Evidently I’ve been infected with something nasty that is attacking Avast itself.
It began after downloading a virtual pdf printer from a P2P.
Avast stopped appearing in the bottom right task bar. When I try to reinstall the system, the ashAvast.exe file is non-existent. I even tried to download the file from eMule; it downloaded but disappeared before I could open it. Now eMule has stopped working also.
At start up, I get the two Avast globes for a few seconds, then as soon as the network symbol starts up, they disappear.
Another symptom is that when I’m connected to the net, there are loads of packets being transferred even though no programs are running.
I’m running XP on an older Presario 1700…
avast being deleted (exe files) is a problem reported before, maybe searching the board you’ll find something.
Meanwhile, I suggest you follow the general cleaning procedure:
Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).
It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
Also, if you’re still detecting strange behaviors or you want to be sure you’re clean, making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.
Install avast again from scratch and schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select archives for scanning. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).
After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.
Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
1. Save HJTsetup.exe to your desktop.
2. Double-click on the HJTsetup.exe icon on your desktop.
3. By default it will install to C:\Program Files\Hijack This.
4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
5. Put a check by Create a desktop icon then click Next again.
6. Continue to follow the rest of the prompts from there.
7. At the final dialogue box click Finish and it will launch Hijack This.
8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
9. Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
10. Come back here to this thread and Paste the log in your next reply.
11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Thanks for all the info, unfortunately I jumped the gun and looked at other strings on the same issue; I ran Blacklight and it found 11 items.
I proceeded to reinstall Avast… Then the PC will not hook up to the net anymore.
When I look at my network list it says that another program is controlling that option and that I should run IZC from windows…
I’ll try to repair that first, then see what to do before I do a Format C:/…
Typo: WZC not IZC.
Anyway, I tried to run it, as per Windows instructions, and I get a 10XX error. I’m trying to download and install the Linksys driver to see if it will help…
OK, well I did all the various scans and fixes except Blacklight, which is running as I write; it caused a serious problem before, so I’m a bit itchy about allowing it to take any action. I got the net to work again by downloading a new driver for my Linksys WAN card, and am using that utility to connect.
When I open the View Wireless Network list via the icon in the toolbar, I still get nothing but that WZC note.
I’m not too worried about that, but at least the net is working with all the programs Tech told me to run. (Am running Combofix and LSP now).
Avast still will not get past the stage after reboot when you’re given the welcome note prompt. As soon as you press OK and the wireless and LAN icons appear, the Avast globes disappear. (I use Aswclear to remove Avast each time).
My Disc on Key was in the drive, how can I be sure it’s clean?
Well, here are the various log files, Runscan & HJT are too large to copy/paste (I hope I ran them at the correct time?):
Why are you uninstalling avast this way…?
What other security based software do you have that might block new startup entries, e.g. Spybot S&D (TeaTimer), AdAware (AdWatch), SpySweeper, Spyware Doctor (StartUpGuard), PrevX, WinPatrol, ProcessGuard, etc.?
Check the option in the Appearance tab of settings.
or
Repair your avast installation through Control Panel.
or
Make a link to ashdisp.exe in your startup folder
or
You guys are, as the British say, “The dogs bollocks”!!!
Avast! is working and running (It’s scanning my Disc-On-Key as well, I hope that’s enough to be sure?)
Evidently what tipped the scales in our favour is ComboFix (note attached files).
To answer your questions,
The hidr.exe is:
“hidr.exe
hidr.exe is a Trojan W32.Beagle.DZ.
hidr.exe tries to terminate antiviral programs installed on a user computer.
More info: http://securityresponse.symantec.com/avc…
Removal:
Kill the process hidr.exe and remove hidr.exe from Windows startup using RegRun Reanimator. http://www.regrun.com
Removal: hidr.exe is removed by RegRun.”
rosa.sys:
“rosa.sys - Email-Worm.Win32.Bagle.in”
LSP found no problems (probably due to me running via the Linksys interface, I can live with that).
At first, all I had running was Avast!.
Now I’ve been following instructions and have:
If you happen to have any samples of the two files you could send them to avast.
Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject. Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
Mauserme;
A compliment of compliments, credit given where credit is due.
It will boot in safe mode, and Avast ran a scan of the hard disc during the boot.
So no problem there.
DavidR;
I’ll send whatever Avast picked up (the Trojan), but with regard to the Rosa; ComboFix collected that one and I’m not sure how to send it or even where to find it. I’m a bit scared to do something that’ll release it back into the system, so specific instructions would be appreciated (once again, please excuse my ignorance). What I can tell you is that the Rosa was what attacked the Avast. The Trojan was picked up and quarantined by Avast during the thorough scan I ran through the system after it finally ran for the first time.
Assuming you were able to find it (probably long gone by now due to the processes you have run), adding it to the avast chest will not release it into the system, the avast chest is a protected area where the malware can’t get out nor anything (other than avast) get in and execute any file stored there.
After you’re clean or at any time now… if it gets infected, just redo the process: disable then enable. This deletes the infected restore points left behind.
I don’t know if you will be able to copy these to the avast! chest without moving them out of the ComboFix quarantine (and I would advise against it). But if you can do it while leaving them where they are please do.
When you’re finished trying that post the results of your efforts - I would like to clean these infected backups and remove some of the specialized tools we used. We should also clean your restore points and talk a bit about a firewall.
In your HijackThis log there are 2 lines that seem to be related to the Trend Micro Dashboard. It appears to have been uninstalled and we can remove the traces of it unless you are still using it.
EDIT: I forgot for a moment you turned System Restore off, but I would like to start with a clean point after deleting the malware backups nonetheless.
Well, I’ve tried to send the viruses off, but the Combofix files that I compressed were blocked by the Hotmail scanner and the Avast chest will only send via a std. email service (Outlook, etc.), while I use Hotmail.
If there are any ideas on how to send them off, they’d be well appreciated.
When (or if) I send them off, how should I ‘get rid’ of them, or should I just leave them there?
With regard to the Trend Dashboard; how can I remove it?
Also the rest of the issues you stated, I’d like to try and deal with them.