Author Topic: Avast home removed by virus  (Read 20423 times)


jedikalimero
Avast home removed by virus
« on: December 07, 2008, 09:48:51 PM »
Yesterday I ran an exe file I shouldn't have run. Immediately I got a window telling me a program was trying to disable avast, and a countdown. I pressed the "don't allow" option and then I got a lot of messages telling me the program was trying to change keys in the registry, but it seems eventually the virus won, because the tray icon of avast appeared as stopped and when I moved the pointer over it, it disappeared.

I connected the hard disk to another computer and ran an avast scan but it didn't find anything. I also ran Panda ActiveScan and another web-based scanner and they didn't find anything either.

The affected computer is still running but there are some issues:
- I can't connect to my wi-fi network (and so to the internet). The wireless configuration service can't be started (error 1068)
- Avast services are disabled
- If I open the program files\alwil software\avast4 folder, I can see that many of the files are being constantly rewritten (their icons tilt and the modified date is constantly updated)
- The same happens with Norton Partition Manager.

I still have the zip (or rar) file in which the virus came (downloaded from the edonkey network).

jedikalimero
Re: Avast home removed by virus
« Reply #1 on: December 07, 2008, 09:54:49 PM »
Two symptoms I forgot:

- Trying to start Windows in any of the secure modes gives a blue screen of death
- Trying to take the system back to a restore point doesn't work

Maxx_original (Moderator)
Re: Avast home removed by virus
« Reply #2 on: December 07, 2008, 09:59:30 PM »
It could be a new variant of Win32:Beagle... send the sample to virus[at]avast[dot]com. Can you list the recently changed files on the infected HDD from the other machine? Most interesting are the Windows folder, the system32 subfolder, system32\drivers and maybe the root of the drive.
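An added example (not from the thread) of the file listing Maxx asks for, in Python rather than at the Windows prompt: on a copy of the infected disk mounted on a clean machine, it looks in the folders he names and returns files modified after a cutoff time, newest first. The mount point and infection time are placeholders, and the small sample tree the block builds is constructed.

```python
import os
import tempfile
import time
from datetime import datetime

# Folders Maxx asks about, relative to the drive root; "" is the root itself.
INTERESTING = ["", "WINDOWS", "WINDOWS/system32", "WINDOWS/system32/drivers"]

def recently_modified(mount_root, since_epoch, subdirs=INTERESTING):
    """Return [(mtime, relative_path)], newest first, for files in the listed
    folders (one level deep, like a folder view) changed at or after since_epoch."""
    hits = []
    for sub in subdirs:
        folder = os.path.join(mount_root, sub)
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            path = os.path.join(folder, name)
            if os.path.isfile(path) and os.path.getmtime(path) >= since_epoch:
                hits.append((os.path.getmtime(path), os.path.relpath(path, mount_root)))
    hits.sort(reverse=True)
    return hits

def build_sample_volume():
    """Constructed stand-in for the mounted infected disk: a temp tree whose
    file mtimes are set before or after a made-up infection time."""
    root = tempfile.mkdtemp()
    infection = time.time() - 3600          # constructed: infected one hour ago
    layout = {                              # relative path -> mtime
        "WINDOWS/win.ini": infection + 60,
        "WINDOWS/system32/drivers/srosa.sys": infection + 120,   # driver names from the thread
        "WINDOWS/system32/drivers/srosa2.sys": infection + 125,
        "WINDOWS/system32/wpa.dbl": infection - 86400 * 30,      # old: must not be listed
        "WINDOWS/notepad.exe": infection - 86400 * 400,
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"sample")
        os.utime(path, (mtime, mtime))      # set atime and mtime
    return root, infection

if __name__ == "__main__":
    root, infection = build_sample_volume()   # placeholder: use the real mount point and time
    for mtime, rel in recently_modified(root, infection):
        print(datetime.fromtimestamp(mtime).isoformat(timespec="seconds"), rel)
```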

jedikalimero
Re: Avast home removed by virus
« Reply #3 on: December 07, 2008, 10:07:08 PM »
> it could be a new variant of Win32:Beagle... send the sample to virus[at]avast[dot]com.. can you list the recently changed files on the infected HDD from the other machine? most interesting is the windows folder, system32 subfolder, system32\drivers and maybe a root of the drive..

OK, I sent the file to http://virusscan.jotti.org/ and it says:
File:  setup.exe 
Status:  INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) 
MD5:  7273363da6c59b96dad6616a37d25d97 
Packers detected:  -
-------------
A-Squared  Found Trojan-Downloader.Win32.Bagle!IK 
AntiVir  Found TR/Dldr.Bagle.aha 
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found Win32/Themida 
BitDefender  Found DeepScan:Generic.Bagle.9D1F90F4 
ClamAV  Found nothing
CPsecure  Found nothing
Dr.Web  Found Trojan.Packed.650 
F-Prot Antivirus  Found nothing
F-Secure Anti-Virus  Found Trojan-Downloader.Win32.Bagle.aha 
G DATA  Found DeepScan:Generic.Bagle.9D1F90F4 
Ikarus  Found nothing
Kaspersky Anti-Virus  Found Trojan-Downloader.Win32.Bagle.aha 
NOD32  Found nothing
Norman Virus Control  Found nothing
Panda Antivirus  Found nothing
Sophos Antivirus  Found Mal/Bagle-B 
VirusBuster  Found nothing
VBA32  Found nothing

So it looks like Bagle in fact. I've sent you the infector file (the subject of the mail is: Virus bagle stops the Avast antivirus).

jedikalimero
Re: Avast home removed by virus
« Reply #4 on: December 07, 2008, 10:21:36 PM »
Modified files in the avast folder are:
copyx64.exe
ashDisp.exe
aswRegSvr.exe
ashAvast.exe
ashChest.exe
ashLogV.exe
ashMaiSv.exe
ashPopWz.exe
ashQuick.exe
ashServ.exe
ashSimp2.exe
ashSkPcc.exe
ashSkPck.exe
ashUpd.exe
ashWebSv.exe
ashUpdSv.exe
sched.exe
VisthLic.exe
VisthUpd.exe
ashSimpl.exe

All files from the AMD and IA64 folders are gone except for aswMonFlt.sys (I'm comparing the contents with the ones on my laptop).
Also some files from INF.

Files modified in the Windows folder (or at least with a modified date later than the infection) are:
win.ini
IE Error Log.txt
WindowsUpdate.log
SchedLgU.txt
bootstat.dat
wiaservc.log
0.log
wiadebug.log
setupapi.log

But, as I said, modifications to those files may just be normal behaviour of the system.

In the System32 folder:
FNTCACHE.DAT
vapps.xml
wpa.dbl

In system32\drivers:
srosa.sys
srosa2.sys

Any solution?


essexboy (Malware removal instructor)
Re: Avast home removed by virus
« Reply #5 on: December 07, 2008, 10:40:17 PM »
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Maxx_original (Moderator)
Re: Avast home removed by virus
« Reply #6 on: December 08, 2008, 10:49:50 AM »
srosa.sys and srosa2.sys are quite interesting for us (they are the rootkits added by Beagle)... can you also send these two files? thx

matt231
Re: Avast home removed by virus
« Reply #7 on: December 08, 2008, 11:10:48 AM »
...to get Firefox to actually display that rename option, set the options up like the screenshot attached.

For removing the malware you may find http://whirlpool.net.au/wiki/?tag=malware_removal useful.
« Last Edit: December 08, 2008, 11:21:03 AM by matt231 »

jedikalimero
Re: Avast home removed by virus
« Reply #8 on: December 08, 2008, 01:43:30 PM »
OK, attached is the output of COMBOFIX.

After that, I reinstalled Avast (an outdated version, since I still can't connect to the internet with my desktop) and used EliBagle, and it still found 2 infected files. Attached is the output (it looks like Avast got infected again. There is no tray icon this morning).

And finally, the output of HijackThis.

MAXX, I'm afraid the SROSA files were deleted by some ActiveScan (Panda or another, I can't remember) and Combofix, but you have the infector file I sent you so you can infect a controlled PC to obtain them ;-)

I still can't get the WZC service running again :-(

« Last Edit: December 08, 2008, 01:51:07 PM by jedikalimero »

jedikalimero
Re: Avast home removed by virus
« Reply #9 on: December 08, 2008, 01:57:44 PM »
I've tried to restore the system to a point before the infection but all restore points have disappeared.

Maxx_original (Moderator)
Re: Avast home removed by virus
« Reply #10 on: December 08, 2008, 03:31:57 PM »
> MAXX, I'm afraid SROSA files were deleted by some activescan (Panda or other I can't remember) and Combofix, but you have the infector file I sent you so you can infect a controlled PC to obtain them ;-)

Yes, we can, but Beagle won't run under VMware and similar virtual machines due to the Themida layer, and that's always a pain... anyway, thx for your submission ;)

essexboy (Malware removal instructor)
Re: Avast home removed by virus
« Reply #11 on: December 08, 2008, 08:56:58 PM »
Any files moved by Combofix are quarantined in the Qoobox folder on your root drive and have a .vir extension added, so they can be uploaded to Avast from there for analysis. Looking at the logs now ;D

essexboy (Malware removal instructor)
Re: Avast home removed by virus
« Reply #12 on: December 08, 2008, 11:09:55 PM »
I have had a look at your log and there do not appear to be any remaining traces of Beagle.

To repair the registry, let's use SDFix, as that has a good repair section as part of its routine.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

jedikalimero
Re: Avast home removed by virus
« Reply #13 on: December 08, 2008, 11:53:13 PM »
> Any files moved by combofix are quarantined in the qoboox folder in your root drive and have a .vir added extension so they can be uploaded to Avast from there for analysis.  Looking at the logs now  ;D

OK, here it is: srosa2.sys.vir (well, not here, but sent to virus[at]avast[dot]com).
The latest Avast database detects the virus in the original infector file, but not in srosa2.sys.vir.

Hope you enjoy it :-D

I have managed to recover my internet connection in a way: my Thomson wi-fi USB receiver, which works with Windows WZC, still can't run, but I've connected another wi-fi USB receiver from Belkin that uses its own software, so I can establish a connection with this one temporarily (I took it from another computer that is now without connection).

I'm going to use SDFix and let's see if everything works again. Another thing that doesn't work well is that every time I start Firefox, it says it is not the default browser even if I check the option every time. As a consequence, every link I open from Thunderbird, the Favorites folder, etc., opens in IExplorer instead of Firefox.

essexboy (Malware removal instructor)
Re: Avast home removed by virus
« Reply #14 on: December 08, 2008, 11:54:41 PM »
I will do some quick research on that problem.