iexplore.exe deleted after deleting W32BugBear

[paulbasel]

I installed Avast 4.1 Home version on a friend's Windows 98 machine. He was recently alerted by Avast that Win32BugBear was found on his machine. This was months after Avast was installed.

He tried Repair and the system informed him that it could not be repaired. He then click Delete. Now he can't connect to the Internet via MS Explorer. I check his system and found that the executable, iexplore.exe was deleted.

What is going here that Avast deletes executable files?? Is there any way to repair this without reinstalling the OS?

Paul

[Eddy]

He then click Delete

Tell him to check what file it is and what the locatation is before deleting next time. He also could have send it to the chest.

To repair:

control panel > software > windows components

or download IE and install it.
Microsoft IE installer
or
browsers.evolt.org (complete install package)

[paulbasel]

Thanks for quick response Eddy

My friend is not very computer literate and doesn't have much money so I found Avast for him and assumed he would read the instructions. Obviously he didn't.  I wasn't that familiar with Avast since I have used TrendMicro's PC-cillin for years. I didn't think that an anti-virus program would actually delete a system file or an executable without warning the user. I have never had that happen with PC-cillin.

What is also curious to me is that his system was clean when we installed Avast and yet the software allowed the Trojan to infect his system and then found it later during a scan. It's not a question of updates (he does do that) because this trojan has been around for a long time.

It appears that the trojan came in via an email attachment, but why didn't Avast recognize it before it infected his system. PC-cillin has found this same bug on emails sent to me in the past and I never had to make a decision about repair or delete - it simply quarantined the bug.

Thanks for the links.

Paul

[Eddy]

I didn't think that an anti-virus program would actually delete a system file or an executable without warning the user.

Avast did ask what to do

It appears that the trojan came.......

Can't tell what happend since some info is missing. Like did he setup mail protection correctly... Was Avast running when he opened the mail attachment? Things like that.

And why the heck did he opened that attachement? It has a double extension which is always supicous!

You could say Avast is protecting mail in two ways. First with the mail scanner, second with the on-access scanner. If for some reason (not likely) a infected attachment stills come through and you open the attachment, the on-access scanner will scan the attachment. So it looks to me that either Avast wasn't/isn't setup properly or perhaps even not running at all when the infection took place.

i sure hope you can/will check it for your friend and make sure everything is up and running. You can use the EICAR TEST FILE to check if Avast reacts or not. Send a email to your friends address with the eicar test file attached.

Do it while you are there ofcourse, or he may scare hisself to death if he is not expecting a infected email

[DavidR]

What is also curious to me is that his system was clean when we installed Avast and yet the software allowed the Trojan to infect his system and then found it later during a scan. It's not a question of updates (he does do that) because this trojan has been around for a long time.

Win32:BugBear
is an Internet worm written in Microsoft C and packed with UPX. The worm is 50688 bytes long, it spreads via email and via network shares. It drops the trojan horse with keylogging and backdoor capabilities. The worm arrives as a randomly named attachment in email message with variable subjects and body. It uses the well known IFrame exploit that allows it to run automatically on vulnerable computers without patch.

This would indicate a vulnerability that has not been patched. Either that or the patch has failed in some way, overwritten by another patch perhaps or missed when the OS was re-installed perhaps.

http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

[Eddy]

With or without the patch, Avast should have caught it. So I think we have a wrong setting or something like that here.

[paulbasel]

Guys, thanks for all the input.

While my friend's system is probably not fully up to date with all the MS security patches, I do agree with Eddy that Avast should have caught the Bear. Avast was installed with all of the default settings. During the setup it correctly identified IE and Netscape on his computer and was alerting him to other bugs that it found over the months, so he told me.

I sent him Symantec's Bear detect and repair executable, fxbgbear.exe which he ran, but it found nothing. He ran it from Normal mode, not in Safe mode. I'm not sure he has the knowledge to do this. I sent him instructions but he is not very computer literate. Avast keeps alerting him to the fact that the trojan is still on his system.

He's in Florida for about 4 months so he doesn't have access to his installation CDs and the downloads of IE 6.0 are so massive (75 MB) that I'm not sure he wants to do it over his dialup connection. Even if he did decide to download IE, if his system is not clean, he will wind up with the same problem after the reinstall.

One other point. The error message when he starts up IE is that the executable can't be found. When he trys Netscape, the program starts but then it complains that it can find no connection. Over the phone, I walked him through the checking of all of his connection settings and they are correct. His Outlook Express is able to connect and he receives and can send emails.

Any other suggestions.

Paul

[Eddy]

Is there someone in his neighbourhood that can hold his hand (no offense) and help him to walk through all steps on the page in my signature? If so, I think that is a good start. At least his system will be clean, updated and secured. After that we can take on the problems that are remaining.

This looks to me the way to go for him.

[paulbasel]

Eddy

I think you are right (and no offense taken). I'll suggest that to him. It might be a little tough finding someone in Florida who is familiar with a German OS, but if he searches around I'm sure he can find someone.

Thanks again for your help

Paul
Basel, Switzerland

[Eddy]

He could ofcourse pay the tickets so we can have a look

Keep us informed how he is doing. Good luck.

ps: NL (Netherlands) here

[paulbasel]

Hi Eddy

Here's an update. My friend in Florida didn't pay for tickets for us to visit him, but I was able to talk him through starting his computer in Safe mode and running the latest bugbear variant killer.

It removed all 12 instances of the critter and he is back up and running. Only one small problem - Windows 98 now refuses to shut down. In other words, the normal shutdown doesn't function at all, he must actually pull the plug on the computer. Any ideas on why this occured.

BTW, iexplore.exe wasn't deleted, it was just infected - so Avast wasn't at fault after all (except for letting the creature into his system in the first place).

Thanks again for your comments and help.

Paul

[Eddy]

Thanks for the update Paul.

Microsoft has a patch for the shutdown problem on Win98. Let him install that and everything should be back to normal.

[paulbasel]

Thanks Eddy, you've been a great help. I found the patch and sent it to my friend. I think he can handle this install without my help, but one never knows.

It should solve the problem, I hope.

Paul