new invisible virus

[marcoleo]

dear,

I've a registered avast pro installed on windows XP.
Two days ago I've seen disappear the avast icon tray; I've rebooted the machine but avast doesn't start.
I try to reinstall it but a very strange think were happened, during the installation the executable are written to disk but after few second are automatically deleted.
Check the running program and services but noting suspicious, so start hijackthis... everything normal.
Try to install trial version of mcafee, f-prot, nav2006 but same problem of avast, the executables were deleted. With spybot also. Scanned the system with some free online av but it seems clean. Connected the HD as secondary to a machine with working, updated avast but no virus found.
The only strange thing in the system is a folder "c:\document and setting\leo\application data\m" this folder is reported empty but if you try to delete it, any tools report that cannot delete a directory not empty, in safe mode too.
Any proposal to get rid of it?

[Lisandro]

Two days ago I've seen disappear the avast icon tray; I've rebooted the machine but avast doesn't start.

1. Check the option in the Appearance tab of settings or
2. Repair your avast installation through Control Panel or
3. Make a link to ashdisp.exe in your startup folder or
4. Add the path to ashDisp.exe into a value named avast! in the Windows Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Try to install trial version of mcafee, f-prot, nav2006 but same problem of avast, the executables were deleted.

Wait... don't try to solve installing other antivirus... there is a problem in your computer, don't take any medicine to cure it...

Connected the HD as secondary to a machine with working, updated avast but no virus found.

This seems to be a good thing... if the files are clean, maybe your problem is not a virus but other one.
Do you mean the setup.exe files are deleted? You're running them and they disapppear? 

The only strange thing in the system is a folder "c:\document and setting\leo\application data\m" this folder is reported empty but if you try to delete it, any tools report that cannot delete a directory not empty, in safe mode too.
Any proposal to get rid of it?

Sure: http://www.softpedia.com/get/Security/Secure-cleaning/Pocket-Killbox.shtml

[marcoleo]

dear tech, thanks for your reply.
Already checked the appearence setting
There is no way to repair the installation, the repair option is not shown.
ashdisp.exe will be deleted immediately after a reinstallation
Isn't a problem in my computer, is a new virus or a variant, it delete only executable of any antivirus or antispyware, you try to install, even if I copy, for example, ashAvast.exe in a shared folder, of this machine, from another machine it shall be delete after few second. If I rename ashAvast.exe as ashAvast1.exe it stay there and I can start it, the memory test report no infection, obviously the program can't work in full due the other missing executables.
The setup work fine, but if you have open the destination folder in another windows you can see the load of the executables then in few seconds the deletion of them.
I'm not concerning in reformat the HD but, due the fact I'm consultant, I would like to know what kind of virus can be, just in case one of my customer will be infected.

[Lisandro]

There is no way to repair the installation, the repair option is not shown.

Bad news...

obviously the program can't work in full due the other missing executables.

Does ashClear.exe work in this case?
http://files.avast.com/files/eng/aswclnr.exe

I would like to know what kind of virus can be, just in case one of my customer will be infected.

Me either... I hope Alwil team see this...

[marcoleo]

aswclnr.exe is the first attempt I've do, if you open it instead of save, it work but don't find any virus.
If you save it on disk will be deleted

[Lisandro]

Ok. If avast can't detect it, avast! BART CD won't help. Even boot time scanning or ashClear.exe.
So, I can only guess about on-line scanning and find an antivirus that detects the infection and could clean it:
Jotti
Trendmicro
Virustotal
ewido

[marcoleo]

thanks, I will try those av, then I let U know the results

[Spiritsongs]

   Hi :

      You should be looking into IF you have a "rootkit" ;
      best to view the info at :

      http://www.castlecops.com/f233-Rootkit_Revelations.html

[NickGolovko]

I am ready to help, you also may address me in this case.

[marcoleo]

thanks all for the help.
Virus found and succesfully removed:

installed virit, it has found:
hgfs.sys win32.mitglieder.au (no info on it)

Removed the infected file, then installed prevx1:
it found:
m_hook.sys unceratin
removed it, rebooted, then deleted folder c:\document & setting\application data\m (that has subfolder "shared")
reboot, complete scan with prevx1, then found & removed:
Worm.Bagle.EK hldrrr.exe First seen: Sep 24 2006 (GMT)
discovered in italy, where i'm:
AreaName  FirstSeen                LastSeen PCsSeen
ITALY          Sep 24 8:53:25      Sep 24 12:45:11 28 1

Worm.Beagle.DZ First seen: Sep 18 2006 (GMT)
Worm.Beagle.DZ in exefld

beagle variant started from m_hook???