aswMon2.sys doesn't get installed (repeatedly) after new Beagle virus

Hello, I had some kind of strange trojan attack.
Some new Beagle virus, I think, as I had wfsintwq.sys and srosa2.sys (the 2 indicates it's a new Beagle variant, I think).

Well, in short, I removed all the involved virus files (a bit more than those 2 above),
and the virus is no longer active, doesn't come back, and I also have no blue screens anymore from the virus,
so I'm pretty sure it's a dead virus now.

However, when I try to install Avast (which I have installed and removed a few times now),
it never installs aswMon2.sys (c:\winnt\system32\drivers… it is missing from there).
It also doesn't install aswrdr.sys, aswFsBlk.sys and aswtdi.sys.

During install everything seems OK, however the tray icon shows it as not running.

In the setup logs it says error copying [… one of those files above …] (0x00000002).

Why won't a disk filter driver install?


Additional info: somehow the virus had slipped through McAfee (paid version), so I have also removed that virus scanner; those filter drivers are no longer active. There might be something else still active as a filter driver, perhaps, but I have no idea how to check that out.

Any help is welcome.
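The question of how to find out which filter drivers are still registered or running is a practical one, so here is an added example of how to do that inventory from a command prompt on Windows XP SP2 or later. It is not code from the thread or from Avast. Three things are worth knowing when reading the output: `fltmc` only lists minifilters registered with Filter Manager, so a legacy file-system filter will not appear there and has to be found through its driver service (the `Group` value under `HKLM\SYSTEM\CurrentControlSet\Services\<name>`); a driver service whose binary is not visible on disk is either a leftover registration pointing at a deleted file or a file that something is hiding from Windows; and the 0x00000002 in the setup log is the Win32 error code ERROR_FILE_NOT_FOUND. The Windows directory (`c:\winnt` on the poster's machine) is taken from `%SystemRoot%`, and `driverquery.exe` is assumed to exist only on XP Professional:

```batch
@echo off
rem Added example (not from the original thread): inventory the file-system
rem filter drivers and kernel driver services on an XP SP2+ machine and report
rem any driver service whose binary cannot be seen on disk. Assumes fltmc.exe,
rem sc.exe, reg.exe and findstr.exe are present; driverquery.exe is optional.
setlocal enabledelayedexpansion
set "REPORT=%TEMP%\driver-inventory.txt"

echo === Minifilters registered with Filter Manager === > "%REPORT%"
fltmc filters >> "%REPORT%" 2>&1
fltmc instances >> "%REPORT%" 2>&1

echo === Kernel driver services (running and stopped) === >> "%REPORT%"
sc query type= driver state= all >> "%REPORT%"

echo === driverquery (XP Professional only; skipped if missing) === >> "%REPORT%"
driverquery /v /fo csv >> "%REPORT%" 2>nul

echo === Driver services whose load-order Group contains "Filter" === >> "%REPORT%"
rem Legacy filters are invisible to fltmc; they are ordinary driver services
rem in a group such as "FSFilter Anti-Virus", "Filter" or "PnP Filter".
for /f "delims=" %%S in ('reg query HKLM\SYSTEM\CurrentControlSet\Services') do (
    reg query "%%S" /v Group 2>nul | findstr /i /r /c:"REG_SZ.*Filter" >nul && (
        echo %%S >> "%REPORT%"
        reg query "%%S" /v Group >> "%REPORT%" 2>nul
        reg query "%%S" /v ImagePath >> "%REPORT%" 2>nul
    )
)

echo === Driver services whose binary is missing or hidden === >> "%REPORT%"
for /f "tokens=2" %%N in ('sc query type^= driver state^= all ^| findstr /b /c:"SERVICE_NAME"') do (
    set "BIN="
    for /f "tokens=1* delims=:" %%A in ('sc qc %%N ^| findstr /c:"BINARY_PATH_NAME"') do set "BIN=%%B"
    if defined BIN (
        rem sc prints "BINARY_PATH_NAME   : <path>"; %%B starts with one space.
        set "BIN=!BIN:~1!"
        if not "!BIN!"=="" (
            rem Normalise the three spellings the Services hive uses.
            set "BIN=!BIN:\??\=!"
            set "BIN=!BIN:\SystemRoot\=%SystemRoot%\!"
            if not "!BIN:~1,1!"==":" set "BIN=%SystemRoot%\!BIN!"
            if not exist "!BIN!" echo %%N: !BIN! >> "%REPORT%"
        )
    )
)

echo Report written to "%REPORT%"
notepad "%REPORT%"
```

Run it from an Administrator account; `fltmc` and `sc qc` fail for unprivileged users. A running driver service that shows up in the last section (binary not found) is the case worth looking at with an offline boot, since a kernel rootkit hides exactly that file; a stopped service in the same section is usually just a registration left behind after the file was deleted.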

Beagle (Bagle) is a very tricky infection. It could disable the antivirus, and could prevent its installation.

The F-Bagle utility disinfects computers infected with certain Bagle worm variants. Please see the readme.txt file for more information.
Download: http://www.f-secure.com/tools/f-bagle.zip
Download: ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.zip

The unpacked version is available from here:
Download: http://www.f-secure.com/tools/f-bagle.exe
Download: ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.exe
Readme: http://www.f-secure.com/tools/f-bagle.txt
Readme: ftp://ftp.f-secure.com/anti-virus/tools/f-bagle.txt

Users can use this tool against Bagle variants:
http://www.symantec.com/security_response/writeup.jsp?docid=2004-011916-0524-99

This article provides the steps to remove SecurityCenter from your computer.
http://ts.mcafeehelp.com/faq3.asp?docid=71525
Also for direct download: http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe
and http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe (2007)

Sometimes McAfee won't be completely removed if you do not first uninstall Avast, including using its "Uninstall Application" if necessary (www.avast.com/eng/faq-install-uninstall-avast.html).

The remover file doesn't work either... although I'm still pretty sure I removed most of the virus.

I'm wondering if perhaps a rootkit is blocking some actions; going to check it out.

If you still think your computer is infected, maybe Malwarebytes or SuperAntiSpyware could find it.

http://filehippo.com/download_malwarebytes_anti_malware/

http://filehippo.com/download_superantispyware/

Hope this helps you solve your problem.

Good luck.

The F-Bagle utility didn't work; but then again, I'm sure I already deleted most of the virus.
As proof, my PC no longer crashes after the first minute,
and the virus files don't come back to the system.
And that's even now that I'm connected to the internet again, so the virus is kind of dead now.

If I run a rootkit detector called GMER, it still seems to find some files (in the registry).
But physically I have already removed those files.

The only file I have not deleted, I guess, is a file called acs3550p.sys.
Next I'm going to boot using the BartPE CD-ROM and do a search for such a file,
as now Windows doesn't let me see it (which would be normal if it's a rootkit).
I think I still face some kind of rootkit leftover now.
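Searching for one file name from BartPE only finds that one name. An added example (not part of the thread) of the more general check the poster is reaching for: list the system directories once from inside the running Windows and once from BartPE on the same machine, then diff the two listings. A file that shows up offline but not online was being hidden from the running Windows, which is how a kernel rootkit hides its driver. Names are listed without paths so the drive letter BartPE assigns does not matter; the Windows directory on the disk is assumed to be `\WINNT`, as on the poster's PC, and the BartPE drive letter is passed as an argument:

```batch
@echo off
rem Added example, not from the original thread: a cross-view file check.
rem Step 1, inside the installed Windows:   crossview.bat online
rem Step 2, booted from BartPE on that PC:  crossview.bat offline C:
rem   (C: being the letter BartPE gave the Windows volume; it may differ)
rem Listings are stored in the root of the Windows volume so step 2 can
rem read what step 1 wrote. Assumes the Windows directory is \WINNT.
setlocal enabledelayedexpansion
if /i "%~1"=="online" (
    set "WINTARGET=%SystemRoot%"
    set "STORE=%SystemDrive%"
) else if /i "%~1"=="offline" (
    if "%~2"=="" goto usage
    set "WINTARGET=%~2\WINNT"
    set "STORE=%~2"
) else goto usage

for %%D in (system32 system32\drivers) do (
    set "NAME=%%D"
    set "NAME=!NAME:\=_!"
    rem /a includes hidden and system files; /b prints bare names only.
    dir /a /b /o:n "!WINTARGET!\%%D" > "!STORE!\cv-%~1-!NAME!.txt"
    if /i "%~1"=="offline" (
        echo.
        echo [%%D] visible offline but NOT from the running Windows:
        findstr /v /i /x /l /g:"!STORE!\cv-online-!NAME!.txt" "!STORE!\cv-offline-!NAME!.txt"
        echo [%%D] listed online but absent offline ^(deleted since, or faked online^):
        findstr /v /i /x /l /g:"!STORE!\cv-offline-!NAME!.txt" "!STORE!\cv-online-!NAME!.txt"
    )
)
goto :eof

:usage
echo usage: %~nx0 online ^| offline X:
```

The comparison uses `findstr /v /x /l /g:` so every line of one listing is treated as a literal whole-line match against the other; anything not matched is printed. A name in the first list per directory is the interesting one: a `.sys` file that exists on disk but that the running Windows refused to show.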

Wow, meanwhile I've done lots of things, but not really much has worked to solve the remaining problems.
I still believe some kind of rootkit is active in the system.
For example, when I want to shut down or restart XP, I have to click that option twice, so something is hooked in there.

I've been looking with BartPE again, but couldn't find asc35550p.sys.
Then I did a chkdsk of my C: drive; there seemed to be lots of problems in my $MFT (a normal hidden XP disk part).
Chkdsk solved them, I think, but I still had to log off twice, so something is still active.

Well, now I just looked up my XP key using http://www.petri.co.il/quickly_retrieve_windows_cd_key.htm (use legally),
since it has been a real long, long time ago that I bought XP, and I lost the package box with that number.
Anyway, the key is connected to your specific machine, so I don't think people can commit fraud with that.

Now that I have that key noted, I'm going for an XP repair option with the original CD;
see how to: http://michaelstevenstech.com/XPrepairinstall.htm

When XP is good again I will use portable Firefox (download it from a clean system), put it on USB and then download Avast again; from this point on I don't like to use Internet Explorer. When that has been done I'm going to do Windows Update, as now (due to this repair option) my system is back to XP SP2.


I'll just keep you people updated, just in case someone gets into the same problems as I did.

Won’t the rescue CDs help?

Read the instructions, download and burn (maybe from another computer), and finally use one of these rescue CDs:

  1. Dr. Web
  2. Avira
  3. BitDefender
  4. Kaspersky
  5. F-Secure

You can check also this comparison article.

Thanks for mentioning; I had already used the BitDefender rescue CD, which seems to be the best, I think, since it does make an online connection so it will update virus signatures.

The XP repair option didn't work out; it turns out I have SP3 and removed the old hotfix uninstallers, while my CD version of XP is SP2. This resulted in a failing boot.
It kept showing a 'please wait' message for about an hour.

So then I restarted with the XP CD in Recovery Console mode and performed the following:

  1. chkdsk /p (which, since I have used it often now, didn't report errors, but took a long while to run)
  2. fixboot
  3. fixmbr
    (1+2+3 might remove some bootloader viruses as well, I think)

Then at least this system started again (and yes, I'm now typing from it with an internet connection).
Besides that, Avast won't install, and other similar programs won't either, like Ad-Aware.
One almost wouldn't notice there is something wrong with my PC now.
I'm still guessing some rootkit has left over a filesystem filter driver that refuses to get deleted and does not allow itself to be overwritten by another filesystem filter driver (a typical rootkit problem).

Now I'm running the Malwarebytes Anti-Malware scanner, http://www.malwarebytes.org/mbam.php
It does seem to find infections, although, as it is still running, I'm not sure if they are only leftover registry entries pointing to virus files that don't exist anymore, or something else.

I will keep you updated.

Oh, BTW, is there a way that I can talk to the support people at Avast about how I manually removed most of the virus files myself? I don't like to teach virus writers how I did that, and I think it's quite simple and unique. But it works... only not for this (as yet unknown) rootkit filter driver leftover.

Well, it seems to be fine again; I have now just installed Avast, and it works!

Also, when I shut down/reboot I don't need to click it twice anymore.
So I think the rootkit is gone now; it was asc3550p.sys, I think; I'm not sure what it does.

And I think that after all my actions, the final actions in which I did fixmbr and fixboot,
and then Malwarebytes' Anti-Malware tool, did a good job also on some leftovers.

Next, what I did is allow XP to install unsigned drivers (with a popup to warn me); during the virus/trojan attack I had increased that security level to only allow signed drivers (and in the end I wondered if that might be the reason that Avast wouldn't install). So I'm not really sure what the final killer of the rootkit was, but I'm glad it's gone now.
Also, Windows Update seems to work fine now; it worked fine just before I used Malwarebytes' tool. And my event logs look blue again.

Hmm, I think I got the virus with some kind of wrong tool download (as I was looking for image improvement filters, I guess some of those files were infected). Well, I removed them all as well, and I also reinstalled my web browser, cache etc., so there isn't any trace left and I won't get back into it.

In all the years that I have had XP, this is my first virus, and what a trouble this has been.

Still, I would be happy to inform Avast
on how I manually removed most of the files myself.
Can I talk to someone?
I prefer not to blog about this as it might end up in the wrong hands.