NAV 2008 Failed to remove W32/Bagle virus- computer screwed badly


From your description of what it did to you it sounds like this on the Norton website:


Trojan.Tooso.F

 

Also Known As: Win32.Glieder.{T-V, Y, AA-AF} [Computer Associates], Email-Worm.Win32.Bagle.pac [Ka, Email-Worm.Win32.Bagle.{bi-bn}, W32/Bagle.br [McAfee], W32/Bagle.gen@MM [McAfee], Troj/BagleDl-N [Sophos], Troj/BagleDl-O [Sophos], TROJ_BAGLE.BH [Trend Micro]

 

 

[ .... ] 

 

Protection
  • Initial Rapid Release version April 15, 2005
  • Latest Rapid Release version April 9, 2008 revision 048
  • Initial Daily Certified version April 15, 2005
  • Latest Daily Certified version June 17, 2008 revision 017
  • Initial Weekly Certified release date April 16, 2005

 


That page includes some detailed manual instructions for removal that people might find useful.

 

How up to date were your definitions?

2 Likes

Well until that virus took over the computer, my antivirus definitions were updated and checked for most recent update several times a day.  After that virus took over I had no more live update, no more virus scanner, and no way of preventing malicious processes. There was no way to do any more updates, and I did try the manual removal instructions. The major problem with every hopeful solution I found was the fact that I needed to use safe mode in windows. Safe mode was completely gone. When trying to boot in safe mode the computer would reboot almost immediately after choosing “start in safe mode” and hitting the enter button.

5 Likes

You should have tried going into Safe Mode through MSconfig; it loads in a different way, automatically.

 

This is how Symantec advises users to get  into Safe Mode in cases such as yours, instead of using the "tapping the F8 key" method.

 

How to get into Safe Mode when infected

Oh man, I didn’t realize that other safeboot method was any different. Wonder why there’s two different versions of safe mode. That probably would have saved me a week of headaches.

But did this work?

"Oh man, I didn't realize that other safeboot method was any different. Wonder why there's two different versions of safe mode. That probably would have saved me a week of headaches."

 

Yeah, too bad, and although there is obviously only one "version" of Safe Mode, this way of getting in stops you from being hijacked on the way.

 

When in Safe Mode, you can scan your PC and get rid of the virus/s, which have nowhere to hide, even if you have to go in with "networking" so you can scan and delete from an online source as well.

Well, I just tried this other method of getting into safe mode and it locked me out of the computer. I’ll explain: this computer is still having a problem starting in safe mode. When safe mode is chosen it loads some of the drivers, then suddenly crashes and reboots. When I was using F8 to choose safe mode, after it crashed I was able to just choose boot normally, and it boots just fine. Now that it is trying to boot in safe mode only, I’m in a continuous rebooting loop. I have no way of disabling this new setting, and the other boot options don’t work (like use last known good settings etc.). Now what do I do? I have a DOS boot disk that I made with XP’s “format floppy disk” feature. The boot disk is useless because of the NTFS drive. It doesn't read the hard drive.

I guess they made recovery disks and imaging programs for situations like that! I'm sorry I can't help with solutions but I'm sure there will be some useful comments from others here.

 

The real crux of the matter is that, honestly and I'm not pointing fingers, the problem began:  I opened a file that contained the Win32/Bagle virus

 

No security program can be fully up to date with the rate at which new attacks come up -- hence the talk/actuality of heuristics and whitelists (the latter sounds as though experience with it could be like that with MS UAC 8:( -- so part of any troubleshooting and resolution needs to answer the question: How did I come to open that file?

 

However that's for later -- I hope you manage to recover your system, or most of it.

<< The boot disk is useless because of the NTFS drive. It doesn't read the hard drive. >>

 

I don't know what boot disk you are using but you can certainly download boot disks that do read NTFS.

 

Check out http://www.bootdisk.com/ntfs.htm and similar sources.

