Bagle Virus

Discussion in 'malware problems & news' started by gale, Sep 1, 2008.

Thread Status:
Not open for further replies.
  1. gale

    gale Registered Member

    Joined:
    May 22, 2005
    Posts:
    11
    Four viruses have suddenly appeared.... that I know of. hldrrr.exe, flec006.exe, wintems.exe and mdelk.exe. Messages appear from a "program not being a valid win32 app" to failure to start in "safemode" to mention a few. My virus program will catch these files and delete same. Problem is when I think things are going good they reappear. CPU usage will go to 100% with little or no activity. Have used several pgms to find and delete these buggers but they come back. I have reinstalled XP but something sneaks by. Any help. Thanks.
     
  2. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hello,
    do you have any external hard drives attached to your computer?
    or usb flash drive?
    if you reinstalled windows it would have got wiped from c: but looks like it's coming from another drive.
    try superantispyware and drweb cure it.
    links in my sig.
     
  3. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Hi,

    Bagle is a nasty bugger, but it can be repaired with some help from an experienced malware fighter (the safemode issue and the disabled security apps). I would suggest you visit one of the ASAP member sites that help clean hosed machines to get expert help, as standalone antivirus probably will not get rid of the whole infection and reset your safeboot keys etc :)
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    SUPERAntispyware will do the job:thumb:
     
  5. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Hi Gale.

    Don't dilly-dally. The advice Baz gave is appropriate, get experienced ASAP help.


    S
     
  6. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    There are other people with similar issues, reformatting and reinstalling, malware still present; not large scale but they are around.

    https://www.wilderssecurity.com/showthread.php?t=174046


    Quote from Computrace http://www.absolute.com/products-core-technology.asp

    "The Computrace® Agent is a small software client that can be embedded into the BIOS firmware “at the factory”, or installed like most software applications onto the hard drive of a computer. When embedded in the BIOS of computers by major OEMs, such as Dell, Fujitsu, Gateway, HP, Lenovo, Motion Computing, Panasonic and Toshiba, the Computrace Agent can survive operating system re-installations, hard drive reformats and even hard drive replacements.

    The ability to withstand these changes is critical in order to survive unauthorized removal attempts as well as work seamlessly with customers' break/fix and IMAC (Install/Move/Add/Change) processes.

    *What if these methods are used to create a reinfection? A malicious installation of the legit Computrace software (there are other companies) to track a computer user for reinfection. The moment you connect online for any reason, you become visible for reinfection.

    http://stason.org/TULARC/security/computer-virus-l/80-How-do-I-boot-from-a-clean-floppy.html

    A PC virus known as EXE_Bug can fake out the boot process by setting the PC's CMOS to look as if there are no floppy drives in the machine. Most BIOS'es don't even try to boot from a floppy in this case, and go straight to the hard disk, loading the virus from the MBR.

    *With this you might notice some time or date alterations when it was previously correct; if not, maybe some settings in bios setup are changed.

    Raw disk

    http://www.vbforums.com/showthread.php?t=240304

    Ok this code is intended to access the hard disk and read/write to it.

    *I included this because I had an empty drive, according to Hexeditor, while online, using a bartpe cd, someone wrote 2.5 megs of data at the end of the disk. No joke!


    For HDD, simple Windows reformat is not enough. Programs like Dban and Killdisk, though preferred, may not be enough but should be a minimum. If you have an Intel CPU, try HDDErase, it will absolutely clear everything on your HDD.
    Reset your cmos after wiping before restarting.

    There are also some other speculative locations, basically any place that has memory that's flashable and can load into ram memory. Don't forget your router or modem, N.P.D.E.A http://www.infoworld.com/article/07/04/19/HNroutercellattackrisk_1.html?WIRELESS SECURITY

    Have fun
     
    Last edited: Sep 2, 2008
  7. gale

    gale Registered Member

    Joined:
    May 22, 2005
    Posts:
    11
    ZoneAlarm disappeared and when I tried to reinstall same received a message that it was not a "valid Win32 app." Same with DAP and several other pgms. Yes, I do have my backup on an external hard drive. Wiped c: drive clean and reinstalled Win XP. Reinstalled backup being careful not to replace any files that I installed. Somehow or other the backup is bringing the virus back in. I might have to forget about a backup and reinstall everything from scratch. Thanks for the help though.
     
  8. ASpace

    ASpace Guest


    Nice try (to advertise) but no back-up to support your ... sentence? :rolleyes:
     
  9. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Have you scanned the backup drive for problems before wiping the primary drive?

    SAS
    Dr. Web Cureit
    MBam
    AVP Tool

    Before going all out, try Baz's suggestion, posting at a help forum if you can't get a handle on it yourself. You'll learn a lot more than by wiping. And if it's a new strain you'll be helping make the world aware of it.
     
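The point raised above, scanning the backup drive before restoring it onto a freshly wiped system, can be given a concrete shape. The script below is an added example and is not code from anyone in this thread; it walks a backup tree and flags two things: files whose names match the four Bagle components named in the first post (hldrrr.exe, flec006.exe, wintems.exe, mdelk.exe), and files that carry a Windows executable ("MZ") header but do not have an executable extension, which is how a dropper can hide among documents and photos. The sample directory layout it builds is constructed for illustration; the file names come from the thread, the contents and folder paths are made up.

```python
import os
import tempfile
from pathlib import Path

# Component names reported in the first post of this thread (compared case-insensitively).
KNOWN_BAGLE_NAMES = {"hldrrr.exe", "flec006.exe", "wintems.exe", "mdelk.exe"}

# Extensions where a PE ("MZ") header is expected; an MZ header under any other
# extension is worth a second look before the file is restored.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}


def is_pe_file(path: Path) -> bool:
    """True if the file starts with the DOS/PE 'MZ' magic bytes."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def audit_backup(root) -> dict:
    """Walk a backup tree and return paths (relative, POSIX-style) grouped by finding."""
    root = Path(root)
    findings = {"known_names": [], "hidden_pe": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if name.lower() in KNOWN_BAGLE_NAMES:
                findings["known_names"].append(rel)
            elif p.suffix.lower() not in PE_EXTENSIONS and is_pe_file(p):
                findings["hidden_pe"].append(rel)
    return findings


def build_sample_backup() -> str:
    """Constructed sample backup tree (not real data); returns its root directory."""
    root = tempfile.mkdtemp(prefix="backup_audit_")
    layout = {
        "Documents/letter.txt": b"plain text, nothing to see",
        "Documents/photo.jpg": b"MZ\x90\x00not really a jpeg",     # PE body, image extension
        "Program Files/App/app.exe": b"MZ\x90\x00ordinary program", # PE where one is expected
        "WINDOWS/system32/wintems.exe": b"MZ\x90\x00sample",        # name from the thread
        "Temp/Hldrrr.EXE": b"MZ\x90\x00sample",                     # same, different case
    }
    for rel, data in layout.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_backup()
    for kind, hits in audit_backup(sample_root).items():
        print(f"{kind}: {hits}")
```

Run it against the real backup root instead of the constructed one by calling `audit_backup("E:\\")` or similar; a non-empty `known_names` list is the strongest signal that the drive is what keeps re-seeding the machine, and anything in `hidden_pe` should be submitted to a scanner rather than copied back.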
  10. gale

    gale Registered Member

    Joined:
    May 22, 2005
    Posts:
    11
    Yes. I made sure the external drive had been wiped clean. Thanks.
     