Hi, I found out which file has the virus that ruins my avast installation. I packed it with WinRAR and sent it to avast for analysis; I hope you guys find a way to break it. But this time the rootkit remover doesn't help me. It says removing and deleted, but I suspect that it is reinstalling itself just after reboot, and avast won't work either.
So now I'm taking an online virus check at other places and hope it gets rid of all of them.
I also made a check on the file with a malware scan, and here is the result:
Scan taken on 27 Feb 2007 03:18:20 (GMT)
AntiVir Found HEUR/Crypted
ArcaVir Found Trojan.Downloader.Beagle.Bp
Avast Found nothing
AVG Antivirus Found Downloader.Generic3.TSE
BitDefender Found Trojan.Downloader.Bagle.BJ
ClamAV Found Worm.Bagle-51
Dr.Web Found Win32.HLLM.Beagle
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Email-Worm.Win32.Bagle.hq
Fortinet Found W32/Bagle.BP!tr.dldr
Kaspersky Anti-Virus Found Email-Worm.Win32.Bagle.hq
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found W32/Mitglied.ACU
VirusBuster Found Trojan.Bagle.Gen!Pac20
VBA32 Found nothing
Well, I think this is the file; otherwise there is one other possibility, but we'll see about that when or if my system ever gets back to normal.
Well, sorry, I tried Panda only, since I couldn't find a download for the other one, but now I'm still having this problem:
starting Panda… checking… removing… reboot… clean… after 1 min. it's back, checking… 2 found, removing, and so on and so on.
Download and install BitDefender and BlackLight and make sure the BitDefender definitions are updated. Then disconnect your computer from the internet, boot into safe mode, and scan from there.
Let's make sure you send a sample to avast this time, and hopefully it will be able to include it in the VPS.
If you are getting it back, you have a weakness in your security; you need to tighten things down.
You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.
Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.
Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP.
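The "limited rights" point above, as an added PowerShell example (this is not code from the thread or from DropMyRights): it reports whether the current token is in the Administrators group and then actually tries to write in the two places the post names, a file in System32 and a value under the HKLM Run key, removing the probe again on success. The probe file and value names are arbitrary choices for this example. HKCU's Run key is probed as well because a limited account can still write there, which is why per-user start-up locations are also worth checking after an infection.

```powershell
# Added example: probe what the current account can do in the system folder
# and the Run keys. A limited account should see "denied" for System32 and
# HKLM, an administrator account "allowed"; HKCU is writable for both.

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Create and immediately delete a probe file; nothing is left behind on success.
function Test-WriteFile([string]$Dir) {
    $probe = Join-Path $Dir 'dropmyrights-probe.tmp'   # hypothetical name
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return 'allowed'
    } catch [UnauthorizedAccessException] {
        return 'denied'
    } catch {
        return "error: $($_.Exception.Message)"
    }
}

# Create and immediately delete a probe value under <hive>\...\Run.
function Test-WriteRunKey([string]$Hive) {
    $key  = "$Hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $name = 'dropmyrights_probe'                      # hypothetical value name
    try {
        Set-ItemProperty -Path $key -Name $name -Value 'probe' -ErrorAction Stop
        Remove-ItemProperty -Path $key -Name $name -ErrorAction Stop
        return 'allowed'
    } catch [System.Security.SecurityException], [UnauthorizedAccessException] {
        return 'denied'
    } catch {
        return "error: $($_.Exception.Message)"
    }
}

$sys32 = Join-Path $env:SystemRoot 'System32'
"Token in Administrators group : $(Test-IsAdministrator)"
"Write file to $sys32 : $(Test-WriteFile $sys32)"
"Write value to HKLM Run key    : $(Test-WriteRunKey 'HKLM:')"
"Write value to HKCU Run key    : $(Test-WriteRunKey 'HKCU:')"
```

Run it from the same context you browse and read mail in, since that is the token malware would inherit. On Vista and later, an administrator's non-elevated shell carries a filtered token and will report as limited until elevated; on the XP-era systems the post is about there is no such split.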
This is what I had meant in another post… Avil is for me the best antivirus, but the definitions (VPS) are not really brand-new, up to date… I am using BitDefender Free as my second antivirus scanner when I think that avast doesn't have the virus in the VPS yet; also, purely for security reasons, I am using a second, on-demand-only antivirus scanner…
I hope each of you has more security than just avast on your computers! Nowadays you should have one or more anti-spyware/anti-trojan program(s), such as the good and FREE AVG Anti-Spyware (www.ewido.net) and/or the FREE version of "SUPERAntiSpyware" from www.superantispyware.com.
And I do NOT recall seeing anything about having a software firewall in any of your posts!
Did you know that "Spyware Terminator" is by a company called "Crawler", who in the past made "rogue/suspect" anti-spyware products? I would encourage you to read the "SUPERAntiSpyware vs Spyware Terminator" thread on the very good Wilders Security Forums at www.wilderssecurity.com/showthread.php?t=164428.
And as to Spybot: its quality has fallen in recent months, and for quite some time it has NOT been in the top "tier" of "Trustworthy Products" of anti-spyware expert Eric Howes at www.spywarewarrior.com/rogue_anti-spyware.htm#trustworthy.
It might be wise to add a rootkit "detection" program; I recommend you start with the good and FREE "RootkitRevealer" from www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx.
Do you know SpywareBlaster? However, Spyware Terminator does its good job not in scanning for spyware but within the real-time protection (HIPS also), and most "free progs" don't have it or have it disabled (only in the paid version).
Well, actually I was in front of my PC all day trying to find out what to do and stuff,
and I first tried Panda Anti-Rootkit, but it never deleted the actual files, only the active ones, so after reboot it installed itself back.
So I finally downloaded F-Secure BlackLight; it found like 19 files. Err, I had only one option, to rename the files, but no guarantee that they weren't some useful system files. So I took each file to Google and searched to see if it matched any known virus, and it did, so I renamed all the files.
Then I needed to clean the registry, since it also was in there to mess things up more, so I did a scan with Registry Booster and it found like 215 registry entries. I didn't bother to see if the virus string was in there too; I deleted them all.
Then reboot and a fresh install of avast 4.0, and checked everything twice to make sure nothing was replaced, and now avast is working fine again. So I went into my netbank to change all the passwords and stuff; since it was a Trojan it is a pretty good idea to change every important password.
By the way, the avast icon in the corner was very helpful to notice that I had the virus or malware, don't know what it was, since it disabled avast and the icon first appears and then disappears, since all the executable files were deleted from the avast install folder. So if avast fails to load, or reinstalling fails and the shortcut cannot find the destination file, be sure to check for rootkits.
Well, again I hope avast will add more protection soon.
Thanks for taking the time to provide the feedback, and we share your hope for more protection; now you could play a part in that by sending the renamed samples to avast.
You can also add the file to the User Files (File, Add) section of the avast chest, where it can do no harm, and send it from there (select the file, right-click, email to Alwil Software).
Version 5 of avast (date unknown) will also have anti-kill to stop it from being disabled.
I already sent the file that gave me the virus in the first place, and the virus won't be active until it is executed.
I think it's named escape from monkey island 4 1.0.exe
or something like that; it's supposed to be a patch for a game, but nothing happens when executed.
Anyhow, I've got another new problem: I think the virus I had has completely damaged the Windows safe boot. Every time I try to load up in safe mode, with or without networking, I get a blue screen critical error and reboot, so I cannot boot up in safe mode!
Does the Microsoft Windows XP CD have any repair for this kind of issue, or is a format and reinstall required? I hope not, since I haven't done a reinstall in like 5 years now, and I don't have a lot of space to make backups of everything I collected in these 5 years.
If Mauserme's latest advice does NOT work, I recommend you ask the experienced, volunteer Microsoft Most Valuable Professional(s) on the forums at http://aumha.net for help.
Just a follow-up again. The virus name or worm name is Worm/Bagle; it leaves two exe files in Windows\system32, hldrrr.exe and wintems.exe, and a lot of DLLs and registry entries, and the files are hidden in the %root%, so it's impossible to locate them manually (at least for me, the noob, it was impossible).
Hide this on the desktop for later use.
First of all you have to remove Worm/Bagle, a VERY VERY annoying worm indeed, and it destroys a lot of data >:( Annoying.
However, I first tried The Avenger, with no luck.
Mark the input screen manually and copy-paste this (not the lines ------------):
Folders to Delete:
%userprofile%\Application Data\hidn
registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | drv_st_key
drivers to unload:
m_hook
and press the button with the traffic light, let the program reboot for you, and enjoy an almost clean PC.
I thought.
But it was still present.
So I got BlackLight and it found all the files; there were like 19 files (DLL and EXE), hldrrr.exe and one other I can't remember. I checked the filenames on Google to see if they were some important system files; since they weren't, I renamed them with BlackLight.
Then I got Registry Booster to remove all unnecessary starters.
After reboot I noticed in Start / Run / msconfig that hldrrr and wintems were still set to start up; however, they wouldn't start since I had renamed those files, so just uncheck them.
Well, anyhow, the PC IS CLEAN! Yippee!
Now you can execute safebootkeyrepair.exe and use your Windows completely normally ;D I'M SO HAPPY. (Hates formatting and reinstalling Windows.)
Thanks for all the support, everyone, and all the other forums. ;D
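The clean-up described in the post above (Run-key entries that msconfig still showed after the files were renamed, files hidden in the system folder, the hidn folder), as an added PowerShell audit script; it is not code from the thread, The Avenger or BlackLight. The value name drv_st_key, the file names hldrrr.exe and wintems.exe, and the hidn folder are taken from the post and are what this one thread saw, not a general signature. The script lists Run and RunOnce entries whose target executable no longer exists, flags the names the post mentions, and lists hidden files in System32, which Explorer and a plain dir skip. It sticks to PowerShell 2.0 features so it runs on an XP-era install.

```powershell
# Added example: audit the start-up locations the post mentions. An entry
# whose target file is missing is exactly what a renamed worm file leaves
# behind; an entry named or pointing at something from the post is flagged too.

$suspectNames = @('hldrrr.exe', 'wintems.exe')   # file names from the post
$suspectValue = 'drv_st_key'                      # Run value name from the post
$suspectDir   = Join-Path $env:APPDATA 'hidn'     # folder from the Avenger script

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a Run-key command line, quoted or not, e.g.
#   "C:\WINDOWS\system32\wintems.exe" /x   or   C:\WINDOWS\system32\wintems.exe
function Get-CommandPath([string]$Command) {
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $exe = ($cmd -split '\s+')[0]
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# Rooted paths are checked directly; bare names (rundll32.exe) are resolved via PATH.
function Test-TargetExists([string]$Path) {
    if (-not $Path) { return $false }
    if ([IO.Path]::IsPathRooted($Path)) { return (Test-Path -LiteralPath $Path) }
    return [bool](Get-Command $Path -ErrorAction SilentlyContinue)
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # provider metadata, not a value
        $target = Get-CommandPath ([string]$p.Value)
        $leaf   = if ($target) { [IO.Path]::GetFileName($target) } else { '' }
        $flags  = @()
        if ($p.Name -eq $suspectValue)         { $flags += 'value name from post' }
        if ($suspectNames -contains $leaf)     { $flags += 'file name from post' }
        if (-not (Test-TargetExists $target))  { $flags += 'target missing' }
        if ($flags.Count -gt 0) {
            '{0}\{1} = {2}  [{3}]' -f $key, $p.Name, $p.Value, ($flags -join ', ')
        }
    }
}

# Hidden files are invisible without -Force; the post says the worm kept
# its copies hidden in the system folder.
$sys32 = Join-Path $env:SystemRoot 'System32'
'--- hidden files in {0} ---' -f $sys32
Get-ChildItem -LiteralPath $sys32 -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) } |
    Select-Object Name, Length, LastWriteTime

if (Test-Path -LiteralPath $suspectDir) { "Folder present: $suspectDir" }
```

One caveat the thread itself illustrates: this runs in user mode, so a file or key hidden by a kernel driver like the m_hook the Avenger script unloads will be hidden from PowerShell as well. Run it after the driver is unloaded, from safe mode, or alongside an offline scan as advised earlier in the thread, and treat "target missing" as something to look at, not as proof of cleanliness.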
Thanks for the follow-up, snakie, and for the link to safebootkeyrepair.exe. I'm sure this will prove useful in the future.
It's hard to say if the worm or the registry cleaner caused the safe boot problem, though I haven't seen it with this worm in the past. Either way, I think a review of the items any registry cleaner proposes to delete, prior to deletion, is good practice to avoid all sorts of problems. And always make a backup. 8)