PPRuNe Forums (https://www.pprune.org/)
Computer/Internet Issues & Troubleshooting

srosa worm (https://www.pprune.org/computer-internet-issues-troubleshooting/393387-srosa-worm.html)

BOAC 23rd Oct 2009 15:28

srosa worm
 
Got hit by this on Wednesday and I'm still cleaning! It came through my AV and closed down that and Zone Alarm, rendered safe mode (XP SP3) unusable and stopped me running any exe files to restore those.

It has a very bad press on Google. I have restored the safe mode reg keys, reinstalled ZA and AV and followed several 'guides' on removal, but I am still getting remnants of it popping up. Anyone got a guaranteed fix (without re-format!)? One useful tip would be how it has rendered exes u/s!

dazdaz 23rd Oct 2009 16:23

"Got hit by this on Wednesday and I'm still cleaning" - what sites were you surfing? :E It might help others to avoid.

dazdaz 23rd Oct 2009 18:09

No chance, not taking the risk on linking. Post more info as to this link plz

BOAC 23rd Oct 2009 20:32

Thanks Stacy - had seen that one, but since I can run Malware which 'keeps on' 'finding and quarantining' the problem I decided not to load yet another AV.

Dazdaz - cannot help - I was sent a zip file which passed Malwarebytes inspection but when opened infected.

There is something 'hiding' somewhere - it is just a case of finding it!

Saab Dastard 23rd Oct 2009 20:57

Win32.Bagle is a nasty one - have you tried Combo-Fix?

See thread on Kaspersky Forums.

SD

BOAC 24th Oct 2009 07:57

I'm almost there, but stuck with

Documents and Settings\xxxxxx\Application Data\drivers\downld (Worm.Bagle). (A classic signature)

I can delete the folder, but on reboot it reappears. Everything else has gone (I think!). I'll give the Kaspersky routine a blast today. B***s hiding somewhere!

EDIT:

I will post the link to the reg safe boot 'restore keys' in the sticky. Despite all, I still cannot use system restore - it goes right through the process and then says 'fail'.

I still have backed up reg files from before the 'invasion' - is there any merit in restoring these and if so which?

BOAC 24th Oct 2009 17:42

Overdue apologies and thanks to StaceyF for my 'dissing' the suggestion made - I thought, because I had sorted safeboot and Malwarebytes already it would not help.

Ran it this PM as per the link and I have now had a 'clean' Malwarebytes scan, and am running 'housecall' through the whole system at this time. No flagging of worm bagle so far. I do, however, still have the folder as above 'Documents and Settings\xxxxxx\Application Data\drivers\downld' which continually reappears on reboot (as a hidden but empty folder).

Other problem is system restore is still not working so I ain't out of the woods yet, but a bit closer to the edge:)

Tigger4Me 24th Oct 2009 17:54

I'm feeling for you BOAC and hope that you clear this soon. As a matter of interest can you say which AV you were running?

green granite 24th Oct 2009 18:09

BOAC, there are a range of options for deleting stubborn folders here: Cannot delete file or folder | Windows Problem Solver

But it may be that it's being re-created by a program that starts up whilst booting. Try 'msconfig' and look through the start up programs and un-tick any that are not essential, then do the same in the 'services' tab, but make a note of what you've done so you can restore them as needed.

BOAC 24th Oct 2009 20:47

Thanks for the sympathy - I know where that is in the Oxford Dictionary:)

In order:

It was Avast that 'appeared' to have let it through

GG - I did that early on and cannot see anything suspicious - I'm pretty sure it is in the reg, but again HijackThis shows no nasties that I recognise. It's not that I cannot delete the folder - if I change the attributes I can. It just reappears on reboot.

Avtrician 25th Oct 2009 04:20

BOAC,

The little bugger may be coming back from the system restore files, I have had a similar thing happen in the past. Try turning System Restore off (all the restore files will be lost). Then delete the infected directory.

Run msconfig if you can, and have a look in the services and startup tabs and see if anything odd is present, untick anything that looks strange (you can always retick later).

Odd start files that contain random alpha characters are a good bet.

BOAC 25th Oct 2009 08:25

Avt - restore went a while back, and all remaining RPs have gone in the bin. As I said to GG I have checked config and there seems to be nothing there. I think this little **** is too cunning to lodge there!

Still showing 'Documents and Settings\xxxxxx\Application Data\drivers\downld' which continually reappears on reboot (as a hidden but empty folder) having been deleted. It is triggering a Malwarebytes worm.bagle warning but I cannot see any files in the folders (unhidden), size 0.

This is pretty well identical to new virus which I have just found and I'm working through that today, except I do not have any sys restore folders now nor do I have a ***\Application Data\m\ folder.

Keef 25th Oct 2009 09:56

Time to copy your documents, wipe the HD, and install Windows 7?

BOAC 25th Oct 2009 10:04

As with all things Windows, keef, watching and waiting:) I think SP1 would be a good point to join the party.

BOAC 25th Oct 2009 12:33

A further puzzle has developed today. I'm wondering (in a 'non-expert' way) whether all my hacking and slashing has in fact emasculated the virus but not eliminated it.

All references are to the infected profile (which has admin status - yes, I know.....)

Malwarebytes scans:

Scan Documents and Settings\xxxxxx\Application Data\ - MB tells me I have worm.bagle in Documents and Settings\xxxxxx\Application Data\drivers\downld - 'cleaning' has no effect

Scan \drivers and/or \drivers\downld - no infection flagged up.

Could it be that the 'signature' is the presence of the folders \drivers\downld but that the worm is no longer able to write to those folders?

If only I could find where the thing hides.................:ugh:

green granite 25th Oct 2009 13:03

Possibly a bit more info for you: Description

When I-Worm.Bagle.gt is executed, it performs the following activities:

It drops the following files in the Application Data folder:
%User Profile%\Application Data\hldrrr.exe
%User Profile%\Application Data\hidn2.exe

Upon execution, it creates a text file named ERROR.TXT in the root folder (usually C:\). The said file contains the following string:

Text decoding error.

For autoexecution it creates the registry entry below:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
drv_st_key = "%User Profile%\Application Data\hidn\hidn2.exe"

Other System Modifications:

This worm creates the following registry key and entry as part of its installation routine:

HKCU\Software\FirstRun
FirstRun = "1"

In addition, it deletes the following registry key to prevent the system from restarting in safe mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

Also:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

* mule_st_key = c:\documents and settings\administrator\application data\m\flec006.exe


Not certain if you've seen this: Removal Win32.Worm.Bagle - Malware City Blogs
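The description quoted above is essentially a list of indicators (two Run values, a FirstRun marker, a deleted SafeBoot key, two dropped executables and an ERROR.TXT file). The script below, added here as an example and not part of the original thread or any vendor tool, parses a regedit 5.00 text export (what `reg export` writes) plus a file listing and reports which of those indicators are present. The sample registry text and file listing are constructed for illustration, not captured from a real machine; the `user` profile name and the `SystemStartOptions`/`BootExecute` values are assumptions filling in what a real export would contain.

```python
"""Check a .reg export and a file listing for the I-Worm.Bagle.gt indicators
quoted above (Run values, FirstRun marker, deleted SafeBoot key, dropped
files, ERROR.TXT). Added example; not code from the original page."""
import re

# Constructed sample input, NOT a real capture. It mimics the concatenated output of
#   reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
#   reg export HKCU\Software\FirstRun firstrun.reg
#   reg export HKLM\SYSTEM\CurrentControlSet\Control control.reg
# on a box where the worm has already removed the SafeBoot key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"drv_st_key"="C:\\Documents and Settings\\user\\Application Data\\hidn\\hidn2.exe"
"mule_st_key"="C:\\Documents and Settings\\user\\Application Data\\m\\flec006.exe"

[HKEY_CURRENT_USER\Software\FirstRun]
"FirstRun"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"SystemStartOptions"=" NOEXECUTE=OPTIN  FASTDETECT"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,00,00,00,00
'''

# Constructed file listing: path -> file contents (None if not read).
SAMPLE_FILES = {
    r"C:\Documents and Settings\user\Application Data\hidn\hidn2.exe": None,
    r"C:\Documents and Settings\user\Application Data\hldrrr.exe": None,
    r"C:\ERROR.TXT": "Text decoding error.",
    r"C:\WINDOWS\system32\ctfmon.exe": None,
}

# Registry paths are case-insensitive, so everything is compared lower-cased.
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
FIRSTRUN_KEY = r"hkey_current_user\software\firstrun"
CONTROL_KEY = r"hkey_local_machine\system\currentcontrolset\control"
SAFEBOOT_KEY = CONTROL_KEY + r"\safeboot"
BAGLE_RUN_VALUES = {"drv_st_key", "mule_st_key"}
BAGLE_DROPPED = {"hldrrr.exe", "hidn2.exe"}


def parse_reg(text):
    """Parse regedit 5.00 export text into {key_path_lower: {name: value}}.
    Quoted (REG_SZ) values are unescaped; other types are kept as raw text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.group(1), m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo .reg escaping
            keys[current][name] = raw
    return keys


def find_bagle_indicators(keys, files):
    """Return human-readable findings for the indicators quoted in the post."""
    findings = []
    for name, value in keys.get(RUN_KEY, {}).items():
        if name.lower() in BAGLE_RUN_VALUES:
            findings.append(f"run value {name} -> {value}")
        elif re.search(r"\\application data\\(hidn|m)\\", value, re.I):
            findings.append(f"run value {name} points into a Bagle drop folder: {value}")
    if keys.get(FIRSTRUN_KEY, {}).get("FirstRun") == "1":
        findings.append("HKCU\\Software\\FirstRun\\FirstRun = 1")
    # Only judge SafeBoot if the export actually covered the Control key.
    if CONTROL_KEY in keys and not any(k.startswith(SAFEBOOT_KEY) for k in keys):
        findings.append("SafeBoot key missing under HKLM\\...\\Control (safe mode disabled)")
    for path, content in files.items():
        base = path.rsplit("\\", 1)[-1].lower()
        if base in BAGLE_DROPPED:
            findings.append(f"dropped file present: {path}")
        if re.fullmatch(r"[a-z]:\\error\.txt", path, re.I) and \
                (content or "").strip() == "Text decoding error.":
            findings.append(f"ERROR.TXT marker present: {path}")
    return findings


if __name__ == "__main__":
    for finding in find_bagle_indicators(parse_reg(SAMPLE_REG), SAMPLE_FILES):
        print("[!]", finding)
```

To use it on a live XP box, produce the input with `reg export` for the three keys above and feed the concatenated text to `parse_reg`; the file listing is whatever `dir /a /s` of the profile and drive root gives you. The checks are deliberately limited to the indicators in the quoted description, so a clean result only means those particular artefacts are absent, which is exactly the situation BOAC describes for his machine.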

BOAC 25th Oct 2009 13:42

GG - thanks for the extra info some of which I had not seen - problem is I have 'none of the above' on my system. The Blog link I saw on Thursday by which time I had removed the reg keys, reinstated safeboot with the reg plug-in I mentioned and confirmed those files did not exist. A real puzzle. Running 'Super anti-spyware' at the moment.

Bizarrely too, if I boot into 'Administrator' I get Documents and Settings\Administrator\Application Data\drivers but without the 'downld' folder!

green granite 25th Oct 2009 14:23

Therefore it must come from something that is run when you as non-admin start up but not when admin starts up. Since it (I assume) came as an E-Mail attachment perhaps it's in whatever your E-Mail client is.

BOAC 25th Oct 2009 14:52

GG - "All references are to the infected profile (which has admin status - yes, I know.....)". I think the email side is not involved - it was a downloaded zip. Any ideas on the Malwarebytes behaviour?

green granite 25th Oct 2009 15:04

No I haven't, but you could try sending them an E-Mail telling them what you've done and what's happening now, I'm sure they'll help you if they can: Malwarebytes.org




Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.