ashAvast.exe is not a valid Win32 application after attack by Bagle-YN and ZL

:frowning:

After having been infected by Bagle-YN and Bagle-ZL, and spending about 24 hours cleaning the system by booting from a different disk and scanning/deleting all infected files, I have a problem with Avast - I can reinstall it and it runs fine as a boot scan, and comes back with a clean scan result, BUT the resident virus scanner is not started at boot, and I get the error message “ashAvast.exe er ikke et gyldigt win32-program” - Danish XP Pro - comparable to the “ashAvast.exe is not a valid Win32 application” when I try to run Avast. I tried a WinXP repair installation, but that does not help.

Everything seems to be working fine, apart from not being able to reinstall the antivirus after the attack!

Is there anybody who has any knowledge of what the problem is?

You probably still have an infection, probably a rootkit on your system that is killing avast.
Use these tools to scan your PC:
http://research.pandasoftware.com/blogs/research/archive/2006/12/14/Rootkit-cleaner.aspx
http://www.f-secure.com/blacklight/try_blacklight.html

See http://forum.avast.com/index.php?topic=26554.0
http://forum.avast.com/index.php?topic=25941.0

After running the above rootkit tools, if nothing is found, try these.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.
AVG anti-spyware or SUPERantispyware or Spyware Terminator.

Correct - it was a rootkit infection - probably came in together with Bagle-YN; the hidden process was named “wintems.exe”. Blacklight rootkit eliminator can show that the problem and process are there, but cannot remove it.
But UnHackMe does the job.

Thanks for the assistance. Hope this note can help others - it has taken me 36 hours to diagnose and remove this problem!

Glad that you succeeded! 8)

I can’t run the Panda rootkit tool because it gives me the same “not a valid Win32” error. I tried starting in safe mode but it just reboots my PC and says it cannot start in safe mode. I don’t know what you do with the recovery console. It has a command prompt but I don’t know what I’m supposed to type in there.

So what do I do now?

Classic symptoms of Bagle - not a valid Win32 application and no safe mode.

First we need to find the associated driver and kill it, then work from there. As an aside, my boss gave me his laptop yesterday with Bagle among others - took 3 hrs to remove.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, DSS will open two Notepads, main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

I have tried many things since yesterday, when Avast (and Comodo Firewall pro) stopped running with the message “ashAvast.exe is not a valid Win32 application”.

I’ve run an online Panda scan, in which it supposedly disinfected several variants of Bagle worms. Restarted, still with no luck. I’ve run DSS, but have no idea how to proceed next.

It’s very frustrating, as I have so much data on my Windows XP laptop, and need Avast and Comodo to work. Any help would be greatly appreciated.

Does this tool work?

http://forum.avast.com/index.php?topic=33021.msg275911#msg275911

If you could attach the DSS log …

But the author of ComboFix, sUBs, has improved his tool to counter this virus - however, there are a few things that must be done.

When you go to save ComboFix at the start of the download process you MUST rename it to Gotcha.exe and not save it as combofix. Otherwise the virus WILL disable it.

Download ComboFix from Here or Here to your Desktop.

- Double-click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

I don’t get any prompts from the DOS window when I open ComboFix. Just a flickering “_”.

Did you rename it?

Could you post the DSS log then, and I will do it manually.

Hello,

The first time I downloaded, I forgot to rename it. So the application disappeared when I tried to access it. But on the second try, I did all that I should have done.

Do you want me to send both the main and extra logs? It’s quite long.

Yes, attach them by clicking the additional options function on the left when you post.

Thank you. Here they are.

  1. Please download The Avenger by Swandog46 to your Desktop.
    - Click on Avenger.zip to open the file
    - Extract avenger.exe to your desktop

  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Drivers to unload:
    srosa

    Files to delete:
    c:\windows\system32\drivers\srosa.sys
    C:\WINDOWS\system32\mdelk.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, start The Avenger program by clicking on its icon on your desktop.
    - Under “Script file to execute” choose “Input Script Manually”.
    - Now click on the Magnifying Glass icon, which will open a new window titled “View/edit script”.
    - Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    - Click Done.
    - Now click on the Green Light to begin execution of the script.
    - Answer “Yes” twice when prompted.
  4. The Avenger will automatically do the following:
    - It will restart your computer. (In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
    - On reboot, it will briefly open a black command window on your desktop; this is normal.
    - After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    - The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply.

Then retry ComboFix.

Thank you for the information. But, when I try to open the Avenger application, I get the same message: “avenger.exe is not a valid Win32 application”.

:cry:

Try and run it from safe mode.

I can’t access safe mode. I get the dreaded blue screen with a “fatal error” message…

Have you tried this tool? It worked for somebody else with the same infection and seems to be being kept up to date -

http://www.zonavirus.com/datos/descargas/95/elibagla.asp

If that should fail, rename avenger.exe to gotcha.exe and then try to run it.
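The “not a valid Win32 application” message (Windows error 193, ERROR_BAD_EXE_FORMAT) is raised whenever the loader refuses an image, so on its own it cannot tell a genuinely damaged executable from an intact one that the infection stops from running under its own name, which is the case this thread deals with. The following is an added example, not code from any poster or tool in the thread: a Python header check that confirms whether the tool's file on disk still parses as a PE image; if it does, renaming a copy (as advised above) is the next thing to try rather than re-downloading. The `make_sample_pe` helper builds a constructed header-only image so the check can be exercised offline.

```python
import struct

# Signatures from the PE/COFF specification.
MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}

def check_pe(data: bytes) -> dict:
    """Classify a byte image as a loadable-looking PE, or name the first defect found.

    Only the DOS stub, COFF header and optional-header magic are inspected: enough
    to separate a truncated/overwritten file from one the loader could accept.
    """
    result = {"valid": False, "reason": "", "format": None, "sections": 0}
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        result["reason"] = "missing MZ DOS header"
        return result
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)       # offset of "PE\0\0"
    if e_lfanew + 24 > len(data):                            # signature + 20-byte COFF header
        result["reason"] = "e_lfanew points past end of file (truncated?)"
        return result
    if data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        result["reason"] = "PE signature not found at e_lfanew"
        return result
    coff = e_lfanew + 4
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    result["sections"] = n_sections
    if opt_size < 2 or coff + 20 + opt_size > len(data):
        result["reason"] = "optional header missing or truncated"
        return result
    (opt_magic,) = struct.unpack_from("<H", data, coff + 20)
    if opt_magic not in OPT_MAGIC:
        result["reason"] = f"unknown optional header magic 0x{opt_magic:x}"
        return result
    result["format"] = OPT_MAGIC[opt_magic]
    result["valid"] = True
    result["reason"] = f"parses as {OPT_MAGIC[opt_magic]} (machine 0x{machine:x}), {n_sections} sections"
    return result

def check_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return check_pe(fh.read())

def make_sample_pe(valid: bool = True) -> bytes:
    """Constructed header-only image for offline testing; not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, PE32 opt hdr
    opt = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)
    sig = PE_MAGIC if valid else b"\0\0\0\0"                 # zeroed signature models a damaged header
    return bytes(dos) + sig + coff + opt
```

Run it as `check_file(r"C:\path\to\avenger.exe")` on the copy that fails to start; a `valid` result means the file itself is not the problem.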