Author Topic: Avast home removed by virus  (Read 20419 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34057
  • malware fighter
Re: Avast home removed by virus
« Reply #15 on: December 08, 2008, 11:58:50 PM »
Hi jedikalimero,

Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here:
http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe

• Double-click FixPolicies.exe
• Click the "Install" button on the bottom toolbar of the box that will open.
• The program will create a new folder called FixPolicies.
• Double-click to open the new folder, and then double-click the file within: Fix_Policies.cmd.
• A black box will briefly appear and then close.

This could help you solve a couple of problems.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

jedikalimero

  • Guest
Re: Avast home removed by virus
« Reply #16 on: December 09, 2008, 03:43:13 AM »
Essexboy, here are the SDFix and HijackThis reports.

jedikalimero

  • Guest
Re: Avast home removed by virus
« Reply #17 on: December 09, 2008, 03:53:30 AM »
Download to your Desktop FixPolicies.exe,
 ....
This could help you solve a couple of problems,

I've followed your instructions, but if this solved any problems, they were problems I was not aware of. WZC keeps refusing to start and IExplorer keeps retaining its "I Am Your Browser" status. :-(

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Avast home removed by virus
« Reply #18 on: December 09, 2008, 09:37:28 AM »
jedikalimero: thx :)

jedikalimero

  • Guest
Re: Avast home removed by virus
« Reply #19 on: December 09, 2008, 01:51:00 PM »
Do you think I could recover the lost WZC functionality and the issue with Iexplorer/Firefox if I boot with my original Windows CD and do a repair of the system? (Not the Recovery Console, but the repair option when installing Windows.)

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Avast home removed by virus
« Reply #20 on: December 09, 2008, 01:56:14 PM »
Maybe a reinstall of the Service Pack would help (after cleaning out the Beagle garbage from the other machine)..

jedikalimero

  • Guest
Re: Avast home removed by virus
« Reply #21 on: December 09, 2008, 06:20:41 PM »
Maybe a reinstall of the Service Pack would help (after cleaning out the Beagle garbage from the other machine)..

I thought Beagle was already eliminated from my machine.

Oh, BTW, I solved the IE/Firefox issue by reinstalling both browsers again. Still no WZC, but I'll try the reinstallation of the Service Pack.

Thank You!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast home removed by virus
« Reply #22 on: December 09, 2008, 08:11:35 PM »
jedikalimero, your system looks clean, just an ADS deleted. I must admit it was just an off-chance for SDFix, as that does do registry repairs back to the Windows defaults.
As for WZC, I am afraid that was right over my head, as I work from a single desktop system.

exhunter

  • Guest
Re: Avast home removed by virus
« Reply #23 on: December 15, 2008, 07:39:38 PM »
Hi all,

Exactly the same situation here, resulting from running a file that I should not have run in the first place. However, I did explicitly scan the file with Avast before running it and I got no warning whatsoever. Now Avast is disabled, the wireless connection is unavailable (device not recognized), restoring to a point in time results in "Cannot restore... try different restore point", and safe mode won't boot (reboots at loading jgogo.sys).

Hopefully repairing the system from CD will allow me to run in safe mode, which in turn should allow me to restore the system to a point in time.

What makes me wonder is that I did explicitly scan the file. Such a thing happened to me once before, which in turn raises my doubts about Avast's efficacy (assuming that this is the same virus).

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Avast home removed by virus
« Reply #24 on: December 15, 2008, 09:30:46 PM »
Where did you get the file? Beagle can't be detected proactively without detecting Themida itself... each new generation is repacked and there's no way to look inside quickly and effectively.. the only way is to have the sample before anyone gets infected..

exhunter

  • Guest
Re: Avast home removed by virus
« Reply #25 on: December 15, 2008, 11:55:05 PM »
I have removed the file already, reinstalled Windows (on the old copy) and am currently trying to run the newly installed Avast on startup. It finds files infected with Win32:Beagle-AAW, or corrupted files (restore points). It has crashed and restarted once so far, so I am afraid I will need to reinstall everything from scratch.

I got the file from eMule - it was named "resharper 4.1 build 933.rar", size about 3 MB. I scanned the archive first with no indication of a virus. I unpacked it and took a look at the files before I ran the exe. There were four files in there, one of them being an nfo and one of them being an exe. I suspected that it was a virus, as the nfo file contained binary and the exe size was way too small to be the right file, but I ran the exe anyway, trusting Avast to catch it on the fly. I was terribly wrong, but inadvertently that is my fault.

Anyways, running the exe opened an app pretending to be a "flight black box decoder". At that point I knew I had got infected and closed it at once, but that was too late.

Hope that helps.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Avast home removed by virus
« Reply #26 on: December 16, 2008, 12:00:04 AM »
Try a full computer on-line scan before...

Kaspersky (very good detection rates)
ESET NOD32
Trend Micro HouseCall
F-Secure
BitDefender (free removal of the malware)
The best things in life are free.

exhunter

  • Guest
Re: Avast home removed by virus
« Reply #27 on: December 16, 2008, 01:23:19 AM »
Not possible.

After a scan with Avast on startup, Windows now requires activation before letting me log in. And since I am not connected to the Internet (due to Beagle damage) it is not possible. I am not sure if this is related to the Avast scan, or rather to the number of times I have logged in after the repair (safe and normal), but this is the case.

Anyways, I keep all my data on separate drives, so formatting C will not do any "serious" damage other than losing a whole day on reinstallation (which is pretty serious in everyone's case). By now I would have a whole new system up and running. Oh well.. High time to buy some drive imaging software like Ghost.

Thanks for your responses, and do not make my mistakes.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Avast home removed by virus
« Reply #28 on: December 16, 2008, 12:13:13 PM »
High time to buy some drive imaging software like Ghost.
People suggest Disk Director (for whole partition/disk backup) or True Image (images of the files/disks), both from Acronis.
The best things in life are free.

XP_user

  • Guest
Re: Avast home removed by virus
« Reply #29 on: December 29, 2008, 03:21:55 AM »
It may be helpful for troubleshooting.

Download and install AutoRuns by Mark Russinovich (not a necessary step) -
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx - this is a useful utility to verify
system "startups" and "hooks", including loaded drivers.

This particular virus (in my case) runs as the drivers "srosa.sys" & "srosa2.sys".
Even if the virus is active, srosa2.sys is shown by AutoRuns (in the "Drivers" tab) as "sK9Ou0s" with the
description "AVZ Driver" at the path (in my case) c:\documents and settings\%login_name%\application data\drivers\srosa2.sys.
Since the virus itself is a "rootkit", srosa.sys is not shown if the virus is active (but if the virus is
deactivated, AutoRuns shows an "srosa" autorun entry for srosa.sys).
In my case another executable - winupgro.exe - in the same directory was registered for startup
(in the registry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run as "drvsyskit").

So the cure was as simple as renaming the directory (beware, it is marked as "hidden") where those viruses
reside, and then rebooting.

I should admit that if the virus is active, it hides srosa.sys and the rest of the "slave stuff" (like the "downld"
subdirectory), so if on your system it resides in the standard ~/system32/drivers directory, you have
to boot from the installation CD to the console (i.e. CMD.EXE) or use something like BartPE to boot, find and delete those files.

-+-
Curious enough: Avast recognizes srosa.sys as "infected by Win32:Beagle-AAW [trj]", but keeps
silent about the other two beasts: srosa2.sys & winupgro.exe.

Another curiosity - even with the virus active, the entry point for srosa2.sys is shown by AutoRuns and
can be "unchecked" ("deactivated"/"disabled"), but this does not affect the virus's activity (at least
regarding "countermeasures" against Avast).

Yet another coupled curiosity - this virus did try to break the firewall (in my case it is Kerio Personal
Firewall) and succeeded (removing the kpf driver), but then did not perform any counteraction to
prevent repairing the KPF installation... hmmm... I was lucky not to lose my fw configuration files
:-))
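The triage XP_user describes above (a driver and a Run-key entry living under a user's Application Data directory, a driver whose description "AVZ Driver" does not match its file name, and a file that is visible only when the disk is examined from a boot CD) can be automated. The script below is an added example, not code from the thread or from Sysinternals: it parses a constructed Autoruns-style CSV export (the column names follow Autoruns' CSV header, the rows are made up, and the user name "alice" is a placeholder) and flags entries by those rules, then compares a constructed live directory listing against one taken from BartPE to surface what the rootkit hides.

```python
import csv
import io
import re

# Constructed Autoruns-style export (not real tool output). The column names
# follow Autoruns' CSV header; the odd rows reuse the names reported in the post
# (srosa2.sys shown as "sK9Ou0s" / "AVZ Driver", winupgro.exe as "drvsyskit"),
# the other rows are ordinary XP components.
SAMPLE_AUTORUNS_CSV = r"""Entry Location,Entry,Description,Image Path
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,drvsyskit,,c:\documents and settings\alice\application data\drivers\winupgro.exe
HKLM\System\CurrentControlSet\Services,sK9Ou0s,AVZ Driver,c:\documents and settings\alice\application data\drivers\srosa2.sys
HKLM\System\CurrentControlSet\Services,atapi,IDE/ATAPI Port Driver,c:\windows\system32\drivers\atapi.sys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe,CTF Loader,c:\windows\system32\ctfmon.exe
"""

# File names the post associates with this infection (indicators from the thread).
KNOWN_NAMES = {"srosa.sys", "srosa2.sys", "winupgro.exe"}

# XP-era user profile root, and the only place a legitimate kernel driver normally lives.
USER_PROFILE_RE = re.compile(r"\\documents and settings\\[^\\]+\\", re.IGNORECASE)
SYSTEM_DRIVER_DIR_RE = re.compile(r"\\(windows|winnt)\\system32\\drivers\\", re.IGNORECASE)


def file_name(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_entry(row):
    """Return the reasons an Autoruns row deserves a closer look (empty = nothing odd)."""
    path = row["Image Path"]
    name = file_name(path)
    reasons = []
    if name in KNOWN_NAMES:
        reasons.append("file name matches an indicator from the thread")
    if name.endswith(".sys") and not SYSTEM_DRIVER_DIR_RE.search(path):
        reasons.append("kernel driver loaded from outside system32\\drivers")
    if USER_PROFILE_RE.search(path):
        reasons.append("image lives under a user profile directory (user-writable)")
    if row["Description"].strip().lower() == "avz driver" and not name.startswith("avz"):
        reasons.append('description "AVZ Driver" does not match the file name')
    return reasons


def triage(csv_text):
    """Parse an Autoruns CSV export and return the flagged entries in file order."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = triage_entry(row)
        if reasons:
            flagged.append({
                "entry": row["Entry"],
                "location": row["Entry Location"],
                "name": file_name(row["Image Path"]),
                "reasons": reasons,
            })
    return flagged


# The post notes that with the rootkit active srosa.sys and the "downld" subdirectory
# are hidden from the running system but visible when booted from CD or BartPE.
# Both listings below are constructed for the example.
ONLINE_LISTING = ["srosa2.sys", "winupgro.exe"]                           # seen while Windows runs
OFFLINE_LISTING = ["downld", "srosa.sys", "srosa2.sys", "winupgro.exe"]   # seen from BartPE


def hidden_by_rootkit(online_listing, offline_listing):
    """Names present in the offline listing but missing from the live view."""
    return sorted(set(offline_listing) - set(online_listing))


if __name__ == "__main__":
    for hit in triage(SAMPLE_AUTORUNS_CSV):
        print(f"{hit['entry']} ({hit['name']}) in {hit['location']}")
        for reason in hit["reasons"]:
            print("   -", reason)
    print("hidden while rootkit active:", hidden_by_rootkit(ONLINE_LISTING, OFFLINE_LISTING))
```

The rules deliberately lean on location rather than on the file names alone: a repacked generation of the same family (as Maxx_original notes, each one is repacked) changes hashes and may change names, but a kernel driver sitting in a user's Application Data directory stays anomalous. The offline/online comparison is the part that catches what AutoRuns cannot show while the rootkit is active, which is exactly why the post ends up recommending a boot CD or BartPE.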