I have a 32-bit Vista and Intel dual-core computer, and for a few days it has been stopping by itself and Avast disappears from everywhere (taskbar, menu, desktop and its own file), so I cannot check where the issues come from.
I've tried to scan my disks through the web (Trend Micro & a-squared), but each time I start the devices, a blue screen appears and my computer restarts.
I went into my local services to set Avast to start automatically, but there's no way for the computer to find it even though I've repaired or replaced it.
What am I supposed to do before formatting everything?
Thanks a lot and happy new year everybody!
Can you boot into Safe Mode and run avast from there?
The same for on-line scanners?
Kaspersky (very good detection rates)
ESET NOD32
Trend Micro HouseCall
AVGas (not necessary if you have AVG Anti-Spyware installed)
F-Secure
BitDefender (free removal of the malware)
HitmanPro (multiple scanners)
Hmmm, a painful one… Can you schedule a boot-time scan with avast? If any system file is infected, don't delete it or send it to the Chest, as you (maybe) cannot boot after that.
Can you see (view) those files in Windows Explorer? Can you delete them? Or boot in Safe Mode and try to delete them?
Are you showing hidden files and folders?
To unhide them, open any folder and go to Tools > Folder Options > View, then scroll down to where it says ‘Hidden files and folders’ and check/tick ‘Show hidden files and folders’.
Then try again to go into the _restore folder and clear the temp folder.
Sorry … forgot. It seems that you have a Bagle and rootkit virus. Very aggressive viruses, and you will not be able to install avast, Kaspersky or any of the usually used antivirus programs.
I've deleted all infected files detected with Kaspersky. I just used PREVX CSI and 2 more have appeared in system32:
[b]HLDRRR.EXE
This executable program has a file size of 587,583 bytes; it is called HLDRRR.EXE and is located in the %windir%\system32\drivers\ folder.
This file is considered unsafe and is part of the malware group, Backdoor.SdBot.gen. It was first seen on Sunday, Jan 6 2008. It has only been seen by one user in this section of the community. The file has only been seen in FRANCE.
HLDRRR.EXE has been seen to perform the following behaviors:
The Process is packed and/or encrypted using a software packing process
HLDRRR.EXE has been the subject of the following behaviors:
Added as a Registry auto start to load Program on Boot up
WINTEMS.EXE
This executable program has a file size of 471,556 bytes; it is most frequently called WINTEMS.EXE and is most frequently located in the %windir%\system32\ folder.
This file is considered unsafe and is part of the malware group, Trojan.Mitglieder. It was first seen on Saturday, Dec 8 2007. It has been seen frequently by 27 users in this section of the community. The file was first seen in ITALY but has been seen in other locations, including The EUROPEAN UNION.
WINTEMS.EXE has been seen to perform the following behaviors:
The Process is packed and/or encrypted using a software packing process
The Process is polymorphic and can change its structure
This Process Creates Other Processes On Disk
Executes a Process
This Process Deletes Other Processes From Disk
Creates a TCP port which listens and is available for communication initiated by other computers
Registers a Dynamic Link Library File
Makes outbound connections to other computers using NETBIOSOUT protocols
Can communicate with other computer systems using HTTP protocols
WINTEMS.EXE has been the subject of the following behaviors:
Added as a Registry auto start to load Program on Boot up
Created as a process on disk
Executed as a Process
Deleted as a process from disk
Terminated as a Process[/b]
“It seems that you have a Bagle and rootkit virus. Very aggressive viruses, and you will not be able to install avast, Kaspersky or any of the usually used antivirus programs.”
I've just recovered my system from Bagle.hk (as Kaspersky names it). And this is what I did.
Try searching for and deleting every single mention of hldrrr and srosa in the registry. In my case there was no wintems.exe file, so I'm not sure if it's in the registry. After that, reboot, and if you cleaned the registry well the worm will not be active, so you can search for infected files. Try searching for files with the same size and date/time as the virus (hldrrr and wintems). Also check the programs in auto-run.
You can search for more information using the words “srosa” and “Bagle” (or “Beagle”), and use Kaspersky's online file checking.
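The two manual procedures described in this thread (show hidden files in system32, then hunt for every mention of hldrrr/srosa/wintems in autostart registry entries and look for files sharing the malware's size or date/time) can be scripted. The PowerShell below is an added example, not code from any of the posters, from avast or from Prevx. The three names and the two byte sizes are taken from the posts above; the Run/RunOnce keys and the Services key are assumed locations to look in (the thread does not say where srosa was registered), and nothing else here is stated by the thread. Run it from an elevated prompt; it only reports and deletes nothing.

```powershell
# Added example (not from the thread): report Bagle artifacts named in the posts above.
# Assumptions: the strings hldrrr/srosa/wintems and the two file sizes come from the
# thread; Run/RunOnce and Services are assumed places where such a worm registers.
# Run from an elevated PowerShell prompt. It only reports; nothing is deleted.

function Find-BagleArtifacts {
    $names = @('hldrrr', 'srosa', 'wintems')   # names mentioned in the posts above
    $sizes = @(587583, 471556)                 # byte sizes from the Prevx report above
    $hits  = @()

    # 1. Registry autostart values (Run/RunOnce for the machine and the current user).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # provider metadata, not a value
            foreach ($n in $names) {
                if ("$($p.Name) $($p.Value)" -match $n) {
                    $hits += New-Object PSObject -Property @{
                        Kind = 'autostart'; Location = $key; Detail = "$($p.Name) = $($p.Value)"
                    }
                }
            }
        }
    }

    # 2. Services/drivers whose key name or ImagePath mentions one of the strings
    #    (assumption: a driver component would be registered here).
    foreach ($svc in (Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services')) {
        $image = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        foreach ($n in $names) {
            if ($svc.PSChildName -match $n -or "$image" -match $n) {
                $hits += New-Object PSObject -Property @{
                    Kind = 'service'; Location = $svc.PSChildName; Detail = "ImagePath = $image"
                }
            }
        }
    }

    # 3. Files in system32 and system32\drivers. -Force includes hidden/system files,
    #    which is what the 'Show hidden files and folders' tip above achieves in Explorer.
    $dirs  = @("$env:windir\system32", "$env:windir\system32\drivers")
    $files = foreach ($d in $dirs) {
        Get-ChildItem -Path $d -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
    }
    # Seeds are files matching a name; then flag anything sharing a seed's size or
    # LastWriteTime, i.e. the 'same size and date/time' search suggested above.
    $seeds = $files | Where-Object { $f = $_; ($names | Where-Object { $f.Name -match $_ }).Count -gt 0 }
    $seedSizes = @($sizes) + @($seeds | ForEach-Object { $_.Length })
    $seedTimes = @($seeds | ForEach-Object { $_.LastWriteTime })
    foreach ($f in $files) {
        $isSeed = ($seeds | Where-Object { $_.FullName -eq $f.FullName }).Count -gt 0
        $bySize = $seedSizes -contains $f.Length
        $byTime = $seedTimes -contains $f.LastWriteTime
        if ($isSeed -or $bySize -or $byTime) {
            $hits += New-Object PSObject -Property @{
                Kind = 'file'; Location = $f.FullName
                Detail = "size=$($f.Length) written=$($f.LastWriteTime) attrs=$($f.Attributes)"
            }
        }
    }
    $hits
}

Find-BagleArtifacts | Format-Table Kind, Location, Detail -AutoSize
```

Two caveats a practitioner would want here. First, a kernel-mode rootkit of the kind this Bagle variant carries can hide files and registry keys from user-mode tools, and this script is a user-mode tool, so an empty result on the live system is not proof the machine is clean; running it from Safe Mode, or scanning from outside the infected OS (the boot-time scan suggested earlier in the thread), is more trustworthy. Second, a LastWriteTime or size match is a lead to examine, not proof of infection: files installed together legitimately share timestamps too, so check each hit (for instance with Kaspersky's online file checking mentioned above) before deleting anything.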
I changed the management settings of the system32 file and became full administrator. I rebooted and was able to delete the contaminating root. But thanks to that, I've no idea how, Microsoft detected that my Vista is cracked… and as I don't have the key… shitty start to the new year!