Wilders Security Forums  

#1 gale (Infrequent Poster; Join Date: May 2005; Posts: 11), September 1st, 2008, 05:03 AM
Bagle Virus

Four viruses have suddenly appeared.... that I know of. hldrrr.exe, flec006.exe, wintems.exe and mdelk.exe. Messages appear from a "program not being a valid win32 app" to failure to start in "safemode" to mention a few. My virus program will catch these files and delete same. Problem is when I think things are going good they reappear. CPU usage will go to 100% with little or no activity. Have used several pgms to find and delete these buggers but they come back. I have reinstalled XP but something sneaks by. Any help. Thanks.
#2 lodore (Incredibly Massive Poster; Join Date: Jun 2006; Posts: 8,876), September 1st, 2008, 05:08 AM
Re: Bagle Virus

Hello,
Do you have any external hard drives attached to your computer?
Or a USB flash drive?
If you reinstalled Windows it would have got wiped from c:, but it looks like it's coming from another drive.
Try SUPERAntiSpyware and Dr.Web CureIt.
Links in my sig.
__________________
useful tools:cure it SAS Hitman Pro mbam KL Eset windows defender offline Sophos
#3 Baz_kasp (Frequent Poster; Join Date: May 2008; Location: London; Posts: 593), September 1st, 2008, 06:41 AM
Re: Bagle Virus

Hi,

Bagle is a nasty bugger, but it can be repaired with some help from an experienced malware fighter (the safemode issue and the disabled security apps). I would suggest you visit one of the ASAP member sites that help clean hosed machines to get expert help, as standalone antivirus probably will not get rid of the whole infection and reset your safeboot keys etc.
#4 jmonge (Incredibly Massive Poster; Join Date: Mar 2008; Location: Calgary, Canada; Posts: 11,770), September 1st, 2008, 07:23 PM
Re: Bagle Virus

SUPERAntispyware will do the job
__________________
Emsisoft Anti-Malware 7.0/WebRo0t AntiVirus 2o13
#5 GlobalForce (Regular Poster; Join Date: Jun 2004; Location: Garden State, USA; Posts: 3,581), September 1st, 2008, 08:01 PM
Re: Bagle Virus

Hi Gale.

Don't dilly-dally. The advice Baz gave is appropriate, get experienced ASAP help.


S
__________________
"No matter what, no matter where ~ it's always home when love is there!"
#6 Searching_ _ _ (Very Frequent Poster; Join Date: Jan 2008; Location: iAnywhere; Posts: 1,988), September 2nd, 2008, 12:17 AM
Re: Bagle Virus

There are other people with similar issues (reformatting and reinstalling, malware still present); not large scale, but they are around.

http://www.wilderssecurity.com/showthread.php?t=174046


Quote from Computrace http://www.absolute.com/products-core-technology.asp

"The Computrace® Agent is a small software client that can be embedded into the BIOS firmware “at the factory”, or installed like most software applications onto the hard drive of a computer. When embedded in the BIOS of computers by major OEMs, such as Dell, Fujitsu, Gateway, HP, Lenovo, Motion Computing, Panasonic and Toshiba, the Computrace Agent can survive operating system re-installations, hard drive reformats and even hard drive replacements.

The ability to withstand these changes is critical in order to survive unauthorized removal attempts as well as work seamlessly with customers' break/fix and IMAC (Install/Move/Add/Change) processes."

*What if these methods are used to create a reinfection? A malicious installation of the legit Computrace software (there are other companies) to track a computer user for reinfection. The moment you connect online for any reason, you become visible for reinfection.

http://stason.org/TULARC/security/co...an-floppy.html

A PC virus known as EXE_Bug can fake out the boot process by setting the PC's CMOS to look as if there are no floppy drives in the machine. Most BIOS'es don't even try to boot from a floppy in this case, and go straight to the hard disk, loading the virus from the MBR.

*With this you might notice some time or date alterations when it was previously correct; if not, maybe some settings in bios setup are changed.

Raw disk

http://www.vbforums.com/showthread.php?t=240304

Ok this code is intended to access the hard disk and read/write to it.

*I included this because I had an empty drive, according to Hexeditor, while online, using a bartpe cd, someone wrote 2.5 megs of data at the end of the disk. No joke!


For HDD, simple Windows reformat is not enough. Programs like DBAN and KillDisk, though preferred, may not be enough but should be a minimum. If you have an Intel CPU, try HDDErase; it will absolutely clear everything on your HDD.
Reset your CMOS after wiping before restarting.

There are also some other speculative locations, basically any place that has memory that's flashable and can load into RAM. Don't forget your router or modem, N.P.D.E.A http://www.infoworld.com/article/07/...ESS%20SECURITY

Have fun
__________________
Americans are the enemy? Mil. can arrest you?
What the heck is going on?

Last edited by Searching_ _ _ : September 2nd, 2008 at 12:22 AM.
#7 gale (Infrequent Poster; Join Date: May 2005; Posts: 11), September 2nd, 2008, 01:22 AM
Re: Bagle Virus

ZoneAlarm disappeared and when I tried to reinstall same received a message that it was not a "valid Win32 app." Same with DAP and several other pgms. Yes, I do have my backup on an external hard drive. Wiped c: drive clean and reinstalled Win XP. Reinstalled backup being careful not to replace any files that I installed. Somehow or other the backup is bringing the virus back in. I might have to forget about a backup and reinstall everything from scratch. Thanks for the help though.
#8 ASpace (Posts: n/a), September 2nd, 2008, 01:47 AM
Re: Bagle Virus

Quote:
Originally Posted by jmonge
SUPERAntispyware will do the job


Nice try (to advertise) but no back-up to support your ... sentence?
#9 Searching_ _ _ (Very Frequent Poster; Join Date: Jan 2008; Location: iAnywhere; Posts: 1,988), September 2nd, 2008, 05:59 PM
Re: Bagle Virus

Quote:
Originally Posted by gale
Yes, I do have my backup on an external hard drive.

Have you scanned the backup drive for problems before wiping the primary drive?

SAS
Dr. Web Cureit
MBam
AVP Tool

Before going all out, try Baz's suggestion, posting at a help forum if you can't get a handle on it yourself. You'll learn a lot more than by wiping. And if it's a new strain you'll be helping make the world aware of it.
__________________
Americans are the enemy? Mil. can arrest you?
What the heck is going on?
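
Added example, not part of the thread or written by any poster: one way to triage a backup tree before restoring from it, as discussed in posts #7 and #9. It flags the four file names reported in post #1 and any `.exe` whose header would fail to load as a Win32 program (the "not a valid Win32 app" symptom); the sample tree and its file names other than `hldrrr.exe` are constructed, and a hit is a hint for a full scanner, not a verdict.

```python
import os
import struct
import tempfile

# File names reported by the original poster in post #1 of this thread.
REPORTED_NAMES = {"hldrrr.exe", "flec006.exe", "wintems.exe", "mdelk.exe"}

def is_valid_pe(path):
    """True if the file starts with MZ and e_lfanew points at a PE signature."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False  # unreadable file: treat as not loadable

def triage_backup(root):
    """Walk a backup tree and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower() in REPORTED_NAMES:
                findings.append((rel, "reported-name"))
            elif name.lower().endswith(".exe") and not is_valid_pe(full):
                findings.append((rel, "not-valid-win32"))
    return sorted(findings)

def build_demo_tree(root):
    """Constructed sample backup: a good PE stub, a damaged .exe, a reported name."""
    pe_stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    samples = {"apps/setup.exe": pe_stub, "apps/broken_installer.exe": b"\0" * 16,
               "docs/hldrrr.exe": pe_stub, "docs/notes.txt": b"hi"}
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        for rel, reason in triage_backup(demo):
            print(f"{reason:16} {rel}")
```
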
#10 gale (Infrequent Poster; Join Date: May 2005; Posts: 11), September 3rd, 2008, 04:10 AM
Re: Bagle Virus

Quote:
"Have you scanned the backup drive for problems before wiping the primary drive?"
Yes. I made sure the external drive had been wiped clean. Thanks.
 

All times are GMT -4.