srosa worm

Old 23rd Oct 2009, 15:28
  #1 (permalink)  
Per Ardua ad Astraeus
Thread Starter
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
srosa worm

Got hit by this on Wednesday and I'm still cleaning! It came through my AV and closed down that and Zone Alarm, rendered safe mode (XP SP3) unusable and stopped me running any exe files to restore those.

It has a very bad press on Google. I have restored the safe mode reg keys, reinstalled ZA and AV and followed several 'guides' on removal, but I am still getting remnants of it popping up. Anyone got a guaranteed fix (without re-format!)? One useful tip would be how it has rendered exes u/s!
BOAC is offline  
Old 23rd Oct 2009, 16:23
  #2 (permalink)  
 
Join Date: Apr 2005
Location: UK
Posts: 368
Likes: 0
Received 0 Likes on 0 Posts
What sites ("Got hit by this on Wednesday and I'm still cleaning") were you surfing? It might help others to avoid.
dazdaz is offline  
Old 23rd Oct 2009, 18:09
  #3 (permalink)  
 
Join Date: Apr 2005
Location: UK
Posts: 368
Likes: 0
Received 0 Likes on 0 Posts
No chance, not taking the risk on linking. Post more info as to this link plz.
dazdaz is offline  
Old 23rd Oct 2009, 20:32
  #4 (permalink)  
Per Ardua ad Astraeus
Thread Starter
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
Thanks Stacy - had seen that one, but since I can run Malware which 'keeps on' 'finding and quarantining' the problem I decided not to load yet another AV.

Dazdaz - cannot help - I was sent a zip file which passed Malwarebytes inspection but when opened infected.

There is something 'hiding' somewhere - it is just a case of finding it!
BOAC is offline  
Old 23rd Oct 2009, 20:57
  #5 (permalink)  
Spoon PPRuNerist & Mad Inistrator
 
Join Date: Sep 2003
Location: Twickenham, home of rugby
Posts: 7,418
Received 282 Likes on 180 Posts
Win32.Bagle is a nasty one - have you tried Combo-Fix?

See thread on Kaspersky Forums.

SD
Saab Dastard is offline  
Old 24th Oct 2009, 07:57
  #6 (permalink)  
Per Ardua ad Astraeus
Thread Starter
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
I'm almost there, but stuck with

Documents and Settings\xxxxxx\Application Data\drivers\downld (Worm.Bagle). (A classic signature)

I can delete the folder, but on reboot it reappears. Everything else has gone (I think!). I'll give the Kaspersky routine a blast today. B***s hiding somewhere!

EDIT:

I will post the link to the reg safe boot 'restore keys' in the sticky. Despite all, I still cannot use system restore - it goes right through the process and then says 'fail'.

I still have backed up reg files from before the 'invasion' - is there any merit in restoring these and if so which?

Last edited by BOAC; 24th Oct 2009 at 08:16.
BOAC is offline  
Old 24th Oct 2009, 17:42
  #7 (permalink)  
Per Ardua ad Astraeus
Thread Starter
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
Overdue apologies and thanks to StaceyF for my 'dissing' the suggestion made - I thought, because I had sorted safeboot and Malwarebytes already it would not help.

Ran it this PM as per the link and I have now had a 'clean' Malwarebytes scan, and am running 'housecall' through the whole system at this time. No flagging of worm bagle so far. I do, however, still have the folder as above 'Documents and Settings\xxxxxx\Application Data\drivers\downld' which continually reappears on reboot (as a hidden but empty folder).

Other problem is system restore is still not working so I ain't out of the woods yet, but a bit closer to the edge
BOAC is offline  
Old 24th Oct 2009, 17:54
  #8 (permalink)  
 
Join Date: Jul 2005
Location: Following the sun and skiing... No snow involved just Spending the Kids Inheritance!
Age: 79
Posts: 175
Received 5 Likes on 1 Post
I'm feeling for you BOAC and hope that you clear this soon. As a matter of interest can say which AV you were running?
Tigger4Me is offline  
Old 24th Oct 2009, 18:09
  #9 (permalink)  
More bang for your buck
 
Join Date: Nov 2005
Location: land of the clanger
Age: 82
Posts: 3,512
Likes: 0
Received 0 Likes on 0 Posts
BOAC, there are a range of options for deleting stubborn folders here: Cannot delete file or folder | Windows Problem Solver

But it may be that it's being re-created by a program that starts up whilst booting. Try 'configsys' and look through the start up programs and un-tick any that are not essential, then do the same in the 'services' tab, but make a note of what you've done so you can restore them as needed.
green granite is offline  
Old 24th Oct 2009, 20:47
  #10 (permalink)  
Per Ardua ad Astraeus
Thread Starter
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
Thanks for the sympathy - I know where that is in the Oxford Dictionary

In order:

It was Avast that 'appeared' to have let it through

GG - I did that early on and cannot see anything suspicious - I'm pretty sure it is in the reg, but again Hijack this shows no nasties that I recognise. It's not that I cannot delete the folder - if I change the attributes I can. It just reappears on reboot.
BOAC is offline  
Old 25th Oct 2009, 04:20
  #11 (permalink)  
Chief Tardis Technician
 
Join Date: Jan 2001
Location: Western Australia S31.715 E115.737
Age: 71
Posts: 554
Likes: 0
Received 0 Likes on 0 Posts
BOAC,

The little bugger may be coming back from the system restore files, I have had a similar thing happen in the past. Try turning System Restore off (all the restore files will be lost). Then delete the infected directory.

Run msconfig if you can, and have a look in the services and startup tabs and see if anything odd is present; untick anything that looks strange (you can always retick later).

Odd start files that contain random alpha characters are a good bet.
Avtrician is offline  
Old 25th Oct 2009, 08:25
  #12 (permalink)  
Per Ardua ad Astraeus
Thread Starter
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
Avt - restore went a while back, and all remaining RPs have gone in the bin. As I said to GG I have checked config and there seems to be nothing there. I think this little **** is too cunning to lodge there!

Still showing 'Documents and Settings\xxxxxx\Application Data\drivers\downld' which continually reappears on reboot (as a hidden but empty folder) having been deleted. It is triggering a Malwarebytes worm.bagle warning but I cannot see any files in the folders (unhidden), size 0.

This is pretty well identical to new virus which I have just found and I'm working through that today, except I do not have any sys restore folders now nor do I have a ***\Application Data\m\ folder.

Last edited by BOAC; 25th Oct 2009 at 09:05.
BOAC is offline  
Old 25th Oct 2009, 09:56
  #13 (permalink)  

Official PPRuNe Chaplain
 
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
Likes: 0
Received 0 Likes on 0 Posts
Time to copy your documents, wipe the HD, and install Windows 7?
Keef is offline  
Old 25th Oct 2009, 10:04
  #14 (permalink)  
Per Ardua ad Astraeus
Thread Starter
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
As with all things Windows, Keef, watching and waiting; I think SP1 would be a good point to join the party.
BOAC is offline  
Old 25th Oct 2009, 12:33
  #15 (permalink)  
Per Ardua ad Astraeus
Thread Starter
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
A further puzzle has developed today. I'm wondering (in a 'non-expert' way) whether all my hacking and slashing has in fact emasculated the virus but not eliminated it.

All references are to the infected profile (which has admin status - yes, I know.....)

Malwarebytes scans:

Scan Documents and Settings\xxxxxx\Application Data\ - MB tells me I have worm.bagle in Documents and Settings\xxxxxx\Application Data\drivers\downld - 'cleaning' has no effect

Scan \drivers and/or \drivers\downld - no infection flagged up.

Could it be that the 'signature' is the presence of the folders \drivers\downld but that the worm is no longer able to write to those folders?

If only I could find where the thing hides.................
BOAC is offline  
Old 25th Oct 2009, 13:03
  #16 (permalink)  
More bang for your buck
 
Join Date: Nov 2005
Location: land of the clanger
Age: 82
Posts: 3,512
Likes: 0
Received 0 Likes on 0 Posts
possibly a bit more info for you: Description


When I-Worm.Bagle.gt is executed, it performs the following activities:
It drops the following files in the Application Data folder:
%User Profile%\Application Data\hldrrr.exe
%User Profile%\Application Data\hidn2.exe

Upon execution, it creates a text file named ERROR.TXT in the root folder (usually C). The said file contains the following string:

Text decoding error.

For autoexecution it creates the registry entry below:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
drv_st_key = "%User Profile%\Application Data\hidn\hidn2.exe"

Other System Modifications:

This worm creates the following registry key and entry as part of its installation routine:

HKCU\Software\FirstRun
FirstRun = "1"

In addition, it deletes the following registry key to prevent the system from restarting in safe mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

also:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
* mule_st_key = c:\documents and settings\administrator\application data\m\flec006.exe


Not certain if you've seen this: Removal Win32.Worm.Bagle - Malware City Blogs
green granite is offline  
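A read-only triage script, added here as an example and not posted by anyone in the thread, that checks a profile for the indicators quoted in the description above (the two Run values, the FirstRun marker, the missing SafeBoot key, the dropped files) plus the hidden `drivers\downld` folder BOAC keeps seeing. It assumes a current PowerShell; on XP `$env:APPDATA` resolves to `%User Profile%\Application Data`, on later Windows to the Roaming AppData folder.

```powershell
# Added example (not from the thread): report-only check for the Bagle
# indicators described in post #16. Nothing is deleted or changed.
# Paths and value names come from the thread; everything else is assumed.

$appData = $env:APPDATA   # %User Profile%\Application Data on XP

# Autostart values the description attributes to the worm
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

foreach ($name in 'drv_st_key', 'mule_st_key') {
    $entry = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($entry) {
        $findings += "Run value '$name' present -> $($entry.$name)"
    }
}

# Marker key created during installation
if (Test-Path 'HKCU:\Software\FirstRun') {
    $findings += 'HKCU\Software\FirstRun exists (FirstRun marker)'
}

# The worm deletes SafeBoot; a healthy system has Minimal and Network subkeys
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
foreach ($sub in 'Minimal', 'Network') {
    if (-not (Test-Path "$safeBoot\$sub")) {
        $findings += "SafeBoot\$sub is missing (safe mode will not boot)"
    }
}

# Dropped files and folders named in the thread; -Force shows hidden items
$paths = @(
    (Join-Path $appData 'hldrrr.exe'),
    (Join-Path $appData 'hidn2.exe'),
    (Join-Path $appData 'hidn\hidn2.exe'),
    (Join-Path $appData 'm'),
    (Join-Path $appData 'drivers\downld'),
    'C:\ERROR.TXT'
)
foreach ($p in $paths) {
    $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "$p exists (attributes: $($item.Attributes))"
    }
}

if ($findings.Count -eq 0) {
    'No Bagle indicators from the thread were found.'
} else {
    $findings | ForEach-Object { "SUSPECT: $_" }
}
```

Run it from the profile that shows the symptoms, since the Run values and folders live under HKCU and the user's own Application Data; an empty report for the Administrator profile does not clear the infected one.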
Old 25th Oct 2009, 13:42
  #17 (permalink)  
Per Ardua ad Astraeus
Thread Starter
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
GG - thanks for the extra info some of which I had not seen - problem is I have 'none of the above' on my system. The Blog link I saw on Thursday by which time I had removed the reg keys, reinstated safeboot with the reg plug-in I mentioned and confirmed those files did not exist. A real puzzle. Running 'Super anti-spyware' at the moment.

Bizarrely too, if I boot into 'Administrator' I get Documents and Settings\Administrator\Application Data\drivers but without the 'downld' folder!
BOAC is offline  
Old 25th Oct 2009, 14:23
  #18 (permalink)  
More bang for your buck
 
Join Date: Nov 2005
Location: land of the clanger
Age: 82
Posts: 3,512
Likes: 0
Received 0 Likes on 0 Posts
Therefore it must come from something that is run when you as non-admin start up but not when admin starts up. Since it (I assume) came as an E-Mail attachment, perhaps it's in whatever your E-Mail client is.
green granite is offline  
Old 25th Oct 2009, 14:52
  #19 (permalink)  
Per Ardua ad Astraeus
Thread Starter
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
GG - "All references are to the infected profile (which has admin status - yes, I know.....)". I think the email side is not involved - it was a downloaded zip. Any ideas on the Malwarebytes behaviour?
BOAC is offline  
Old 25th Oct 2009, 15:04
  #20 (permalink)  
More bang for your buck
 
Join Date: Nov 2005
Location: land of the clanger
Age: 82
Posts: 3,512
Likes: 0
Received 0 Likes on 0 Posts
No I haven't, but you could try sending them an E-Mail telling them what you've done and what's happening now; I'm sure they'll help you if they can: Malwarebytes.org
green granite is offline  