Worm-Email.Bagle (General Components)

joia · 01-26-2008, 02:16 AM

Symptoms
1.A message window was loading with windows start with the following message " select something to patch " It was like a normal explorer window but smaller and selected the folders and files wich patched without any confirmation.
2.Antivirus was not running anymore. The message was that is not valid win32 application
3. The following services was disabled. Windows defender - windows firewall - update - and security senter ( I reenabled manually but upon reboot a message appeared that some application was not running - on right click the name of the application was- install-which not appeared on the quik sturtup programs neither disabled nor enabled)
Actions taken
1Post to avira forums - Advise from another user to use combofix (After a breaf search the warnings on using this ap made me to try another solution first)
2.Uninstall avira
3.Install again (could not complete the installation)
4.Install other antivirus progs (nod 32-bit diffender- virus fighter) (could not complete installation)
5 fixes tools from microsoft - not worked -it was stacking in certain point
6. Antispy prog could make a scan and find this results

Infections found running Trojan remover (trial edition)

Worm-Email.Bagle (General Components)
Malware (General Components)

Infected registry keys/values detected
hkey_current_user\software\datetime4\
hkey_current_user\software\datetime4\port\
hkey_current_user\software\datetime4\uid\
hkey_current_user\software\datetime4\wdrn\
hkey_current_user\software\microsoft\windows\currentversion\run\german.exe\
Malware (General Components)
Infected registry keys/values detected
hkey_current_user\software\firstrrrun\
hkey_current_user\software\microsoft\windows\currentversion\run\drvsyskit\
Looking into registry found the folder datetime and firstrrun and deleted manually but not the other references
the prog deleted the rest but after rebooting and scanning i was back in the previous situation
I rebooted into safe mode to try to run hijack this in order to post the log in avira (in normal mode was stopping the scan in certain point)
my screen was freezing and i had to start new session - I was intented to type explorer but system 32 oppened and showed me (strange enough i think) a folder which was named in blue letters and almust the same name as the abobe folder windrivers(this not appeared in the system in normal mode) I oppened and looked into a file wich could open with text editor. It seemed to be the programming for the virus ( i am sorry not to keep a copy of this to post here) I remember that in first lines the autor was a name with guru extention )
Selecting the text i removed all the references then deleted the file and then the entire folder.
The results of my action. The select something to patch desapeared and also the install file mentioned before - My computer seemed to run normal but i took blue screen twice ( I think this was dew to many incoplete installations so i runned an unistaller wich removed them from registry )
The last problems that remain
1. I can run hijack in normal mode but i cant run delete or remove the combofix from my destop - when clicking starts loading for almust 2 minutes and then says is not win32 application.
2 I cant run an online scan
3 I can't run any antivirus
3 I cant open some hiden folders - the message is i dont have rights.

I have compleded the five steps I will wait instruction on what to do
In any case i can record what i am doing and send the swf file to have a clear image of my problem
Thanks for your time

01-26-2008, 02:16 AM	#1 (permalink)
joia Registered User Join Date: Jan 2008 Posts: 4 OS: vista ultimate	Worm-Email.Bagle (General Components) Symptoms 1.A message window was loading with windows start with the following message " select something to patch " It was like a normal explorer window but smaller and selected the folders and files wich patched without any confirmation. 2.Antivirus was not running anymore. The message was that is not valid win32 application 3. The following services was disabled. Windows defender - windows firewall - update - and security senter ( I reenabled manually but upon reboot a message appeared that some application was not running - on right click the name of the application was- install-which not appeared on the quik sturtup programs neither disabled nor enabled) Actions taken 1Post to avira forums - Advise from another user to use combofix (After a breaf search the warnings on using this ap made me to try another solution first) 2.Uninstall avira 3.Install again (could not complete the installation) 4.Install other antivirus progs (nod 32-bit diffender- virus fighter) (could not complete installation) 5 fixes tools from microsoft - not worked -it was stacking in certain point 6. Antispy prog could make a scan and find this results Infections found running Trojan remover (trial edition) Worm-Email.Bagle (General Components) Malware (General Components) Infected registry keys/values detected hkey_current_user\software\datetime4\ hkey_current_user\software\datetime4\port\ hkey_current_user\software\datetime4\uid\ hkey_current_user\software\datetime4\wdrn\ hkey_current_user\software\microsoft\windows\currentversion\run\german.exe\ Malware (General Components) Infected registry keys/values detected hkey_current_user\software\firstrrrun\ hkey_current_user\software\microsoft\windows\currentversion\run\drvsyskit\ Looking into registry found the folder datetime and firstrrun and deleted manually but not the other references the prog deleted the rest but after rebooting and scanning i was back in the previous situation I rebooted into safe mode to try to run hijack this in order to post the log in avira (in normal mode was stopping the scan in certain point) my screen was freezing and i had to start new session - I was intented to type explorer but system 32 oppened and showed me (strange enough i think) a folder which was named in blue letters and almust the same name as the abobe folder windrivers(this not appeared in the system in normal mode) I oppened and looked into a file wich could open with text editor. It seemed to be the programming for the virus ( i am sorry not to keep a copy of this to post here) I remember that in first lines the autor was a name with guru extention ) Selecting the text i removed all the references then deleted the file and then the entire folder. The results of my action. The select something to patch desapeared and also the install file mentioned before - My computer seemed to run normal but i took blue screen twice ( I think this was dew to many incoplete installations so i runned an unistaller wich removed them from registry ) The last problems that remain 1. I can run hijack in normal mode but i cant run delete or remove the combofix from my destop - when clicking starts loading for almust 2 minutes and then says is not win32 application. 2 I cant run an online scan 3 I can't run any antivirus 3 I cant open some hiden folders - the message is i dont have rights. I have compleded the five steps I will wait instruction on what to do In any case i can record what i am doing and send the swf file to have a clear image of my problem Thanks for your time