Avast has disapeared

system · 2008-01-02T17:41:45.000Z

Hi everybody,

I got a 32-bits vista and intel dua core computer and for a fews days, it stops by itself and Avast dispears from everywhere (taskbar, menu, desktop and it’s own file) so I can not check out where the issues come from.
I’ve tried to scan my discs through the web (trendmicro & a-squared) but each time I start the devices, a blue screen appears and my computer restarts.
I went in my local services to automatically activate Avast but there’s no way for he computer to find it eventhough I’ve repaired or replaced it.
What am I suppose to do yet before formating everything?
Thanks a lot and happy new year everybody!

Lisandro · 2008-01-02T17:50:28.000Z

Can you boot from Safe Mode and run avast from there?
The same for on-line scanners?
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
AVGas (does not necessary if you have AVG antispyware installed)
F-Secure
BitDefender (free removal of the malware)
HitmanPro (multiply scanners)

system · 2008-01-05T07:24:57.000Z

“Can you boot from Safe Mode and run avast from there?”

I haven’t try this yet.

“The same for on-line scanners?”

yes, I’ve tried two of them (Bit defender & another one linked on the forum), everything turns off with the blue page and reboots.

Lisandro · 2008-01-05T11:18:11.000Z

Ari post:3:

“Can you boot from Safe Mode and run avast from there?”
I haven’t try this yet.

Maybe…

Ari post:3:

“The same for on-line scanners?”
yes, I’ve tried two of them (Bit defender & another one linked on the forum), everything turns off with the blue page and reboots.

Hmmm, a pain one… Can you schedule a boot time scanning with avast? If any system file is infected, don’t delete or send to Chest as you (maybe) cannot boot after that.

system · 2008-01-05T20:31:18.000Z

Hi, I’ve just tried Kaspersky and I got 3 Trojan (or 2, I’ve no idea… :-X):

"C:\Windows\System32\drivers\down\103618187.exe Infected: Trojan-Downloader.Win32.Bagle.gi skipped

C:\Windows\System32\drivers\down\18759718.exe Infected: Trojan.Win32.Pakes.bwy skipped

C:\Windows\System32\drivers\down\97781.exe Infected: Trojan.Win32.Pakes.bwy skipped "

What am I supposed to do? ???(I can not put it in quarantine with it without buying Kaspersky.) and Avast’s still hidden.

Lisandro · 2008-01-05T21:05:22.000Z

Can you see (view) that files into Windows Explorer? Can you delete them? Or booting in Safe Mode and trying to delete?

Are you showing hidden files and folders?
To unhide them, open any folder and go to Tools >folder options > View, then scroll down to where it says ‘Hidden files and folders’ and then check/tick the ‘Show hidden files and folders’.
Then again try and go into the _restore folder and clear the temp folder.

Tutorial here: http://www.bleepingcomputer.com/tutorials/tutorial62.html

Sometimes, only using Unlocker (http://ccollomb.free.fr/unlocker/) or Delete FXP (http://www.jrtwine.com/) you can delete files like that.

system · 2008-01-05T22:45:50.000Z

just use PREVX CSI and eSCAN to remove your viruses. Avast can apparantly not do the job for the moment.

system · 2008-01-05T22:48:45.000Z

Sorry … forgot. It seems that you have a bagle og rootkit virus. Very agressive viruses and you will not be able to install avast, kaspersky or any of the usually used antivirus programs.

system · 2008-01-06T09:10:33.000Z

I’ve deleted all files infected and detected with kaspersky. I just used PREVX CSI and 2 more have appeared in system32:

[b]HLDRRR.EXE
Disagree with this determination?
This executable program has a file size of 587,583 bytes, it is called HLDRRR.EXE and is located in the %windir%\system32\drivers\ folder.
This file is considered unsafe and is part of the malware group, Backdoor.SdBot.gen. It was first seen on Sunday, Jan 6 2008. It has only been seen by one user in this section of the community. The file has only been seen in FRANCE.
HLDRRR.EXE has been seen to perform the following behaviors:

The Process is packed and/or encrypted using a software packing process
HLDRRR.EXE has been the subject of the following behaviors:
Added as a Registry auto start to load Program on Boot up

WINTEMS.EXE
Disagree with this determination?
This executable program has a file size of 471,556 bytes, it is most frequently called WINTEMS.EXE and is most frequently located in the %windir%\system32\ folder.
This file is considered unsafe and is part of the malware group, Trojan.Mitglieder. It was first seen on Saturday, Dec 8 2007. It has been seen frequently by 27 users in this section of the community. The file was first seen in ITALY but has been seen in other locations, including The EUROPEAN UNION.
WINTEMS.EXE has been seen to perform the following behaviors:

The Process is packed and/or encrypted using a software packing process
The Process is polymorphic and can change its structure
This Process Creates Other Processes On Disk
Executes a Process
This Process Deletes Other Processes From Disk
Creates a TCP port which listens and is available for communication initiated by other computers
Registers a Dynamic Link Library File
Makes outbound connections to other computers using NETBIOSOUT protocols
Can communicate with other computer systems using HTTP protocols
WINTEMS.EXE has been the subject of the following behaviors:
Added as a Registry auto start to load Program on Boot up
Created as a process on disk
Executed as a Process
Deleted as a process from disk
Terminated as a Process[/b]

“It seems that you have a bagle og rootkit virus. Very agressive viruses and you will not be able to install avast, kaspersky or any of the usually used antivirus programs.”

What am I supposed to do then?

system · 2008-01-06T13:32:00.000Z

I’ve just recovered my system from Bagle.hk (as it is named by Kaspersky). And that’s what I did.
Try searching and deleting every single mention of hldrrr and srosa in registry. In my case there was no wintems.exe file, so I’m not sure if it’s in registry. After that reboot and if you cleaned registry good worm will not be active, so you can search for infected files. Try searching for files with the same size and date/time as virus (hldrrr and wintems). Also check programs in auto-run.
You can search more information by using words “srosa” and “Bagle” (or “Beagle”) and use Kaspersky online file checking.

system · 2008-01-06T14:07:13.000Z

I tried to delete hldrrr files but I’m not the full administrator, so I’m not allowed to do it. How can I change that? ???

Lisandro · 2008-01-06T14:27:41.000Z

Ari post:11:

I tried to delete hldrrr files but I’m not the full administrator, so I’m not allowed to do it. How can I change that? ???

Boot in Safe Mode and try from there.
Also, try Sometimes, only using Unlocker (http://ccollomb.free.fr/unlocker/) or Delete FXP (http://www.jrtwine.com/) or KillBox (http://killbox.net/).

system · 2008-01-06T22:34:13.000Z

It’s done yet for the hldrrr files! Thanks a lot to everybody!!! :-*

Lisandro · 2008-01-07T00:36:56.000Z

Ari post:13:

It’s done yet for the hldrrr files!

What you have done?

system · 2008-01-07T16:51:29.000Z

I changed the management settings of the system32 file and became full administrator. I’ve rebooted and was able to delete the contaminating root. But thanks to that, I’ve no idea how, Microsoft deceted that my Vista is cracked…and as I don’t have the key…shitty new year beginning!

Lisandro · 2008-01-07T20:32:17.000Z

Ari post:15:

I changed the management settings of the system32 file and became full administrator.

I really won’t trust in any settings besides the default ones for system32 folder…

Announcements