Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: nhmaster on January 05, 2007, 03:46:05 PM
-
Hello
I have a problem that some virus or program is deleting the exe operating file of any virus protection including avast?? I install it, it appears for seconds after install then becomes deleted, have read a few threads with similar comments but no answers
Shaun
-
Hello and welcome :)
Have you tried running some online scans, for example:
http://housecall.trendmicro.com/
http://www.emsisoft.com/en/software/ax/ ... ?
EDIT: also can you post your HiJackThis (http://filehippo.com/download_hijackthis/) Log file here, so we can have a look at it?
-
Which file is it deleting ?
There is an ashavast.exe file but that only starts the program and runs the memory check and simple user interface to run an on-demand scan.
On-line Virus Scanners and other useful Links Security-Ops.eu.tt (http://www.security-ops.eu.tt)
You could also use an on-line scanner to confirm: establish a connection to the on-line scanner of your choice and just before you do the scan, pause Standard Shield, enable after completion. Assuming you can get it to run.
Whilst the other topics you say you have read suggested options like other scanners, etc. what have you tried ?
-
Does not make any difference, will not permit a panda scan online, any ideas what's causing it??
Shaun
-
Does not make any difference, will not permit a panda scan online, any ideas what's causing it??
Have you tried with other online scanners? If not, try another scanner. There are lots of links on the site DavidR gave you ;)
If no scanner can start, post your HiJackThis (http://filehippo.com/download_hijackthis/) log file here ;)
-
Hiya
Here is a screenshot of the only exe files that remain after install
Shaun
(http://www.look-tenerifeproperty.com/images/ScreenHunter_004.jpg)
something has deleted the icons in sys tray and the related exe files??
Shaun
-
Hiya again
Done all types of online scans, most lock up before completion, trend scan completed and got a couple but prob still persists
Here's the HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 15:18:12, on 05/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\winxp\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BespokeMarketing Harvester Recovery] C:\Program Files\BespokeMarketing\Harvester\stabliser.exe -logon=fulllisense
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: RentRight Reminder System.lnk = C:\Program Files\RentVer3\reminder.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160579613167
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D84757-1D5C-4387-ADF7-CE03F45A37A8}: NameServer = 80.58.0.33,80.58.32.97
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4A99A0A-4237-4F7D-845B-3782DC0F9637}: NameServer = 80.58.0.33,80.58.32.97
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
Shaun
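A way to pull the entries worth a second look out of a HijackThis log like the one above, added here as an example and not part of the original post. The three review rules are assumptions chosen for illustration; the sample lines are copied from the log in this thread.

```python
import re

# Lines copied from the log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\acs.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
"""

# Entry lines start with a section code such as R1, O4 or O23, then " - ".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
DRIVE_PATH = re.compile(r"[A-Za-z]:\\")

def parse_entries(text):
    """Return (code, detail) pairs; header and process lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def triage(text):
    """Return (code, reason, detail) for entries worth a manual look.

    The reasons are review prompts chosen for this example, not verdicts.
    """
    notes = []
    for code, detail in parse_entries(text):
        if detail.endswith("(file missing)"):
            notes.append((code, "target file missing", detail))
        elif code == "O23" and " - Unknown owner - " in detail:
            notes.append((code, "owner reported as unknown", detail))
        elif code == "O4" and not DRIVE_PATH.search(detail):
            notes.append((code, "autostart without a full path", detail))
    return notes

if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:>3}  {reason}: {detail}")
```

A log with no flagged lines does not rule out an infection: HijackThis only lists what it can see, and a rootkit that hides its own service key or files will not appear in it.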
-
hmmm... :-\ I'm afraid I cannot see any problems with your log file, maybe someone else will have a look at it.
But meantime, what did the Trend scanner find?
-
Hello
A couple of trojan generic viruses that it deleted. Another strange thing is the same virus has disabled the option of safemode, it will not allow you to reboot in safemode
-
Does not make any difference, will not permit a panda scan online, any ideas what's causing it??
Have a look at the windows/hosts file (there is no file extension, use notepad to look/edit), there is likely to be a number of entries for AV sites, 127.0.0.1 http://www.pandasoftware.com, etc. If there are, delete the entry lines.
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode if you can get in there.
1. Ewido, a.k.a. avg anti-spyware (http://www.ewido.net/en/download/) if using winXP, or a-Squared free (http://www.emsisoft.com/en/software/free/) if using win98/ME.
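The hosts-file check described in the post above, as an added example that is not part of the original post. It goes a little further than the post by also catching 0.0.0.0 and IPv6 loopback entries; the watch list of vendor domains is an assumption built from the scanner sites named in this thread, and the sample file is constructed.

```python
import ipaddress

# Constructed sample hosts file; the vendor lines mimic the tampering described above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.pandasoftware.com
0.0.0.0         housecall.trendmicro.com download.bitdefender.com  # blocked
192.0.2.10      intranet.example
127.0.0.1       www.avast.com.example.net
"""

# Assumption: vendor domains to watch, taken from scanner sites named in this thread.
WATCHED = ("pandasoftware.com", "trendmicro.com", "bitdefender.com",
           "kaspersky.com", "emsisoft.com", "avast.com", "ewido.net",
           "f-secure.com")

def is_sinkhole(addr):
    """True for loopback or unspecified addresses (127.0.0.0/8, ::1, 0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def matches_watched(host):
    """True if host is a watched domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED)

def find_blocked_vendors(text):
    """Return (line_no, address, hostname) for watched hosts pointed at a sinkhole."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if not is_sinkhole(addr):
            continue
        hits.extend((n, addr, h) for h in names if matches_watched(h))
    return hits

if __name__ == "__main__":
    for n, addr, host in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"line {n}: {host} -> {addr}")
```

On Windows XP and later the file to read is normally `%SystemRoot%\System32\drivers\etc\hosts`; pass its contents to `find_blocked_vendors` in place of the sample.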
-
i have same problem... and i also can not safe boot.
i tried almost everything
-
i have same problem... and i also can not safe boot.
i tried almost everything
Is there any error message?
Can you attach this HDD in another computer and scan it from there?
-
i did that, scanned (and cleaned some viruses and trojans) in another computer with avast, and some online scanners from security-ops.eu.tt. system appears to be clean, but i still cannot install avast, spybot or any other antivirus. same problem, missed *.exe files
after installing avast and rebooting, avast starts for some 5-10 seconds and then just disappears with every *.exe file.
-
i did that, scanned (and cleaned some viruses and trojans) in another computer with avast, and some online scanners from security-ops.eu.tt.
Was Panda Active Scan one of them? If it wasn't please give that a try.
-
after installing avast and rebooting, avast starts for some 5-10 seconds and then just disappears with every *.exe file.
I'm almost sure that there is an old thread here in avast forum about exe files disappearing...
Anyway, it would be good if you download, install, update and run other trojan remover tools:
a-squared (http://www.emsisoft.com/en/software/free/)
Free AVG Antispyware (http://www.ewido.net/en/)
SUPERantispyware (http://www.superantispyware.com)
-
Can you attach this HDD in another computer and scan it from there?
i did that, scanned (and cleaned some viruses and trojans) in another computer with avast, and some online scanners from security-ops.eu.tt. system appears to be clean,
Would it be possible to scan with ewido in the same manner, or does ewido just do the entire computer? I'm not familiar with the program, so I don't know if you can do a selective scan.
-
Would it be possible to scan with ewido in the same manner, or does ewido just do the entire computer? I'm not familiar with the program, so I don't know if you can do a selective scan.
Ewido, now AVGantispyware is fully customizable...
-
Perhaps he should try that. The files on the "infected?" hd should be dormant and maybe ewido(avg) could find something.
-
i tried online panda, bitdefender, MS OneCare, ewido, kaspersky web scanner, and some anti spyware tools...
HDD seems to be clean.
-
HDD seems to be clean.
So, can anybody tell why the avast exe files are disappearing? ::) ??? ::)
-
It does seem to be happening a lot all of a sudden.
This is a shot in the dark, nothing more than a guess, but it feels like a rootkit to me - some form of bagle maybe. Something like this with stealth capability
http://www.pandasoftware.com/com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=119057&sitepanda=particulares
I've been trying to download AVG Antirootkit Beta since yesterday to see if it's worth recommending. I registered for the beta program but no downloads are available. Well, maybe when everybody's back to work I'll get the download, or maybe someone on the forum has some experience with it.
-
Here's something similar from another forum. Different av, but same symptoms.
http://forums.mcafeehelp.com/viewtopic.php?t=100803&highlight=missing+exe
-
I got the same problem. I can't install any Antivirus, Antispyware-Software on my Vista harddisk, it always deletes the exe files. My XP harddisk seems to be clean, but when i scan the vista harddisk from xp, it doesn't find anything.
NEED HELP...
-
ok new scan new virus :D
panda online
Hacktool:rootkit/mhook Not disinfected hkey_local_machine\system\currentcontrolset\services\m_hook
Virus:w32/bagle.hx.worm desinfected
-
i restarted in Vista and used F-Secure BlackLight (http://www.f-secure.com/blacklight/). it found W32/Bagle too!
i am happy i got rid of it now.
-
So, it turned out that this is caused by a rootkit (bagle variant) ???
I wonder when Alwil will add rootkit detection to avast! ::)
-
I wonder when Alwil will add rootkit detection to avast! ::)
Avast 5??? Hopefully ...
I'm sure many of us would be happy to be beta testers on this.
@ leni
Can you check your registry for this key
hkey_local_machine\system\currentcontrolset\services\m_hook
Maybe this can be fixed manually.
-
ok thanks for f-secure blacklight beta :) i am now finally clean.
-
I used mwav toolkit from www.mwti.net/products/mwav/mwav and it identified a bagle virus on my computer, maybe the reason for my disappearing exe file