srosa worm
Per Ardua ad Astraeus (Thread Starter) | Join Date: Mar 2000 | Location: UK | Posts: 18,579
Got hit by this on Wednesday and I'm still cleaning! It came through my AV and closed down that and Zone Alarm, rendered safe mode (XP SP3) unusable and stopped me running any exe files to restore those.
It has a very bad press on Google. I have restored the safe mode reg keys, reinstalled ZA and AV and followed several 'guides' on removal, but I am still getting remnants of it popping up. Anyone got a guaranteed fix (without re-format!)? One useful tip would be how it has rendered exes u/s!
Per Ardua ad Astraeus (Thread Starter) | Join Date: Mar 2000 | Location: UK | Posts: 18,579
Thanks Stacy - had seen that one, but since I can run Malware which 'keeps on' 'finding and quarantining' the problem I decided not to load yet another AV.
Dazdaz - cannot help - I was sent a zip file which passed Malwarebytes inspection but when opened infected.
There is something 'hiding' somewhere - it is just a case of finding it!
Per Ardua ad Astraeus (Thread Starter) | Join Date: Mar 2000 | Location: UK | Posts: 18,579
I'm almost there, but stuck with
Documents and Settings\xxxxxx\Application Data\drivers\downld (Worm.Bagle). (A classic signature)
I can delete the folder, but on reboot it reappears. Everything else has gone (I think!). I'll give the Kaspersky routine a blast today. B***s hiding somewhere!
EDIT:
I will post the link to the reg safe boot 'restore keys' in the sticky. Despite all, I still cannot use system restore - it goes right through the process and then says 'fail'.
I still have backed up reg files from before the 'invasion' - is there any merit in restoring these and if so which?
Last edited by BOAC; 24th Oct 2009 at 08:16.
Per Ardua ad Astraeus (Thread Starter) | Join Date: Mar 2000 | Location: UK | Posts: 18,579
Overdue apologies and thanks to StaceyF for my 'dissing' the suggestion made - I thought, because I had sorted safeboot and Malwarebytes already it would not help.
Ran it this PM as per the link and I have now had a 'clean' Malwarebytes scan, and am running 'housecall' through the whole system at this time. No flagging of worm bagle so far. I do, however, still have the folder as above 'Documents and Settings\xxxxxx\Application Data\drivers\downld' which continually reappears on reboot (as a hidden but empty folder).
Other problem is system restore is still not working so I ain't out of the woods yet, but a bit closer to the edge
I'm feeling for you BOAC and hope that you clear this soon. As a matter of interest, can you say which AV you were running?
More bang for your buck | Join Date: Nov 2005 | Location: land of the clanger | Age: 82 | Posts: 3,512
BOAC, there are a range of options for deleting stubborn folders here: Cannot delete file or folder | Windows Problem Solver
But it may be that it's being re-created by a program that starts up whilst booting. Try 'configsys' and look through the start up programs and un-tick any that are not essential, then do the same in the 'services' tab, but make a note of what you've done so you can restore them as needed.
Per Ardua ad Astraeus (Thread Starter) | Join Date: Mar 2000 | Location: UK | Posts: 18,579
Thanks for the sympathy - I know where that is in the Oxford Dictionary
In order:
It was Avast that 'appeared' to have let it through
GG - I did that early on and cannot see anything suspicious - I'm pretty sure it is in the reg, but again HijackThis shows no nasties that I recognise. It's not that I cannot delete the folder - if I change the attributes I can. It just reappears on reboot.
Chief Tardis Technician | Join Date: Jan 2001 | Location: Western Australia S31.715 E115.737 | Age: 71 | Posts: 554
BOAC,
The little bugger may be coming back from the system restore files, I have had a similar thing happen in the past. Try turning System Restore off (all the restore files will be lost). Then delete the infected directory.
Run msconfig if you can, and have a look in the services and startup tabs and see if anything odd is present, untick anything that looks strange (you can always retick later).
Odd start files that contain random alpha characters are a good bet.
Per Ardua ad Astraeus (Thread Starter) | Join Date: Mar 2000 | Location: UK | Posts: 18,579
Avt - restore went a while back, and all remaining RPs have gone in the bin. As I said to GG I have checked config and there seems to be nothing there. I think this little **** is too cunning to lodge there!
Still showing 'Documents and Settings\xxxxxx\Application Data\drivers\downld' which continually reappears on reboot (as a hidden but empty folder) having been deleted. It is triggering a Malwarebytes worm.bagle warning but I cannot see any files in the folders (unhidden), size 0.
This is pretty well identical to new virus which I have just found and I'm working through that today, except I do not have any sys restore folders now nor do I have a ***\Application Data\m\. folder.
Last edited by BOAC; 25th Oct 2009 at 09:05.
Per Ardua ad Astraeus (Thread Starter) | Join Date: Mar 2000 | Location: UK | Posts: 18,579
A further puzzle has developed today. I'm wondering (in a 'non-expert' way) whether all my hacking and slashing has in fact emasculated the virus but not eliminated it.
All references are to the infected profile (which has admin status - yes, I know.....)
Malwarebytes scans:
Scan Documents and Settings\xxxxxx\Application Data\ - MB tells me I have worm.bagle in Documents and Settings\xxxxxx\Application Data\drivers\downld - 'cleaning' has no effect
Scan \drivers and/or \drivers\downld - no infection flagged up.
Could it be that the 'signature' is the presence of the folders \drivers\downld but that the worm is no longer able to write to those folders?
If only I could find where the thing hides.................
More bang for your buck | Join Date: Nov 2005 | Location: land of the clanger | Age: 82 | Posts: 3,512
possibly a bit more info for you: Description
When I-Worm.Bagle.gt is executed, it performs the following activities:
It drops the following files in the Application Data folder:
"%User Profile%\Application Data%"\hldrrr.exe
"%User Profile%\Application Data%"\hidn2.exe
Upon execution, it creates a text file named ERROR.TXT in the root folder (usually C). The said file contains the following string:
Text decoding error.
For autoexecution it creates the registry entry below:
drv_st_key = "%User Profile%\Application Data\hidn\hidn2.exe"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Other System Modifications:
This worm creates the following registry key and entry as part of its installation routine:
HKCU\Software\FirstRun
FirstRun = "1"
In addition, it deletes the following registry key to prevent the system from restarting in safe mode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
also:
HKEY_CURRENT_USER\Software\Microsoft\Windows\currentversion\run\
* mule_st_key = c:\documents and settings\administrator\application data\m\flec006.exe
Not certain if you've seen this: Removal Win32.Worm.Bagle - Malware City Blogs
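An added example, not from the thread or from any of the posters: the description quoted above lists persistence markers that a responder can check for offline rather than on the live (and possibly still infected) machine. This Python script parses a registry export (.reg text) and reports Run-key values that launch something from a user's Application Data folder, whether the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot key is present at all, and whether the HKCU\Software\FirstRun marker is set. The .reg text embedded in it is constructed for the demonstration; the value names (drv_st_key, FirstRun) and paths are the ones quoted in the post.

```python
"""Offline triage of a Windows registry export (.reg) for the persistence
markers quoted in the thread: Run-key values that launch from a user's
Application Data folder, a missing SafeBoot key, and the FirstRun marker.
Added example, not from the thread. SAMPLE_REG is constructed."""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
FIRSTRUN_KEY = r"HKEY_CURRENT_USER\Software\FirstRun"

# Constructed sample of what `reg export` produces on an infected XP profile;
# note the HKLM\SYSTEM portion carries no SafeBoot key at all.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"drv_st_key"="C:\\Documents and Settings\\xxxxxx\\Application Data\\hidn\\hidn2.exe"

[HKEY_CURRENT_USER\Software\FirstRun]
"FirstRun"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="20000"
'''

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# Only named REG_SZ values ("name"="data"); hex:/dword: values are skipped.
_STRING_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')


def _unescape(s: str) -> str:
    """.reg files escape backslashes and double quotes with a backslash."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path (lower-cased): {value name: string data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = m.group("key").lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _STRING_VALUE.match(line)
        if m:
            keys[current][_unescape(m.group("name"))] = _unescape(m.group("data"))
    return keys


def autoruns_in_appdata(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run-key values whose command lives under a profile's Application Data."""
    return [(name, data)
            for name, data in keys.get(RUN_KEY.lower(), {}).items()
            if "\\application data\\" in data.lower()]


def safeboot_present(keys: Dict[str, Dict[str, str]]) -> bool:
    """True if the SafeBoot key or any of its subkeys appears in the export."""
    prefix = SAFEBOOT_KEY.lower()
    return any(k == prefix or k.startswith(prefix + "\\") for k in keys)


def firstrun_marker(keys: Dict[str, Dict[str, str]]) -> bool:
    """True if the HKCU\\Software\\FirstRun value quoted in the thread is set."""
    return keys.get(FIRSTRUN_KEY.lower(), {}).get("FirstRun") == "1"


def triage(text: str) -> dict:
    """Run all three checks over one .reg export and return the findings."""
    keys = parse_reg(text)
    return {
        "suspicious_autoruns": autoruns_in_appdata(keys),
        "safeboot_missing": not safeboot_present(keys),
        "firstrun_marker": firstrun_marker(keys),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_REG)
    for name, cmd in report["suspicious_autoruns"]:
        print(f"Run value launching from Application Data: {name} = {cmd}")
    print("SafeBoot key missing from export:", report["safeboot_missing"])
    print("HKCU\\Software\\FirstRun marker set:", report["firstrun_marker"])
```

Export the hives from the affected machine with reg export (HKCU and HKLM\SYSTEM) and feed the text to triage(). The SafeBoot check is only meaningful when the HKLM\SYSTEM export is included, and a Run value launching from Application Data is a lead to investigate rather than proof of infection on its own, since some legitimate per-user software installs there too.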
Per Ardua ad Astraeus (Thread Starter) | Join Date: Mar 2000 | Location: UK | Posts: 18,579
GG - thanks for the extra info some of which I had not seen - problem is I have 'none of the above' on my system. The Blog link I saw on Thursday by which time I had removed the reg keys, reinstated safeboot with the reg plug-in I mentioned and confirmed those files did not exist. A real puzzle. Running 'Super anti-spyware' at the moment.
Bizarrely too, if I boot into 'Administrator' I get Documents and Settings\Administrator\Application Data\drivers but without the 'downld' folder!
More bang for your buck | Join Date: Nov 2005 | Location: land of the clanger | Age: 82 | Posts: 3,512
Therefore it must come from something that is run when you as non-admin start up but not when admin starts up. Since it (I assume) came as an E-Mail attachment perhaps it's in whatever your E-Mail client is.
Per Ardua ad Astraeus (Thread Starter) | Join Date: Mar 2000 | Location: UK | Posts: 18,579
GG - "All references are to the infected profile (which has admin status - yes, I know.....)". I think the email side is not involved - it was a downloaded zip. Any ideas on the Malwarebytes behaviour?
More bang for your buck | Join Date: Nov 2005 | Location: land of the clanger | Age: 82 | Posts: 3,512
No I haven't, but you could try sending them an E-Mail telling them what you've done and what's happening now. I'm sure they'll help you if they can: Malwarebytes.org