1. Startup message from a fake avast asking for a license thing.
2. Hidden task manager
3. Hidden folder options
4. ashdisp.exe on startup (locked)
5. Many trojans (I removed them, I guess)
This is not my laptop so I don't know what happened exactly.
Avast seems to be a fake antivirus; it has a blue icon with a small letter a.
I downloaded the Bitdefender rescue disk and updated it and found 17 trojan/virus/… I chose delete.
Going back to Windows I found one startup file that refuses to go away, ashdisp.exe, and a folder in Program Files named “alwil software”, inside it “avast4”, and inside that many files that are protected (all of them).
Using msconfig I was not able to disable ashdisp.exe from running; using other tools I got a denied error.
Uninstall from Add/Remove gave an error too (trying to uninstall avast).
Booting into safe mode caused a restart and went back to the safe mode options.
Looking at the safe mode drivers I found it restarts on bthidmgr.sys, so I uninstalled Bluetooth.
After that safe mode restarted on a different driver, mup.sys.
I used some online scanners and local ones (ESET & Trend Micro scanners & Emsisoft Anti-Malware); some found a few more things and I deleted them, but the PC is still not working correctly.
Using Malwarebytes, it found registry errors and some issues, and after a restart I was able to gain access to folder options and task manager, but I still:
1. Got the licence key error on startup
2. Am not able to remove avast, getting “Avast! A setiface error has accured: 2 try to reinstall or contact support, please.”
3. Startup file ashdisp.exe still unremovable.
4. I also lost the network card so I reinstalled it.
Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
ashDisp.exe belongs to avast! 4.8. From looking a little at the log, I can see that it appears that 4.8 is installed.
The reason that you will not be able to delete the file is because of the self defense module.
ALWIL Software was the name of the company that made avast, but that has changed now to AVAST Software.
As for the actual infections, that is for someone more knowledgeable. essexboy is usually the one who reads the OTL logs best, so I will defer to him for that.
Uninstall avast from Control Panel (if possible). If, for any reason, you can’t run it, try booting in Safe Mode and doing it from there. Anyway, reboot after that.
Run the avast! Uninstall Utility saved in step 1. If, for any reason, you can’t run it, try booting in Safe Mode and doing it from there. Anyway, reboot after you’ve run it.
Install avast! using the setup saved in step 2. Reboot.
Register your free copy or add the license key for Pro.
Check and post the results. If, for any reason, that did not solve it, try doing step 3 in Safe Mode anyway.
My friend, uninstall doesn’t work and safe mode is not accessible, how then?
I tried it requesting safe mode or disabling protection??
Update:
I installed the new version 5.** and on its own it removed version 4.8. I scanned using reboot mode and all seems clean. I haven’t checked safe mode yet; I will try Windows Update since this PC has never been updated.
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Thanks for the links you gave me, but I can’t get it to run in safe mode. I would like to start scanning there first and of course have my safe mode back. Safe mode stops at mup.sys, and I read many internet discussions and they say it’s usually a problem with the sys file that comes after the one the startup stopped at. Is there a memory dump or so that lists the sys file that didn’t load? I have downloaded Secunia and I got a score of 94% (old .NET versions not being fixed by auto update). I am saying that because most people suggest a clean registry, but I spent too much time downloading and updating Windows and drivers (new BIOS ver., new LAN, new wifi, new thumbpad, new video) and would like to pinpoint the problematic sys file and redownload the driver. Is that possible?
Dear essexboy:
Is what you pasted safe on the registry? I mean, does it harm a fine registry? I seem to have some problems because of the files I deleted with the Bitdefender boot CD, but I guess it’s 80-90% done and I just need a scan in safe mode. I don’t understand most of the script; I mean, would you do it on a daily basis without causing trouble, or just in extreme cases? Thanks.
Thank you scott
I find it strange that avast was in a blue theme, a strange mp3-player-like interface that has no scan options, a blue desktop icon with the letter “a”. I had avast before and I downloaded the new avast and they are both orange; it was not like anything I know about avast.
Not strange, really… it is just that you started using avast after version 5, which started the whole orange/grey theme… and it is understandable that this would cause confusion.
As per your question to essexboy about his post, since he is not here at the moment (and may not be until later today), I will answer for him somewhat.
The script he has put together is specifically made for the machine that the logs came from, and it is based on what he can see in those logs. If you take a look at his posts you will see similar replies…
Obviously, you can wait for essexboy’s reply though, he is the one that knows more
That is correct, it is based on your system alone, and anything I remove should not be there. Looking at the log you cannot access task manager or regedit at the moment. When you ran Bitdefender did it delete a file called atapi.sys?
Oh, that’s kind of you to do this. No, I regained access to all of Windows (except safe mode); I think Malwarebytes helped do that, not Bitdefender, not ESET; they don’t seem interested in fixing the aftermath of viruses. Bitdefender deleted 1500 to 1600 files; now I feel it was a big mistake. I went to Toshiba and downloaded every driver I didn’t download before (useful or not) but safe mode still stops at mup.sys. I found the option in the startup menu to enable logging but I found no log after the hang. Regarding atapi.sys, I downloaded the DVD driver and Nero; they don’t restore atapi or mention it’s missing. I am not sure, but I will look for it, so what is the name of the device I need to download to redownload atapi? I didn’t see IDE in the Toshiba driver list, I think. Sorry to bother you with this.
I will run your custom scan, maybe it will help. Thank you.
Generally the driver that follows mup.sys is atapi.sys; the file you see on the screen is the last one successfully loaded.
The most common cause is an issue with the executing PnP (Plug and Play) and ACPI routines.
To fix the issue, we need to access the computer from Recovery Console.
If you do have your Windows CD
To start the Recovery Console directly from the Windows XP CD you would do the following:
1. Insert the Windows XP CD in your computer.
2. Restart your computer so you are booting off of the CD.
3. When the Welcome to Setup screen appears, press the R button on your keyboard to start the Recovery Console.
4. The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press Enter. If you have just one Windows installation, type 1 and press Enter.
5. It will then prompt you for the Administrator’s password. If there is no password, simply press Enter. Otherwise type in the password and then press Enter.
6. If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.
Type map and press enter.
It will give you the drive letters.
Note down the letter of your CD-ROM.
If it is a letter other than E, replace the letter E with your CD drive letter when applying the expand command later on, if that command turns out to be needed.
Type the following commands, pressing Enter after each one.
1. ren c:\windows\system32\drivers\atapi.sys atapi.old
   (It returns to the prompt again without notification.)
2. copy c:\windows\servicepackfiles\i386\atapi.sys c:\windows\system32\drivers
   (If you get the notification “1 file(s) copied” you don’t need the next expand command; go to the exit command. But if you get a notification that the file doesn’t exist, proceed with the expand command.)
3. expand e:\I386\atapi.sy_ c:\windows\system32\drivers
   (You should be notified that the file expanded.)
4. exit
You may remove the CD or let Windows boot normally.
If you don’t have your Windows CD
Please download ARCDC from Artellos.com.
1. Double click ARCDC.exe
2. Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
3. You will be prompted with a Terms of Use by Microsoft, please accept.
4. You will see a few DOS screens flash by, this is normal.
5. Next you will be able to choose to add extra files. Select the Default Files.
6. The last window will allow you to burn the disk using BurnCDCC
Then, follow instructions from Step #1 above.
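essexboy's rule above (the driver shown on screen is the last one that loaded successfully, and the next driver in the load order, usually atapi.sys after mup.sys, is the one to suspect) can also be applied to the boot log that the startup menu's "Enable Boot Logging" option writes to %SystemRoot%\ntbtlog.txt. The following is an added example, not code from the thread or from any of the tools mentioned: it parses the standard "Loaded driver" / "Did not load driver" lines of such a log, lists the drivers that failed, and, given the load order from a known-good boot, names the driver that should have loaded right after the last one seen on screen. The two log excerpts embedded below are constructed for the example, not taken from the poster's machine.

```python
"""Pinpoint the suspect driver after a Safe Mode hang from a Windows boot log.

Added example. Assumes the usual ntbtlog.txt line shapes
    Loaded driver <path>
    Did not load driver <path>
Sample logs in this file are constructed, not real logs from the thread.
"""
import re
from typing import List, Optional, Tuple

# One boot-log entry: the keyword, then the driver path (with backslashes).
LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$")


def parse_boot_log(text: str) -> Tuple[List[str], List[str]]:
    """Return (loaded, failed) driver file names, in log order, lower-cased.

    Header lines (service pack / timestamp) and anything else are skipped.
    """
    loaded: List[str] = []
    failed: List[str] = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        # Keep only the file name; the log mixes \System32\DRIVERS and \Drivers casing.
        name = match.group(2).replace("/", "\\").rsplit("\\", 1)[-1].lower()
        (loaded if match.group(1) == "Loaded driver" else failed).append(name)
    return loaded, failed


def next_driver_after(reference_order: List[str], last_seen: str) -> Optional[str]:
    """Given the load order from a known-good boot and the last driver shown on
    screen during the hung boot, return the driver that should have loaded next
    (the one to check or replace). None if last_seen is missing or was last."""
    last = last_seen.lower()
    for index, name in enumerate(reference_order):
        if name == last and index + 1 < len(reference_order):
            return reference_order[index + 1]
    return None


# Constructed sample: a boot that completed, used as the reference load order.
GOOD_BOOT_LOG = """Service Pack 3  3 14 2011 21:05:11.500
Loaded driver \\SystemRoot\\System32\\DRIVERS\\ACPI.sys
Loaded driver \\SystemRoot\\system32\\DRIVERS\\pci.sys
Loaded driver \\SystemRoot\\System32\\Drivers\\Mup.sys
Loaded driver \\SystemRoot\\System32\\DRIVERS\\atapi.sys
Loaded driver \\SystemRoot\\System32\\DRIVERS\\disk.sys
Did not load driver \\SystemRoot\\System32\\DRIVERS\\bthidmgr.sys
"""

# Constructed sample: the log from a boot that hung right after Mup.sys.
HUNG_BOOT_LOG = """Service Pack 3  3 15 2011 09:12:40.250
Loaded driver \\SystemRoot\\System32\\DRIVERS\\ACPI.sys
Loaded driver \\SystemRoot\\system32\\DRIVERS\\pci.sys
Loaded driver \\SystemRoot\\System32\\Drivers\\Mup.sys
"""


def suspect_driver(good_log: str, hung_log: str) -> Optional[str]:
    """Combine the two steps: reference order from the good log, last loaded
    driver from the hung log, and return the driver that should have followed."""
    reference, _ = parse_boot_log(good_log)
    hung_loaded, _ = parse_boot_log(hung_log)
    if not hung_loaded:
        return None
    return next_driver_after(reference, hung_loaded[-1])


if __name__ == "__main__":
    loaded, failed = parse_boot_log(GOOD_BOOT_LOG)
    print("reference load order:", ", ".join(loaded))
    print("drivers that failed to load:", ", ".join(failed) or "none")
    print("suspect after the hang:", suspect_driver(GOOD_BOOT_LOG, HUNG_BOOT_LOG))
```

On a real machine the reference log has to come from a boot that finished (for instance a normal boot on the same machine, since the hung Safe Mode boot may never flush its log, as the poster saw); the suspect name is then the driver to compare against the copy under servicepackfiles\i386 before replacing it, rather than a conclusion on its own.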
That’s exactly what I was looking for, but it doesn’t work. I put the CD in and either I let it load and it reaches the partitioning and deleting page, or clicking F2 (not R) leads to Automated recovery, but I get:
Please insert the disk labeled:
windows automated system recovery disk
Into the floppy drive.
Press any key when ready.
Any idea what’s wrong with this CD? And it’s a laptop so no floppy available!
Update:
Used step 2: I burned the DVD, loaded recovery and expanded…
I went into safe mode and again mup.sys, then reboot into the startup menu!!!
Damn it, I am reinstalling Windows… >:(
Thank you Essexboy, spg SCOTT, Tech for every minute of your time.