Malware deletes spybot...

[trfillos]

I have something in my computer since yesterday that I believe it's malware that deletes the SpyBotSD, blindman, TeaTimer and Update executable files. When I am trying to copy a good SpyBotSD.exe from a cd I burned I am receiving the following message 'Cannot copy SpyBotSD: Cannot find the specified file.' !!!

At a second approach of mine, I tried the same as above but I renamed SpyBotSD.exe to SD.exe. Now the file copied OK and runs. The scan result finds a Win32.Agent.bgy, A FirstRRRun something registry key and the executable 'C:\windows\exefld.exe'. I am fixing it but at the next restart Spybot scan it's there again.

I have also noticed a process with a random (probably) number.exe at my task manager. Also found this file 'c:\windows\system32\hidr.exe' and I delete it because after a quick internet search I found that it was part of Bagle.HV virus. I don't know if I did the right thing by deleting this file...

This thing also disables completely windows security center.

It also deleted NOD32 I had installed. Now I can not reinstall it because after the extraction of the installation files an error is coming up.

Now, the conclusion is that. I cannot find and remove this thing. Also I don't know how dangerous is...

PLEASE HELP!!! THANKS VERY MUCH FOR YOUR TIME

[tashi]

Hello.

You may have several infections on the machine, please follow the procedure in the following link to the best of your ability to do so. Skip the Spybot-S&D scan for now.
If you cannot run the on-line anti virus scan, produce the HJT log and make a note for the person who will respond.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

Start your own thread in the Malware Removal Forum

Cheers.

[helpin u]

I had this same problem and wasted all evening trying to figure out what kind of malware was doing this.

Turns out it's a rootkit that installs itself as a driver, it also hooks the file create function so you can't install antivirus, antispyware, etc.

complete details and removal instructions are here:

Edit


this was the tool that finally exposed this malware to me and gave me the google search term i needed:

RootKit Unhooker:

Edit.

virus / rootkit name is called
Trojan-Downloader.Win32.Bagle.cu

i got it from a trojaned file on eMule.

Once i got that far it was pretty easy to fix.

this thing had installed drivers, services, files, directories, and changed permissions on folders. what a pain.


good luck.

We appreciate your trying to help, but advice is given here Malware Removal Forum after we have seen logs and made an analysis. In order to assist our members as safely as possible. ;-)