05 janeiro 2008

Removing the Bagle/Beagle virus

Well, folks, it had been a long time since I had fallen victim to a virus or anything of the kind, mainly because I am very careful. Until now: these past few days I got infected. This virus is also referred to as the "Bagle worm" or the "Bagle plague"; if you search for it on the net you will find many forums and threads about it.

Detecting the virus
At first I did not realize I was infected. I noticed the computer had some odd problems: Macromedia Flash, when run, would start loading but then the application closed by itself, out of nowhere, with no logic to it and no error reported; curiously, Dreamweaver loaded and worked normally. FTP Explorer no longer wanted to connect to the Geocities server, but that was probably not the virus's fault, since it still is not connecting.

But last night, while I was chatting with a friend on MSN, he sent me a song, and at the end of the transfer, at the point where the antivirus (AVG) would scan it, it gave an error and did not accept the file. I told him the file was infected, and he said it was not. So I went to look, and I noticed my antivirus (AVG) was not open. I found this strange, since it always runs at Windows startup (XP Professional SP2). I tried to run the antivirus, but the shortcut went looking for the executable and could not find it. I went to its folder under "Program Files", and the AVG folder was missing many files, as if someone had deleted them.

So I thought my brother had uninstalled AVG or something like that. I rebooted the PC to see if Windows startup would run AVG, but nothing. I really was without an antivirus. Worse, since my account is a Power User and not an Administrator, I am restricted from many tasks, such as installing software that touches the registry, system files and so on. So I could not reinstall it.
I went to Task Manager and noticed there were a few processes that were at least suspicious, since I did not remember them.

Well, today my brother noticed AVG was missing and tried to reinstall it, and an error occurred during the installation. And he said: "Kid, you caught a virus on this thing." Then he went off traveling, and left me logged in as Administrator to remove the virus and so on.
I went online and downloaded other antiviruses, such as Panda (which has already saved me a few times) and Avast. Then, since I was afraid of messing up the computer's main user account, I made my own account an Administrator and switched over to it.
In my account, right away I got that message you see at startup after changing something in msconfig, so I went there to look at the startup items again. And straight away I realized it was a virus. I found the following:

I saw these two files, and it was obvious just from looking at them that they were a virus, a worm, or something of the kind:

hldrrr.exe in: system32\drivers
wintems.exe in: system32

I looked them up on Google and confirmed that they really were a virus.

Well, at this point I had no success installing Panda. But I managed to install Avast, and it immediately asked me to reboot the PC so it could scan at Windows startup. And so it was.


At boot it really did a long scan, almost 1h. And it found 5 infected files:
c:\Doc. and Set.\Eduardo\Local Settings\Temporary Internet Files\Content.IE5\P2WBWL9I\b64_3[1].jpg
c:\Doc. and Set.\Evandro\Local Settings\Temporary Internet Files\Content.IE5\7Aw9JY4K\b64_3[1].jpg
c:\System Volume Information\_restore{DE2FD822-3A3D-4CE5-80B0-9818AF1C409}\A0032966.exe
c:\System Volume Information\_restore{DE2FD822-3A3D-4CE5-80B0-98182AF1C409}\A0032967.exe
all infected with: Win32:Beagle-YN [Wrm]

But nothing about hldrrr.exe, nor about wintems.exe. Windows started and, as usual, Avast did not start; its executable had also been deleted, and it was totally inoperative. And in msconfig the two files were checked for startup again, even though I had unchecked them the previous time.

At the command prompt - cmd
So I went to try to delete them by force. I went into the system32 folder, with the option "show hidden and system files" turned on, but wintems.exe did not appear. I went into the drivers folder, and there I also did not find hldrrr.exe.

So I tried from cmd. I went to the system32\drivers folder and just gave the command to list the executables:
dir /w *.exe
and a single file appeared, the blessed hldrrr.exe
then I told it to delete it:
del hldrrr.exe

I gave the "dir" command again, and the file had disappeared. Well, I thought I had succeeded. Then I did a "cd" to the system32 folder, to do the same with wintems.exe. But it did not show up like its friend.
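The checks the author did by hand above (looking in system32 and system32\drivers, looking at the msconfig startup list, looking at Task Manager) can be done in one pass from a PowerShell prompt. The script below is an added example, not code from the original post or from any of the tools it mentions; the two file names and the two folders come from the post, while the registry Run keys, the service query and the output format are my own choice of where msconfig and Task Manager get their data. One caveat a practitioner would want: Explorer and a plain `dir` skip files carrying the Hidden and System attributes, so the listing uses `-Force` (the cmd equivalents are `dir /a` to list them and `attrib -h -s` before `del`).

```powershell
# Added example (not from the original post): look for the two Bagle components
# the author found, hldrrr.exe and wintems.exe, in the places the post names.
# Run from an elevated PowerShell prompt on the suspect machine.
$names = @('hldrrr.exe', 'wintems.exe')                      # file names from the post
$dirs  = @("$env:SystemRoot\system32", "$env:SystemRoot\system32\drivers")

# 1. Files on disk. -Force includes Hidden/System files, which Explorer and a
#    plain 'dir' leave out; the attributes are printed so you can see why.
foreach ($dir in $dirs) {
    foreach ($name in $names) {
        $item = Get-Item -LiteralPath (Join-Path $dir $name) -Force -ErrorAction SilentlyContinue
        if ($item) {
            Write-Output ("FILE    {0}  size={1}  attrs={2}" -f $item.FullName, $item.Length, $item.Attributes)
        }
    }
}

# 2. Startup entries. msconfig's Startup tab is built from these Run keys
#    (my assumption about which keys the post's entries lived in).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                # skip PowerShell's own metadata
        foreach ($name in $names) {
            if ("$($p.Value)" -like "*$name*") {
                Write-Output ("RUNKEY  {0}\{1} = {2}" -f $key, $p.Name, $p.Value)
            }
        }
    }
}

# 3. Services whose binary path points at either file (msconfig's Services tab).
foreach ($svc in Get-WmiObject Win32_Service) {
    foreach ($name in $names) {
        if ("$($svc.PathName)" -like "*$name*") {
            Write-Output ("SERVICE {0}  state={1}  path={2}" -f $svc.Name, $svc.State, $svc.PathName)
        }
    }
}

# 4. Running processes with those image names (what Task Manager would show).
foreach ($name in $names) {
    $base = [System.IO.Path]::GetFileNameWithoutExtension($name)
    Get-Process -Name $base -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Output ("PROC    {0}  pid={1}  path={2}" -f $_.ProcessName, $_.Id, $_.Path)
    }
}
```

The post shows hldrrr.exe coming back after it was deleted, so a check like this is worth re-running after every reboot until it prints nothing; a file that reappears means something still running or still registered is recreating it, and deleting the file alone is not enough.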

The final blow - the removal
I went to look for more about it on the net. I found forums and sites, such as this one [link], that had a very long and complicated method; you would have to mess with memory, the registry and so on. And I was not in the mood for all that. But I found another site, a blog [link], which was very to the point and pointed to a program that solved the problem and eliminated the virus easily.

At this point I also searched the PC for some other files that the sites pointed to as part of the virus package:


But I did not find any more of them; but who knows whether I was infected with those too or not?
Then I downloaded the program the blog author said was the easy solution, a light program in Spanish that needs no installation; it scans the PC for the virus, finds it and removes it: EliBagLa. [click here to download, ~47kb]

I installed it and ran it. It immediately detected the presence of the Worm BAGLE virus and asked for a reboot of the PC to complete the removal.
I restarted the computer; boot was much faster this time (I believe the virus was slowing boot down), but when logging in to my account the computer froze. I even thought: "There! Now I will have to format." But soon a message from the antivirus appeared saying the virus had been removed successfully, and it offered to run a scan before starting the user's Desktop.

Virus eliminated

EliBagLa really solved it, simply and easily. At only 48kb, without bogging down the PC and without having to install anything, it simply did its job. In msconfig, the files hldrrr.exe and wintems.exe showed up as inactive. Flash worked again! And now I could install the antivirus (AVG).
Everyone speaks badly of AVG, and I speak badly of it too: it looks like a sieve. This very infection was proof of that, even though I was using the free version with up-to-date definitions. But from what I saw around the Internet, the virus was also not detected by most antiviruses, anti-spyware, firewalls, alerts etc. To be honest, I do not remember reading anywhere anything like "my anti-X detected the virus".
However, this did not solve the problem. The next day, hldrrr.exe was there again. I got really angry with it. Because if even that software did not solve it, what would? So I went to the Superdownloads site and downloaded most of the applications for removing this virus [link - programs], and I also went to Microsoft support, Windows XP, and searched for the Bagle virus, and found some information, in particular a virus removal application developed by Microsoft, called the "Windows Malicious Software Removal Tool" [link]. It is around 8.5 MB and does not need to be installed.
I downloaded a few other programs from Superdownloads, but none of them found anything, NOTHING, NOTHING. But EliBagLa again found 1 infected file (hldrrr.exe). As for the Microsoft tool, I opted for the full scan; it took around 2h15min (the HD is fairly big and full of stuff); but in the end it found "8 infected files" and eliminated them, fixing the problem. A pity that the software does not produce a report and does not say which files those were and where they were. But finally, the virus was totally eradicated.
Oddly, I noticed that even after the virus was removed, AVG no longer wants to install. So much so that I now have Avast installed and operating normally. One "consequence" of the virus removal is that when Windows starts, the Taskbar freezes for a while, as if it were still loading something, but afterwards everything is normal.
How I got infected
So far it is a mystery. It may have been me, it may have been my brother. There is no doubt it was from browsing the Internet. But it certainly was not from clicking on some suspicious link. I believe the virus was "blended" into some page file or image on some site, mainly because of the infected file in the Temporary Internet Files folder (in both user accounts), named "b64_3[1].jpg" (an image).
I suspect a blog I visited yesterday, because when I clicked a link to see previous posts, as soon as the page loaded, the sound of a few clicks on links could be heard, and the site was redirected to a flash games site which, by the way, had nothing to do with games, but had a pile of pornography links. Perhaps that was the moment.
I believe it may have been even earlier. Note that for 2 or 3 days I had not been able to run Flash. And it seems it was the virus that was preventing it from running.
Symptoms of the virus
What I could notice on my computer:
- presence of hldrrr and wintems in the services and in msconfig;
- boot was slower;
- AVG (the antivirus) simply vanishes, and its executable can no longer be found;
- some programs do not run, as was the case with Flash;
- you cannot install and run an antivirus successfully;
- there are sites that say the virus is capable of stealing data and passwords, damaging the computer a bit more, and also preventing you from entering Windows in Safe Mode - but I did not get to test that;
- the network connections had their passwords erased.
I hope I have been able to help. In case you have been infected by this virus, or have some of these symptoms, download and run EliBagLa; it costs nothing and weighs nothing. And if you are infected, this program, by itself and quickly, will take care of the job.

This version was translated by WorldLingo.
It may contain translation errors.
Original version: Portuguese (Brazil)

