Hi. My system got infected with a virus, I believe it was wintem.exe. I have the impression the virus killed Avast. When I rebooted my system Avast showed up in the systray with a red slash over it. Then, a few seconds later, it disappeared altogether.
I used other anti-virus software to make sure my system is clean. I don’t seem to have the virus anymore.
I deleted my Avast folder, then reinstalled Avast and rebooted my system and ran the boot-time scan. The install seemed successful, but now no avast icon shows up in my systray at all. I am not sure if Avast is running on my system or not, or how to get the icon back into my systray.
What does your Task Manager show is running? They begin with ash or asw, see image.
As a temporary measure until this is resolved you can create a desktop shortcut for this file C:\Program Files\Alwil Software\Avast4\ashDisp.exe (the avast icon and interface to the providers). Right click on the file and select Send To, Desktop (create shortcut).
What other security based software do you have that might block new startup entries, e.g. Spybot S&D (TeaTimer), AdAware (AdWatch), SpySweeper, Spyware Doctor (StartUpGuard), PrevX, WinPatrol, ProcessGuard, etc. ?
Also check recent topics as this seems to be doing the rounds at the moment, a search for bagle and blacklight and see if you can monitor what has been said in other topics.
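The check the reply above asks for (which avast processes, all named ash* or asw*, are actually running) can be scripted instead of read off a Task Manager screenshot. The following is an added example and not code from the thread or from Alwil/Avast: it parses the text that the Windows `tasklist` command prints and reports which expected components are present and which are missing. The `tasklist` listing below is constructed for the demonstration; ashDisp.exe is the tray program named in the reply, while ashServ.exe and aswUpdSv.exe are further Avast 4 component names assumed here and should be adjusted to the installed version.

```python
"""Report which Avast 4 components appear in a `tasklist` listing.

Added example, not from the forum thread or from Avast. Parses `tasklist`
output (Windows) and flags expected avast processes (names beginning with
`ash` or `asw`) that are running or missing.
"""
import platform
import re
import subprocess

# ashDisp.exe is named in the thread; the other two are Avast 4 component
# names assumed for this example. Adjust to match the installed version.
EXPECTED = ("ashDisp.exe", "ashServ.exe", "aswUpdSv.exe")

# Constructed sample of `tasklist` output: the services are up, but the
# tray program ashDisp.exe (the systray icon) is absent.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         16 K
explorer.exe                  1234 Console                    0     18,560 K
ashServ.exe                   1400 Console                    0     22,104 K
aswUpdSv.exe                  1412 Console                    0      4,212 K
firefox.exe                   2048 Console                    0     45,000 K
"""

# A process line: image name (may contain spaces), PID, session name,
# session number and memory usage ending in " K". Header and separator
# lines do not match because their PID column is not numeric.
_LINE = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tasklist(text):
    """Return {image_name: pid} for every process line in tasklist output."""
    procs = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            procs[m.group("name")] = int(m.group("pid"))
    return procs


def avast_processes(procs):
    """Names beginning with ash or asw, case-insensitively, sorted."""
    return sorted(n for n in procs if n.lower().startswith(("ash", "asw")))


def avast_status(text, expected=EXPECTED):
    """Split the expected component names into running and missing."""
    procs = parse_tasklist(text)
    seen = {n.lower() for n in procs}
    return {
        "running": avast_processes(procs),
        "missing": [n for n in expected if n.lower() not in seen],
    }


def run_tasklist():
    """Capture live `tasklist` output; only meaningful on Windows."""
    if platform.system() != "Windows":
        raise RuntimeError("tasklist is only available on Windows")
    return subprocess.run(["tasklist"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # On a real machine use avast_status(run_tasklist()) instead.
    status = avast_status(SAMPLE_TASKLIST)
    print("running:", ", ".join(status["running"]) or "none")
    print("missing:", ", ".join(status["missing"]) or "none")
```

A missing ashDisp.exe with the services still running matches the symptom in the first post (no icon, yet the scanner may still be active); a missing service process is the more serious finding, since the resident protection is then not running at all.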
Thanks for your help. I’m running Blacklight right now.
So far it says it has found 379 (!!!) hidden items on my computer.
I’ve never seen so many items come up on a virus scan in my life. It is a little worrying!
I am also wondering if Blacklight can really get rid of a rootkit. I read the following in the Wikipedia article for Rootkit:
“For the Windows platform there are many free detection tools such as Blacklight. Another Windows detector is RootkitRevealer from Sysinternals. It will detect all current rootkits by comparing the results from the OS to the actual listing read from the disk itself. However, some rootkits started to add this particular program to a list of files it does not hide from – so in essence, they remove the differences between the two listings, and the detector doesn’t report them.”
The article almost makes it sound like there’s really no way to get rid of a rootkit aside from totally reinstalling Windows. Hope that’s not the case!
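The cross-view technique the quoted article describes, and its blind spot, can be shown with a few constructed sets. This is an added example, not code from the thread, from Wikipedia or from RootkitRevealer: one listing stands for what is really on disk, one for what the operating system tells an ordinary program, and one for what it tells a detector the hider has exempted. The file names are taken from the thread (wintems.exe, mmf.sys) and used only as sample entries. The last function goes beyond the single comparison in the article: it takes any number of observers (for example an offline or boot-time scan as a further independent view) and reports every name that at least one of them did not see.

```python
"""Cross-view rootkit detection, as in the quoted article (added example).

A hider that filters names out of the OS's answers cannot filter the raw
disk structures, so names present on disk but absent from the API view are
flagged. If the hider exempts the detector, the two views agree and the
diff is empty, which is why an independent view (e.g. a scan from outside
the running system) is valuable. All listings below are constructed.
"""

# What a raw read of the folder's on-disk structures shows (constructed).
RAW_DISK_VIEW = {"explorer.exe", "notepad.exe", "wintems.exe", "mmf.sys"}

# What the OS reports to an ordinary program: two names filtered out.
ORDINARY_API_VIEW = {"explorer.exe", "notepad.exe"}

# What the OS reports to a detector the hider has exempted: nothing filtered.
EXEMPTED_API_VIEW = set(RAW_DISK_VIEW)


def hidden_entries(api_view, raw_view):
    """Cross-view diff: names on disk that the API view did not report."""
    return sorted(raw_view - api_view)


def inconsistent_entries(views):
    """Generalisation to any number of observers.

    `views` maps an observer name to the set of names it saw. Returns
    {name: [observers that missed it]} for every name that some observer
    saw and another did not. Agreement among all observers proves
    nothing on its own; disagreement always deserves a look.
    """
    union = set().union(*views.values())
    result = {}
    for name in sorted(union):
        missed = sorted(obs for obs, seen in views.items() if name not in seen)
        if missed:
            result[name] = missed
    return result


if __name__ == "__main__":
    print("ordinary program vs disk:", hidden_entries(ORDINARY_API_VIEW, RAW_DISK_VIEW))
    print("exempted detector vs disk:", hidden_entries(EXEMPTED_API_VIEW, RAW_DISK_VIEW))
    print("all observers:", inconsistent_entries({
        "raw_disk": RAW_DISK_VIEW,
        "exempted_detector": EXEMPTED_API_VIEW,
        "ordinary_program": ORDINARY_API_VIEW,
    }))
```

The second comparison is the case the article warns about: the exempted detector is shown the complete listing, so it has nothing to report. Adding a view taken from outside the running system (a boot-time scan, or the disk mounted from another installation) restores a disagreement the hider cannot suppress from inside the infected OS.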
Ok, I finally managed to solve the problem – only took me all day!
Looking more closely at the Blacklight log I noticed two other files which were lurking there, whose names I remembered coming across when reading up on this problem in forums. It turns out that even though I had deleted wintems.exe, I needed to delete these two as well to get rid of the problem.
So for anyone else who is having the same problem as I am, the solution is:
Glad that you stuck with it, thanks for the feedback, hopefully it could help others.
Blacklight did it for some. One of the issues with rootkit revealer is that it just produces raw data a little like hijackthis and you need someone to analyse the logs.
I guess those files were in the system32 (or other system) folder and they need permission to be able to do that so prevention is the name of the game as once they get established and hidden it is very difficult to deal with them.
You might also consider proactive protection, in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.
Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.
Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
Once you get avast installed run a boot-time scan and see if it detects anything else.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.
I’ve been recovering from this one for 6 days, now.
It shut down Windows Update service, Firewall and the Security Center then shut down Avast one provider at a time finally deleting Ashdisp.exe. It will keep on deleting as many times as you reinstall, so forget it.
This one is really smart and will be one step ahead of you no matter what you do. I tried a fresh Windows install on another drive, but it somehow prevents you from booting except in the infected installation.
I got a little desperate and deleted some files in system32 named mmf.sys, mmf(2).sys and mmf(2)(3).sys. They looked suspicious enough. After which I couldn’t reboot, but was able to do a clean Windows XP install after that.
I’m not sure it’s gone, though. Nothing has been able to lock on to this bugger - and I’ve downloaded just about every antivirus product out there, nothing found.
I managed to save a copy of the infected Windows install folder, if anyone cares to do an autopsy.
I just tried Blacklight, which found nothing. Maybe it’s gone.