f... beagle

Hello to all… my fault, I got infected by this worm.

I have avast 4 Home, fully updated
Win XP Pro SP3

I don't want to put on the old image (it's the best way sometimes), so I'm trying to fix it.

First I used EliBagla… after the restart it deleted the infected .exe files.
Then I re-entered the registry key for hidden files and folders, deleted all temporary files and fixed safe boot mode (no more blue screen).

Now I'm running the deep scan with the Symantec removal tool and also with avast.

What else can I do to be sure I remove this rootkit?

This is the second time I've caught a virus… and the first time I activated it myself… shame on me :frowning: (I started with the VIC-20… so)
Thank you for helping me.

What goes around comes around, in this case Beagle.

Post up the logs of any hits from the boot-time scans.
With avast, send to Chest, do not delete/remove;
with others, please quarantine.

You already did this, right?
Schedule a boot-time scan with avast with archive scanning turned on.
Right-click on the ball and Update > Programs,
then open avast and schedule a boot-time scan. Reboot and send any hits to Chest, do not remove/delete.
Did you quarantine or send to Chest anything from previous AV scans? What was there (ignore cookies)?

then

  1. Disable System Restore and then re-enable it. You can do this later unless you are getting lots of hits in System Restore.

  2. Clean your temporary files. Use ATF Cleaner or CCleaner, but post up any relevant AV logs first.

You can try Dr.Web CureIt!
http://www.freedrweb.com/cureit/

  3. Use SUPERAntiSpyware,
    http://www.superantispyware.com/
    update, quarantine, post logs

  4. MBAM
    http://malwarebytes.org/mbam.php
    Put a check mark next to any baddies and then click REMOVE CHECKED; a backup will be made.
    Post the log.

Double-check to see if everything is up to date:
secunia.com/vulnerability_scanning/online/

We'll go from there.
Feel free to read the sticky at the top of the forum and post an HJT log after doing the above.

What firewall?
Any anti-spyware apps installed already?

avast has a rootkit scanner built in;
so does SDFix. Get the instructions at Bleeping Computer and follow them exactly.
Post the log and a fresh HJT log.

Polonus has a favorite we can double-check with after we make sure there is nothing lurking in your system.

Win32:Beagle should be covered by the avast! cleaner. Only variants A-Z and AA-AH.

What Beagle variant are you infected with?

13/09/2008 4.17.11 Administrator 1528 Sign of “Win32:Beagle-AFX [Wrm]” has been found in “C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\VA2G3WAA\b64_3[1].jpg” file.
13/09/2008 4.16.47 Administrator 1528 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\TLARQMT2\b64_4[1].jpg” file.
13/09/2008 4.16.19 Administrator 1528 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\N3AGI56R\b64_2[1].jpg” file.
13/09/2008 4.15.56 Administrator 1528 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\BK4AC38I\b64_1[1].jpg” file.
13/09/2008 4.10.43 Administrator 1528 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\system32\drivers\downld\466015.exe” file.
13/09/2008 4.10.38 Administrator 1528 Sign of “Win32:Beagle-AFX [Wrm]” has been found in “C:\WINDOWS\system32\drivers\downld\449125.exe” file.
13/09/2008 4.10.36 Administrator 1528 Sign of “Win32:Beagle-AFX [Wrm]” has been found in “C:\WINDOWS\system32\drivers\downld\449125.exe” file.
13/09/2008 4.10.26 Administrator 1528 Sign of “Win32:Beagle-AFX [Wrm]” has been found in “C:\WINDOWS\system32\drivers\downld\449125.exe” file.
13/09/2008 4.09.15 Administrator 1528 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\drivers\downld\375562.exe” file.
13/09/2008 4.08.53 Administrator 1528 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\system32\drivers\downld\356609.exe” file.
13/09/2008 4.04.06 Administrator 1528 Sign of “Win32:Beagle-AAW [trj]” has been found in “C:\WINDOWS\system32\drivers\srosa.sys” file.
13/09/2008 4.01.19 SYSTEM 1824 Sign of “Win32:Beagle-AAW [trj]” has been found in “C:\WINDOWS\system32\drivers\srosa.sys” file.
13/09/2008 3.20.25 SYSTEM 1824 Sign of “Win32:Trojan-gen {Other}” has been found in “http ://www.freeserials.ws/dl \keygen.exe” file.

← I found an important .doc locked by a password, so I tried everything :frowning:

in “http://ww w.freeserials.ws/dl\keygen.exe” file.

If you feel it important to display a log file, then I guess you should corrupt the active links first, just in case someone accidentally clicks on one.

Regards
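The avast log posted above, and the advice just given about corrupting the active links before pasting such a log, both lend themselves to a small script. The following Python is an added example, not part of this thread and not an avast tool: it parses lines in the avast 4 log format quoted above (from a constructed sample modelled on those lines, with the real download site replaced by an example.invalid host), collapses repeated hits on the same file, ranks a detection in a kernel driver (srosa.sys under system32\drivers) above a cached download in Temporary Internet Files, and rewrites any URL to hxxp://…[.]… so the pasted report cannot be clicked. The location categories and their priority order are my own assumptions, not avast's.

```python
import re
from collections import defaultdict

# Constructed sample in the avast 4 log format quoted in the thread: date, time, user, PID,
# then 'Sign of "<signature>" has been found in "<location>" file.'  The last line uses an
# example.invalid host in place of the real download site mentioned in the thread.
SAMPLE_LOG = r'''
13/09/2008 4.17.11 Administrator 1528 Sign of "Win32:Beagle-AFX [Wrm]" has been found in "C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\VA2G3WAA\b64_3[1].jpg" file.
13/09/2008 4.10.43 Administrator 1528 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\drivers\downld\466015.exe" file.
13/09/2008 4.10.38 Administrator 1528 Sign of "Win32:Beagle-AFX [Wrm]" has been found in "C:\WINDOWS\system32\drivers\downld\449125.exe" file.
13/09/2008 4.10.36 Administrator 1528 Sign of "Win32:Beagle-AFX [Wrm]" has been found in "C:\WINDOWS\system32\drivers\downld\449125.exe" file.
13/09/2008 4.04.06 Administrator 1528 Sign of "Win32:Beagle-AAW [trj]" has been found in "C:\WINDOWS\system32\drivers\srosa.sys" file.
13/09/2008 3.20.25 SYSTEM 1824 Sign of "Win32:Trojan-gen {Other}" has been found in "http://www.example.invalid/dl\keygen.exe" file.
'''

# Accept both straight quotes (raw avast output) and the curly quotes a forum may substitute.
LINE_RE = re.compile(
    r'(?P<date>\S+) (?P<time>\S+) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of [“"](?P<signature>[^”"]+)[”"] has been found in [“"](?P<location>[^”"]+)[”"] file\.'
)

# Assumed triage order: a hit in a driver outranks a dropped .exe, which outranks a browser-cache hit.
PRIORITY = {"kernel driver": 0, "executable": 1, "browser cache": 2, "remote url": 3, "other": 4}


def parse_avast_log(text):
    """Return one dict per parseable log line; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            records.append(rec)
    return records


def classify(location):
    """Assumed heuristic categories based only on where the detected object lives."""
    p = location.lower()
    if re.match(r'^(https?|ftp)://', p):
        return "remote url"
    if "temporary internet files" in p or "\\content.ie5\\" in p:
        return "browser cache"
    if p.endswith(".sys") and "\\drivers\\" in p:
        return "kernel driver"
    if p.endswith((".exe", ".dll", ".scr", ".com")):
        return "executable"
    return "other"


def defang(location):
    """Make a URL un-clickable before it is pasted on a forum: http -> hxxp, dots in the host -> [.]."""
    m = re.match(r'^(https?|ftp)://([^/\\]+)(.*)$', location, re.IGNORECASE)
    if not m:
        return location            # local paths are left untouched
    scheme, host, rest = m.groups()
    scheme = scheme.lower().replace("tt", "xx").replace("ftp", "fxp")
    return f"{scheme}://{host.replace('.', '[.]')}{rest}"


def summarize(records):
    """Collapse repeated hits on the same location, keeping every signature name seen for it."""
    by_location = defaultdict(lambda: {"hits": 0, "signatures": set(), "category": "other"})
    for rec in records:
        entry = by_location[rec["location"]]
        entry["hits"] += 1
        entry["signatures"].add(rec["signature"])
        entry["category"] = classify(rec["location"])
    return dict(by_location)


def report(summary):
    """One safe-to-paste line per location, most dangerous category first."""
    ordered = sorted(summary.items(), key=lambda kv: (PRIORITY[kv[1]["category"]], kv[0]))
    return [
        f'[{info["category"]}] {defang(loc)}  hits={info["hits"]}  {", ".join(sorted(info["signatures"]))}'
        for loc, info in ordered
    ]


if __name__ == "__main__":
    for line in report(summarize(parse_avast_log(SAMPLE_LOG))):
        print(line)
```

Run it as-is to see the constructed sample triaged; to use it on a real avast log, paste the log text in place of SAMPLE_LOG or read it from a file. Only the URL line changes in the output, so the file paths the helpers need for their analysis stay exact.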

Right said, :wink:

Take care, Beagle is one of the most destructive pieces of malware against avast antivirus installations…

Here are some basic instructions in more detail from MajorGeeks, and some WHY DO WE DO IT THIS WAY stuff. However, do put off the restore point triage if you have not done it already.

Also, if you are running Spybot TeaTimer or similar, turn it off while cleaning. Remember to turn it back on, or ask later; do not count on me to remember.

* Download and install CCleaner
      o Now run CCleaner with the default options (that means don't change anything) to clean out temporary files.
      o Only use the default settings on the Windows tab and select Run Cleaner. Do not run any other options from other tabs.
      o It is also highly recommended to log in to all other user accounts on the PC, including the Administrator account (on Win2K, XP and Vista), which will only show when you boot in safe mode.
            + Run CCleaner on each account. This can greatly reduce scan time and log sizes from the later scanning you will do below.
            + If you don't see CCleaner's link when logging into the other accounts, just go to the C:\Program Files\CCleaner folder and double-click on the ccleaner.exe file to run it. You can also create a shortcut to the file on the Desktop of your other user accounts to make it easier to run in the future.
      o If you booted into safe mode to clean the Administrator account, be sure to reboot in normal mode before continuing on with the instructions below.

Step 2: Enable viewing of hidden files, system files and file extensions

* Some programs hide themselves by making their files invisible in normal Windows settings. Run the steps in the link below (it has steps for ALL Windows versions) to make them easier to find.
      o How to view hidden, system files & folders!

* Not doing this would allow file extensions commonly used by trojans and spyware to be hidden, for example a file ending in .exe or dll making

If you need this level of detail, go here for the hot links:
http://forums.majorgeeks.com/showthread.php?t=35407

To remove Beagle/Bagle, whatever, in one sweep, follow these directions carefully. If it blue-screens, then you will need to disable avast self-protection for the duration of the run.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop

* If you are using Firefox, make sure that your download settings are as follows:
      o Tools -> Options -> Main tab
      o Set to “Always ask me where to Save the files”.

* During the download, rename Combofix to Combo-Fix as follows:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

      o It is important you rename Combofix during the download, but not after.
      o Please do not rename Combofix to other names, but only to the one indicated.
      o Close any open browsers.
      o Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause “unpredictable results”.
* Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      o Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
      o If there is no Internet connection after running Combofix, then restart your computer to restore your connection.

* Double-click on Combo-Fix.exe & follow the prompts.
* When finished, it will produce a report for you.
* Please post the “C:\Combo-Fix.txt” along with a new HijackThis log for further review.

Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.

Hi,
I do not do ComboFix, but Essexboy is one of the few at this forum who does.
If he is willing to work with you, follow his instructions,
then come back and do the general-purpose scans, as ComboFix only targets a sector of malware;
there may be other things that it does not deal with.

Looking forward to hearing from you.

I'll be out Tues-Thurs.