Author Topic: EXEs being changed (Read 17674 times)


Offline RejZoR

Re: EXEs being changed
« Reply #15 on: March 04, 2009, 01:34:00 AM »
I'm wondering here: how come Self-Defense didn't help? I know it can still be bypassed like anything else out there, but this easily?
Or maybe he turned off Self-Defense...

Offline DavidR

Re: EXEs being changed
« Reply #16 on: March 04, 2009, 01:47:57 AM »
There is one Beagle variant that I know of that can get past most AVs, including avast's self-defence. Hopefully they will get the sample to analyse and combat the element that is effectively disabling avast.

Offline Lisandro

Re: EXEs being changed
« Reply #17 on: March 04, 2009, 01:51:31 AM »
> I'm wondering here: how come Self-Defense didn't help? I know it can still be bypassed like anything else out there, but this easily?
> Or maybe he turned off Self-Defense...
Some Beagle variants just make self-defense a joke... it's sad, but it's true.
The best things in life are free.

sepulchre

Re: EXEs being changed
« Reply #18 on: March 05, 2009, 03:27:15 AM »
First of all, I didn't turn Self Defense or anything else off.

Ok. Here are the results of my efforts thus far.

Online scanners:

Kaspersky - Scans but does not repair anything.

ESET - Found the virus but only in the file I downloaded, "CD Utils.rar". It deleted that file but did nothing for the system, which is still infected.

Bit Defender - I cannot get to their online scanner. It shows a EULA with an "Accept" button but clicking that does nothing. I am awaiting a response to my email to their support service. They acknowledged the email and said I will be contacted within 48 hours.

Trendmicro house call - Another app that scans only; no repairs.

F-Secure - Will not load and run. Says I don't have some authority needed. (I am the administrator of this PC)


Bootable CDs:

Dr. Web - Boots but doesn't do anything. Am I missing something here?

Bit Defender - Boots and goes through its installation process until it gets to "Trying to update Bit Defender Scanner . . ." then hangs for a bit before rebooting itself to normal Windows.

F-Secure - This one ran successfully. It took a few hours and it did find a couple of viruses hidden in some things I don't ever use (got them in case I ever needed, glad I didn't). But it did not detect the Beagle or Bagle virus.

I have not yet tried the other bootable CDs but will be doing so as you read this. I also will get another copy of the CD Utils file and send it to Avast in a password-protected RAR. I'm not sure how I would put it in the Chest without the use of Avast.

If there is ANYTHING anyone can think of for me to try I am able and willing. I would REALLY rather not format my C: and have to reinstall 111 gig of applications that I need daily. I really appreciate your efforts and whatever further assistance you might have for me.

Thank you,
Ken

Offline Lisandro

Re: EXEs being changed
« Reply #19 on: March 05, 2009, 02:18:14 PM »
sepulchre, you did a huge job trying to clean...
I wish the avast team would take a look at this dangerous virus that, for years, has been the weakness of avast installations, destroying them.
The best thing would be to try to improve avast's detection of this particular variant of Beagle.
Do you have any known file that is infected with it?

Mr.Agent

Re: EXEs being changed
« Reply #20 on: March 05, 2009, 03:42:15 PM »
You can always try ThreatFire, Spybot S&D and AntiVir Premium (promotion) -----> https://license.avira.com/en/promotion-cj0ptfb6eh8cmw6a101r
You can get some other licence promotions by searching on Google (antivir premium security suite promotion), or you can always try to get a new promotion key by registering again (I never tried it, so you can try it when it has expired).

PS: The Avira licence key is valid for 3 months only, but you can try the thing I said :D

So may God bless you, and may Avira find your Beagle and virus.

Give me the result, and I hope it will have worked.
« Last Edit: March 05, 2009, 03:50:21 PM by Mr.Agent »

sepulchre

Re: EXEs being changed
« Reply #21 on: March 06, 2009, 05:26:35 AM »
Here's an update:

The Kaspersky bootable CD scanned my machine for 22 hours and found nothing.  >:(

I found a piece made specifically to kill all forms of Beagle by Symantec, but it also found nothing.

I just started running the Avira bootable disc. I certainly hope it finds something.

I don't believe that I have some new variant. I'm pretty sure the file I got has been around for some time. Surely there is a cure for this blasted thing. I really really really don't want to format my hard drive. It will take a long time (too long) to recover and I would probably never know what I'd lost.

By the way, I did send the file from which the virus came (CD Utils.zip) to virus@avast.com in a password protected RAR with the password in the body of the email and with the subject "undetected malware".

@ Mr. Agent: I cannot run Spybot S&D or any other antivirus application. That is the nature of this virus; it disables virus hunters. The same goes for HijackThis. Please read my original thread starter.

If there are ANY other ideas I'm ready to try them. I'm getting a bit desperate. Why is it that all these "top notch" virus scanners can't find anything wrong? There must be something running in memory to disable AVs every few seconds. Does anyone know of an online memory scanner?

Thanks everyone again for all your help,
Ken

CharleyO

  • Guest
Re: EXEs being changed
« Reply #22 on: March 06, 2009, 05:31:24 AM »
***

Try renaming HJT to something else and then see if it will run.


***

Offline Lisandro

Re: EXEs being changed
« Reply #23 on: March 06, 2009, 01:27:22 PM »
There is a similar topic http://forum.avast.com/index.php?topic=25822.0
Use this tool to scan your PC - http://www.f-secure.com/blacklight

You probably still have an infection, probably a rootkit on your system that is killing avast.

I suggest you visit this page http://www.antirootkit.com/software/index.htm for antirootkit detection, removal & protection.

mouniernetwork

Re: EXEs being changed
« Reply #24 on: March 06, 2009, 01:28:37 PM »
If Blacklight doesn't find anything then you might want to consider this :

From reading the description of the symptoms you seem to be having, I believe that the file you have is an EXE infector, or at least has that feature as one of its payloads.

Hence I recommend that you try restoring the EXE file association with the help of the following page:
http://www.dougknox.com/xp/file_assoc.htm

You should probably be able to run EXE files (I think).
What you might want to do also is to save the file attached to the post and change the extension to .bat and run it. It should be able to inform you of the currently running tasks if the Task Manager doesn't seem to work  :)

I will also try to do some research, as I understand that having this sort of nasty can be very frustrating  >:(

Just hang tight  ;)

Al968

sepulchre

Re: EXEs being changed
« Reply #25 on: March 06, 2009, 02:19:11 PM »
I discovered that I can rename ashAvast.exe on another PC and then put it on my machine, and it does work (the memory scanner found nothing). Unfortunately, avast uses many EXEs and they have all been disabled. I cannot rename them all because they call each other.

On a brighter note, I did the same with HijackThis and now have my renamed version (DogThis.exe), and it works just fine. But I am not an expert at making sense of the resulting log file. Maybe I can find someone who is and can find out more about what's going on.

I have to go to work now but when I get back I will try restoring the EXE file association. As I said before, when I try to run an antivirus EXE I get the message box, "so and so.exe is not a valid Win32 application." Other EXE files run just fine.

By the way, F-Secure's scanner didn't find anything and was said to contain Blacklight. However, I will put it in line with all else to be tried. Also, Taskmanager does work, but I can't see anything unusual. But it may be there and I just don't recognize it.

Something has to work. I have faith.

CharleyO

Re: EXEs being changed
« Reply #26 on: March 06, 2009, 07:35:06 PM »
***

> On a brighter note, I did the same with HijackThis and now have my renamed version (DogThis.exe), and it works just fine. But I am not an expert at making sense of the resulting log file. Maybe I can find someone who is and can find out more about what's going on.

Post your "DogThis" log here and someone will look at it.

***

mouniernetwork

Re: EXEs being changed
« Reply #27 on: March 07, 2009, 01:50:58 AM »
> I discovered that I can rename ashAvast.exe on another PC and then put it on my machine, and it does work (the memory scanner found nothing). Unfortunately, avast uses many EXEs and they have all been disabled. I cannot rename them all because they call each other.
>
> On a brighter note, I did the same with HijackThis and now have my renamed version (DogThis.exe), and it works just fine. But I am not an expert at making sense of the resulting log file. Maybe I can find someone who is and can find out more about what's going on.
>
> I have to go to work now but when I get back I will try restoring the EXE file association. As I said before, when I try to run an antivirus EXE I get the message box, "so and so.exe is not a valid Win32 application." Other EXE files run just fine.
>
> By the way, F-Secure's scanner didn't find anything and was said to contain Blacklight. However, I will put it in line with all else to be tried. Also, Taskmanager does work, but I can't see anything unusual. But it may be there and I just don't recognize it.
>
> Something has to work. I have faith.

Ok, I didn't understand that it was the AVs that could not be run  >:(
Well, in that case forget what I said above about the EXE association, because if your problem doesn't happen with every EXE then it doesn't have to do with the EXE association.
On the other hand, can you post the list of running processes along with the DogThis log (if it isn't already included)?

I have no further recommendation at the moment, as I think we have exhausted the information you have given us, but the DogThis log will provide a sea of data which we will try to take advantage of in order to remove your malware  :)

Al968

sepulchre

Re: EXEs being changed
« Reply #28 on: March 07, 2009, 05:27:44 AM »
Here's my DogThis log.  ;D

Logfile of HijackThis v1.99.1
Scan saved at 7:59:20 AM, on 3/6/2009
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\xNeat Clipboard Manager\xNeatClipMngr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\ztemp\baglegui.com
D:\# - Network Share\DogThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dvdcopyrip.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [xNeat Clipboard Manager] C:\Program Files\xNeat Clipboard Manager\xNeatClipMngr.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\FileUtilities.3\mount.exe /z
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InterBase 7.5 Guardian gds_db (IBG_gds_db) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase 7.5 Server gds_db (IBS_gds_db) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

Thanks again for all your efforts.
Ken
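The log above is what the thread asks a volunteer to read by eye. As an added example that is not from the original thread or from HijackThis itself, here is a small Python triage script that parses a HijackThis-style log and flags the entries a reviewer would look at first: processes running outside the Windows and Program Files trees, entries pointing at missing files, services with no recorded owner, Winsock LSP hooks and a non-Microsoft IE start page; the embedded sample is a constructed excerpt modelled on the posted log, not the full log.

```python
import re

# Constructed excerpt modelled on the HijackThis log posted above; it is not the full log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\ztemp\baglegui.com
D:\# - Network Share\DogThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dvdcopyrip.com
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\FileUtilities.3\mount.exe /z
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
""".strip()

# Directories a stock XP box legitimately runs binaries from (lower-cased for comparison).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
ENTRY_RE = re.compile(r"^[RFO]\d+ - ")


def parse_hjt_log(text):
    """Split a HijackThis log into (running processes, R/F/O entries)."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def triage(text):
    """Return (reason, line) pairs worth a reviewer's attention. Heuristics, not verdicts."""
    processes, entries = parse_hjt_log(text)
    findings = []
    for proc in processes:
        low = proc.lower()
        if not low.startswith(TRUSTED_ROOTS):
            findings.append(("process outside Windows/Program Files", proc))
        if low.endswith(".com"):
            findings.append(("process with legacy .com extension", proc))
    for entry in entries:
        if "(file missing)" in entry or "(no file)" in entry:
            findings.append(("entry points at a missing file", entry))
        if entry.startswith("O23") and "Unknown owner" in entry:
            findings.append(("service with no recorded publisher", entry))
        if entry.startswith("O10"):
            findings.append(("Winsock LSP hook", entry))
        if entry.startswith("R0") and "Start Page" in entry and "microsoft.com" not in entry:
            findings.append(("non-default IE start page", entry))
    return findings
```

The rules prioritise a human's attention rather than deliver verdicts: the user's own renamed DogThis.exe is flagged too because it runs from a network share, and the missing-file hits on the avast services are consistent with the disabled installation described earlier in the thread.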

CharleyO

Re: EXEs being changed
« Reply #29 on: March 07, 2009, 08:32:20 AM »
***

You have used an old version of HJT. Please delete the old HJT, download HJT from the link below, rename it again, run it, and then supply a new log.

http://filehippo.com/download_hijackthis/


***