Author Topic: Avast home removed by virus  (Read 20417 times)


XP_user

  • Guest
Re: Avast home removed by virus
« Reply #30 on: December 29, 2008, 03:42:50 AM »
srosa.sys and srosa2.sys are quite interesting for us (they are the rootkits added by Beagle)... can you send also these two files? thx
Well, this is the lesson ("well known" in the *nix world) that services like AV & FW should run under their own account with their own privileges.
So the installer should create/reuse a dedicated account for avast (advising the user to choose the same password as used for login... just to make the user's/admin's life simple ,-)) and create all sensitive data (including registry entries) with R/W permissions granted _only_ to the avast account and with R/O "for the rest of the world" (if the system itself needs access to it) or even w/o any permissions at all... and, of course, start all avast services using this dedicated account.

Yes, it's "boring",
yes, it makes some difficulties for the standard uninstaller, for example,
yes, it's not a "silver bullet" since the user uses admin privileges anyway...
But it makes some "difficulties" for viruses and virus-makers not yet aware of such a "defensive environment".

-+-
PS: I have these drivers, so I could send them if they are still needed.
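
The dedicated-account layout proposed in the reply above, sketched as an added example (not part of the post and not avast's installer code). The account, service, directory and registry key names are hypothetical placeholders, and the script assumes a current Windows with PowerShell 5.1 or later rather than the XP systems discussed in this thread.

```powershell
#Requires -RunAsAdministrator
# Added example. Every name below is a hypothetical placeholder, not avast's.
$Account = 'svc_exampleav'
$Service = 'ExampleAvSvc'
$DataDir = 'C:\ProgramData\ExampleAV'
$RegKey  = 'HKLM:\SOFTWARE\ExampleAV'

# 1. Dedicated local account that only the service uses.
$pw = Read-Host -AsSecureString "Password for $Account"
if (-not (Get-LocalUser -Name $Account -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $Account -Password $pw -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'AV service account' | Out-Null
}
$svcId = [System.Security.Principal.NTAccount]::new($env:COMPUTERNAME, $Account)
# Well-known SIDs: LocalSystem and BUILTIN\Users ("the rest of the world").
$readers = 'S-1-5-18', 'S-1-5-32-545' |
    ForEach-Object { [System.Security.Principal.SecurityIdentifier]::new($_) }

# 2. Data directory: no inherited ACEs, one writer, everyone else read-only.
$inherit = 'ContainerInherit,ObjectInherit'
$dirAcl = [System.Security.AccessControl.DirectorySecurity]::new()
$dirAcl.SetAccessRuleProtection($true, $false)
$dirAcl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $svcId, 'Modify', $inherit, 'None', 'Allow'))
foreach ($id in $readers) {
    $dirAcl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, 'ReadAndExecute', $inherit, 'None', 'Allow'))
}
Set-Acl -Path $DataDir -AclObject $dirAcl

# 3. Registry key: same split between the one writer and the readers.
$keyAcl = [System.Security.AccessControl.RegistrySecurity]::new()
$keyAcl.SetAccessRuleProtection($true, $false)
$keyAcl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
    $svcId, 'FullControl', 'ContainerInherit', 'None', 'Allow'))
foreach ($id in $readers) {
    $keyAcl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
        $id, 'ReadKey', 'ContainerInherit', 'None', 'Allow'))
}
Set-Acl -Path $RegKey -AclObject $keyAcl

# 4. Run the service under the account. It must also hold the
#    "Log on as a service" right (Local Security Policy), not granted here.
$plain = [System.Net.NetworkCredential]::new('', $pw).Password
sc.exe config $Service obj= ".\$Account" password= $plain | Out-Null

# 5. Check: list who holds write bits. Only the service account should appear.
$write = [System.Security.AccessControl.FileSystemRights]::Write
(Get-Acl $DataDir).Access | Where-Object { $_.FileSystemRights -band $write } |
    Select-Object IdentityReference, FileSystemRights
```

Administrators are left off both ACLs on purpose, but they still own the objects and can reset the permissions, which is the "not a silver bullet" caveat from the post.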


fokel

  • Guest
Re: Avast home removed by virus
« Reply #31 on: February 12, 2009, 11:20:51 AM »
Hello,
it seems like I have downloaded the same virus.

Things went like this:
A few minutes after running the downloaded .exe file (from an emule archive), my computer automatically reloaded.

It was very suspicious, and I thought it was going to be a virus,
though I had my Avast! and Outpost Firewall Pro on, and expected them to prevent any problems.

After the reboot, there was a very, very long delay at startup and a message about an RPC error from Avast, then again a long delay, but then Avast loaded (?) and its icon in the tray became active.

I scheduled a full scan in avast and rebooted. During the scan one virus was removed, and I thought that the problem was solved.

But again my computer reloaded automatically. And I paid attention to "winupgro.exe" file in task bar. I terminated process, found this file and deleted it.

The main important part:
After reading about the "winupgro.exe" issue on the internet, I downloaded the Avast! Virus Cleaner Tool, cuz it was written that it is able to fight the Beagle virus... But during the whole scan no viruses were found! And after reboot I again see "winupgro.exe" in my task bar and start-up (though I removed it from the startup menu with msconfig, not to mention that I erased the file).

The question is: do I have to use other special antivirus products and utilities to fight that virus, or does Avast have its own tool to clean it and I just misused it or did something wrong?

Do I have to reinstall Avast Home Edition, in this case? (cuz no threat was found even with Cleaner Tool, and Avast seems to be loaded in memory properly at start up).

eva

  • Guest
Re: Avast home removed by virus
« Reply #32 on: June 05, 2009, 01:42:51 PM »
I was infected by this virus last month with the same set of issues as posted by the thread starter and exhunter here. It is also described here: http://freeforum.avg.com/read.php?4,186342,186364 which is almost exactly my case. I, too, scanned the downloaded file manually with Avast Home edition before launching it and it reported the file as clean. Spy Bot Search and Destroy also reported no problems. I'm reporting this now to alert you that this virus is still a threat to Avast users and that you take care to include this terrible virus in your signature files. I was surprised to see that after 5 months Avast still does not detect it.

The most comprehensive info that I've been able to find on this virus is here: http://www.prevx.com/filenames/X2333748967407030363-X1/WINUPGRO.EXE.html

I was able to remove the virus files by finding them with the Avira bootable disk and then deleting the files by booting into Knoppix (Avira would not delete them).

I also cleaned the registry manually and ran more scans and found no traces. However, Win XP has sustained other unknown damages and freezes within 24 hrs of runtime. It looks like I'll have to reinstall after all.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Avast home removed by virus
« Reply #33 on: June 05, 2009, 05:18:00 PM »
I was surprised to see that after 5 months Avast still does not detect it.
Shame! Where are the virus analysts?  >:( :( >:(
The best things in life are free.