Thanks for the memory jog - I have emailed, but I'm not sure how much support they offer for the 'freebie' gang.:)
After severe 'attacking' yesterday I am pleased to report that Malwarebytes shows 'no infection' although the 'drivers' folder is still reappearing on reboot, so at last some more progress.
MWB have responded to my emailing (thanks GG) and are looking at the logs. One (extra!) lesson I have noted is that if you run Combofix (having turned off sys restore) it 'restores' sys restore as part of its process. Worth watching.
I am always amazed to see people "fixing" a machine over 10..20 hours, but not really getting rid of an infection, whereas to format the machine cleanly and reinstall takes a known and finite piece of time and results in a machine that is KNOWN to be clean.
The steps are:
LOW LEVEL FORMAT THE DRIVE (to remove any boot sector Rootkits) - good time to think about putting in a brand new upgrade drive
Install the new OS (get your Windows 7 if you like)
Install your applications.
Selectively copy your data files, word docs, etc.
In the future, maintain a low privilege level account and do most of your activities as that user. Login as admin when you have to install or change some settings (or use the RUN AS function to run a program as administrator)
Use High security settings for your browser (IE), Noscript (for Firefox) and No Javascript/Plugins for Opera (use site specific settings to allow javascript and plugs for sites you particularly trust.)
I am always amazed to see people "fixing" a machine over 10..20 hours,
SOURCE: wwwDOTmalwarecityDOTc0m/blog/removal-win32wormbagle-124.html
Removal Win32.Worm.Bagle
Date: 07/17/2008 Author: Andrei Bereczki

The Bagle worm is a piece of malware that spreads by itself over email, disk drives and network shares. It has rootkit capabilities that enable it to hide from the user. It disables the Windows firewall and several antivirus products. It also drops a hosts file which disables access to certain anti-virus websites. Anti-virus software might be unable to perform any definition updates because of this. In order to remove Win32.Worm.Bagle we first have to know that we are infected with it.

pci32.sys (old versions)
hldrrr.exe or hidr.exe
mdelk.exe
http://www.malwarecity.com/images/cmd-removal.gif

Explanation: we are replacing srosa.sys with the dummy null driver that does nothing, so this is what will be loaded on system startup upon reboot.

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\srosa" /F

9. Start regedit (Start -> Run then type: regedit.exe). Browse to the following registry key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA and right click it. Select Permissions, select Everyone then check Allow "Full-Control". After this delete the key.

At this point your system should be clean of the Bagle infection. If any of the steps above fails, please send us a copy of the file at virus-submission(AT)bitdefender.com in order to assist you with a specific removal guide.

Additional notes: this guide is intended for any type of user as long as they follow the exact steps described above. Any damage done to your system as a result of following this guide is your responsibility. Malwarecity.com cannot guarantee a successful removal for any threat version described above.

or better yet, call some techie friends or technicians. Then pay them, it's worth your data
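The quoted guide names the pieces Bagle leaves behind (the srosa driver service and its LEGACY_SROSA enum key, the dropped executables, a hosts file that blocks anti-virus sites, a disabled Windows firewall). The script below is an added example, not part of the guide or any post in this thread: a read-only audit that reports whether those indicators are present so you can decide what to clean. It assumes an elevated PowerShell prompt on the suspect machine and that the firewall state lives under the StandardProfile registry key (an assumption of this example, not something the guide states).

```powershell
# Added example: report-only check for the Bagle indicators named in the guide.
# Assumed: run as Administrator. Nothing is deleted or modified by this script.
$findings = @()

# 1. The driver service the guide replaces and the PnP "legacy" key it deletes.
foreach ($key in @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\srosa',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA')) {
    if (Test-Path $key) { $findings += "registry key present: $key" }
}

# 2. Files the guide lists (pci32.sys belongs to older variants).
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($name in 'srosa.sys', 'pci32.sys', 'hldrrr.exe', 'hidr.exe', 'mdelk.exe') {
    $hits = Get-ChildItem -Path $sys32 -Recurse -Filter $name -Force -ErrorAction SilentlyContinue
    foreach ($h in $hits) { $findings += "file present: $($h.FullName)" }
}

# 3. Hosts file: the worm maps anti-virus sites to loopback so updates fail.
#    Only 'localhost' legitimately points at 127.0.0.1; anything else is suspect.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$redirects = Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
    Where-Object {
        $_ -match '^\s*(127\.0\.0\.1|0\.0\.0\.0)\s+(\S+)' -and $Matches[2] -ne 'localhost'
    }
foreach ($line in $redirects) { $findings += "hosts redirect: $line" }

# 4. Windows Firewall state (assumed location: StandardProfile\EnableFirewall).
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty -Path $fwKey -Name EnableFirewall -ErrorAction SilentlyContinue
if ($null -eq $fw -or $fw.EnableFirewall -ne 1) {
    $findings += "Windows Firewall standard profile is not enabled"
}

# Report. An empty list means none of the guide's indicators were seen; it does
# not prove the machine is clean (the rootkit can hide files from a live system).
if ($findings.Count -eq 0) {
    Write-Output 'No Bagle indicators from the guide were found.'
} else {
    foreach ($f in $findings) { Write-Output "[!] $f" }
}
```

Because the guide says the rootkit hides from the user, a clean result from a live scan is weaker evidence than scanning the disk from a clean system, as a later post in this thread suggests.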
Hmm ! Quite a postal backlog there.
Firstly I would prefer NOT to have to re-install all my programmes if I can avoid it. Obviously it is a last option. aquamon - I didn't get a fair bit of that post and I don't recognise "Weren't you the same person earlier this year ..........". If you look back you will see there is nothing 'visible' in startup. Services are possibly next on the list after MWB come back again. They have asked for the combofix scan log. C-N thanks - checked all that a while ago and nothing there. Either a different variant or I had got rid of those bits myself. The other 'advantage' to sticking with it is, of course, it improves the virus knowledge base (and I'm with GG:))
BOAC, the best option, IMO, is to just disconnect your HD and scan it in a clean system with updated AV. Then reconnect to your machine again. edit: Check also your windows firewall settings, in control panel. I'm sure it's also modified to allow the worm to propagate.
Thought I would pop my head out of the trench and dodge the muck and bullets..................:)
So far MWB have been most attentive. They called for a combofix log and I have just run Combofix again with a script they sent, and have returned the log at their request. Very impressive for a 'free' software supplier.
They are offering an upgrade to the pro version for about $10 which is very reasonable.
Gone!
MBAM cleared most of it but the rogue folders kept returning on boot. A mate sent me a link to 2 'new' av progs, Panda 'Cloud', an AV prog and Norman 2009 Malware cleaner (sits nicely on a USB stick!). Norman does not need to be installed. Panda required uninstallation of my (Avast) AV which I did and ran Panda Cloud. It found and cleaned a few entries. I also ran Norman which found more. This am I have NO return of the folders. A MBAM scan shows me uninfected. I do not know which of the 2 'new' ones fixed it, of course, but I prefer Norman as it sits with the AV running. I'll add links to my forthcoming links in the sticky for both.
Result! :ok:
I admire your perseverance. :) May I re-iterate my advice to run as a standard user account as much as possible? SD
Advice taken!!! Yes - I knew I should, but, you know.................:{ Lesson learnt.