Author Topic: EXEs being changed  (Read 17676 times)

sepulchre

  • Guest
EXEs being changed
« on: March 03, 2009, 04:10:50 PM »
Hello,
I downloaded a file: "CD Utils" and scanned it with Avast (home edition, recently updated). It showed no problems. When I ran the "run" exe I immediately got a balloon saying Avast was disabled and I had no virus protection. I tried running Avast and got a message saying, "ashAvast.exe is not a valid Win32 application." I took a look at the file and saw that the 'modified' date was just now. In fact, watching it, I saw that it was being modified every few seconds!
So I tried a couple of other scanners I have with the same results. It's even happening to Hijack This.
So I tried rebooting in safe mode; Nope. My PC keeps rebooting until I choose Normal Mode. Also, when I boot up an explorer window comes up showing my documents and settings. I looked in msconfig and saw nothing unusual in the startup. I know because I had been looking at the startup entries recently.
So . . . does anyone know anything about this? Am I doomed to format my C:?

Ken

Mr.Agent

  • Guest
Re: EXEs being changed
« Reply #1 on: March 03, 2009, 04:31:00 PM »
show the file on virustotal plz

sepulchre

  • Guest
Re: EXEs being changed
« Reply #2 on: March 03, 2009, 04:35:52 PM »
Pardon my noobness but what is virustotal? Also, I deleted the file (scared of it). I could try to find it again.
« Last Edit: March 03, 2009, 04:37:32 PM by sepulchre »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: EXEs being changed
« Reply #3 on: March 03, 2009, 04:46:32 PM »
www.virustotal.com

1) It uses the Windows version of the AVs so avast has more unpackers for windows and that is the version most are using.
2) There are 27 different scanning engines greater than the others.
3) It also has an email submission option for periods when they are busy and you get a reply.
4) It can queue the submission and you can carry on browsing and you will eventually (not too long) get your result displayed.
The best things in life are free.

sepulchre

  • Guest
Re: EXEs being changed
« Reply #4 on: March 03, 2009, 04:53:15 PM »
Ok, I did that. There were lots of results. Now, will it be possible to get rid of the virus(s)?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: EXEs being changed
« Reply #5 on: March 03, 2009, 04:53:47 PM »
I'm afraid it isn't particularly good news - your system is infected, probably by a variant of Beagle that tries to disable anti-virus programs; the error you mentioned appears to be one of the signs of that.

Quote from: sepulchre
I tried running Avast and got a message saying, "ashAvast.exe is not a valid Win32 application."

I took a look at the file and saw that the 'modified' date was just now. In fact, watching it, I saw that it was being modified every few seconds!

So because of this modification it may indicate that it has got past the self-defence module and this is another pointer to a variant of Beagle.

As you are finding, it is disabling other security applications also.

Commonly this is hidden by a rootkit, so you can try these tools.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip
- Trend Micro RootkitBuster - http://www.trendmicro.com/download/rbuster.asp
- F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight

Then try, DrWeb CureIt! - See http://www.freedrweb.com/cureit/ - Download ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe (Free) Fairly effective against file infectors, Virut (infects .exe, .scr, .mp3 & .wmv), more so when used in safe mode.

DrWeb also do a Live CD if you are unable to get into your system see, http://www.freedrweb.com/livecd/?lng=en, documentation ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf

- How to restore Safe Boot.
The malware may have deleted the SafeBoot registry keys.
Here are some options to restore them:

http://didierstevens.wordpress.com/2006/06/26/restoring-safeboot/
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
Also see http://forum.avast.com/index.php?topic=26554.msg216924#msg216924
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
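
A triage check for the symptom described in this thread (executables that keep being rewritten and then fail with "not a valid Win32 application"), as an added example that is not part of the original posts: it walks a folder, validates the PE header structure of each .exe and flags files modified within the last few minutes. The function names, the 10-minute window and the sample bytes are assumptions; the thread does not say how the files are damaged, so this only catches corruption that breaks the header.

```python
import os
import struct
import time

def pe_header_problem(data):
    """Return None if data starts with a plausible PE header, else a reason."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "missing MZ DOS header"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE signature
    if e_lfanew + 26 > len(data):
        return "e_lfanew points outside the file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "missing PE signature"
    (sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return "bad optional header magic"
    if sections == 0 or e_lfanew + 24 + opt_size + 40 * sections > len(data):
        return "section table is missing or truncated"
    return None

def triage(root, recent_seconds=600, now=None):
    """List (path, header_problem, recently_modified) for suspicious .exe files."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    # Headers sit at the start of the file; 1 MiB is ample.
                    problem = pe_header_problem(fh.read(1 << 20))
                recent = now - os.path.getmtime(path) < recent_seconds
            except OSError as exc:
                problem, recent = f"unreadable: {exc}", False
            if problem or recent:
                findings.append((path, problem, recent))
    return sorted(findings, key=lambda f: f[0])

def sample_pe():
    """Constructed minimal PE32 header (not a real program): one empty section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    return dos + b"PE\0\0" + coff + opt + b"\0" * 40
```

Call `triage(path)` on the folder to inspect; running it from a clean system against the affected drive avoids relying on tools installed on the infected machine.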

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: EXEs being changed
« Reply #6 on: March 03, 2009, 04:54:52 PM »
Quote from: sepulchre
Ok, I did that. There were lots of results. Now, will it be possible to get rid of the virus(s)?

What was the URL of the VirusTotal results page ?
That information helps us to help you.

sepulchre

  • Guest
Re: EXEs being changed
« Reply #7 on: March 03, 2009, 05:06:02 PM »

sepulchre

  • Guest
Re: EXEs being changed
« Reply #8 on: March 03, 2009, 05:16:29 PM »
I forgot to mention - System Restore does not work either.

sepulchre

  • Guest
Re: EXEs being changed
« Reply #9 on: March 03, 2009, 05:19:13 PM »
I tried Panda Root Kit. It is also affected: " . . not a valid Win32 application."

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: EXEs being changed
« Reply #10 on: March 03, 2009, 05:21:28 PM »
it's Beagle..

sepulchre

  • Guest
Re: EXEs being changed
« Reply #11 on: March 03, 2009, 05:29:22 PM »
Ok, how do I get rid of it?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: EXEs being changed
« Reply #12 on: March 03, 2009, 06:07:48 PM »
Read the instructions, download and burn (maybe from another computer), finally use one of these rescue CDs:
1. Avira
2. Kaspersky
3. BitDefender
4. F-Secure
5. Dr. Web

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: EXEs being changed
« Reply #13 on: March 03, 2009, 06:08:29 PM »
Oh, if that fails, try full computer on-line scanning:
Kaspersky
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: EXEs being changed
« Reply #14 on: March 03, 2009, 06:20:54 PM »
Quote from: sepulchre
I tried Panda Root Kit. It is also affected: " . . not a valid Win32 application."

That is just one of the tools; keep trying in the hope one gets through. You should also send this to avast.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.