Avast home removed by virus

Yesterday I ran an exe file I shouldn’t have run. Immediately I got a window telling me a program was trying to disable Avast, with a countdown. I pressed the “don’t allow” option and then I got a lot of messages telling me the program was trying to change keys in the registry, but it seems eventually the virus won, because the tray icon of Avast appeared as stopped and when I moved the pointer over it, it disappeared.

I connected the hard disk to another computer and ran an Avast scan but it didn’t find anything. I also ran Panda ActiveScan and another web based scanner and they didn’t find anything either.

The affected computer is still running but there are some issues:

  • I can’t connect to my wi-fi network (and so to the internet). The Wireless Zero Configuration service can’t be started (error 1068)
  • Avast services are disabled
  • If I open the program files\alwil software\avast4 folder, I can see that many of the files are being constantly rewritten (their icons tilt and the modified date is constantly updated)
  • The same happens with Norton Partition Manager.

I still have the zip (or rar) file the virus came in (downloaded from the eDonkey network)

Two symptoms I forgot:

  • trying to start Windows in any of the safe modes gives a blue screen of death
  • Trying to take the system back to a restore point doesn’t work

it could be a new variant of Win32:Beagle… send the sample to virus[at]avast[dot]com… can you list the recently changed files on the infected HDD from the other machine? Most interesting are the Windows folder, the system32 subfolder, system32\drivers and maybe the root of the drive…

OK, I sent the file to http://virusscan.jotti.org/ and it tells:
File: setup.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file’s scan results will not be stored in the database)
MD5: 7273363da6c59b96dad6616a37d25d97
Packers detected: -

A-Squared Found Trojan-Downloader.Win32.Bagle!IK
AntiVir Found TR/Dldr.Bagle.aha
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Win32/Themida
BitDefender Found DeepScan:Generic.Bagle.9D1F90F4
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Packed.650
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Bagle.aha
G DATA Found DeepScan:Generic.Bagle.9D1F90F4
Ikarus Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Bagle.aha
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/Bagle-B
VirusBuster Found nothing
VBA32 Found nothing

So it looks like Bagle in fact. I’ve sent you the infector file (the subject of the mail is: Virus bagle stops the Avast antivirus)

Modified files in avast folder are:
copyx64.exe
ashDisp.exe
aswRegSvr.exe
ashAvast.exe
ashChest.exe
ashLogV.exe
ashMaiSv.exe
ashPopWz.exe
ashQuick.exe
ashServ.exe
ashSimp2.exe
ashSkPcc.exe
ashSkPck.exe
ashUpd.exe
ashWebSv.exe
ashUpdSv.exe
sched.exe
VisthLic.exe
VisthUpd.exe
ashSimpl.exe

all files from the AMD and IA64 folders are gone except for aswMonFlt.sys (I’m comparing the contents with the ones on my laptop)
also some files from INF

Files modified in the Windows folder (or at least with a modified date later than the infection) are:
win.ini
IE Error Log.txt
WindowsUpdate.log
SchedLgU.txt
bootstat.dat
wiaservc.log
0.log
wiadebug.log
setupapi.log

But, as I said, modifications in those files may just be normal behaviour of the system.

In the System32 folder:
FNTCACHE.DAT
vapps.xml
wpa.dbl

In system32\drivers:
srosa.sys
srosa2.sys

Any solution?
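A small triage helper for what was asked above: list the files changed after the infection on the disk mounted in a clean machine (root, Windows, system32, system32\drivers, the Avast4 folder) and compare the Avast4 folder against a known-good copy, as the poster did with his laptop. This is an added example, not code from the thread or from Avast; the folder layout, timestamps and sample files in `demo()` are constructed, and a real run would point `modified_after()` at the mounted drive letter with the infection time as cutoff.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path
# Folders the avast poster asked about, relative to the mounted volume root.
INTERESTING = ["", "WINDOWS", "WINDOWS/system32", "WINDOWS/system32/drivers",
               "Program Files/Alwil Software/Avast4"]

def modified_after(root, cutoff):
    """Files directly inside the INTERESTING folders whose mtime is newer than
    cutoff (epoch seconds), newest first, as volume-relative POSIX paths."""
    root, hits = Path(root), []
    for sub in INTERESTING:
        folder = root / sub
        if folder.is_dir():
            for p in folder.iterdir():
                if p.is_file() and p.stat().st_mtime > cutoff:
                    hits.append((p.relative_to(root).as_posix(), p.stat().st_mtime))
    return [name for name, _ in sorted(hits, key=lambda t: t[1], reverse=True)]

def diff_against_reference(suspect, clean):
    """Compare a folder from the infected disk with the same folder on a clean
    machine: files gone, files added, and files whose content hash differs."""
    digest = lambda p: hashlib.sha256(p.read_bytes()).hexdigest()
    sus = {p.relative_to(suspect).as_posix(): p for p in Path(suspect).rglob("*") if p.is_file()}
    ref = {p.relative_to(clean).as_posix(): p for p in Path(clean).rglob("*") if p.is_file()}
    return {"missing": sorted(set(ref) - set(sus)), "extra": sorted(set(sus) - set(ref)),
            "changed": sorted(n for n in sus.keys() & ref.keys() if digest(sus[n]) != digest(ref[n]))}

def demo():
    """Constructed sample: an 'infected' volume beside a clean reference copy."""
    base = Path(tempfile.mkdtemp())
    infected, clean = base / "infected", base / "clean"
    avast, old, cutoff = "Program Files/Alwil Software/Avast4", 1_200_000_000, 1_200_100_000
    files = {f"{avast}/ashServ.exe": b"service", f"{avast}/ashDisp.exe": b"tray",
             f"{avast}/IA64/aswMonFlt.sys": b"filter", "WINDOWS/win.ini": b"[fonts]"}
    for tree in (infected, clean):
        for rel, data in files.items():
            p = tree / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data); os.utime(p, (old, old))   # everything predates the cutoff
    # Simulate what the poster saw: a service binary rewritten, the tray exe gone,
    # and an unknown driver appearing in system32\drivers after the cutoff.
    svc = infected / avast / "ashServ.exe"
    svc.write_bytes(b"rewritten"); os.utime(svc, (cutoff + 60, cutoff + 60))
    (infected / avast / "ashDisp.exe").unlink()
    drv = infected / "WINDOWS/system32/drivers/srosa.sys"
    drv.parent.mkdir(parents=True); drv.write_bytes(b"driver"); os.utime(drv, (cutoff + 120, cutoff + 120))
    result = modified_after(infected, cutoff), diff_against_reference(infected / avast, clean / avast)
    shutil.rmtree(base)
    return result
```

Only the top level of each folder is listed, matching the request in the thread; swap `iterdir()` for `rglob("*")` to walk subfolders too.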

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Double click on Combo-Fix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

srosa.sys and srosa2.sys are quite interesting to us (they are the rootkits added by Beagle)… can you also send these two files? thx

…to get Firefox to actually display that rename option, set the options up like in the screenshot attached.

For removing the malware you may find http://whirlpool.net.au/wiki/?tag=malware_removal useful.

OK, attached is the output of COMBOFIX

After that, I reinstalled Avast (an outdated version since I still can’t connect to the internet with my desktop) and used EliBagle and it still found 2 infected files. Attached is the output (it looks like Avast got infected again. There is no tray icon this morning)

And finally, the output of HijackThis.

MAXX, I’m afraid the SROSA files were deleted by some ActiveScan (Panda or another, I can’t remember) and ComboFix, but you have the infector file I sent you so you can infect a controlled PC to obtain them :wink:

I still can’t get the WZC service running again :frowning:

I’ve tried to restore the system to a point before the infection but all restore points have disappeared.

yes, we can, but Beagle won’t run under VMware and similar virtual machines due to the Themida layer and that’s always a pain… anyway, thx for your submission :wink:

Any files moved by ComboFix are quarantined in the Qoobox folder on your root drive and have a .vir extension added, so they can be uploaded to Avast from there for analysis. Looking at the logs now ;D

I have had a look at your log and there do not appear to be any remaining traces of Beagle.

To repair the registry let’s use SDFix, as that has a good repair section as part of its routine.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts the fix tool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also be saved into the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log

OK, here it is: srosa2.sys.vir (well, not here, but sent to virus[at]avast[dot]com.)
The latest Avast database detects the virus in the original infector file, but not in srosa2.sys.vir

Hope you enjoy it :smiley:

I have managed to recover my internet connection in some way: my Thomson wi-fi USB receiver, which works with Windows WZC, still can’t run, but I’ve connected another wi-fi USB receiver from Belkin that uses its own software, so I can establish a connection with this one temporarily (I took it from another computer that is now without a connection).

I’m going to use SDFix and let’s see if everything works again. Another thing that doesn’t work well is that every time I start Firefox, it says it is not the default browser even if I check the option every time. As a consequence, every link I open from Thunderbird, the Favorites folder, etc., opens in IExplorer instead of Firefox.

I will do some quick research on that problem

Hi jedikalimero,

Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here:
http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe

• Double-click FixPolicies.exe
• Click the “Install” button on the bottom toolbar of the box that will open.
• The program will create a new Folder called FixPolicies,
• Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
• A black box will briefly appear and then close.

This could help you solve a couple of problems,

polonus

Essexboy, here are the SDFix and HijackThis reports

I’ve followed your instructions, but if this solved any problems, they were problems I was not aware of. WZC keeps refusing to start and IExplorer keeps retaining its “I Am Your Browser” status. :frowning:

jedikalimero: thx :slight_smile:

Do you think I could recover the lost WZC functionality and fix the issue with IExplorer/Firefox if I boot with my original Windows CD and do a repair of the system? (Not the Recovery Console but the repair option when installing Windows)