Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!

Evidently I’ve been infected with something nasty that is attacking Avast itself.
It began after downloading a virtual pdf printer from a P2P.
Avast stopped appearing in the bottom right task bar. When I try to reinstall the system, the ashAvast.exe file is non-existent. I even tried to download the file from eMule; it downloaded but disappeared before I could open it. Now eMule has stopped working also.
At start up, I get the two Avast globes for a few seconds, then as soon as the network symbol starts up, they disappear.
Another symptom is that when I’m connected to the net, there are loads of packets being transferred even though no programs are running.
I’m running XP on an older Presario 1700…

HELP! PLEASE!!

avast being deleted (exe files) is a problem reported before, maybe searching the board you’ll find something.

Meanwhile, I suggest you follow the general cleaning procedure:

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After booting, you can enable System Restore again after step 3.

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

  4. If you are still detecting any strange behavior, or even if you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

  5. Also, if you are still detecting strange behaviors or you want to be sure you’re clean, maybe making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.

  6. Install avast again from scratch and schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).

  7. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

  8. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

Scan with F-Secure Blacklight and post the results

http://www.f-secure.com/blacklight/

Then post ComboFix and HijackThis logs:

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

Click here to download HJTsetup.exe

  1. Save HJTsetup.exe to your desktop.
  2. Double-click on the HJTsetup.exe icon on your desktop.
  3. By default it will install to C:\Program Files\Hijack This.
  4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  5. Put a check by Create a desktop icon then click Next again.
  6. Continue to follow the rest of the prompts from there.
  7. At the final dialogue box click Finish and it will launch Hijack This.
  8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  9. Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
  10. Come back here to this thread and paste the log in your next reply.
  11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Mauserme, is this link updated to new HijackThis 2.0.2 (stable version)?

Thanks Tech. I didn’t even notice Trend’s version was out of beta.

Thanks for all the info, unfortunately I jumped the gun and looked at other strings on the same issue; I ran Blacklight and it found 11 items.
I proceeded to reinstall Avast… Then the PC will not hook up to the net anymore.
When I look at my network list it says that another program is controlling that option and that I should run IZC from windows…
I’ll try repair that first, then see what to do before I do a Format C:/…

Typo: WZC not IZC.
Anyway, I tried to run it, as per Windows instructions, and I get a 10XX error. I’m trying to download and install the Linksys driver to see if it will help…

What were the file names? What action did you take?

See if LSPFix helps (don’t rush into a re-format)

http://cexx.org/lspfix.htm

First of all, thanks for all your help!!

OK, well I did all the various scans and fixes except Blacklight, which is running as I write; it caused a serious problem before, so I’m a bit itchy about allowing it to take any action. I got the net to work again by downloading a new driver for my Linksys WAN card, and am using that utility to connect.

When I open the View Wireless Network list via the icon in the toolbar, I still get nothing but that WZC note.

I’m not too worried about that, but at least the net is working with all the programs Tech told me to run. (Am running Combofix and LSP now).

Avast still will not get past the stage after reboot when you’re given the welcome note prompt. As soon as you press OK and the wireless and LAN icons appear, the Avast globes disappear. (I use Aswclear to remove Avast each time).
My Disc on Key was in the drive, how can I be sure it’s clean?

Well, here are the various log files, Runscan & HJT are too large to copy/paste (I hope I ran them at the correct time?):

FSBL (Blacklight):
07/08/07 19:57:30 [Info]: BlackLight Engine 1.0.64 initialized
07/08/07 19:57:30 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/08/07 19:57:30 [Note]: 7019 4
07/08/07 19:57:30 [Note]: 7005 0
07/08/07 19:57:45 [Note]: 7006 0
07/08/07 19:57:45 [Note]: 7011 1864
07/08/07 19:57:45 [Note]: 7026 0
07/08/07 19:57:46 [Note]: 7026 0
07/08/07 19:57:53 [Note]: FSRAW library version 1.7.1022
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\hidr.exe
07/08/07 19:57:56 [Note]: 10002 2
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\rosa.sys
07/08/07 19:57:56 [Note]: 10002 2
07/08/07 19:57:57 [Note]: 10002 3
07/08/07 19:57:57 [Note]: 10002 3
07/08/07 19:57:57 [Note]: 10002 2
07/08/07 19:57:57 [Note]: 10002 2
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Empty.txt
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Filters.xml
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\news.png
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\paint.png
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Profiles\Blank.txt
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Sample1.jpg
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Sample2.jpg
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Note]: 10002 2
07/08/07 19:59:17 [Note]: 10002 2
07/08/07 19:59:27 [Info]: Hidden file: c:\Program Files\Skype\toolbars\Shared\SPhoneParser.dll
07/08/07 19:59:27 [Note]: 10002 3
07/08/07 19:59:27 [Note]: 10002 2
07/08/07 19:59:27 [Note]: 10002 2
07/08/07 20:05:44 [Note]: 10002 2
07/08/07 20:05:44 [Note]: 10002 2
07/08/07 20:18:53 [Note]: 7007 0

Thanks again mauserme & Tech!!

AR1
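The BlackLight log above is the kind of output a helper has to read by eye. As an added example (not code from this thread, from F-Secure, or from any tool mentioned here), the following Python script parses BlackLight-style "Hidden file" lines and sorts them into a rough triage order. The sample log is constructed to resemble the one posted (same file names, most lines trimmed), and the scoring rule is an assumption of my own: a hidden file that both carries a code-capable extension and lives in a user-writable location (here the Documents and Settings profile, matching the hidires entries) is ranked high, a file with only one of those properties medium, and everything else low. It also groups findings by directory, which is what makes the two hidires files stand out from the scattered Movie Maker and Skype entries.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: shaped like the BlackLight log in the thread, trimmed.
SAMPLE_LOG = r"""
07/08/07 19:57:30 [Info]: BlackLight Engine 1.0.64 initialized
07/08/07 19:57:30 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/08/07 19:57:45 [Note]: 7011 1864
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\hidr.exe
07/08/07 19:57:56 [Note]: 10002 2
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\rosa.sys
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Empty.txt
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Sample1.jpg
07/08/07 19:59:27 [Info]: Hidden file: c:\Program Files\Skype\toolbars\Shared\SPhoneParser.dll
07/08/07 20:18:53 [Note]: 7007 0
"""

# Only the "Hidden file" lines carry a path; the numeric [Note] lines are skipped.
HIDDEN_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \[Info\]: Hidden file: (?P<path>.+)$"
)

# Extensions that run or get loaded as code (assumed list, not from the thread).
CODE_EXTENSIONS = {".exe", ".sys", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif"}

# Locations an ordinary XP user can write to (assumed, lower-cased prefixes).
USER_WRITABLE_PREFIXES = ("c:\\documents and settings\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class HiddenFile:
    timestamp: str
    path: str

    @property
    def extension(self) -> str:
        return PureWindowsPath(self.path).suffix.lower()

    @property
    def in_user_writable_location(self) -> bool:
        return self.path.lower().startswith(USER_WRITABLE_PREFIXES)

    @property
    def severity(self) -> str:
        # Heuristic ranking: code in a user-writable directory is the worst case.
        code = self.extension in CODE_EXTENSIONS
        user = self.in_user_writable_location
        if code and user:
            return "high"
        if code or user:
            return "medium"
        return "low"


def parse_hidden_files(log_text: str) -> list[HiddenFile]:
    """Extract every 'Hidden file' finding from BlackLight-style log text."""
    found = []
    for line in log_text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            found.append(HiddenFile(m.group("ts"), m.group("path")))
    return found


def triage(files: list[HiddenFile]) -> dict[str, list[str]]:
    """Bucket paths by severity so the reviewer reads the worst first."""
    buckets: dict[str, list[str]] = {"high": [], "medium": [], "low": []}
    for f in files:
        buckets[f.severity].append(f.path)
    return buckets


def cluster_by_directory(files: list[HiddenFile]) -> dict[str, list[str]]:
    """Group file names by (lower-cased) parent directory to expose clusters."""
    clusters: dict[str, list[str]] = defaultdict(list)
    for f in files:
        p = PureWindowsPath(f.path)
        clusters[str(p.parent).lower()].append(p.name)
    return dict(clusters)


if __name__ == "__main__":
    hidden = parse_hidden_files(SAMPLE_LOG)
    for level, paths in triage(hidden).items():
        for path in paths:
            print(f"[{level:6}] {path}")
    print()
    for directory, names in cluster_by_directory(hidden).items():
        print(f"{directory}: {', '.join(names)}")
```

Run it as-is to see the two hidires files listed first; to use it on a real log, replace SAMPLE_LOG with the file contents. The point of the directory grouping is that several hidden files in one unfamiliar directory under a user profile are a much stronger signal than a lone hidden file under Program Files, and that is a judgement worth making before renaming or deleting anything.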

These 2 are the cause of your problems with avast! They can be renamed.

Why are you uninstalling avast this way…?
What other security based software do you have that might block new startup entries, e.g. Spybot S&D (TeaTimer), AdAware (AdWatch), SpySweeper, Spyware Doctor (StartUpGuard), PrevX, WinPatrol, ProcessGuard, etc.?

  1. Check the option in the Appearance tab of settings.
    or
  2. Repair your avast installation through Control Panel.
    or
  3. Make a link to ashdisp.exe in your startup folder
    or
  4. Add the path to ashDisp.exe into a value named avast! in the Windows Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    See picture here: http://forum.avast.com/index.php?topic=26155.msg213891#msg213891

If that does not help, please, uninstall, boot, install again, boot.

The two files are strange…

But I’m not an expert on cleaning… Did you Google their names?

Well;

You guys are, as the British say, “The dogs bollocks”!!!

Avast! is working and running (It’s scanning my Disc-On-Key as well, I hope that’s enough to be sure?)

Evidently what tipped the scales in our favour is ComboFix (note attached files).

To answer your questions,

The hidr.exe is;

“hidr.exe
hidr.exe is a Trojan W32.Beagle.DZ.
hidr.exe tries to terminate antiviral programs installed on a user computer.
More info: http://securityresponse.symantec.com/avc
Removal:
Kill the process hidr.exe and remove hidr.exe from Windows startup using RegRun Reanimator.
http://www.regrun.com
Removal: hidr.exe is removed by RegRun.”

rosa.sys;
“rosa.sys - Email-Worm.Win32.Bagle.in”

LSP found no problems (probably due to me running via the Linksys interface, I can live with that).

At first, all I had running was Avast!.
Now I’ve been following instructions and have:

Spywareblaster, AVG Anti-Rootkit, A-Squared Anti-Malware, Spyware Terminator, Advanced WindowsCare V2, Spyware Blaster.

(Excuse my ignorance, please);

When should I re-enable my system restore?
Should I keep all the other protection software?

Many thanks!!

If you happen to have any samples of the two files you could send them to avast.

Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject. Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

I assume you meant that as a compliment ??? ;D

When you have a chance see if you’re able to boot into safe mode. You don’t need to do anything in safe mode - I just want to know if you can.

Mauserme;
A compliment of compliments, credit given where credit is due.

It will boot in safe mode, and Avast ran a scan of the hard disc during the boot.

So no problem there.

DavidR;
I’ll send whatever Avast picked up (the Trojan), but with regard to the Rosa; ComboFix collected that one and I’m not sure how to send it or even where to find it. I’m a bit scared to do something that’ll release it back into the system, so specific instructions would be appreciated (once again, please excuse my ignorance). What I can tell you is that the Rosa was what attacked the Avast. The Trojan was picked up and quarantined by Avast during the thorough scan I ran through the system after it finally ran for the first time.

AR1

Assuming you were able to find it (probably long gone by now due to the processes you have run), adding it to the avast chest will not release it into the system, the avast chest is a protected area where the malware can’t get out nor anything (other than avast) get in and execute any file stored there.

After you’re clean or at any time now… if it gets infected, just redo the process: disable, then enable. This deletes the infected restore points left behind.

They won’t harm, on contrary 8)

The paths to the quarantined files are

C:\Qoobox\Quarantine\C\DOCUME~1\xxx\APPLIC~1\hidires.vir\hidr.exe

C:\Qoobox\Quarantine\C\DOCUME~1\xxx\APPLIC~1\hidires.vir\rosa.sys

I don’t know if you will be able to copy these to the avast! chest without moving them out of the ComboFix quarantine (and I would advise against it). But if you can do it while leaving them where they are please do.

When you’re finished trying that post the results of your efforts - I would like to clean these infected backups and remove some of the specialized tools we used. We should also clean your restore points and talk a bit about a firewall.

In your HijackThis log there are 2 lines that seem to be related to the Trend Micro Dashboard. It appears to have been uninstalled and we can remove the traces of it unless you are still using it.

EDIT: I forgot for a moment you turned System Restore off, but I would like to start with a clean point after deleting the malware backups none the less.

Hi there,

Well, I’ve tried to send the viruses off, but the Combofix files that I compressed were blocked by the Hotmail scanner and the Avast chest will only send via a std. email service (Outlook, etc.), while I use Hotmail.

If there are any ideas on how to send them off, they’d be well appreciated.

When (or if) I send them off, how should I ‘get rid’ of them, or should I just leave them there?

With regard to the Trend Dashboard; how can I remove it?

Also, the rest of the issues you stated, I’d like to try and deal with them.

Many thanks,
AR1

Just to double check before we remove the tools, please upload this file to VirusTotal and post the analysis

C:\WINDOWS\system32\winzvprt5.sys