
Can't remove Bagle.M --need some help

Mar 13, 2004 10:24PM PST

AVG identifies that I have the Bagle.M worm. I have tried most published fixes, including AVG scans (repaired iinj4.exe), Housecall, which does not identify it, Stinger, etc., but every time I restart the worm is back.

I have tried to remove all the files identified on various websites as part of the problem and even tried to edit the registry but the culprit keys are not there.
I am running WinXPpro and have AVG, Spyblaster, Spywareguard and Spysweeper active. System restore is deactivated.

Can anyone help me to eliminate this worm?

Richard

Re:Can't remove Bagle.M --need some help
Mar 13, 2004 11:46PM PST

The Bagle.M's file is a PE executable about 14336 bytes in size packed with UPX file compressor.

When it is run, it copies itself as SYSWRUN4X.EXE file to Windows System folder and creates a startup key for this file in the Registry:


[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"usrgtway.exe" = "%winsysdir%\SYSWRUN4X.EXE"

where %winsysdir% represents Windows System folder name.

Then Bagle.M drops 2 more files into Windows System folder: WINDLLZUP.EXE and BGXTDLL.EXE. Both files are DLLs (Dynamic Link Libraries). The WINDLLZUP.EXE is a loader for BGXTDLL.EXE file. It allows both files to become DLLs used by EXPLORER.EXE file (one of the main Windows components).

More here: http://www.f-secure.com/v-descs/bagle_m.shtml

Re:Re:Can't remove Bagle.M --need some help
Mar 14, 2004 4:37AM PST

I thought I got rid of it but it's back????

I deleted and reinstalled my AV software--I also tried the F-Secure AV but for some reason it locked up the computer and had to be uninstalled.

I finally found one of the suspect keys in the Registry--HKCU--and deleted it and also removed the offending executables--iirj4 and irun4-- and ran a complete AV Scan and was clean. As soon as I restarted the computer the Bagle was back.

Any suggestions are welcome.

Richard

Re:Can't remove Bagle.M --need some help
Mar 14, 2004 4:52AM PST

The following files are dropped on to the %SYSDIR% folder:

System.exe - 19,968 bytes (DLL which acts as a mail relay)
iinj4.exe - 1,536 bytes (DLL which loads System.exe)
irun4.exe - 14,848 bytes (copy of itself)

The DLL files are detected as W32/Bagle.dll.gen with the 4333 DATs and above.

The DLLS are injected into the Explorer process.

The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ssgrate.exe" = C:\WINNT\SYSTEM32\irun4.exe

Have you deleted all the files mentioned here?? On WinMe\XP you have to disable System Restore - scan again to finally get rid of it!
Don't forget to enable System Restore again after the scan.

http://vil.nai.com/vil/content/v_101086.htm
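A quick way to check a registry export for the startup entries the two descriptions quote, added here as an example and not part of the thread; the .reg text below is constructed, and the indicator sets are taken only from the value names and file names given above:

```python
import re

# Constructed sample of what `reg export` of the HKCU Run key might show on an
# infected WinXP box; the "ssgrate.exe"/"usrgtway.exe" entries use the names and
# paths quoted in the McAfee and F-Secure descriptions, ctfmon.exe is a normal entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ssgrate.exe"="C:\\WINNT\\SYSTEM32\\irun4.exe"
"usrgtway.exe"="C:\\WINNT\\SYSTEM32\\SYSWRUN4X.EXE"
"""

# Indicators taken from the two write-ups quoted in this thread.
BAGLE_M_VALUE_NAMES = {"ssgrate.exe", "usrgtway.exe"}
BAGLE_M_FILES = {"irun4.exe", "syswrun4x.exe", "iinj4.exe", "system.exe",
                 "windllzup.exe", "bgxtdll.exe"}

RUN_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_values(reg_text):
    """Return {value_name: data} for the string values under the HKCU Run key.
    .reg files double every backslash inside quoted data, so undo that."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = (line == RUN_KEY)
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def flag_bagle_m(values):
    """Return, sorted, the Run value names whose name or target file name matches
    a Bagle.M indicator. Note the value name ("ssgrate.exe") deliberately differs
    from the file it launches (irun4.exe), so both sides are checked."""
    hits = []
    for name, data in values.items():
        target = data.split("\\")[-1].lower()
        if name.lower() in BAGLE_M_VALUE_NAMES or target in BAGLE_M_FILES:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    print(flag_bagle_m(parse_run_values(SAMPLE_REG_EXPORT)))
```

Running this against the constructed export flags the two Bagle.M entries and leaves ctfmon.exe alone.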

Re:Re:Can't remove Bagle.M --need some help
Mar 14, 2004 5:10AM PST

Marianna,

Checked the registry and there is no registry key shown for this (only once did I find and delete the ssgrate key).

All the files you mentioned were deleted.

This is the second time I did all this and started the computer to find the Bagle back. I just can't figure out where it is hiding.

I took all the files out again and will restart once more after I finish posting this.

Thanks for your help.

Richard

Richard, Please Try This...
Mar 14, 2004 10:31AM PST

Since the McAfee "Stinger" removal tool is now able to remove all current variants of Bagle/Beagle, please download it to your computer desktop, restart into "Safe Mode", then double-click on the file to run it. Run it repeatedly until it comes up negative. Here's the link:

Stinger
http://vil.nai.com/vil/stinger/

Hope this helps.

Grif

Re:Richard, Please Try This...
Mar 14, 2004 12:24PM PST

Thank You Grif!

That did it. The Stinger found four instances of two versions of the Bagle, and moved them. I rescanned and was clean.

It is also interesting that the Stinger found two of the instances in the Norton protected Recycle Bin--which I thought I removed when I got rid of Systemworks 1-1/2 years ago.

Now I'll have to go about removing the Protected Recycle Bin which I suppose might be the reason none of the other AV products could find the Worm.

Thanks again for the help.

Rich

(NT) Richard, That's Good To Hear ! Glad We Could Help
Mar 14, 2004 1:12PM PST
