avast not running?

Hi. My system got infected with a virus, I believe it was wintem.exe. I have the impression the virus killed Avast. When I rebooted my system Avast showed up in the systray with a red slash over it. Then, a few seconds later, it disappeared altogether.

I used other anti-virus software to make sure my system is clean. I don’t seem to have the virus anymore.

I deleted my Avast folder, then reinstalled Avast and rebooted my system and ran the boot-time scan. The install seemed successful, but now no avast icon shows up in my systray at all. I am not sure if Avast is running on my system or not, or how to get the icon back into my systray.

Any help would be appreciated. Thanks!

What does your Task Manager show as running? Avast's processes begin with ash or asw (see image).

As a temporary measure until this is resolved you can create a desktop shortcut for this file: C:\Program Files\Alwil Software\Avast4\ashDisp.exe (the avast icon and interface to the providers). Right-click on the file and select Send To, Desktop (create shortcut).

What other security-based software do you have that might block new startup entries, e.g. Spybot S&D (TeaTimer), AdAware (AdWatch), SpySweeper, Spyware Doctor (StartUpGuard), PrevX, WinPatrol, ProcessGuard, etc.?
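The three checks asked for in the reply above (which avast processes are running, whether ashDisp.exe is still on disk, and what is in the startup entries), collected into one script. This is an added example, not code from the forum post or from Alwil; it assumes the default Avast4 path given in the reply and a PowerShell prompt on the affected Windows XP machine, and it creates the same desktop shortcut the reply describes.

```powershell
# Added example: state checks for a silently disabled avast install.
# Path assumed from the reply above; everything else is derived at run time.
$ashDisp = 'C:\Program Files\Alwil Software\Avast4\ashDisp.exe'

# 1. Which avast processes are actually running? Their names start with ash or asw.
$avastProcs = Get-Process | Where-Object { $_.ProcessName -match '^(ash|asw)' }
if ($avastProcs) {
    $avastProcs | Select-Object ProcessName, Id, Path | Format-Table -AutoSize
} else {
    Write-Warning 'No ash*/asw* processes are running: avast is not active.'
}

# 2. Is the tray program still on disk? A later post reports it vanishing after a reinstall.
if (Test-Path -LiteralPath $ashDisp) {
    Get-Item -LiteralPath $ashDisp | Select-Object Name, Length, LastWriteTime
} else {
    Write-Warning "$ashDisp is missing: something is removing the installer's files."
}

# 3. Run entries: which reference avast/Alwil, and which others are present?
#    Anything you do not recognise here is worth a second look.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $tag = if ($_.Value -match 'alwil|avast') { 'avast' } else { 'other' }
            '{0,-6} {1,-30} {2}' -f $tag, $_.Name, $_.Value
        }
}

# 4. The temporary workaround from the reply: a desktop shortcut to ashDisp.exe.
if (Test-Path -LiteralPath $ashDisp) {
    $shell = New-Object -ComObject WScript.Shell
    $lnkPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'avast.lnk'
    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath = $ashDisp
    $lnk.Save()
}
```

If step 2 reports the file missing immediately after a reinstall, a process enumeration from inside the OS (step 1) is no longer trustworthy on its own, because whatever deletes the file can also hide itself from Get-Process; that is the point at which the later replies move to an out-of-band rootkit scanner.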

Thanks for your reply!

Now I see that Avast is not running. No asw or ash show up in the task manager.

Also there is no “ashDisp.exe” in my Avast folder! Despite the fact I reinstalled the program.

Could whatever virus I got have done something to my system or registry to prevent Avast?

Not sure what to do at this point. I have deleted the Alwil folder and reinstalled a couple of times, with the same results.

I don’t have any other software running that would block new startups.

It would appear that you haven’t got rid of the virus and it could well be a rootkit (hidden) variant of Bagle worm.

Try BlackLight: it can detect rootkits like Rootkit Revealer does, but it can also remove them. http://www.f-secure.com/blacklight/

Also check recent topics, as this seems to be doing the rounds at the moment: search for bagle and blacklight and see if you can monitor what has been said in other topics.

OK, found the topic: http://forum.avast.com/index.php?topic=25822.15 . This is the second page, where BlackLight is cited as detecting it. Then reinstall avast.

Thanks for your help. I’m running Blacklight right now.

So far it says it has found 379 (!!!) hidden items on my computer.

I’ve never seen so many items come up on a virus scan in my life. It is a little worrying!

I am also wondering if Blacklight can really get rid of a rootkit. I read the following in the Wikipedia article for Rootkit:

“For the Windows platform there are many free detection tools such as Blacklight. Another Windows detector is RootkitRevealer from Sysinternals. It will detect all current rootkits by comparing the results from the OS to the actual listing read from the disk itself. However, some rootkits started to add this particular program to a list of files it does not hide from–so in essence, they remove the differences between the two listings, and the detector doesn’t report them.”

The article almost makes it sound like there’s really no way to get rid of a rootkit aside from totally reinstalling Windows. Hope that’s not the case!
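The technique the quoted paragraph describes is cross-view detection: enumerate the same directory twice, once through the operating system's API (which a rootkit can filter) and once from the raw on-disk structures, and report the difference. The following is an added illustration, not code from the thread, from F-Secure or from Sysinternals; both views are constructed in memory so it runs offline, the "raw" listing is a made-up system32 using the three file names posted later in this thread, and the toy rootkit's whitelist of trusted caller names models the evasion the Wikipedia quote warns about.

```python
"""Cross-view rootkit detection, as an added illustration (not from the thread
or from F-Secure/Sysinternals). Real tools compare the Win32 API directory
listing against a listing parsed from raw NTFS structures; here both views
are constructed so the script runs offline."""
from dataclasses import dataclass, field

# Constructed sample: what the raw on-disk listing of system32 contains.
# The last three names are the files reported in this thread.
RAW_SYSTEM32 = {
    "kernel32.dll", "ntdll.dll", "drivers\\ntfs.sys",
    "wintems.exe", "hidr.exe", "drivers\\m_hook.sys",
}


@dataclass
class ToyRootkit:
    """Models a filter that drops its own files from API results, except for
    callers whose image name it trusts (the evasion in the Wikipedia quote)."""
    hidden: set
    trusted_callers: set = field(default_factory=set)

    def api_listing(self, caller: str, raw: set) -> set:
        if caller.lower() in self.trusted_callers:
            return set(raw)            # whitelisted detector sees everything
        return {f for f in raw if f.lower() not in self.hidden}


def cross_view_diff(api_view: set, raw_view: set) -> dict:
    """Items in the raw view but absent from the API view are being hidden.
    Items only in the API view would mean a file appeared between the two
    enumerations; a real scanner re-checks those rather than flagging them."""
    return {
        "hidden_from_api": sorted(raw_view - api_view),
        "only_in_api": sorted(api_view - raw_view),
    }


def scan(rootkit: ToyRootkit, caller: str) -> dict:
    """Run the two enumerations as the named process and diff them."""
    api = rootkit.api_listing(caller, RAW_SYSTEM32)
    return cross_view_diff(api, RAW_SYSTEM32)


# Hypothetical rootkit that hides the thread's three files and stops hiding
# from a process named like a well-known detector.
ROOTKIT = ToyRootkit(
    hidden={"wintems.exe", "hidr.exe", "drivers\\m_hook.sys"},
    trusted_callers={"rootkitrevealer.exe"},
)

if __name__ == "__main__":
    print("as rootkitrevealer.exe:", scan(ROOTKIT, "rootkitrevealer.exe"))
    print("as renamed copy:       ", scan(ROOTKIT, "xk9q2.exe"))
```

Run as the whitelisted name the scan is clean; run as an arbitrarily named copy it reports all three hidden files. That is why the same scan can be run under a renamed binary, and why a clean result from one tool, as the quoted text says, is not proof of a clean machine.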

Ok, I have run blacklight but still no luck. It does not find anything with the name of “bagle.”

It did find the virus I had been notified of before, called "wintems.exe", and I asked it to rename it.

But upon rebooting nothing changed. I still can’t get Avast to install.

If I try to run Super Antispyware scan, my system suddenly reboots in the middle of it.

Any other options?

Ok, I finally managed to solve the problem – only took me all day!

Looking more closely at the Blacklight log I noticed two other files which were lurking there, whose names I remembered coming across when reading up on this problem in forums. It turns out that even though I had deleted wintems.exe, I needed to delete these two as well to get rid of the problem.

So for anyone else who is having the same problem as I am, the solution is:

Run BlackLight.

Find and rename the following files:

Hidr.exe
M_hook.sys
wintems.exe

Glad that you stuck with it, thanks for the feedback, hopefully it could help others.

BlackLight did it for some. One of the issues with Rootkit Revealer is that it just produces raw data, a little like HijackThis, and you need someone to analyse the logs.

I guess those files were in the system32 (or other system) folder, and they need permission to be able to do that. So prevention is the name of the game, as once they get established and hidden it is very difficult to deal with them.

You might also consider proactive protection, in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

Once you get avast installed run a boot-time scan and see if it detects anything else.

If you haven't already got this software (freeware), download, install, update and run it, preferably in Safe Mode:

  1. Ewido (a.k.a. AVG Anti-Spyware) if using winXP, or a-squared Free if using win98/ME.
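The least-privilege point in the reply above, as an added example that is not from the post or from the DropMyRights article: Windows XP and 2003 ship a built-in way to do the same thing, runas /trustlevel, which uses the Software Restriction Policy (SAFER) levels to start a program with a Basic User token. The probe script path and browser path are assumptions; the two operations it tries (writing to system32 and adding an HKLM Run entry) are the two things the reply says a limited account stops.

```powershell
# Added example, not from the post or from the DropMyRights article.
# Assumes Windows XP/2003 (runas /trustlevel is built in) and the default IE path.

# Which trust levels this build offers; 0x20000 is "Basic User".
runas /showtrustlevels

# 1. Browse with a Basic User token instead of the logged-on administrator's token.
runas /trustlevel:0x20000 '"C:\Program Files\Internet Explorer\iexplore.exe"'

# 2. See what the reduced token actually loses. Write a small probe script that
#    attempts the two writes the reply mentions and cleans up after itself if they succeed.
$probe = Join-Path $env:TEMP 'lpu_probe.ps1'
@'
$checks = @{
    'write to system32'  = {
        $p = Join-Path $env:SystemRoot 'system32\lpu_probe.txt'
        Set-Content -Path $p -Value 'x' -ErrorAction Stop
        Remove-Item -Path $p
    }
    'add HKLM Run entry' = {
        $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        New-ItemProperty -Path $k -Name 'lpu_probe' -Value 'x' -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $k -Name 'lpu_probe'
    }
}
foreach ($name in $checks.Keys) {
    try   { & $checks[$name]; "{0}: ALLOWED" -f $name }
    catch { "{0}: denied ({1})" -f $name, $_.Exception.GetType().Name }
}
'@ | Set-Content -Path $probe

# From this (administrator) prompt both checks report ALLOWED...
& $probe

# ...under the Basic User token both report denied.
runas /trustlevel:0x20000 "powershell.exe -NoExit -Command & '$probe'"
```

The caveat a practitioner should keep in mind: the restricted token still carries the user's own rights, so the profile folder and HKCU\Software\Microsoft\Windows\CurrentVersion\Run remain writable, and malware started this way can still persist per-user. It cannot, however, drop drivers or replace files in system32, which is what the infection in this thread needed to do.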

Executable files disappearing looks like rootkit action.
Check http://www.antirootkit.com/software/index.htm

I’ve been recovering from this one for 6 days, now.

It shut down Windows Update service, Firewall and the Security Center then shut down Avast one provider at a time finally deleting Ashdisp.exe. It will keep on deleting as many times as you reinstall, so forget it.

This one is really smart and will be one step ahead of you no matter what you do. I tried a fresh Windows install on another drive, but it somehow prevents you from booting except in the infected installation.

I got a little desperate and deleted some files in system32 named mmf.sys, mmf(2).sys and mmf(2)(3).sys. They looked suspicious enough. After which I couldn't reboot, but was able to do a clean Windows XP install after that.

I’m not sure it’s gone, though. Nothing has been able to lock on to this bugger - and I’ve downloaded just about every antivirus product out there, nothing found.

I managed to save a copy of the infected Windows install folder, if anyone cares to do an autopsy.

I just tried Blacklight, which found nothing. Maybe it’s gone.

Crossing my fingers.