Cannot detect Bagle rootkit/virus infected file!
Kamykaze:
My WinXP machine was partially infected with a Beagle virus that killed avast.
I was able to partially disable and clean up the infection referring to Avast stopped working, virus? post.
I googled for other instructions but the post above was the best source of info.
I.e.:
Accessing the file system from outside, found and deleted srosa.sys and hidr.exe
Booting system from previously known good configuration ran Combofix
This found and quarantined an Internet.lnk on a user desktop and _000005_.tmp.dll in system32 folder.
Deleted %windir%\exefld.
Reinstalled avast
Ran Rootkit Revealer, F-Secure Blacklight, avast. Found no other infection signs.
Searched registry for instances of srosa and hidr.
Deleted HKLM\system\ControlSet001\services\srosa
Deleted related Control\Class\{8ECC055D-047F-11D1-A537-0000F8753ED1}
Deleted HKLM\system\ControlSet001\Enum\root\LEGACY_SROSA keys
Problem 1:
I don't know if there are other leftovers from the infection.
I'm suspicious of some URL links that give a message that the linked site can't be found but then load it anyway.
Any other info or tips welcome.
Problem 2:
The .exe file that I know started the infection is sitting on my desktop and nothing that I run signals it as bad.
Avast can't detect it and I think rootkit sw only detects installed rootkits and not the files that install them.
How can I detect these malware files?
Suddenly, it's a whole new ball game and looks like I'm not equipped! :(
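For Problem 1 (possible leftovers), the following is an added example, not code from anyone in this thread: a PowerShell re-check for the artefacts Kamykaze names (srosa.sys, hidr.exe, %windir%\exefld, the srosa service key and LEGACY_SROSA enumeration key). It assumes an elevated PowerShell prompt; the CurrentControlSet paths are added alongside the ControlSet001 ones from the post.

```powershell
# Added example: re-check a Windows system for the Bagle/srosa leftovers
# named in this thread, so a second pass can confirm nothing has come back.
# Assumptions: elevated prompt; file names and registry keys are those the
# thread reports, plus the CurrentControlSet mirror of the ControlSet001 keys.

$findings = @()

# 1. File artefacts: the rootkit driver, the dropper, and the exefld folder.
$fileNames   = @('srosa.sys', 'hidr.exe')
$searchRoots = @("$env:windir\system32\drivers", "$env:windir\system32", $env:windir)
foreach ($root in $searchRoots) {
    foreach ($name in $fileNames) {
        $hit = Get-ChildItem -Path $root -Filter $name -Force -ErrorAction SilentlyContinue
        if ($hit) { $findings += "File present: $($hit.FullName)" }
    }
}
if (Test-Path "$env:windir\exefld") { $findings += "Folder present: $env:windir\exefld" }

# 2. Registry artefacts: the srosa service and its LEGACY_SROSA enumeration key.
$regKeys = @(
    'HKLM:\SYSTEM\ControlSet001\Services\srosa',
    'HKLM:\SYSTEM\CurrentControlSet\Services\srosa',
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA'
)
foreach ($key in $regKeys) {
    if (Test-Path $key) { $findings += "Registry key present: $key" }
}

# 3. Any other service or driver whose image path still points at srosa or hidr.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img -match 'srosa|hidr') { $findings += "Service $($_.PSChildName) -> $img" }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No srosa/hidr/exefld leftovers found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

While the rootkit driver is loaded it hides its own files and keys from tools running on the infected system, so this check is only meaningful after the driver has been removed and the machine rebooted, or when the disk is examined from outside as Kamykaze did.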
DavidR:
Send the files not detected to avast.
Send the sample/s to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
Bagle Rootkit variant:
See http://forum.avast.com/index.php?topic=26554.0
http://forum.avast.com/index.php?topic=25941.0
These two seemed to have the best result in killing the rootkit (one of which you have already used):
http://research.pandasoftware.com/blogs/research/archive/2006/12/14/Rootkit-cleaner.aspx
http://www.f-secure.com/blacklight/try_blacklight.html
There are some other tools you could run after the anti-rootkit scans, these may find the installation file responsible.
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
AVG Anti-Spyware (formerly Ewido): resident scanner during trial, on-demand after the trial ends. Or SUPERantispyware: on-demand only in the free version. Or Spyware Terminator: resident scanner.
Kamykaze:
--- Quote ---Send the files not detected to avast.
--- End quote ---
Sent files by email according to instruction.
Meanwhile Kaspersky online File Scanner has identified these as email-worm.win32.bagle.jc
About the other posts: more or less the same. I didn't exhibit all symptoms reported (guess because the infected system never had a chance to boot before I deleted/moved the virus key files). No additional files were found other than the ones I reported above.
I also tried a safe boot that resulted in BSOD, but Combofix or one of the other scans fixed this.
On a note to others with similar infection, the LEGACY_SROSA key could only be deleted by setting permissions to do so on regedit.
I forgot to say but of course I updated avast's virus definitions before scanning, so either this is a new variant or there's (still) something wrong with my install.
On another note related to these other posts. I also rely on disk image software for backup purposes rather than MS System Restore but it's been more than two months and a lot of installing/tweaking & customizing since so... :P
The lesson still is: Backup often. It will save time and work. I should know this by now :)
Thank you DavidR for your prompt response. If I understand you correctly, I should complement avast with one of these anti-spyware products. Is this something avast should/will do, or is it best left aside for specialized apps to do?
mauserme:
If you want to post a WinpFind3U log I'll be happy to look at it a little later.
1. Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
2. Close ALL OTHER PROGRAMS.
3. Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
4. Under Additional Scans click the checkboxes in front of the following items to select them:
   Reg - Bot Check
5. Now click the Run Scan button on the toolbar.
6. Let it run unhindered until it finishes.
7. When the scan is complete Notepad will open with the report file loaded in it.
8. Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.