Author Topic: Win32 Beagle-AX  (Read 8042 times)


rondlac

  • Guest
Win32 Beagle-AX
« on: February 16, 2005, 06:44:37 PM »
Hi,

I picked up a virus Avast identified as Win32 Beagle-AX. I went to the Avast virus repair tool and found it did not address Beagle-AX. Tried it too, didn't work. Need help cleaning up.

Thanks,
rondlac

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31072
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win32 Beagle-AX
« Reply #1 on: February 16, 2005, 06:46:22 PM »
Click on the link in my signature and follow the instructions in the malware removal section.
« Last Edit: February 16, 2005, 06:53:39 PM by Eddy »

rondlac

  • Guest
Re: Win32 Beagle-AX
« Reply #2 on: February 17, 2005, 03:46:25 AM »
Eddy,

Ok. All is well, I think. I found two other files that are infected. For some reason Avast did not give the first virus alert until after I had shut down and rebooted. And then only one file was cited. After I put the infected file in the Chest the HDD continued downloading and would not allow any keyboard input. I tried to Scan but the HDD activity kept interfering, so I went to Safe Mode: it happened there too. Even a utility I have that initiates Scan Disk on a regular or a Safe Mode boot before any programs are loaded did not work. I re-read the data in your link, went back to Avast and scanned the whole system file, that's when I found the other two files. Now only if the removed 'system' files regenerate, I'll be okay. Here's hoping.

Thanks,
rondlac

Offline Eddy

Re: Win32 Beagle-AX
« Reply #3 on: February 17, 2005, 04:00:39 AM »
Post a HijackThis log here and let me have a look.
Let's see if I can find something.
Just to check. That never harms ;)

Offline xistenz

  • Poster
  • *
  • Posts: 632
Re: Win32 Beagle-AX
« Reply #4 on: February 17, 2005, 08:31:24 AM »
You can also try the Beagle removal tool from Symantec (http://securityresponse.symantec.com/avcenter/FxBeagle.exe), just to make sure that all traces of the virus are gone.

rondlac

  • Guest
Re: Win32 Beagle-AX
« Reply #5 on: February 17, 2005, 08:33:45 PM »
Eddy,

I seem to be having problems with posting, I hit the giddy-up button and it doesn't go anywhere.  Similarly with my email when I hit a hyperlink nothing happened so I hit refresh and did it again and again and again...nothing happened.  I left my ICP site and surfed on.  Later I noticed my, whatca-call-it next to the Start button, was full of images and each one was from an attempt I made to activate the hyperlink.  Here's a copy of the Hijackthis log, I'm off to Symantec for a system wash.

 Logfile of HijackThis v1.99.0
Scan saved at 2:09:00 PM, on 02/17/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UTILITY DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.0&bm=ho_search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=19084&
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP4,0,2,10.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\WINDOWS\temp\ins1.TMP\DLGLI1.EXE
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE (file missing)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\NPQTPL~1.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {FE67C682-F5EA-11CF-9C2F-0000C0C83ADC} (Jamba Class Library) - http://www.americanracing.com/wheelmatch/Jambalib.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (YBIOCtrl Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4_0_2_10.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab

Thanks,
rondlac

Offline Eddy

Re: Win32 Beagle-AX
« Reply #6 on: February 17, 2005, 10:07:00 PM »
--------------------------------------------------------------------------------
THESE ARE EITHER HARMFUL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM:
--------------------------------------------------------------------------------
o2 - bho: nav helper - {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton systemworks\norton antivirus\navshext.dll (file missing)
o3 - toolbar: norton antivirus - {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton systemworks\norton antivirus\navshext.dll (file missing)
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra 'tools' menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra button: (no name) - {cd67f990-d8e9-11d2-98fe-00c0f0318afe} - (no file)
o9 - extra button: aim - {ac9e2541-2814-11d5-bc6d-00b0d0a1de45} - c:\program files\aim95\aim.exe (file missing)
o16 - dpf: {fe67c682-f5ea-11cf-9c2f-0000c0c83adc} (jamba class library) - http://www.americanracing.com/wheelmatch/jambalib.cab
o16 - dpf: {ef99bd32-c1fb-11d2-892f-0090271d4f88} (ybioctrl class) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4_0_2_10.cab
o16 - dpf: {9b03c5f1-f5ab-47ee-937d-a8eda626f876} (anonymizer anti-spyware scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/webaas.cab
o16 - dpf: {e9348280-2d74-4933-be25-73d946926795} (deviceenum class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
 
« Last Edit: February 18, 2005, 11:57:27 AM by Eddy »

rondlac

  • Guest
Re: Win32 Beagle-AX
« Reply #7 on: February 18, 2005, 07:01:32 AM »
Eddy,

I got a problem. Some of the fix items must have been keystones because many of my programs won't run and can't be uninstalled so that I can reinstall them. I made a copy of the registry using Win 98, unfortunately the system tells me I need to reinstall Win 98 in order to install the backup of the registry. The problem is I do not have the Win 98 disc for this computer. Did HijackThis make a backup? If it did where is it? I want to backup some of my programs that I no longer have disks for and scrub the HDD and install Win Me. You guessed it my Nero program is crippled and can't be uninstalled.

Thanks,
rondlac

Offline Eddy

Re: Win32 Beagle-AX
« Reply #8 on: February 18, 2005, 11:56:38 AM »
None of them are keystones.
Visit my website and look at the HijackThis section.
There is a tutorial/explanation about the log file.
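
Added example, not part of the thread and not HijackThis code: a small parser for the log format posted in Reply #5. It splits each entry into its section code and body, then separates entries HijackThis annotated as pointing at a missing file from autostart entries under a temp directory and from ActiveX downloads. The sample lines are copied from the log above; the function and group names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log in Reply #5 of this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=19084&
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\WINDOWS\temp\ins1.TMP\DLGLI1.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
"""
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$", re.I)      # "O2 - ...", "R1 - ..."
CLSID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
ORPHAN = re.compile(r"\((?:file missing|no file)\)\s*$", re.I)
TEMP_DIR = re.compile(r"\\te?mp\\", re.I)

def parse_log(text):
    """Return one dict per log entry; headers and process paths are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        body = m.group(2)
        clsid = CLSID.search(body)
        entries.append({"section": m.group(1).upper(), "body": body,
                        "clsid": clsid.group(0).upper() if clsid else None,
                        "orphaned": bool(ORPHAN.search(body))})
    return entries

def triage(entries):
    """Group entries for manual review; grouping is not a verdict."""
    groups = defaultdict(list)
    for e in entries:
        if e["orphaned"]:                      # registry entry, target file gone
            groups["orphaned"].append(e)
        elif e["section"] == "O4" and TEMP_DIR.search(e["body"]):
            groups["autostart_from_temp"].append(e)
        elif e["section"] == "O16" and "http://" in e["body"].lower():
            groups["remote_activex"].append(e)
        else:
            groups["other"].append(e)
    return dict(groups)

if __name__ == "__main__":
    for name, items in triage(parse_log(SAMPLE_LOG)).items():
        print(name, [e["section"] for e in items])
```

The section match is case-insensitive, so it also reads the lower-cased entries listed in Reply #6.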