srosa worm


BOAC
23rd Oct 2009, 15:28
Got hit by this on Wednesday and I'm still cleaning! It came through my AV and closed down that and Zone Alarm, rendered safe mode (XP SP3) unusable and stopped me running any exe files to restore those.

It has a very bad press on Google. I have restored the safe mode reg keys, reinstalled ZA and AV and followed several 'guides' on removal, but I am still getting remnants of it popping up. Anyone got a guaranteed fix (without re-format!)? One useful tip would be how it has rendered exes u/s!

dazdaz
23rd Oct 2009, 16:23
"Got hit by this on Wednesday and I'm still cleaning" - what sites were you surfing? :E It might help others to avoid.

dazdaz
23rd Oct 2009, 18:09
No chance, not taking the risk on linking. Post more info as to this link plz

BOAC
23rd Oct 2009, 20:32
Thanks Stacy - had seen that one, but since I can run Malware which 'keeps on' 'finding and quarantining' the problem I decided not to load yet another AV.

Dazdaz - cannot help - I was sent a zip file which passed Malwarebytes inspection but when opened infected.

There is something 'hiding' somewhere - it is just a case of finding it!

Saab Dastard
23rd Oct 2009, 20:57
Win32.Bagle is a nasty one - have you tried Combo-Fix?

See thread on Kaspersky Forums (http://forum.kaspersky.com/index.php?showtopic=59482).

SD

BOAC
24th Oct 2009, 07:57
I'm almost there, but stuck with

Documents and Settings\xxxxxx\Application Data\drivers\downld (Worm.Bagle). (A classic signature)

I can delete the folder, but on reboot it reappears. Everything else has gone (I think!). I'll give the Kaspersky routine a blast today. B***s hiding somewhere!

EDIT:

I will post the link to the reg safe boot 'restore keys' in the sticky. Despite all, I still cannot use system restore - it goes right through the process and then says 'fail'.

I still have backed up reg files from before the 'invasion' - is there any merit in restoring these and if so which?

BOAC
24th Oct 2009, 17:42
Overdue apologies and thanks to StaceyF for my 'dissing' the suggestion made - I thought, because I had sorted safeboot and Malwarebytes already it would not help.

Ran it this PM as per the link and I have now had a 'clean' Malwarebytes scan, and am running 'housecall' through the whole system at this time. No flagging of worm bagle so far. I do, however, still have the folder as above 'Documents and Settings\xxxxxx\Application Data\drivers\downld' which continually reappears on reboot (as a hidden but empty folder).

Other problem is system restore is still not working so I ain't out of the woods yet, but a bit closer to the edge:)

Tigger4Me
24th Oct 2009, 17:54
I'm feeling for you BOAC and hope that you clear this soon. As a matter of interest, can you say which AV you were running?

green granite
24th Oct 2009, 18:09
BOAC, there are a range of options for deleting stubborn folders here: Cannot delete file or folder | Windows Problem Solver (http://winhlp.com/node/39)

But it may be that it's being re-created by a program that starts up whilst booting. Try 'configsys' and look through the start up programs and un-tick any that are not essential, then do the same in the 'services' tab, but make a note of what you've done so you can restore them as needed.

BOAC
24th Oct 2009, 20:47
Thanks for the sympathy - I know where that is in the Oxford Dictionary:)

In order:

It was Avast that 'appeared' to have let it through

GG - I did that early on and cannot see anything suspicious - I'm pretty sure it is in the reg, but again Hijack this shows no nasties that I recognise. It's not that I cannot delete the folder - if I change the attributes I can. It just reappears on reboot.

Avtrician
25th Oct 2009, 04:20
BOAC,

The little bugger may be coming back from the system restore files, I have had a similar thing happen in the past. Try turning System Restore off (all the restore files will be lost). Then delete the infected directory.

Run msconfig if you can, and have a look in the services and startup tabs and see if anything odd is present; untick anything that looks strange (you can always retick later).

Odd start files that contain random alpha characters are a good bet.

BOAC
25th Oct 2009, 08:25
Avt - restore went a while back, and all remaining RPs have gone in the bin. As I said to GG I have checked config and there seems to be nothing there. I think this little **** is too cunning to lodge there!

Still showing 'Documents and Settings\xxxxxx\Application Data\drivers\downld' which continually reappears on reboot (as a hidden but empty folder) having been deleted. It is triggering a Malwarebytes worm.bagle warning but I cannot see any files in the folders (unhidden), size 0.

This is pretty well identical to new virus (http://www.computing.net/answers/security/new-virus/26128.html) which I have just found and I 'm working through that today, except I do not have any sys restore folders now nor do I have a ***\Application Data\m\. folder.

Keef
25th Oct 2009, 09:56
Time to copy your documents, wipe the HD, and install Windows 7?

BOAC
25th Oct 2009, 10:04
As with all things Windows, keef, watching and waiting:) I think SP1 would be a good point to join the party.

BOAC
25th Oct 2009, 12:33
A further puzzle has developed today. I'm wondering (in a 'non-expert' way) whether all my hacking and slashing has in fact emasculated the virus but not eliminated it.

All references are to the infected profile (which has admin status - yes, I know.....)

Malwarebytes scans:

Scan Documents and Settings\xxxxxx\Application Data\ - MB tells me I have worm.bagle in Documents and Settings\xxxxxx\Application Data\drivers\downld - 'cleaning' has no effect

Scan \drivers and/or \drivers\downld - no infection flagged up.

Could it be that the 'signature' is the presence of the folders \drivers\downld but that the worm is no longer able to write to those folders?

If only I could find where the thing hides.................:ugh:

green granite
25th Oct 2009, 13:03
possibly a bit more info for you: Description


When I-Worm.Bagle.gt is executed, it performs the following activities:

It drops the following files in the Application Data folder:
%User Profile%\Application Data\hldrrr.exe
%User Profile%\Application Data\hidn2.exe

Upon execution, it creates a text file named ERROR.TXT in the root folder (usually C:\). The said file contains the following string:

Text decoding error.

For autoexecution it creates the registry entry below:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
drv_st_key = "%User Profile%\Application Data\hidn\hidn2.exe"

Other System Modifications:

This worm creates the following registry key and entry as part of its installation routine:

HKCU\Software\FirstRun
FirstRun = "1"

In addition, it deletes the following registry key to prevent the system from restarting in safe mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

also:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key = c:\documents and settings\administrator\application data\m\flec006.exe


Not certain if you've seen this: Removal Win32.Worm.Bagle - Malware City Blogs (http://www.malwarecity.com/blog/removal-win32wormbagle-124.html)

BOAC
25th Oct 2009, 13:42
GG - thanks for the extra info some of which I had not seen - problem is I have 'none of the above' on my system. The Blog link I saw on Thursday by which time I had removed the reg keys, reinstated safeboot with the reg plug-in I mentioned and confirmed those files did not exist. A real puzzle. Running 'Super anti-spyware' at the moment.

Bizarrely too, if I boot into 'Administrator' I get Documents and Settings\Administrator\Application Data\drivers but without the 'downld' folder!

green granite
25th Oct 2009, 14:23
Therefore it must come from something that is run when you as non-admin start up but not when admin starts up. Since it (I assume) came as an E-Mail attachment perhaps it's in whatever your E-Mail client is.

BOAC
25th Oct 2009, 14:52
GG - "All references are to the infected profile (which has admin status - yes, I know.....)". I think the email side is not involved - it was a downloaded zip. Any ideas on the Malwarebytes behaviour?

green granite
25th Oct 2009, 15:04
No I haven't, but you could try sending them an E-Mail telling them what you've done and what's happening now. I'm sure they'll help you if they can: Malwarebytes.org (http://www.malwarebytes.org/contact.php)

BOAC
25th Oct 2009, 15:18
Thanks for the memory jog - I have emailed, but I'm not sure how much support they offer for the 'freebie' gang.:)

BOAC
27th Oct 2009, 09:29
After severe 'attacking' yesterday I am pleased to report that Malwarebytes shows 'no infection' although the 'drivers' folder is still reappearing on reboot, so at last some more progress.

MWB have responded to my emailing (thanks GG) and are looking at the logs.

One (extra!) lesson I have noted is that if you run Combofix (having turned off sys restore) it 'restores' sys restore as part of its process. Worth watching.

cessnapuppy
27th Oct 2009, 15:13
I am always amazed to see people "fixing" a machine over 10..20 hours, but not really getting rid of an infection, whereas to format the machine cleanly and reinstall takes a known and finite piece of time and results in a machine that is KNOWN to be clean.

The steps are:
LOW LEVEL FORMAT THE DRIVE (to remove any boot sector Rootkits) - good time to think about putting in a brand new upgrade drive

Install the new OS (get your Windows 7 if you like)

Install your applications.

Selectively copy your data files, word docs, etc.


In the future, maintain a low privilege level account and do most of your activities as that user. Login as admin when you have to install or change some settings (or use the RUN AS function to run a program as administrator)

Use High security settings for your browser (IE) , Noscript (for Firefox) and No Javascript/Plugins for Opera (use site specific settings to allow javascript and plugs for sites you particularly trust.)

green granite
27th Oct 2009, 15:58
I am always amazed to see people "fixing" a machine over 10..20 hours,

It's the challenge of it.

C-N
27th Oct 2009, 16:51
SOURCE: wwwDOTmalwarecityDOTc0m/blog/removal-win32wormbagle-124.html


Removal Win32.Worm.Bagle

Date: 07/17/2008

Author: Andrei Bereczki


The Bagle worm is a piece of malware that spreads by itself over email, disk drives and network shares. It has rootkit capabilities that enable it to hide from the user. It disables the windows firewall and several antivirus products. It also drops a hosts file which disables access to certain anti-virus websites. Anti-virus software might be unable to perform any definition updates because of this.
In order to remove Win32.Worm (http://www.malwarecity.com/site/Main/listDictionary/W/#worm).Bagle we first have to know that we are infected with it.

1. Go to Start->Run and type cmd.exe
2. Browse to %windir%\system32\drivers by typing “cd %windir%\system32\drivers”
3. Type “dir srosa*” and “dir *.exe”. If you have some of the following files displayed you have a bagle infection:
   - srosa.sys (Bagle rootkit, almost in all versions)
   - pci32.sys (old versions)
   - hldrrr.exe or hidr.exe
   - mdelk.exe

[image: cmd-removal.gif]

You may also check “sc query srosa” and “sc query pci32” but this may or may not return results. Now if you successfully identified a Win32.Worm.Bagle infection it's time for neutralization and removal. Please follow these steps:

1. Type “copy null.sys srosa.sys” (replace srosa.sys with pci32.sys if you have the older version) in your command prompt. Note: it's supposed that you are still in %windir%\system32\drivers
   Explanation: we are replacing srosa.sys with the dummy null driver that does nothing, so this is what will be loaded on system startup upon reboot

2. Type “attrib +r +h srosa.sys” in your command prompt
   Explanation: the Trojan (http://www.malwarecity.com/site/Main/listDictionary/T/#trojan) component of bagle will try to rewrite srosa.sys on every system boot (http://www.malwarecity.com/site/Main/listDictionary/B/#boot). If it's hidden and read only it will not be able to do so (in these versions so far).

3. Reboot
4. Open a command shell (http://www.malwarecity.com/site/Main/listDictionary/S/#shell) again (see step 1 from the detection process)
5. Go to %windir%\system32\drivers (see step 2 from the detection process)
6. Unhide the hidden srosa file: “attrib -h srosa.sys”
7. Delete the files you detected earlier by typing: “del /f filename”. For example: “del /f srosa.sys”, “del /f hldrrr.exe”, “del /f mdelk.exe” etc.
8. Delete the registry (http://www.malwarecity.com/site/Main/listDictionary/R/#registry) keys it created by typing:
   reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "drvsyskit" /F
   reg delete "HKLM\SYSTEM\CurrentControlSet\Services\srosa" /F
9. Start regedit (Start -> Run then type: regedit.exe)
10. Browse to the following registry key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA and right click it.
11. Select Permissions, select Everyone then check Allow "Full-Control".
12. After this delete the key


At this point your system should be clean of the Bagle infection. If any of the steps above fails, please send us a copy of the file at virus-submission(AT)bitdefender.com in order to assist you with a specific removal guide.
Additional notes: this guide is intended for any type of user as long as they follow the exact steps described above. Any damage done to your system as a result of following this guide is your responsibility. Malwarecity.com cannot guarantee a successful removal for any threat (http://www.malwarecity.com/site/Main/listDictionary/T/#threat) version described above.


or better yet, call some techie friends or technicians. Then pay them, it's worth your data
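An added read-only triage script, not from the quoted malwarecity guide nor from any poster in this thread, that checks a machine for the indicators named in green granite's description above and in the removal steps just quoted (the dropped files in system32\drivers and Application Data, the Run values, the srosa/pci32 service keys, the LEGACY_SROSA enum key, the ERROR.TXT marker, and the deleted SafeBoot key). It assumes Windows PowerShell 2.0 or later run from the profile being checked; the $findings list and the report wording are my own.

```powershell
# Added triage script: lists the Bagle indicators named in this thread.
# Read-only: it deletes nothing and changes no registry value.
# Assumes Windows PowerShell 2.0+ run from the profile being checked.
$drivers  = Join-Path $env:windir 'system32\drivers'
$findings = @()

# 1. Driver/executable names the removal guide looks for in system32\drivers
foreach ($f in 'srosa.sys', 'pci32.sys', 'hldrrr.exe', 'hidr.exe', 'mdelk.exe') {
    $p = Join-Path $drivers $f
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

# 2. Items dropped under Application Data, plus the empty drivers\downld folder
#    that kept reappearing for BOAC, and the ERROR.TXT marker in the root folder
foreach ($rel in 'hldrrr.exe', 'hidn2.exe', 'hidn\hidn2.exe', 'drivers\downld') {
    $p = Join-Path $env:APPDATA $rel
    if (Test-Path -LiteralPath $p) { $findings += "AppData item present: $p" }
}
$err = Join-Path $env:SystemDrive 'ERROR.TXT'
if (Test-Path -LiteralPath $err) { $findings += "marker file present: $err" }

# 3. Autorun values and the FirstRun key the worm is reported to create
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($v in 'drv_st_key', 'drvsyskit', 'mule_st_key') {
    $item = Get-ItemProperty -Path $run -Name $v -ErrorAction SilentlyContinue
    if ($item) { $findings += "Run value: $v = $($item.$v)" }
}
if (Test-Path 'HKCU:\Software\FirstRun') { $findings += 'key present: HKCU\Software\FirstRun' }

# 4. Service and legacy enum entries for the rootkit driver
foreach ($svc in 'srosa', 'pci32') {
    if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc") {
        $findings += "service key present: $svc"
    }
}
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA') {
    $findings += 'key present: Enum\Root\LEGACY_SROSA'
}

# 5. The worm deletes the SafeBoot key, which is why safe mode stopped working;
#    its absence is itself an indicator on an XP box
if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')) {
    $findings += 'SafeBoot key MISSING (safe mode disabled)'
}

if ($findings.Count -eq 0) { 'No Bagle indicators from this thread were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A clean XP machine should print only the "No Bagle indicators" line; any "[!]" line is something to look at before deciding between a manual clean-up and the wipe-and-reinstall route discussed earlier in the thread.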

BOAC
27th Oct 2009, 17:20
Hmm ! Quite a postal backlog there.

Firstly I would prefer NOT to have to re-install all my programmes if I can avoid it. Obviously it is a last option.

aquamon - I didn't get a fair bit of that post and I don't recognise "Weren't you the same person earlier this year ..........". If you look back you will see there is nothing 'visible' in startup. Services are possibly next on the list after MWB come back again. They have asked for the combofix scan log

C-N thanks - checked all that a while ago and nothing there. Either a different variant or I had got rid of those bits myself.

The other 'advantage' to sticking with it is, of course, it improves the virus knowledge base (and I'm with GG:))

C-N
27th Oct 2009, 18:27
BOAC, the best option, IMO, is to just disconnect your HD and scan it in a clean system with updated AV. Then reconnect to your machine again. edit: Check also your windows firewall settings, in control panel. I'm sure it's also modified to allow the worm to propagate.

BOAC
27th Oct 2009, 22:03
Thought I would pop my head out of the trench and dodge the muck and bullets..................:)

So far MWB have been most attentive. They called for a combofix log and I have just run Combofix again with a script they sent, and have returned the log at their request. Very impressive for a 'free' software supplier.

green granite
27th Oct 2009, 22:06
They are offering an upgrade to the pro version for about $10 which is very reasonable.

BOAC
31st Oct 2009, 08:56
Gone!

MBAM cleared most of it but the rogue folders kept returning on boot. A mate sent me a link to 2 'new' av progs, Panda 'Cloud', an AV prog, and Norman 2009 Malware cleaner (sits nicely on a USB stick!). Norman does not need to be installed.

Panda required uninstallation of my (Avast) AV which I did and ran Panda Cloud. It found and cleaned a few entries. I also ran Norman which found more.

This am I have NO return of the folders. A MBAM scan shows me uninfected. I do not know which of the 2 'new' ones fixed it, of course, but I prefer Norman as it sits with the AV running. I'll add links to my forthcoming links in the sticky for both.

Saab Dastard
31st Oct 2009, 11:39
Result! :ok:

I admire your perseverance. :)

May I re-iterate my advice to run as a standard user account as much as possible?

SD

BOAC
31st Oct 2009, 13:13
Advice taken!!! Yes - I knew I should, but, you know.................:{ Lesson learnt.