Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: AR1 on July 06, 2007, 01:07:39 PM

Title: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: AR1 on July 06, 2007, 01:07:39 PM
Evidently I've been infected with something nasty that is attacking Avast itself.
It began after downloading a virtual pdf printer from a P2P.
Avast stopped appearing in the bottom right task bar. When I try to reinstall the system, the ashAvast.exe file is non-existent. I even tried to download the file from eMule; it downloaded but disappeared before I could open it. Now eMule has stopped working also.
At start up, I get the two Avast globes for a few seconds, then as soon as the network symbol starts up, they disappear.
Another symptom is that when I'm connected to the net, there are loads of packets being transferred even though no programs are running.
I'm running XP on an older Presario 1700....

HELP! PLEASE!!
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: Lisandro on July 06, 2007, 02:02:28 PM
avast being deleted (exe files) is a problem reported before, maybe searching the board you'll find something.

Meanwhile, I suggest you follow the general cleaning procedure:

1. Disable System Restore on Windows ME (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887) or Windows XP (http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405). System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3).

2. Clean your temporary files. You can use CleanUp (http://www.stevengould.org/downloads/cleanup/) or the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features for that.

3. It will be good if you download, install, update and run AVG Antispyware (http://www.ewido.net/en/). Some users recommend SUPERantispyware (http://www.superantispyware.com), Spyware Terminator (http://www.spywareterminator.com/) and/or a-squared (http://www.emsisoft.com/en/software/free/) (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

4. If you're still detecting any strange behavior, or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0), Panda (http://research.pandasoftware.com/blogs/research/archive/2007/04/27/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx) and/or F-Secure BlackLight (http://www.f-secure.com/blacklight/try_blacklight.html).

5. Also, if you're still detecting strange behaviors or you want to be sure you're clean, maybe making a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here and, especially, scanning and submitting the RunScanner (http://www.runscanner.net/) log to on-line analysis would help to identify the problem and the solution.

6. Install avast again from scratch and schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select archives for scanning. Boot. Another option is scanning in Safe Mode (http://support.microsoft.com/default.aspx?scid=kb;en-us;315222) (repeatedly press F8 while booting).

7. After you're clean, use the immunization of SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or, which is better, the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features of spyware/adware cleaning and removal.

8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/) to update insecure applications and avoid reinfection.
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: mauserme on July 06, 2007, 02:03:16 PM
Scan with F-Secure Blacklight and post the results

http://www.f-secure.com/blacklight/



Then post ComboFix and HijackThis logs:

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: Lisandro on July 06, 2007, 02:08:07 PM
Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
Mauserme, is this link updated to new HijackThis 2.0.2 (stable version)?
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: mauserme on July 07, 2007, 03:29:47 PM
Mauserme, is this link updated to new HijackThis 2.0.2 (stable version)?
Thanks Tech.  I didn't even notice Trend's version was out of beta.
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: AR1 on July 08, 2007, 07:36:40 AM
Thanks for all the info, unfortunately I jumped the gun and looked at other strings on the same issue; I ran Blacklight and it found 11 items.
I proceeded to reinstall Avast... Then the PC will not hook up to the net anymore.
When I look at my network list it says that another program is controlling that option and that I should run IZC from windows....
I'll try repair that first, then see what to do before I do a Format C:/....
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: AR1 on July 08, 2007, 08:25:13 AM
Typo: WZC not IZC.
Anyway, I tried to run it, as per Windows instructions, and I get a 10XX error. I'm trying to download and install the Linksys driver to see if it will help...
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: mauserme on July 08, 2007, 02:43:26 PM
... I ran Blacklight and it found 11 items.
What were the file names?  What action did you take?


I'll try repair that first, then see what to do before I do a Format C:/....

See if LSPFix helps (don't rush into a re-format)

http://cexx.org/lspfix.htm
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: AR1 on July 08, 2007, 07:30:32 PM
First of all, thanks for all your help!!

OK, well I did all the various scans and fixes except Blacklight, which is running as I write; it caused a serious problem before, so I'm a bit itchy about allowing it to take any action. I got the net to work again by downloading a new driver for my Linksys WAN card, and am using that utility to connect.

When I open the View Wireless Network list via the icon in the toolbar, I still get nothing but that WZC note.

I'm not too worried about that, but at least the net is working with all the programs Tech told me to run. (Am running Combofix and LSP now).

Avast still will not get past the stage after reboot when you're given the welcome note prompt. As soon as you press OK and the wireless and LAN icons appear, the Avast globes disappear. (I use Aswclear to remove Avast each time).
My Disc on Key was in the drive, how can I be sure it's clean?

Well, here are the various log files, Runscan & HJT are too large to copy/paste (I hope I ran them at the correct time?):

FSBL (Blacklight):
07/08/07 19:57:30 [Info]: BlackLight Engine 1.0.64 initialized
07/08/07 19:57:30 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/08/07 19:57:30 [Note]: 7019 4
07/08/07 19:57:30 [Note]: 7005 0
07/08/07 19:57:45 [Note]: 7006 0
07/08/07 19:57:45 [Note]: 7011 1864
07/08/07 19:57:45 [Note]: 7026 0
07/08/07 19:57:46 [Note]: 7026 0
07/08/07 19:57:53 [Note]: FSRAW library version 1.7.1022
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\hidr.exe
07/08/07 19:57:56 [Note]: 10002 2
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\rosa.sys
07/08/07 19:57:56 [Note]: 10002 2
07/08/07 19:57:57 [Note]: 10002 3
07/08/07 19:57:57 [Note]: 10002 3
07/08/07 19:57:57 [Note]: 10002 2
07/08/07 19:57:57 [Note]: 10002 2
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Empty.txt
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Filters.xml
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\news.png
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\paint.png
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Profiles\Blank.txt
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Sample1.jpg
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Sample2.jpg
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Note]: 10002 2
07/08/07 19:59:17 [Note]: 10002 2
07/08/07 19:59:27 [Info]: Hidden file: c:\Program Files\Skype\toolbars\Shared\SPhoneParser.dll
07/08/07 19:59:27 [Note]: 10002 3
07/08/07 19:59:27 [Note]: 10002 2
07/08/07 19:59:27 [Note]: 10002 2
07/08/07 20:05:44 [Note]: 10002 2
07/08/07 20:05:44 [Note]: 10002 2
07/08/07 20:18:53 [Note]: 7007 0

Thanks again mauserme & Tech!!

AR1


Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: mauserme on July 08, 2007, 07:43:34 PM
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\hidr.exe

07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\rosa.sys
These 2 are the cause of your problems with avast!  They can be renamed.
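A small parser for the BlackLight log format posted above, added here as an example (it is not code from the thread or from F-Secure): it pulls out the "Hidden file" entries and applies a triage heuristic of my own, not BlackLight's, that puts hidden executable-type files under a user profile first, which is what mauserme's reading of the log amounts to. The sample log is constructed from a subset of the lines AR1 posted.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample in the BlackLight log format shown in the thread (subset of the posted log).
SAMPLE_LOG = r"""
07/08/07 19:57:30 [Info]: BlackLight Engine 1.0.64 initialized
07/08/07 19:57:30 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/08/07 19:57:30 [Note]: 7019 4
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\hidr.exe
07/08/07 19:57:56 [Note]: 10002 2
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\rosa.sys
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Sample1.jpg
07/08/07 19:59:27 [Info]: Hidden file: c:\Program Files\Skype\toolbars\Shared\SPhoneParser.dll
07/08/07 20:18:53 [Note]: 7007 0
"""

# One log line: "MM/DD/YY HH:MM:SS [Level]: message"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\]: (.*)$")
HIDDEN_PREFIX = "Hidden file: "
# Assumption: file types that can execute or load as code are the interesting ones.
EXECUTABLE_SUFFIXES = {".exe", ".sys", ".dll", ".scr", ".com"}


def parse_hidden_files(log_text):
    """Return (timestamp, path) for every 'Hidden file' entry, in log order."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unexpected line
        stamp, level, msg = m.groups()
        if level == "Info" and msg.startswith(HIDDEN_PREFIX):
            ts = datetime.strptime(stamp, "%m/%d/%y %H:%M:%S")
            found.append((ts, PureWindowsPath(msg[len(HIDDEN_PREFIX):])))
    return found


def is_user_profile_path(path):
    """XP-era profile root; hidden code under a per-user folder is unusual for legitimate software."""
    return "documents and settings" in [p.lower() for p in path.parts]


def triage(log_text):
    """Heuristic split (my assumption, not BlackLight's own logic): hidden executable-type
    files under a user profile go to 'suspicious'; everything else to 'other'."""
    suspicious, other = [], []
    for _ts, path in parse_hidden_files(log_text):
        if path.suffix.lower() in EXECUTABLE_SUFFIXES and is_user_profile_path(path):
            suspicious.append(str(path))
        else:
            other.append(str(path))
    return suspicious, other
```

Hidden files under Program Files (the Movie Maker samples and the Skype DLL) land in the second list, so the two hidires entries are the only ones flagged; that is a starting point for a closer look, not a verdict on its own.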
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: Lisandro on July 08, 2007, 07:43:55 PM
The Avast globes disappear. (I use Aswclear to remove Avast each time).
Why are you uninstalling avast this way...?
What other security based software do you have that might block new startup entries, e.g. Spybot S&D (TeaTimer), AdAware (AdWatch), SpySweeper, Spyware Doctor (StartUpGuard), PrevX, WinPatrol, ProcessGuard, etc.?

1. Check the option in the Appearance tab of settings.
or
2. Repair your avast installation through Control Panel.
or
3. Make a link to ashdisp.exe in your startup folder
or
4. Add the path to ashDisp.exe into a value named avast! in the Windows Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
See picture here: http://forum.avast.com/index.php?topic=26155.msg213891#msg213891

If that does not help, please, uninstall, boot, install again, boot.

The two files are strange...
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\hidr.exe
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\rosa.sys
But I'm not an expert on cleaning... Did you Google their names?
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: AR1 on July 08, 2007, 09:12:52 PM
Well;

You guys are, as the British say, "The dogs bollocks"!!!

Avast! is working and running (it's scanning my Disc-On-Key as well, I hope that's enough to be sure?)

Evidently what tipped the scales in our favour is ComboFix (note attached files).

To answer your questions,

The hidr.exe is:

"hidr.exe
hidr.exe is a Trojan W32.Beagle.DZ.
hidr.exe tries to terminate antiviral programs installed on a user computer.
More info: http://securityresponse.symantec.com/avc...
Removal:
Kill the process hidr.exe and remove hidr.exe from Windows startup using RegRun Reanimator.
http://www.regrun.com
Removal: hidr.exe is removed by RegRun."

rosa.sys:
"rosa.sys - Email-Worm.Win32.Bagle.in"

LSP found no problems (probably due to me running via the Linksys interface, I can live with that).

At first, all I had running was Avast!.
Now I've been following instructions and have:

Spywareblaster, AVG Anti-Rootkit, A-Squared Anti-Malware, Spyware Terminator, Advanced WindowsCare V2, Spyware Blaster.


(Excuse my ignorance, please);

When should I re-enable my system restore?
Should I keep all the other protection software?

Many thanks!!

Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: DavidR on July 08, 2007, 09:37:53 PM
If you happen to have any samples of the two files you could send them to avast.

Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject. Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: mauserme on July 08, 2007, 11:03:38 PM
You guys are, as the British say, "The dogs bollocks"!!!
I assume you meant that as a compliment  ???  ;D

When you have a chance see if you're able to boot into safe mode.  You don't need to do anything in safe mode - I just want to know if you can.
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: AR1 on July 09, 2007, 03:47:53 PM
Mauserme;
A compliment of compliments, credit given where credit is due.

It will boot in safe mode, and Avast ran a scan of the hard disc during the boot.

So no problem there.

DavidR;
I'll send whatever Avast picked up (the Trojan), but with regard to the Rosa, ComboFix collected that one and I'm not sure how to send it or even where to find it. I'm a bit scared to do something that'll release it back into the system, so specific instructions would be appreciated (once again, please excuse my ignorance). What I can tell you is that the Rosa was what attacked the Avast. The Trojan was picked up and quarantined by Avast during the thorough scan I ran through the system after it finally ran for the first time.

AR1
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: DavidR on July 09, 2007, 05:44:18 PM
Assuming you were able to find it (probably long gone by now due to the processes you have run), adding it to the avast chest will not release it into the system, the avast chest is a protected area where the malware can't get out nor anything (other than avast) get in and execute any file stored there.
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: Lisandro on July 09, 2007, 07:56:23 PM
When should I re-enable my system restore?
After you're clean or at any time now... if it gets infected, just redo the process: disable, then enable. This deletes the infected restore points left behind.

Should I keep all the other protection software?
They won't harm, on the contrary 8)
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: mauserme on July 10, 2007, 05:39:32 AM
The paths to the quarantined files are

C:\Qoobox\Quarantine\C\DOCUME~1\xxx\APPLIC~1\hidires.vir\hidr.exe

C:\Qoobox\Quarantine\C\DOCUME~1\xxx\APPLIC~1\hidires.vir\rosa.sys


I don't know if you will be able to copy these to the avast! chest without moving them out of the ComboFix quarantine (and I would advise against it).  But if you can do it while leaving them where they are please do.

When you're finished trying that post the results of your efforts - I would like to clean these infected backups and remove some of the specialized tools we used.  We should also clean your restore points and talk a bit about a firewall.

In your HijackThis log there are 2 lines that seem to be related to the Trend Micro Dashboard.  It appears to have been uninstalled and we can remove the traces of it unless you are still using it.


EDIT: I forgot for a moment you turned System Restore off, but I would like to start with a clean point after deleting the malware backups nonetheless.
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: AR1 on July 12, 2007, 11:18:05 PM
Hi there,

Well, I've tried to send the viruses off, but the Combofix files that I compressed were blocked by the Hotmail scanner and the Avast chest will only send via a std. email service (Outlook, etc.), while I use Hotmail.

If there are any ideas on how to send them off, they'd be well appreciated.

When (or if) I send them off, how should I 'get rid' of them, or should I just leave them there?

With regard to the Trend Dashboard; how can I remove it?

Also the rest of the issues you stated, I'd like to try and deal with them.

Many thanks,
AR1
Title: Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
Post by: mauserme on July 13, 2007, 06:11:34 AM
Just to double check before we remove the tools, please upload this file to Virus Total (http://www.virustotal.com/en/indexf.html) and post the analysis:

C:\WINDOWS\system32\winzvprt5.sys