cases this is the result of trojans. To be sure, you should check this file.
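The name-equals-filename check that the log analysis above applies to the O4 entry, as an added example (not part of the thread and not HijackThis code): it parses O4 autostart lines and flags entries whose value name is the same as the executable's file name. A hit is only a prompt to check the file; the `ExampleTray` and `updater` lines are constructed.

```python
import re
from pathlib import PureWindowsPath

# HijackThis autostart line: O4 - <hive>\..\<key>: [<value name>] <command line>
# The backslash after the hive is optional here because forum software often eats it.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]{2})\\?\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.IGNORECASE)

def exe_path(cmd):
    """Executable part of a command line; handles quoted and unquoted paths with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else ""

def check_o4(line):
    """Parse one log line; return None if it is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe = PureWindowsPath(exe_path(m["cmd"])).name
    return {"key": m["hive"] + "\\..\\" + m["key"], "name": m["name"], "exe": exe,
            "name_is_filename": m["name"].lower() == exe.lower()}

def flagged(log_text):
    """Value names of all O4 entries whose name equals the executable's file name."""
    hits = (check_o4(l) for l in log_text.splitlines())
    return [h["name"] for h in hits if h and h["name_is_filename"]]

# First two lines are from the thread (hive backslash restored);
# the last two are constructed for illustration.
SAMPLE = r"""Boot mode: Normal
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\FileUtilities.3\mount.exe /z
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" -min
O4 - HKCU\..\Run: [updater] C:\Example Tools\updater.exe.bak\run.exe"""

if __name__ == "__main__":
    print(flagged(SAMPLE))
```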
Thank you so much! I will look for MBR fixes and look into HJT again.
In desperation I tried the Bit Defender bootable CD once more. I had thought it was hanging up while “Trying to update the database” but it simply took a while. When it did come up I saw that, besides the scanner, it has a hard drive view. I was glad because I wanted to jot down as much as I could about what’s on the drive before reformatting. I didn’t think the scanner would find anything - nothing else has - but I started it anyway. It took a long while to write down all that was on the drive and when I was finished so was the scanner. Much to my amazement IT FOUND THE BEAGLE VIRUS!! ;D in several places! And deleted it as well!
Since my reinstall of Windows was incomplete I have started that again. Hopefully, that will repair the MBR.
So. . . . BIT DEFENDER RULES!! . . . well, their bootable CD does anyway. ;D
Oh, pardon me. I will, of course, still use Avast as I am still confident in its abilities. I emailed the offending file in a password protected RAR with the password in the body to virus@avast.com with “Undetected Virus” as the subject. So I hope the techs at Avast can analyse it and employ detection of it in an update soon.
Many, many thanks to you all for your efforts and help. As I said, I’m hopeful that this install of Windows will work. If it’s not working properly I will try the latest remedies you have suggested.
Thanks again,
Ken
Ok, the machine still won’t boot. I tried a DOS bootable floppy and fdisk /mbr to no avail. I booted with my Windows disk and chose Recovery, but it asks for an administrator’s password. I have a little utility on a bootable CD that changes the administrator’s password but it says that the password is Blank and cannot be changed.