WIN32 : Beagle-BG3 (need help)

Hi people.

I got a virus (or many) that corrupted my AVG Free anti-virus software; I also cannot delete it from the Control Panel (it’s not there).

I installed Avast Home Edition (free) and did a boot scan. It found 18 viruses, such as Win32:Beagle-BG3. So far so good.

In Windows, the interactive scan found (again) the same virus 5 times. I asked it to put it in the Avast chest.

Something strange too is that every time I reach my OS, a folder window appears with
c://windows/system32/Microsoft/
and a Protect folder in it (it contains nothing).

I downloaded HijackThis and ran a scan; here is the result. If any of you can help me get rid of that virus, please help!

Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 11:45:47, on 2005-04-24
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\mizu\LOCALS~1\Temp\Rar$EX01.219\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Playback Support Dll - {9D9A7350-46C9-4E3C-92EF-382B5740A1C3} - C:\WINDOWS\System32\bvicore.dll
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINDOWS\webdir.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [E-Color Registration] C:\Program Files\E-Color\Registration\SonnReg.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [Jet Detection] “C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe”
O4 - HKLM..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM..\Run: [WC] C:\PROGRA~1\Miclone\WORLDC~1\WORLDC~1.EXE
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [Microsoft Outrunner H20] C:\WINDOWS\system32\Microsoft Outrunner\OUTRUNNER.exe /start
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\RunServices: [Microsoft Server Application] Sound.exe
O4 - HKLM..\RunServices: [Windows Compliant] qtdmzi.exe
O4 - HKCU..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKCU..\Run: [keydrv.exe] C:\WINDOWS\System32\winsystems.exe
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra ‘Tools’ menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.emploiquebec.net
O15 - Trusted Zone: http://www.hotmail.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/82/html/gtdownlr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4B280838-680A-486E-A99F-F97D73F82D42} (egames.AxRTPC) - http://dreamville.e-games.com.my/AxClient/AxRTPC.CAB
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/renderer/mabiweb_JP.2005.2.2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {8F9D2276-C29C-4122-A7B6-B323773B385B} (e-games.installer) - http://dreamville.e-games.com.my/themepark/Install/axDown2003.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip..{C83B63A2-A53D-425C-A6E4-6CE6714804F8}: NameServer = 206.108.60.11 206.108.60.12
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Hi mizu,

Definitely remove these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Media Playback Support Dll - {9D9A7350-46C9-4E3C-92EF-382B5740A1C3} - C:\WINDOWS\System32\bvicore.dll
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINDOWS\webdir.dll
O4 - HKLM..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKLM..\Run: [WC] C:\PROGRA~1\Miclone\WORLDC~1\WORLDC~1.EXE
O4 - HKLM..\Run: [Microsoft Outrunner H20] C:\WINDOWS\system32\Microsoft Outrunner\OUTRUNNER.exe /start
O4 - HKLM..\RunServices: [Microsoft Server Application] Sound.exe
O4 - HKLM..\RunServices: [Windows Compliant] qtdmzi.exe
O4 - HKCU..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKCU..\Run: [keydrv.exe] C:\WINDOWS\System32\winsystems.exe
O17 - HKLM\System\CCS\Services\Tcpip..{C83B63A2-A53D-425C-A6E4-6CE6714804F8}: NameServer = 206.108.60.11 206.108.60.12
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)

It’s also safe to remove these (they are not malware though, so I’ll leave what is removed up to you):

BHO and Toolbar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

Program autostarts
O4 - HKLM..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM..\Run: [Jet Detection] “C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot

Internet Explorer Extra ‘Tools’ menuitems and buttons
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra ‘Tools’ menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

If you didn’t add these to your Internet Explorer Trusted Zone, remove them
O15 - Trusted Zone: http://*.emploiquebec.net
O15 - Trusted Zone: http://www.hotmail.com

Downloaded Program files
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/82/html/gtdownlr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4B280838-680A-486E-A99F-F97D73F82D42} (egames.AxRTPC) - http://dreamville.e-games.com.my/AxClient/AxRTPC.CAB
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/renderer/mabiweb_JP.2005.2.2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {8F9D2276-C29C-4122-A7B6-B323773B385B} (e-games.installer) - http://dreamville.e-games.com.my/themepark/Install/axDown2003.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

Then search/browse for and delete these files (if there):

C:\WINDOWS\System32\bvicore.dll
C:\WINDOWS\webdir.dll
C:\WINDOWS\LMU.exe
Sound.exe
qtdmzi.exe
C:\WINDOWS\System32\winshost.exe
C:\WINDOWS\System32\winsystems.exe
C:\WINDOWS\System32\angelex.exe

Then search/browse for and delete this folder:
C:\WINDOWS\system32\Microsoft Outrunner

Also delete this folder if you don’t recognize it:

O4 - HKLM..\Run: [WC] C:\PROGRA~1\Miclone\WORLDC~1\WORLDC~1.EXE

Then run a boot-time scan with Avast, set to scan within archives (open Avast > Menu (top left-hand corner) > Boot time scan).

Then run any spyware scanners you have (Spybot/Ad-Aware/Microsoft AntiSpyware etc.).

Then remove any temp files you have; a good program for this is CCleaner: http://www.filehippo.com/download/ncAOCJr-Om3Lq35Rh3QQoQ2/download.html

Then go to Windows Update and install all Windows and Internet Explorer updates/patches (www.windowsupdate.com).

Let us know how you get on, and also, after all of the above is done, post a fresh HijackThis log so we can confirm you’re safe.

–lee
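The triage applied in the reply above comes down to a few repeatable checks on the log: O23 services whose file is missing, Run/RunServices values that name a bare file with no directory, autostart names that borrow Microsoft/Windows branding, BHO DLLs dropped straight into the Windows or System32 directory, and O17 name servers that must be checked against the ISP before being fixed. The following Python script is an added example written for this page, not a tool from the thread or from HijackThis itself; the sample lines are copied from the log posted above, and the heuristics and the function names (`triage`, `target_of`) are this example’s own. Each finding is a lead for a human to verify, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the HijackThis log posted earlier in this thread.
# The "HKLM..\Run" spelling is how the log appears in the post; real logs write "HKLM\..\Run",
# and the patterns below accept both forms.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Playback Support Dll - {9D9A7350-46C9-4E3C-92EF-382B5740A1C3} - C:\WINDOWS\System32\bvicore.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKLM..\Run: [Microsoft Outrunner H20] C:\WINDOWS\system32\Microsoft Outrunner\OUTRUNNER.exe /start
O4 - HKLM..\RunServices: [Microsoft Server Application] Sound.exe
O4 - HKLM..\RunServices: [Windows Compliant] qtdmzi.exe
O17 - HKLM\System\CCS\Services\Tcpip..{C83B63A2-A53D-425C-A6E4-6CE6714804F8}: NameServer = 206.108.60.11 206.108.60.12
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "O4 - <body>", "R0 - <body>", "F1 - <body>": section code, then the entry itself.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# Run-key form: hive, key name (Run, RunServices, ...), [value name], command line.
RUNKEY_RE = re.compile(r"^(HKLM|HKCU)[^:]*\\(Run\w*): \[([^\]]*)\] (.*)$")
# Command-line tokens: a double-quoted path (straight or curly quotes) or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|\u201c[^\u201d]*\u201d|\S+')


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    entry: str     # the full log line the finding refers to
    reason: str    # why a human should look at it


def target_of(command):
    """Best-effort guess at the file a Run-key command launches (example helper).

    Quoted paths are kept whole, and for rundll32 the DLL argument is the real payload.
    An unquoted path containing spaces is cut at the first space, which is still enough
    for the 'has a directory component or not' test used by triage()."""
    tokens = [t.strip('"\u201c\u201d') for t in TOKEN_RE.findall(command)]
    if not tokens:
        return ""
    if tokens[0].lower() == "rundll32.exe" and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    return tokens[0]


def triage(log_text):
    """Apply the review heuristics to every entry line and return the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            run = RUNKEY_RE.match(body)
            if not run:
                continue  # Startup-folder .lnk entries are not checked here
            hive, key, name, command = run.groups()
            target = target_of(command)
            if target and "\\" not in target:
                findings.append(Finding(section, line,
                    f"bare filename '{target}' in {hive}\\{key}: it is resolved through the "
                    "search path, so verify which file on disk actually runs"))
            if name.lower().startswith(("microsoft", "windows")):
                findings.append(Finding(section, line,
                    f"value name '{name}' borrows OS branding; genuine components rarely register "
                    "themselves under such a name"))
        elif section == "O2":
            path = body.rsplit(" - ", 1)[-1]
            parent = path.rsplit("\\", 1)[0].lower()
            if parent.endswith(("\\windows", "\\system32")):
                findings.append(Finding(section, line,
                    "browser helper DLL sits directly in the Windows directory rather than "
                    "in its own program folder"))
        elif section == "O17":
            findings.append(Finding(section, line,
                "DNS servers are set in the registry: confirm they belong to the ISP before fixing"))
        elif section == "O23" and "(file missing)" in body:
            findings.append(Finding(section, line,
                "service points at a file that is not on disk: orphaned entry or a hidden loader"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.entry}")
```

On the sample the script flags bvicore.dll, the two RunServices entries (twice each), the Outrunner autostart, nwiz.exe, the O17 name servers and the ISEXEng service, and leaves Acrobat, the NVIDIA entries and the Creative entry alone. It also shows the limits of rules like these: LMU.exe passes every check although the reply removes it, and on the full log the "(file missing)" rule would also fire on the two avast! services whose paths carry a stray quote, so the output narrows the list for a person rather than replacing one.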

Hi mizu,

If oricom.ca does mean anything to you (your provider?), then don’t fix the O17 entry.

:wink:

Thanks!!

I’ve done everything you told me, and erased the O17 too… yes, it’s my internet provider… I hope it won’t cause any trouble.

Here is the new HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 13:51:40, on 2005-04-24
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\mizu\Desktop\HijackThis.exe

O4 - HKLM..\Run: [E-Color Registration] C:\Program Files\E-Color\Registration\SonnReg.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I’ve done everything you told me, and erased the O17 too… yes, it’s my internet provider… I hope it won’t cause any trouble.

Well, I didn’t mean delete it if it’s your internet provider, but it shouldn’t cause you too much trouble. However, if you want, you can restore it by doing this:

Open HijackThis > click ‘Open Misc tools section’ > click ‘Backup’ > then find ‘O17 - HKLM\System\CCS\Services\Tcpip..{C83B63A2-A53D-425C-A6E4-6CE6714804F8}: NameServer = 206.108.60.11 206.108.60.12
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)’ and check the box, then click Restore.

While you’re there, you may want to delete some of the backups, as some are definite malware (but not all are, though).

Also, I notice your log seems to be clean now; are you finding that your PC problem is gone and your PC is running faster?

Also, from your log I see your XP is out of date. I very much suggest that you go to www.windowsupdate.com and install the latest Service Pack (SP2), then update that to its latest version; this will stop malware from getting back on your system (it’s almost certain to without it).

Also, I see from your log that you have no firewall. Are you running a hardware one? (Usually inside a router.)
If not, I suggest you download one; a good one is Sygate, and you can get it from here: http://www.simtel.com/product.download.mirrors.php?id=53687

Let us know how you’re getting on, and if you need help :wink:

–lee

Well, thanks, I downloaded Sygate.

I can’t really update my Windows, because I’m using the same one as my dad.
Since he is frequently on it, Microsoft doesn’t accept families having only 1 copy of Windows (I don’t appreciate that).

But I’ll figure out a way to protect my computer.

Thanks again!!

I can’t really update my Windows, because I’m using the same one as my dad. Since he is frequently on it, Microsoft doesn’t accept families having only 1 copy of Windows (I don’t appreciate that).

Yes, Microsoft like to make things difficult like that.

But as you can’t update to a safer version of IE, may I suggest another browser then; at least it will be safer for your machine (it’s also free).

I personally like Firefox: http://www.mozilla.org/products/firefox/
You can get a guide for Firefox here: http://www.nidelven-it.no/articles/introduction_to_firefox_4

But if you would rather have a browser that has more of an Internet Explorer look and feel, try http://www.maxthon.com/

–lee

I have found the same virus on my sister’s PC (not connected to mine in any way), and there it is located in the C:\System Volume Information\ folder, meaning it is in the system recovery section. But the strangest thing is she can’t visit any https site, nor Windows Update, and system recovery itself won’t work as well.

I deactivated the system recovery, rebooted the system and did a full system scan again. It found nothing, but I still cannot use Windows Update or any https site.

Are there any ideas as to what I can try to get that working again and be sure the virus is gone?

THNX