Maybe a reinstall of the Service Pack would help (after cleaning out the Beagle garbage from the other machine)…
I thought Beagle was already eliminated from my machine.
Oh, BTW, I solved the IE/Firefox issue by reinstalling both browsers again. Still no WZC, but I’ll try the reinstallation of the service pack.
Thank You!
jedikalimero, your system looks clean, just an ADS deleted. I must admit it was just an off chance for SDFix, as that does do registry repairs to the default Windows.
As for WZC, I am afraid that was right over my head, as I work from a single desktop system.
Hi all,
Exactly the same situation here, resulting from running a file that I should not have run in the first place. However, I did explicitly scan the file with Avast before running it and I got no warning whatsoever. Now avast is disabled, the wireless connection is unavailable (device not recognized), restoring to a point in time results in “Cannot restore… try different restore point”, and safe mode won’t boot (reboots at loading jgogo.sys).
Hopefully repairing the system from CD will allow me to run in safe mode, which in turn should allow me to restore the system to a point in time.
What makes me wonder is that I did explicitly scan the file. Such a thing happened to me once before, which in turn raises my doubts about avast’s efficacy (assuming that this is the same virus).
Where did you get the file? Beagle can’t be detected proactively without detecting Themida itself… each new generation is repacked and there’s no way to look inside quickly and effectively… the only way is to have the sample before anyone gets infected…
I have removed the file already, reinstalled Windows (on the old copy) and am currently trying to run the newly installed avast on startup. It finds files infected with Win32:Beagle-AAW, or corrupted files (restore points). It has crashed and restarted once so far, so I am afraid I will need to reinstall everything from scratch.
I got the file from emule - it was named “resharper 4.1 build 933.rar”, size about 3 MB. I scanned the archive first with no indication of a virus. I unpacked it and took a look at the files before I ran the exe one. There were four files in there, one of them being an nfo and one of them being an exe. I suspected that it was a virus, as the nfo file contained binary and the exe size was way too small to be the right file, but I ran the exe anyway, trusting Avast to catch it on the fly. I was terribly wrong, but inadvertently that is my fault.
Anyway, running the exe opened an app pretending to be a “flight blackbox decoder”. At that point I knew I had got infected and closed it at once, but that was too late.
Hope that helps.
Try a full on-line computer scan before…
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender (free removal of the malware)
Not possible.
After a scan with avast on startup, Windows now requires activation before letting me log in. And since I am not connected to the Internet (due to Beagle damage) it is not possible. I am not sure if this is related to the Avast scan, or rather to the number of times I have logged in after the repair (safe and normal), but this is the case.
Anyway, I keep all my data on separate drives, so formatting C will not do any “serious” damage other than losing a whole day on reinstallation (which is pretty serious in everyone’s case). By now I would have a whole new system up and running. Oh well… High time to buy some drive imaging software like Ghost.
Thanks for your responses and do not make my mistakes.
People suggest Disk Director (for whole partition/disk backup) or True Image (images of the files/disks), both from the Acronis company.
It may be helpful for troubleshooting.
Download and install AutoRuns by Mark Russinovich (not a necessary step) - http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx - this is a useful utility to verify system “startups” and “hooks”, including loading drivers.
This particular virus (in my case) runs as the drivers “srosa.sys” & “srosa2.sys”. Even if the virus is active, srosa2.sys is shown by AutoRuns (in the “drivers” tab) as “sK9Ou0s” with description “AVZ Driver” at path (in my case) c:\documents and settings\%login_name%\application data\drivers\srosa2.sys
Since the virus itself is a “rootkit”, srosa.sys is not shown if the virus is active (but if the virus is deactivated, AutoRuns shows the “srosa” autorun entry for srosa.sys).
In my case another executable - winupgro.exe - in the same directory was registered for startup (in the registry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run as “drvsyskit”), so the cure was as simple as renaming the directory (beware, it is marked as “hidden”) where those viruses reside, and then rebooting.
I should admit that if the virus is active, it hides srosa.sys and the rest of the “slave stuff” (like the “downld” subdirectory), so if on your system it resides in the standard ~/system32/drivers directory, you have to boot from the installation CD to the console (i.e. CMD.EXE), or use something like BartPE to boot, find and delete those files.
Curious enough: avast recognizes srosa.sys as “infected by Win32:Beagle-AAW [trj]”, but keeps silent about the other two beasts: srosa2.sys & winupgro.exe.
Another curiosity - even with the virus active, the entry point for srosa2.sys is shown by AutoRuns and could be “unchecked” (“deactivated”/“disabled”), but this does not affect virus activity (at least regarding “countermeasures” against avast).
Yet Another Coupled Curiosity - this virus did try to break the firewall (in my case it is Kerio Personal Firewall) and succeeded (removing the kpf driver), but then did not perform any counteraction to prevent repairing the KPF installation… hmmm… I was lucky not to lose my fw configuration files :-))
Well, this is the lesson (“well known” in the *nix world) that services like AV & FW should run under their own account with their own privileges.
So the installer should create/reuse a dedicated account for avast (advising the user to choose the same password as used for login… just to make the user/admin’s life simple ,-)) and create all sensitive data (including registry entries) with R/W permissions granted only to the avast account and R/O “for the rest of the world” (if the system itself needs access to it), or even without any permissions at all… and, of course, start all avast services using this dedicated account.
Yes, it’s “boring”,
yes, it makes some difficulties for the standard uninstaller, for example,
yes, it’s not a “silver bullet” since the user uses admin privileges anyway…
But it makes some “difficulties” for viruses and virus-makers not yet aware of such a “defensive environment”.
PS: I have these drivers, so could send them if they are still needed.
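A detection check in the spirit of this post, added here as an example (it is not code from the post or from avast): it parses a constructed .reg export of the HKCU Run key and flags the value name, file names and hidden profile-directory location described above. The sample entries, the regular expressions and the profile-directory heuristic are my own assumptions.

```python
"""Flag per-user autostart entries of the kind the post above describes: a hidden 'drivers'
directory under Application Data, the 'drvsyskit' Run value, winupgro.exe / srosa*.sys.
Added example, not from the post or avast; it parses a constructed .reg export offline."""
import re
SUSPICIOUS_VALUE_NAMES = {"drvsyskit"}                           # named in the post
SUSPICIOUS_FILES = {"winupgro.exe", "srosa.sys", "srosa2.sys"}   # named in the post
# Per-user profile data directories: genuine drivers/services do not live here (heuristic).
PROFILE_DATA_DIR = re.compile(r"\\(application data|local settings)\\", re.I)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
EXE_PATH = re.compile(r"\S.*?\.(exe|sys|dll|com|bat)\b", re.I)

# Constructed 'reg export' sample: entry 2 mirrors the post, entries 1 and 3 are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"drvsyskit"="C:\\Documents and Settings\\user\\Application Data\\drivers\\winupgro.exe"
"Updater"="\"C:\\Documents and Settings\\user\\Application Data\\upd\\svc.exe\" /q"
'''

def parse_values(reg_text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_LINE.match(line)):   # undo .reg escaping of " and \
            yield key, m["name"], m["data"].replace('\\"', '"').replace("\\\\", "\\")

def image_path(command):
    """Recover the executable path from a Run value, quoted or not, with arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE_PATH.match(command)          # unquoted paths may contain spaces
    return m.group(0) if m else command.split(" ", 1)[0]

def find_suspicious(reg_text):
    """Return [(value_name, path, reason)] for Run entries matching the indicators."""
    hits = []
    for key, name, command in parse_values(reg_text):
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        path = image_path(command)
        base = path.rsplit("\\", 1)[-1].lower()
        if name.lower() in SUSPICIOUS_VALUE_NAMES or base in SUSPICIOUS_FILES:
            hits.append((name, path, "known Beagle indicator"))
        elif PROFILE_DATA_DIR.search(path):
            hits.append((name, path, "autostart from user profile data directory"))
    return hits
```

On a live XP box the same check can be run against the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; the profile-directory heuristic is only a prompt to look closer, not proof of infection.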
Hello,
It seems like I have downloaded the same virus.
Things went like this:
A few minutes after running the downloaded .exe file (from an emule archive), my computer automatically reloaded.
It was very suspicious, and I thought it was gonna be a virus,
though I had my Avast! and Outpost Firewall Pro on, and expected them to prevent any problems.
After reboot, there was a very very long delay at startup and a message about an RPC error from Avast, again a long delay, but then Avast loaded (?) and its icon in the tray became active.
I scheduled a full scan in avast and rebooted. During the scan one virus was removed, and I thought that the problem was solved.
But again my computer reloaded automatically. And I paid attention to the “winupgro.exe” file in the task bar. I terminated the process, found this file and deleted it.
The main important part:
After reading about the “winupgro.exe” issue on the internet, I downloaded the Avast! Virus Cleaner Tool, cuz it was written that it is able to fight the Beagle virus… But during the whole scan no viruses were found! And after reboot I again see “winupgro.exe” in my task bar and start-up (though I removed it from the startup menu with msconfig, not to mention that I erased the file).
The question is: do I have to use other special antivirus products and utilities to fight that virus, or does Avast have its own tool to clean it and I just misused it or did something wrong?
Do I have to reinstall Avast Home Edition in this case? (cuz no threat was found even with the Cleaner Tool, and Avast seems to be loaded in memory properly at start up).
I was infected by this virus last month with the same set of issues as posted by the thread starter and exhunter here. It is also described here: http://freeforum.avg.com/read.php?4,186342,186364 which is almost exactly my case. I, too, scanned the downloaded file manually with Avast Home Edition before launching it and it reported the file as clean. Spybot Search & Destroy also reported no problems. I’m reporting this now to alert you that this virus is still a threat to Avast users, and so that you take care to include this terrible virus in your signature files. I was surprised to see that after 5 months Avast still does not detect it.
The most comprehensive info that I’ve been able to find on this virus is here: http://www.prevx.com/filenames/X2333748967407030363-X1/WINUPGRO.EXE.html
I was able to remove the virus files by finding them with the Avira bootable disk and then deleting the files by booting into Knoppix (Avira would not delete them).
I also cleaned the registry manually and ran more scans and found no traces. However, Win XP has sustained other unknown damage and freezes within 24 hrs of runtime. It looks like I’ll have to reinstall after all.
Shame! Where are the virus analysts? >:( >:(