Got clobbered by W32.Beagle.GM

Discussion in 'malware problems & news' started by stumped1, Mar 25, 2008.

Thread Status:
Not open for further replies.
  1. stumped1

    stumped1 Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    8
    Not sure if this is the right place to post this, but I got my butt kicked by what was apparently W32.Beagle.GM. It walked right past Symantec AV and Windows Defender. This thing turned off SAV and Defender, replaced HijackThis with a virus, turned off services...
    ComboFix almost got rid of it, but then XP kept blue screening with a c00002a error, even in Safe Mode.

    What I'm looking for may not even exist: something that will watch the system and allow me to, uh, shut down / turn off / CRUSH anything deemed nasty?
    I mean, it's just some code being executed; why can't I just stop it from running...?
    Any thoughts on Sandboxie, IceSword, Spybot's TeaTimer?
    I'm stumped. :'(
     
  2. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Sorry to hear. It won't hurt to run Dr.Web's CureIt to see if anything is left infected.

    If you no longer have faith in an antivirus, try a HIPS program that will put you in control.
     
  3. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Sandboxie is an excellent choice, and you may want to consider ThreatFire; it is light and easy to use.
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    It's a question of privileges. Bagle installs a rootkit, so it "owns" your machine. Your best bet would be going to a malware cleaning forum and asking for expert advice. In the meantime, you can try Prevx CSI and SAS Free.
    Can I ask how you got this infection?
     
  5. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
  6. computer geek

    computer geek Registered Member

    Joined:
    Oct 6, 2007
    Posts:
    776
  7. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    On a daily basis, DeepFreeze, Returnil and others will allow you to reboot and effectively crush anything nasty.

    An imaging program like Acronis or ShadowProtect will let you restore a known good image. If I had an infected machine I would not be happy trying to fix it (would never really be sure), so I would simply delete and restore.
     
  8. stumped1

    stumped1 Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    8
    How I got it? By doing things I shouldn't :mad:
    I googled and found the c00002a error could be caused by a pending file rename, which makes sense with ComboFix running. I never got out of the BSOD loop.
    Went to plug the drive into a working system using a USB adapter setup, but plugged the power cord in wrong and smoked (literally) the HD.
    The part about owning my machine: yeah, I noticed :(
    I know it's technically harder than it sounds, but it seems silly that I can't make a machine just do what I tell it to.
    Any thoughts on Sandboxie vs. a HIPS system?
    Thanks for your replies.

    Found this review of HIPS, FWIW:
    http://www.techsupportalert.com/security_HIPS.htm
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Searching for warez? Installing a codec? Clicking a random link on instant messaging/spam mail?
    They won't help to clean your PC if this is what you're asking for.
     
  10. stumped1

    stumped1 Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    8
    No, I know they won't clean it. I meant opinions on how bulletproof they are.
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    If used correctly, they're very close to being bullet-proof.
     
  12. stumped1

    stumped1 Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    8
    Say, while I'm here, can anyone give me pointers on how to use Process Explorer and GMER, or where I might find this information?
    Using PE I was able to find the registry locations for the file (ddccayv.dll),
    but every time I deleted the keys they reappeared, and when I used PE to close the handle, of course it would just restart. Sorry, I don't know enough about code execution, but there must be a way of halting execution / unloading the file, yes?
     
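Added example, not code from the thread or from any of the tools named in it. The symptom in the post above (deleted keys reappear, a closed handle comes straight back) is what a watchdog plus autorun persistence looks like: the DLL is hosted by more than one process, or something re-creates the registry value on every start. Before killing anything, enumerate every process that has the DLL loaded and every common autorun location that references it; then you know what has to be stopped together. The script also prints the Session Manager PendingFileRenameOperations value the earlier post mentions, since a rename queued for a file that no longer exists is one way a cleanup tool can leave a machine blue-screening at boot. The file name ddccayv.dll is the one the poster found; the list of autorun keys is the general set, not anything specific to W32.Beagle.GM. One caveat a practitioner would add: a kernel rootkit can hide exactly these processes and keys from an on-box script, so an empty result from inside the infected OS proves nothing, which is the argument for scanning from boot media.

```powershell
# Added example, not from the thread. Assumes a Windows host with PowerShell and
# a suspected DLL name; ddccayv.dll is the name given in the post.
param([string]$Suspect = 'ddccayv.dll')

# 1. Every process that has the DLL mapped. Killing one host while another survives
#    only restarts it, so collect the full set first.
function Get-HostingProcesses([string]$Name) {
    foreach ($p in Get-Process) {
        try {
            # Modules can throw "access denied" on protected/system processes; skip those.
            $hit = $p.Modules | Where-Object { $_.ModuleName -ieq $Name }
            if ($hit) { [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $hit[0].FileName } }
        } catch { }
    }
}

# 2. Common autorun locations. Values are compared as strings against the DLL name.
#    (General list; not specific to this malware family.)
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell, Userinit, UIHost
)

function Get-AutorunReferences([string]$Name) {
    $pattern = [regex]::Escape($Name)
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }            # PSPath, PSParentPath, ...
            if ("$($prop.Value)" -match $pattern) {
                [pscustomobject]@{ Location = "$key\$($prop.Name)"; Value = "$($prop.Value)" }
            }
        }
    }
    # Winlogon\Notify packages are subkeys, each with a DllName value.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem $notify) {
            $dll = (Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue).DllName
            if ("$dll" -match $pattern) {
                [pscustomobject]@{ Location = "$($sub.PSPath)\DllName"; Value = "$dll" }
            }
        }
    }
    # Services whose image path or ServiceDll names the file.
    foreach ($svc in Get-WmiObject Win32_Service) {
        if ("$($svc.PathName)" -match $pattern) {
            [pscustomobject]@{ Location = "Service $($svc.Name) PathName"; Value = $svc.PathName }
        }
        $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $svcDll = (Get-ItemProperty $paramsKey -ErrorAction SilentlyContinue).ServiceDll
        if ("$svcDll" -match $pattern) {
            [pscustomobject]@{ Location = "Service $($svc.Name) ServiceDll"; Value = "$svcDll" }
        }
    }
}

# 3. Renames/deletes queued for the next boot. Entries come in source/destination
#    pairs; an empty destination means "delete the source at startup".
function Get-PendingRenames {
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
}

"== Processes with $Suspect loaded =="
Get-HostingProcesses $Suspect | Format-Table -AutoSize
"== Autorun references to $Suspect =="
Get-AutorunReferences $Suspect | Format-Table -AutoSize
"== PendingFileRenameOperations =="
Get-PendingRenames
```

Run it from an elevated prompt; the process and service enumeration is incomplete without administrator rights. If the process list shows two or more hosts, suspend all of them (Process Explorer can suspend rather than kill) before removing the registry values, otherwise the surviving one rewrites them. If the pending-rename list names a file that is already gone, that pair is a candidate cause of the boot-time crash and can be removed from the value from offline registry access.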
  13. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hello,
    On a major infection such as what appears to be the case here, where your system is being modified before your eyes and the "clean up" tools don't work, you need to use a boot disk with specialized system recovery tools such as BartPE and scan/clean outside the OS... Sometimes you may even have to manually replace the system files the hack modified...

    Sandboxie et al. are useless here, as they offer no detection or cleaning capabilities where it comes to infections... Think of them as pre-emptive, not reactive...

    If you are good at figuring things out systematically, you can try to do a live manual cleanup:

    If you still want to give a live manual cleanup a try, you can go and read this page on virus cleanup. The best tools for manual cleanup are also listed there: Advanced Cyber Self Defense!
     
    Last edited: Mar 26, 2008
  14. wat0114

    wat0114 Guest

    This removal procedure for W32.Beagle.GM may hopefully help. Follow it very carefully, step by step; otherwise seeking online help, as suggested by likuidkewl, might be your best bet, unless you can bite the bullet and reinstall Windows as a last resort.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I agree here.

    If you want to prevent a recurrence with a fast fix, Returnil is your best choice. It installs nicely, and so far I have not seen any compatibility problems with other security apps, including AVs.

    From the looks of things, the Memory Virtualization feature of Returnil would save you AND YOUR AV from being bitten again.

    Returnil also allows you to save material in its own pre-NTFS-formatted virtual partition, even after you dump your session. When you think you may be headed for trouble, you can activate SESSION MANAGER and at once it throws your system into a safer virtual state on the fly.

    The other programs mentioned are of course additional safety measures that can supplement your AV, but I mention Returnil because they have a "free" version (RVS 2008) just recently released, and it's nothing at all to install and then turn quickly from worry directly into safety.
     
  16. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    The virtualisation crowd strikes again! Nonsense!
    How can you use a dynamic system, make changes, update programs, if you can't ever do so because you have everything virtualised? This is not a usable proposition, as it only works for small stints like when online... And it certainly will not help in cleaning up a virus!

    Get real!

    Advising someone to use virtualisation when they ask for help with a virus displays either ignorance or a plain-sight attempt at marketing!

    Besides, the correct protocol is to use the appropriate countermeasures... such as an AV, a HIPS and, under certain circumstances, a virtual space!
     
    Last edited: Mar 29, 2008
  17. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Given the choice between:

    (a) Restoring a clean image in say 5 minutes and
    (b) using any existing cleanup program to remove a nasty

    which would you choose ?


    By the way, the OP asked for something that would "allow me to uh - shut down / turn off/ CRUSH anything deemed nasty?" Isn't this what Returnil, DeepFreeze,..... and imaging programs do?
     
  18. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I would choose an AV, given that it would detect and block the nasty at first sight. Also, an AV + HIPS combination is more effective, as it allows you to operate "always" protected and not only during virtualised sessions...

    An infection post-Returnil would perhaps be handled, given that Returnil was running in protected mode... But you just can't always run in protected mode, as computer usage is very dynamic.

    Also, personally I don't believe in imaging software for security, for a range of reasons... They can't be trusted, as you can build viruses, rootkits and other types of infections into your images, and as such will keep restoring them... You need something that will assist you in "preventing" infections, or at least identify them in the first place... Imaging and virtualisation do not deal with this issue at all... as they do not identify existing infections prior to creating images. Also, given that you integrate an infection into your virtualised environment or into the image, you are DOA without even knowing it... This is why I think it a far superior approach to use Firewall + AV + HIPS + Sandbox (sandboxes used only under controlled parameters).

    As I have said before, virtualisation and imaging should be part of an intelligent, layered protocol, and not a single point of defense...
    Imaging software is designed as backup/restore of essential "systems" and not as a security platform... Anyone who preaches it's good for security is missing very important bits and pieces in his thinking...
     
    Last edited: Mar 29, 2008
  19. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    Let me re-phrase my question: you have a machine with a virus. Would you prefer to be able to reboot and it's gone, or restore a clean image, or try to fix it with some program?

    I think too much is made of the problems of running with DeepFreeze. Basically you run protected until you want to make a change. If configured efficiently (and I admit this does require a little thought), then very few reboots are required.

    I find it best to move the Firefox profile to another drive and, of course, to keep data separate from the OS and programs. Unless you want to use the machine to test new programs, how often do you need to change programs? As no AV, AS, HIPS etc. are required, there are no updates to worry about here. Every month or so Windows needs updating.

    Anyway, on those rare occasions when not running in protected mode, let us say that the machine becomes contaminated. Solution: just restore an earlier image. To be fair, this is only theory, because as you well know I have never been able to get contaminated.

    Re your edit: imaging does not identify infections; that is what scanners are for. If you can name a scanner that I might try that I haven't used, then I will test my images. Using programs that provide a demo, I have been unable to find any infections, so my images are innocent till proven otherwise.
     
  20. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Your above description of computer use is mild at best... I update tons of programs "daily"... Just run the Secunia Software Inspector, for one, and see how many of your programs are outdated, insecure or abandoned by the developer and thus vulnerable.

    Besides, I don't think I'm unique in that I download and install programs and play around online a lot... Most power users would die under the restrictions such technology imposes... Besides, advocating such a solution without appropriate backup defenses is unthinkable, as Joe Average doesn't even know an executable from a process (just a bad joke), even less a good program from a trojan or rootkit...
     
  21. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Then a combo such as Prevx covers all bases... Think of it: AV + anti-malware scan + HIPS + global interconnect of malware issues...

    All I'm saying is that this combination works: AV, HIPS, Firewall, Sandbox... You can add imaging if you wish... in fact I think it a very good idea... I just prefer backing up to secure external servers, but that's just a preference... I see it as more dynamic and more relevant, as in file-level hierarchy and multi-generational recovery available if needed...
     
  22. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Yes, I had forgotten Secunia. I do, however, run it in protected mode. Just now everything is up to date, but the last time I found Java needed updating I simply downloaded, still in protected mode, rebooted and updated Java. I appreciate that Sun might want to corrupt me, but I think the odds are small.

    In the real world, as opposed to Wilders, I do have to wonder how many changes most users make to their machines? If my clients are anything to go by (accountants, solicitors, architects.....), little changes from one year to the next.
     
  23. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Oh... I know... with the small-biz crowd, any change and they cry like babies with a full nappy! :'( The employees tend to fear change, as it usually means having to learn a new skill or technology... not usually a welcome event!

    On the other hand, the home crowd tends to download and try everything with the label "Free" attached to it... That creates an ever-changing and dynamic environment to operate in, thus creating a breeding ground for trouble!
     
  24. stumped1

    stumped1 Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    8
    Hey guys! Thanks for your responses. OK, this is something I'm playing with because it was free. No, I know it's not THE security answer; I'm just excited because I found a new toy.
    MS Virtual PC 2007
    I have a guest XP SP2 running on a Vista SP1 host. Vista has no additional security programs on it other than what comes with it.
    I am just ITCHIN' to try something on it. :D
    Anyone know the likelihood of something (nasty) jumping out of the play box and onto the host? :eek:
    And, if it's (relatively) safe, can someone recommend something to try on it (besides "eicar")?

    Just to clarify: I want to put some minor virus on the virtual PC and not have it affect the real system at all (hopefully)....
    Good / bad idea?
     
  25. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I'm not familiar with the MS VM... I only use VMware to play around... However, vulnerabilities pertaining to file sharing have recently come to light.

    VMware in my opinion is the more mature technology and as such more, uhm... well, trustworthy to perform the likes of what you propose...

    If you want my opinion, I would use neither to explode viruses and watch the damage... Because if you are inexperienced, you will make that inevitable human error and allow the infection to cross over...

    Personally, for something of that nature, to do it safely, try to get an old hard disk if you have one lying around, or purchase a new one, format it and load Windows. Get a hard disk drawer system from Vantec (they have both IDE and SATA) so you can switch between operating systems easily and quickly without risk, as the disk drawers are entirely separate from each other: they must be replaced by hand or switched within the BIOS for disk boot selection. However, I wouldn't run both disks in parallel (helps to reduce risks). Load a VM or some virtualisation tool like Returnil on the laboratory disk, and explode the viruses to your heart's content... If the safety fails, you did the damage on a spare disk and as such risk only the wasted time to rebuild it... (You can even image the disk in case the OS gets wrecked and simply re-image it over.)
     
    Last edited: Mar 29, 2008