Avast.exe disappears from the system

system · 2007-10-25T23:49:45.000Z

I’m an Avast Home user with Win Vista Home Basic.
This morning I noticed the Avast icon was gone from the icon tray. I tried to start the program using the Windows start menu pop-up but I got a “windows cannot find avast.exe” message. I went to the c:\Program Files\Alwil Software\Avast 4 folder and the exe file isn’t there. Checked the services and all the Avast modules are there although in a manual mode. At the same time, Windows Defender and Windows Security Center were disabled and couldn’t start them either.
I tried to run Spybot search and destroy and the exe file has disappeared also.
I went to Windows control panel to unistall Avast (to reinstall it later). Couldn’t find it.
Ran the Avast cleanup utility and then reinstalled - Same thing, as soon as I restarted the PC the exe file was gone and no icon present.
Decided to run a Kapersky online check with the following results:
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -startup Infected: Trojan-Downloader.Win32.Bagle.fc skipped
Lots of files locked!
I removed the infected file and activated the Windows Vista User Account Control. I could then run Windows Defender and enable the Security Center BUT NO AVAST!
HELP
Thks. in advance

Lisandro · 2007-10-26T00:01:49.000Z

disova post:1:

“windows cannot find avast.exe” message.

There isn’t an executable called this way…
ashavast.exe could be the correct one.

disova post:1:

At the same time, Windows Defender and Windows Security Center were disabled and couldn’t start them either.

You probably still have an infection, probably a rootkit on your system that is killing avast and WSC.

See http://forum.avast.com/index.php?topic=26554.0
http://forum.avast.com/index.php?topic=25941.0

http://research.pandasoftware.com/blogs/research/archive/2006/12/14/Rootkit-cleaner.aspx
http://www.f-secure.com/blacklight/try_blacklight.html

After running the above rootkit tools if nothing is found try these.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.
AVG anti-spyware or SUPERantispyware or Spyware Terminator.

system · 2007-10-26T01:39:19.000Z

Thank you very much for the quick response!
Here’s what I’ve done so far:

Blacklight and Panda are either not available or not Vista compatible, but I found AVG Anti-rootkit free. The results:

C:\Windows\System32\drivers\srosa.sys,Hidden driver file
C:\Windows\System32\drivers\srosa.sys,Hidden File
C:\Windows\System32\IME\shared,Hidden Directory
C:\Windows\System32\IME\shared\IMCCPHR.exe,Hidden File
C:\Windows\System32\IME\shared\IMEAPIS.DLL,Hidden File
C:\Windows\System32\IME\shared\imecfm.dll,Hidden File
C:\Windows\System32\IME\shared\IMEPADSM.DLL,Hidden File
C:\Windows\System32\IME\shared\IMEPADSV.EXE,Hidden File
C:\Windows\System32\IME\shared\IMETIP.DLL,Hidden File
C:\Windows\System32\IME\shared\imever.dll,Hidden File
C:\Windows\System32\IME\shared\IMJKAPI.DLL,Hidden File
C:\Windows\System32\IME\shared\MSCAND20.DLL,Hidden File

Although these results are from the second scan. I previously removed hidr.exe, since I saw this in the recommended threads. Should I remove the rest also?
I have Superantispyware, but it gives me a blue screen a few minutes after starting the scan in normal mode. In safe mode only cookies appear.
I tried scheduling an Avast boottime scan but although the simp files are there, they won’t start.
No improvement yet. What’s next?

DavidR · 2007-10-26T02:20:05.000Z

I would google the file names to see what is known about them, e.g. srosa.sys is linked to Beagle

IMCCPHR.exe is a part of Microsoft Global Input Method Editors (IMEs). IME is a program that allows computer users to enter complex characters and symbols, …

http://www.greatis.com/vista/DLL/i/imeapis.dll.htm

Sorry I haven’t googled the others it is after 3 a.m. here and my bed is calling.

system · 2007-10-26T02:31:56.000Z

Thank you for the help. Your advice led me to the antirootkit software and then to the srosa.sys investigation. Google took me to this site:
http://www.zonavirus.com/datos/descargas/95/elibagla.asp and to a small program called ElibaglA, which did the cleaning for me.
I’ve reinstalled Avast and Spybot and both work now.
Thks. again…

DavidR · 2007-10-26T12:49:45.000Z

No problem, welcome to the forums.

Lisandro · 2007-10-26T14:08:39.000Z

disova post:3:

Panda are either not available or not Vista compatible

Thanks for the info. I haven’t noticed that.

disova post:3:

Should I remove the rest also?

My AVG rootkit scanning come out clean… So, I can guess these files aren’t legit.

disova post:3:

I have Superantispyware, but it gives me a blue screen a few minutes after starting the scan in normal mode.

Strange… it’s working on my side…

system · 2007-10-26T21:53:31.000Z

Tech post:7:

disova post:3:

Panda are either not available or not Vista compatible

Thanks for the info. I haven’t noticed that.

disova post:3:

Should I remove the rest also?

My AVG rootkit scanning come out clean… So, I can guess these files aren’t legit.

disova post:3:

I have Superantispyware, but it gives me a blue screen a few minutes after starting the scan in normal mode.

Strange… it’s working on my side…

Yup, Panda sends a “not OS compatible” message when attempting to install. Blacklight is now a part of an antivirus package.

Those rootkits weren’t legit.

Superantispyware gave me the blue screen when the pc was infected. It’s OK now.

Cheers.

DavidR · 2007-10-26T22:03:31.000Z

Well I though that was how things were shaping up as MS files, with the exception being srosa.sys which could be linked to Beagle.

That is one of the problems with some anti-rootkit tools they find hidden system files so you need to do what you did ‘ask’ before action. Some of them snow you under in information and you need to analyse it.

Panda and AVG anti-rootkits are among the more friendly tools unfortunately the problem with Vista compatibility will be with us for a while.

Lisandro · 2007-10-27T00:01:09.000Z

disova post:8:

Superantispyware gave me the blue screen when the pc was infected. It’s OK now.

How did you clean your computer? Just using AVG Antirootkit?

system · 2007-10-29T15:16:54.000Z

Tech post:10:

disova post:8:

Superantispyware gave me the blue screen when the pc was infected. It’s OK now.

How did you clean your computer? Just using AVG Antirootkit?

Quoting above messages:

“Thank you for the help. Your advice led me to the antirootkit software and then to the srosa.sys investigation. Google took me to this site: http://www.zonavirus.com/datos/descargas/95/elibagla.asp and to a small program called ElibaglA, which did the cleaning for me.
I’ve reinstalled Avast and Spybot and both work now.”

Thas how I did it. This program removed all items reported by AVG, so it seems every one of them was part of the infection.

Lisandro · 2007-10-29T17:26:57.000Z

Thanks for report. It’s good to know that AVG antirootkit did the work correctly.

Announcements