Hello, I had some kind of strange trojan attack.
Some new Beagle virus, I think, as I had wfsintwq.sys and srosa2.sys (the 2 indicates it's a new Beagle variant, I think).
Well, in short, I removed all the involved virus files (a bit more than those 2 above)
and the virus is no longer active, doesn't come back, and I also have no blue screens anymore from the virus,
so I'm pretty sure it's a dead virus now.
However, when I try to install Avast (which I have installed and removed a few times now),
it never installs aswMon2.sys (c:\winnt\system32\drivers… it is missing from there).
It also doesn't install aswrdr.sys, aswFsBlk.sys and aswtdi.sys.
During install everything seems OK, however the tray icon shows it as not running.
In the setup logs it says error copying [… one of those files above …] (0x00000002).
Why won't a disk filter driver install??
–
Additional info: somehow the virus had slipped through McAfee (paid version), and so I have also removed that virus scanner; those filter drivers are no longer active. There might be something else active as a filter driver perhaps, but I have no idea how to check that out??
Sometimes McAfee won't be completely removed if you did not uninstall Avast beforehand, including using its "Uninstall Application" if necessary (www.avast.com/eng/faq-install-uninstall-avast.html).
The f-beagle utility didn't work; but then again, I'm sure I already deleted most of the virus.
As proof, my PC no longer crashes after the first minute,
and the virus files don't come back to the system,
and that's even now that I'm connected to the internet again, so the virus is kind of dead now.
If I run a rootkit detector called GMER, it seems to still find some files (in the registry).
But physically I have already removed those files.
The only file I have not deleted, I guess, is a file called acs3550p.sys.
Next I'm going to boot using the BartPE CD-ROM and do a search for such a file,
as now Windows doesn't let me see it (which would be normal if it's a rootkit).
I think I still face some kind of rootkit leftover now.
Wow, meanwhile I've done lots of things, but not really much worked to solve the remaining problems.
I still believe some kind of rootkit is active in the system.
For example, when I want to shut down or restart XP, I have to click that option twice, so something is hooked up there.
I've been looking with BartPE again, but couldn't find asc35550p.sys.
Then I did a chkdsk of my C: drive; there seemed to be lots of problems in my $MFT (a normal hidden XP disk part).
Chkdsk solved them, I think, but I still had to log off twice, so something is still active.
Well, now I just looked up my XP key using http://www.petri.co.il/quickly_retrieve_windows_cd_key.htm (use legally),
since it has been a real long, long time since I bought XP, and I lost that package box with that number.
Anyway, the key is connected to your specific machine, so I don't think people can commit fraud with that.
When XP is good again I will use portable Firefox (download it from a clean system), put it on USB and then download Avast again; from this point on I don't like to use Internet Explorer… If that has been done I'm going to do Windows Update, as now (due to this repair option) my system is back to XP SP2.
I'll just keep you people updated, in case someone gets into the same problems as I did.
Thanks for mentioning it; I had already used the BitDefender rescue CD, which seems to be the best, I think, since it makes an online connection so it will update virus signatures.
The XP repair option didn't work out; turns out I have SP3 and removed old hotfix uninstallers, while my CD version of XP is SP2, and this resulted in a failing boot.
It kept showing a 'please wait' message for about an hour.
So then I restarted with the XP CD in Recovery Console mode, and performed the following:
chkdsk /p (which, since I have used it often now, didn't report errors but took a long while to run)
fixboot
fixmbr
(1+2+3 might remove some bootloader viruses as well, I think)
Then at least this system started again (and yes, I'm now typing from it, with an internet connection).
Besides Avast not installing, other similar programs won't either, like Ad-Aware.
One almost wouldn't notice there is something wrong with my PC now.
I'm still guessing some rootkit has left over a filesystem filter driver that refuses to be deleted, and does not allow itself to be overwritten by another filesystem filter driver (a typical rootkit problem).
Now I'm running the Malwarebytes Anti-Malware scanner, http://www.malwarebytes.org/mbam.php.
It does seem to find infections, although as it is still running, I'm not sure if they are only leftover registry entries pointing to virus files that don't exist anymore, or something else.
I will keep you updated.
Oh, BTW, is there a way that I can talk to the support people of Avast about how I manually removed most of the virus files myself? I don't like to teach virus writers how I did that, and I think it's quite simple and unique. But it works… only not for this (unknown) yet rootkit filter driver leftover.
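Two questions in this thread can be answered from a normal administrator prompt: "how do I check what filter drivers are active" (asked in the first posts) and "are these only leftover registry entries pointing to driver files that no longer exist" (the GMER and Malwarebytes findings above). The script below is an added example, not code from the poster, from Avast or from any tool named in the thread. It assumes PowerShell 3.0 or later (Get-CimInstance; on older Windows PowerShell, Get-WmiObject -Class Win32_SystemDriver returns the same objects) and an elevated prompt so that every registered driver is reported. It lists the file-system filter drivers currently loaded together with their Authenticode signature status, and separately lists drivers that are still registered but whose binary is gone from disk, which is exactly the kind of orphaned entry a rootkit detector keeps flagging after a manual cleanup.

```powershell
# Added example (not from the forum thread): audit registered system drivers.
# Assumes PowerShell 3.0+ on Windows, run from an elevated prompt.

function Get-DriverAudit {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        # PathName comes in several spellings; normalise to a plain Win32 path.
        $path = $_.PathName
        if ($path) {
            $path = $path -replace '^\\\?\?\\', ''                          # \??\C:\... -> C:\...
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\... -> C:\WINDOWS\...
            $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"
        }

        $exists    = $false
        $signature = 'n/a'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $exists    = $true
            # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
            $signature = (Get-AuthenticodeSignature -FilePath $path).Status
        }

        [pscustomobject]@{
            Name        = $_.Name
            ServiceType = $_.ServiceType   # 'File System Driver' or 'Kernel Driver'
            State       = $_.State         # 'Running' / 'Stopped'
            StartMode   = $_.StartMode     # Boot / System / Auto / Manual / Disabled
            Path        = $path
            FileExists  = $exists
            Signature   = $signature
        }
    }
}

# File-system filter drivers that are loaded right now, with signature status.
# An unsigned or unknown entry here is what to look at when another filter
# driver (such as an antivirus one) cannot be installed.
function Get-ActiveFsFilters {
    Get-DriverAudit |
        Where-Object { $_.ServiceType -eq 'File System Driver' -and $_.State -eq 'Running' }
}

# Drivers still registered (and not disabled) whose file has been removed:
# these are leftover registry entries, not active code, and can be cleaned
# up via the normal service/driver removal path.
function Get-OrphanedDrivers {
    Get-DriverAudit |
        Where-Object { -not $_.FileExists -and $_.StartMode -ne 'Disabled' }
}

Write-Host '== Loaded file-system filter drivers =='
Get-ActiveFsFilters | Sort-Object Name |
    Format-Table Name, StartMode, Signature, Path -AutoSize

Write-Host '== Registered drivers whose binary is missing =='
Get-OrphanedDrivers | Sort-Object Name |
    Format-Table Name, ServiceType, StartMode, Path -AutoSize
```

Win32_SystemDriver only reports drivers registered as services, so a driver that hides its own service entry will not appear; for that case, comparing this listing against a scan taken from outside the installed system (a boot CD, as done above) is the usual cross-check.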
Well, it seems to be fine again; I have now just installed Avast, and it works!
Also, when I shut down/reboot I don't need to click it twice anymore.
So I think the rootkit is gone now; it was asc3550p.sys, I think; I'm not sure what it does.
And I think, after all my actions, the final actions were the ones in which I did fixmbr and fixboot.
Then Malwarebytes' Anti-Malware tool did a good job also for some leftovers.
Next, what I did was to allow XP unsigned drivers (with a popup to warn me); during the virus/trojan attack I had increased that security level to only allow signed drivers (and in the end I wondered if that might be the reason that Avast wouldn't install)… So I'm not really sure what was the final killer of the rootkit, but I'm glad it's gone now.
Also Windows Update seems to work fine now; it worked fine just before I used Malwarebytes' tool. And my event logs look blue again.
Hmm, I think I got the virus with some kind of wrong tool download (as I was looking for image improvement filters, I guess some of those files were infected). Well, I removed them all as well, and I also reinstalled my web browser cache, etc., so there isn't any trace left and I won't get back into it.
In all the years that I have had XP, it's my first virus, and what a trouble this has been.
Still, I would be happy to inform Avast
on how I manually removed most of the files myself.
Can I talk to someone?
I prefer not to blog about this, as it might end up in the wrong hands.