I got the annoying virus back that deletes avast.

Hi, I found out which file has the virus that ruins my avast installation. Well, I packed it with WinRAR and sent it to avast for analysis; hope you guys find a way to break it. But this time the rootkit remover doesn't help me. It says removing and deleted, but I suspect that it is reinstalling itself just after reboot, and avast won't work either.
So now I'm taking an online virus check at other places and hope it gets rid of all of them.
I also made a check on the file with a malware scan, and here is the result:

Scan taken on 27 Feb 2007 03:18:20 (GMT)
AntiVir Found HEUR/Crypted
ArcaVir Found Trojan.Downloader.Beagle.Bp
Avast Found nothing
AVG Antivirus Found Downloader.Generic3.TSE
BitDefender Found Trojan.Downloader.Bagle.BJ
ClamAV Found Worm.Bagle-51
Dr.Web Found Win32.HLLM.Beagle
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Email-Worm.Win32.Bagle.hq
Fortinet Found W32/Bagle.BP!tr.dldr
Kaspersky Anti-Virus Found Email-Worm.Win32.Bagle.hq
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found W32/Mitglied.ACU
VirusBuster Found Trojan.Bagle.Gen!Pac20
VBA32 Found nothing

Well, I think this is the file; otherwise there is one other possibility, but we'll see about that when or if my system ever gets back to normal
:slight_smile:

Thank you.

You never said in the last thread if it was Panda or F-Secure that removed it, but you need to try both. There seem to be at least 2 variants of this.

Also, since BitDefender caught it, download the free version and scan with that.

http://www.bitdefender.com/site/view/Download-Free-Products.html

This is a non-resident scanner so it won’t provide the real time protection you need, but it may solve the problem.

Well, sorry, I tried Panda only since I couldn't find a download for the other one, but now I'm still having this problem:
starting Panda… checking… removing… reboot… clean… after 1 min. it's back, checking… 2 found, removing, and so on and so on.

So I will try to find the other one again… thanks

Here’s a link to F-Secure Blacklight

http://www.f-secure.com/blacklight/

Download and install BitDefender and Blacklight and make sure the BitDefender definitions are updated. Then disconnect your computer from the internet, boot into safe mode, and scan from there.

Let's make sure you send a sample to avast this time, and hopefully it will be able to include it in the VPS.

If you are getting it back, you have a weakness in your security; you need to tighten things down.

You might also consider proactive protection: in order to place files in the system folders and create registry entries, you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below): Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP.

This is what I had meant in another post… Avil is for me the best antivirus, but the definitions (VPS) are not really brand new, up to date… I am using BitDefender Free as my second antivirus scanner for when I am thinking that avast doesn't have the virus in the VPS yet; also, only for security reasons, I am using a second antivirus (scanner only)…

:slight_smile: Hi Snakie & Josy :

  I hope each of you has more security than just Avast on your
  computers !? Nowadays, you should have 1 or more antiSPYWARE/
  antiTROJAN program(s), such as the Good & FREE AVG Antispyware
  ( www.ewido.net ) and/or the FREE version of "SUPERantispyware"
   from www.superantispyware.com .

   And I do NOT recall seeing anything about having a software
   firewall in any of your posts !?

Ok. Here it is. I am using progs as follows:

Antivirus:

Avast Home (Primary)
Bitdefender Free (Secondary)

Firewall:

I have a router with a firewall in it.

I am using Comodo 2.4 Pro as a software firewall.

Spyware and other related:

  1. Spyware Terminator (with Realtime Protection)

  2. Adaware SE

  3. Spybot Search & Destroy

  4. SpywareBlaster

  5. From time to time HijackThis

So that’s all…

:slight_smile: Hi Josy :

  Did you know that "Spyware Terminator" is by a company called
  "Crawler", who in the past made "rogue/suspect" antispyware products !?

  Would encourage you to read the "Superantispyware vs Spyware 
  Terminator" thread on the very good Wilderssecurity Forums at
  www.wilderssecurity.com/showthread.php?t=164428 .

  And as to Spybot; its quality has fallen in recent months and for quite
  some time has NOT been in the top "tier" of "Trustworthy Products" of
  antiSPYWARE Expert Eric Howes at
  www.spywarewarrior.com/rogue_anti-spyware.htm#trustworthy .

   Might be wise to add a rootkit "detection" program; recommend
   you start with the Good & FREE "RootkitRevealer" from
   www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

Ok.

Do you know SpywareBlaster? However, Spyware Terminator is doing a good job, not for scanning spyware but with its real-time protection (HIPS also), and most "free progs" don't have it or have it disabled (only in the paid version).

So I will check the links that you have posted.

:slight_smile: Hi Josy :

  Have had SpywareBlaster ( & its "companion" SpywareGuard ) and
  Ad-Aware SE Personal on my computer for quite some time .

;D
Well, actually I was in front of my PC all day trying to find out what to do and stuff,
and I first tried Panda Anti-Rootkit, but it never deleted the actual files, only the active ones, so after reboot it installed itself back.
So I finally downloaded F-Secure BlackLight; it found like 19 files. Err, I had only 1 option, to rename the files, but no guarantee that they weren't some useful system files. So I took each file to Google and made a search to see if it matched any known virus, and it did, so I renamed all the files.
Then I needed to clean the registry, since it was also in there to mess things up more, so I did a scan with Registry Booster and it found like 215 registry entries. I didn't bother to see if the virus strings were there too, so I deleted them all.
Then reboot and a fresh install of avast 4.0, and I checked everything twice to make sure nothing was replaced, and now avast is working fine again. So I went into my netbank to change all the passwords and stuff; since it was a Trojan, it is a pretty good idea to change every important password.

By the way, the avast icon in the corner was very helpful to notice that I had the virus or malware, don't know what it was, since it disabled avast and the icon first appears and then disappears, since all the executable files were deleted from the avast install folder. So if avast fails to load, or reinstalling fails and the shortcut cannot find the destination file, be sure to check for rootkits.

Well, again I hope avast will take on more protection soon.

Thanks for the follow-up, snakie. It's good to see your dedication to solving this problem paid off, hopefully for good.

If you have the file names/locations Blacklight found, could you post them? This might be helpful for others struggling with this problem.

Yeah - this is getting very frustrating :frowning:

Thanks for taking the time to provide the feedback, and we share your hope for more protection; now you could play a part in that by sending the renamed samples to avast.

You can also add the file to the User Files (File, Add) section of the avast chest where they can do no harm and send it from there (select the file, right click, email to Alwil Software).

Version 5 of avast (date unknown) will also have anti-kill to stop it being disabled.

I already sent the file that gave me the virus in the first place, and the virus won't be active until it is executed.
I think it's named escape from monkey island 4 1.0.exe
or something like that; it's supposed to be a patch for a game, but nothing happens when executed.
Anyhow, I got another new problem. I think the virus I had has completely damaged the Windows safe boot-up: every time I try to load up in safe mode, with or without networking, I get a blue screen critical error and a reboot, so I cannot boot up in safe mode!
Does the Microsoft Win XP CD have any repair for this kind of issue, or is a format and reinstall required? I hope not, since I have never made a reinstall in like 5 years now and I don't have a lot of space to make all the backups I collected in these 5 years :cry:

If you made a backup, try restoring it.

:slight_smile: Hi Snakie :

 If Mauserme's latest advice does NOT work, I recommend you ask
 the experienced, volunteer Microsoft Most Valuable Professional(s)
 on the forums at http://aumha.net for help .

Just a follow-up again. The virus name or worm name is Worm\Bagle; it leaves two exe files in windows\system32, hldrrr.exe and wintems.exe, and a lot of dll's and registry entries, and the files are hidden in the %root%, so it's impossible to locate them manually (at least for me, the noob, it was impossible).

Well, I was making backups of my HD until I found another forum with the same problem.
So here is the solution.
http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe

Keep this on the desktop for later use.
First of all you have to remove Worm\Bagle, a VERY VERY annoying worm indeed, and it destroys a lot of data >:( Annoying.
However, I first tried the Avenger with no luck.

Get the Avenger
http://swandog46.geekstogo.com/avenger.zip

Mark the input screen manually and copy-paste this (not the lines) ------------

Folders to Delete:
%userprofile%\Application Data\hidn

Registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | drv_st_key

Drivers to unload:
m_hook

and press the button with the traffic light and let the program reboot for you, and enjoy an almost clean PC :slight_smile:
I thought.
But it was still present.

So I got BlackLight and it found all the files; there were like 19 files (dll and exe), hldrrr.exe and one other I can't remember. I checked the filenames on Google to see if they were some important system files; since they weren't, I renamed them with BlackLight.
Then I got Registry Booster to remove all unnecessary starters.

After reboot I noticed in Start / Run / msconfig that hldrrr and wintems were still set to start up; however, they wouldn't start since I renamed those files, so just uncheck them.

Well, anyhow, the PC IS CLEEAAAAAAAAAAAAAAN, yipeYA YEAH

Now you can execute SafeBootKeyRepair.exe and use your Windows completely normally ;D I'M SO HAPPY. (Hates formatting and reinstalling Windows)

Thanks for all the support to everyone, and all the other forums. ;D ;D ;D ;D
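The post above names a handful of artifacts (two executables in System32, a `drv_st_key` Run value, a `hidn` folder under Application Data, a driver called `m_hook`, and safe mode failing until the SafeBoot registry keys were repaired). The following PowerShell script is an added example written for this page, not from the thread, any of its posters, or a vendor tool; it is a read-only audit that reports those indicators and never deletes anything. It assumes PowerShell 3.0 or later (it uses `Get-CimInstance`; on an XP-era host substitute `Get-WmiObject`) and that it runs from an elevated prompt so HKLM and System32 are readable. The Run-key "dangling target" check at the end generalizes the msconfig observation in the post (startup entries left pointing at renamed files).

```powershell
# Added example, not from the thread: read-only check for the Bagle artifacts described above.
# Runs only under PowerShell 3.0+ in an elevated prompt; it reports and never modifies anything.

$system32 = Join-Path $env:SystemRoot 'System32'
$appData  = $env:APPDATA   # <profile>\Application Data on XP, \AppData\Roaming on Vista and later
$findings = @()

function Add-Finding([string]$Type, [string]$Indicator, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Type = $Type; Indicator = $Indicator; Detail = $Detail }
}

# 1. Dropped executables in System32. The post says they are hidden, so -Force is required to see them.
foreach ($name in 'hldrrr.exe', 'wintems.exe') {
    $path = Join-Path $system32 $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        Add-Finding 'File' $path "Attributes: $($item.Attributes); Size: $($item.Length)"
    }
}

# 2. Persistence value named in the Avenger script (HKLM Run\drv_st_key).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['drv_st_key']) {
    Add-Finding 'Registry' "$runKey\drv_st_key" ([string]$run.drv_st_key)
}

# 3. Dropped folder under the user's Application Data.
$hidn = Join-Path $appData 'hidn'
if (Test-Path -LiteralPath $hidn) {
    Add-Finding 'Folder' $hidn 'exists'
}

# 4. The kernel driver the Avenger script unloads (m_hook), queried through WMI.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='m_hook'" -ErrorAction SilentlyContinue
if ($drv) {
    Add-Finding 'Driver' 'm_hook' "State: $($drv.State); Path: $($drv.PathName)"
}

# 5. SafeBoot keys. Safe mode cannot start without these; SafeBootKeyRepair.exe restores them.
foreach ($sb in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb"
    if (-not (Test-Path -Path $key)) {
        Add-Finding 'SafeBoot' $key 'MISSING (safe mode will not boot)'
    }
}

# 6. Generalization of the msconfig note: any Run value whose target file no longer exists
#    (for example because a scanner renamed it) is reported as a dangling startup entry.
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip provider metadata (PSPath, PSDrive, ...)
        $cmd = [string]$prop.Value
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            Add-Finding 'Dangling Run entry' "$runKey\$($prop.Name)" $cmd
        }
    }
}

if ($findings.Count -eq 0) {
    'None of the indicators from the thread were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on items 1 to 4 means the infection the thread describes is present or was only partially removed; a hit on item 5 explains the safe-mode blue screen. Item 6 will also list legitimate entries whose program was uninstalled, so treat it as a review list rather than a verdict.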

Thanks for the follow-up, snakie, and for the link to SafeBootKeyRepair.exe. I'm sure this will prove useful in the future.

It's hard to say if the worm or the registry cleaner caused the safe boot problem, though I haven't seen it with this worm in the past. Either way, I think a review of the items any registry cleaner proposes to delete, prior to deletion, is a good practice to avoid all sorts of problems. And always make a backup. 8)