First of all, the real problem is not the fact that I ended up with a file contaminated with the Win32/bagle virus, the real problem is the fact that I PAID money for an antivirus program to do one thing, prevent exactly what happened from happening. On top of that, that virus has been around for 4 years, so if my program wasn't updated for more than a couple hours it's not going to make any difference. One more thing, that file not only should have been prevented from causing havoc, but even more importantly it should have been deleted or quarantined the second it was copied onto my machine. Again, Norton did not do its job.

The most embarrassing part is the fact that a free antivirus program was my savior.

 

As for recovery disks, again there should not be any need for a recovery disk in this situation with a simple worm/virus, especially when using a top of the line, well-known antivirus program like Norton. All this time since I installed this program I've been putting up with a slower than normal computer, and it was all for absolutely nothing. If it prevented the virus it would be worth having 10 different tasks running in the background hogging up all the memory, but it didn't work....

As I said I was not pointing fingers. Realistically no program can protect everyone from everything.

 

Although a bagle malware may have been around for X years they do change and if you look at that information I posted earlier you will see how many revised definitions Symantec have put out over the years, the last revision 017 in June this year!

 

I'm sorry it did not catch this one in time for you. Was the file in question compressed? Do you have NIS set to check inside compressed files?

jeez, 17 versions of that virus.  I noticed just about every different antivirus company has their own name for it (ie: norton gives it a different name than trend, or than mcafee, but they all had bagle as part of the name).

 

I had norton set to scan every file, and to scan within compressed files. I don't know how or what it scans in the background at all times, I thought all those running programs were watching out for infected files being copied onto the computer, or being opened, or being run- and I thought those running tasks were watching for malicious activity like making unauthorized changes to the registry etc. There were a lot of background tasks running.

 

I don't know which file was infected. I had popped in a CD with a bunch of backed up files from an old computer system so I could find some old vacation pictures. Apparently a file on that CD had been infected.

 

My computer still has the problem of not booting in safe mode, I believe this problem was caused by the damaged registry files from the virus, but not positive.

If registry damage is the cause of the Safe Boot problem, have you tried a System Restore to an earlier time?

 

Also, you appear to have been able to get out of the "Safe Boot Loop" you referred to, so I guess not to suggest anything about that.

 

By the way, if you are interested to know which files were infected with what on the CD, why don't you do a CD/DVD drive scan using Kaspersky Online CD/DVD Scan? Would be interested to know the results.

I had to disable system restore as part of the procedure to remove the virus. There were a few files in there that were also infected. As for that cd, I just threw it away, I already got my pictures off it, and they've been scanned.  Now the problem is figuring out what's causing the computer to fail during safeboot. It does the normal scrolling through a list of drivers, and about half way through the screen turns black, then the computer restarts.

Doesn't sound good, I'll have to get back to you on this.

 

Edit:

 

I don't suppose you have a Windows installation CD so we can try a Windows Repair?

 

Also, are you still unable to go into Safe Mode when using the MS Config method?

Message Edited by johna on 07-10-2008 05:37 AM

It really is frustrating! I hope you get back to normal system operation. You have some good help here.

I'm sorry to hear you've been having so many problems. Although I have to admit that I'm surprised to hear that you've been infected with Beagle. We've seen very little new activity related to this threat family in recent years, therefore existing definitions should have been able to detect and clean it without any problems.

 

Do you still have a copy of the file you ran? If so could you submit it here and reply back with the resulting tracking number? I'd be interested to take a look and see why we didn't detect it.

 

Thanks

 

Orla 

Symantec Security Response 

That’s a great idea, I’ll see if I can find it and definitely upload it. Hopefully my current antivirus won't delete it while transferring.

johna wrote:

"By the way, if you are interested to know which files were infected with what on the CD, why don't you do a CD/DVD drive scan using Kaspersky Online CD/DVD Scan? Would be interested to know the results."

 

gto78 wrote:

"As for that cd, I just threw it away, I already got my pictures off it, and they've been scanned."

 

Yeah, hope you can find it, would be interested to see what the infected files were.

 

Good luck.

 

ps Still researching the Safe Boot issue you are having.