Author Topic: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!  (Read 11851 times)


AR1

  • Guest
Evidently I've been infected with something nasty that is attacking Avast itself.
It began after downloading a virtual pdf printer from a P2P.
Avast stopped appearing in the bottom right task bar. When I try to reinstall the system, the ashAvast.exe file is nonexistent. I even tried to download the file from eMule, it downloaded but disappeared before I could open it. Now eMule has stopped working also.
At start up, I get the two Avast globes for a few seconds, then as soon as the network symbol starts up, they disappear.
Another symptom is that when I'm connected to the net, there are loads of packets being transferred even though no programs are running.
I'm running XP on an older Presario 1700....

HELP! PLEASE!!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
« Reply #1 on: July 06, 2007, 02:02:28 PM »
avast being deleted (exe files) is a problem reported before, maybe searching the board you'll find something.

Meanwhile, I suggest you follow the general cleaning procedure:

1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3).

2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

4. If you are still detecting any strange behavior or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

5. Also, if you are still detecting strange behaviors or you want to be sure you're clean, maybe making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.

6. Install avast again from scratch and schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Another option is scanning in SafeMode (repeatedly press F8 while booting).

7. After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
The best things in life are free.

mauserme

  • Guest
Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
« Reply #2 on: July 06, 2007, 02:03:16 PM »
Scan with F-Secure Blacklight and post the results

http://www.f-secure.com/blacklight/



Then post ComboFix and HijackThis logs:

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
« Reply #3 on: July 06, 2007, 02:08:07 PM »
Click here to download HJTsetup.exe
Mauserme, is this link updated to new HijackThis 2.0.2 (stable version)?

mauserme

  • Guest
Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
« Reply #4 on: July 07, 2007, 03:29:47 PM »
Mauserme, is this link updated to new HijackThis 2.0.2 (stable version)?
Thanks Tech.  I didn't even notice Trend's version was out of beta.

AR1

  • Guest
Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
« Reply #5 on: July 08, 2007, 07:36:40 AM »
Thanks for all the info, unfortunately I jumped the gun and looked at other strings on the same issue; I ran Blacklight and it found 11 items.
I proceeded to reinstall Avast... Then the PC will not hook up to the net anymore.
When I look at my network list it says that another program is controlling that option and that I should run IZC from windows....
I'll try repair that first, then see what to do before I do a Format C:/....

AR1

  • Guest
Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
« Reply #6 on: July 08, 2007, 08:25:13 AM »
Typo: WZC not IZC.
Anyway, I tried to run it, as per Windows instructions, and I get a 10XX error. I'm trying to download and install the Linksys driver to see if it will help...

mauserme

  • Guest
Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
« Reply #7 on: July 08, 2007, 02:43:26 PM »
... I ran Blacklight and it found 11 items.
What were the file names?  What action did you take?


I'll try repair that first, then see what to do before I do a Format C:/....

See if LSPFix helps (don't rush into a re-format)

http://cexx.org/lspfix.htm

AR1

  • Guest
Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
« Reply #8 on: July 08, 2007, 07:30:32 PM »
First of all, thanks for all your help!!

OK, well I did all the various scans and fixes except Blacklight, which is running as I write; it caused a serious problem before, so I'm a bit itchy about allowing it to take any action. I got the net to work again by downloading a new driver for my Linksys WAN card, and am using that utility to connect.

When I open the View Wireless Network list via the icon in the toolbar, I still get nothing but that WZC note.

I'm not too worried about that, but at least the net is working with all the programs Tech told me to run. (Am running Combofix and LSP now).

Avast still will not get past the stage after reboot when you're given the welcome note prompt. As soon as you press OK and the wireless and LAN icons appear, the Avast globes disappear. (I use Aswclear to remove Avast each time).
My Disc on Key was in the drive, how can I be sure it's clean?

Well, here are the various log files, Runscan & HJT are too large to copy/paste (I hope I ran them at the correct time?):

FSBL (Blacklight):
07/08/07 19:57:30 [Info]: BlackLight Engine 1.0.64 initialized
07/08/07 19:57:30 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/08/07 19:57:30 [Note]: 7019 4
07/08/07 19:57:30 [Note]: 7005 0
07/08/07 19:57:45 [Note]: 7006 0
07/08/07 19:57:45 [Note]: 7011 1864
07/08/07 19:57:45 [Note]: 7026 0
07/08/07 19:57:46 [Note]: 7026 0
07/08/07 19:57:53 [Note]: FSRAW library version 1.7.1022
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\hidr.exe
07/08/07 19:57:56 [Note]: 10002 2
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\rosa.sys
07/08/07 19:57:56 [Note]: 10002 2
07/08/07 19:57:57 [Note]: 10002 3
07/08/07 19:57:57 [Note]: 10002 3
07/08/07 19:57:57 [Note]: 10002 2
07/08/07 19:57:57 [Note]: 10002 2
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Empty.txt
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Filters.xml
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\news.png
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\paint.png
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Profiles\Blank.txt
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Sample1.jpg
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Sample2.jpg
07/08/07 19:59:17 [Note]: 10002 3
07/08/07 19:59:17 [Note]: 10002 2
07/08/07 19:59:17 [Note]: 10002 2
07/08/07 19:59:27 [Info]: Hidden file: c:\Program Files\Skype\toolbars\Shared\SPhoneParser.dll
07/08/07 19:59:27 [Note]: 10002 3
07/08/07 19:59:27 [Note]: 10002 2
07/08/07 19:59:27 [Note]: 10002 2
07/08/07 20:05:44 [Note]: 10002 2
07/08/07 20:05:44 [Note]: 10002 2
07/08/07 20:18:53 [Note]: 7007 0

Thanks again mauserme & Tech!!

AR1


« Last Edit: July 08, 2007, 07:33:44 PM by AR1 »

mauserme

  • Guest
Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
« Reply #9 on: July 08, 2007, 07:43:34 PM »
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\hidr.exe

07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\rosa.sys
These 2 are the cause of your problems with avast!  They can be renamed.
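
As an added example (not part of the original posts and not F-Secure's own code): a short Python script that pulls the "Hidden file" records out of a BlackLight log like the one posted above and lists first the entries that are executable code sitting in a per-user profile directory. The extension list and the "user-writable location" rule are triage assumptions made for this example; the sample lines are copied from the log in this thread.

```python
import re
from ntpath import splitext  # Windows path semantics on any OS

# Constructed sample: lines copied from the BlackLight log posted in this thread.
SAMPLE_LOG = r"""07/08/07 19:57:30 [Info]: BlackLight Engine 1.0.64 initialized
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\hidr.exe
07/08/07 19:57:56 [Note]: 10002 2
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\rosa.sys
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Empty.txt
07/08/07 19:59:17 [Info]: Hidden file: c:\Program Files\Movie Maker\Shared\Sample1.jpg
07/08/07 19:59:27 [Info]: Hidden file: c:\Program Files\Skype\toolbars\Shared\SPhoneParser.dll
07/08/07 20:18:53 [Note]: 7007 0
"""

LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"\[(?P<level>\w+)\]: (?P<msg>.*)$"
)
HIDDEN_PREFIX = "Hidden file: "
# Assumption for this example: extensions Windows can load as code.
EXECUTABLE_EXTS = {".exe", ".sys", ".dll", ".scr", ".com"}
# Assumption for this example: per-user, user-writable locations on Windows XP.
USER_WRITABLE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\", re.I)


def hidden_files(log_text):
    """Return the paths from every 'Hidden file:' record, in log order."""
    paths = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("level") == "Info" and m.group("msg").startswith(HIDDEN_PREFIX):
            paths.append(m.group("msg")[len(HIDDEN_PREFIX):].strip())
    return paths


def triage(paths):
    """Split paths into (review_first, review_later) using the assumptions above."""
    first, later = [], []
    for p in paths:
        ext = splitext(p)[1].lower()
        risky = ext in EXECUTABLE_EXTS and USER_WRITABLE.match(p) is not None
        (first if risky else later).append(p)
    return first, later


if __name__ == "__main__":
    first, later = triage(hidden_files(SAMPLE_LOG))
    print("Review first:", *first, sep="\n  ")
    print("Review later:", *later, sep="\n  ")
```
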

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
« Reply #10 on: July 08, 2007, 07:43:55 PM »
The Avast globes disappear. (I use Aswclear to remove Avast each time).
Why are you uninstalling avast this way...?
What other security based software do you have that might block new startup entries, e.g. Spybot S&D (TeaTimer), AdAware (AdWatch), SpySweeper, Spyware Doctor (StartUpGuard), PrevX, WinPatrol, ProcessGuard, etc.?

1. Check the option in the Appearance tab of settings.
or
2. Repair your avast installation through Control Panel.
or
3. Make a link to ashdisp.exe in your startup folder
or
4. Add the path to ashDisp.exe into a value named avast! in the Windows Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
See picture here: http://forum.avast.com/index.php?topic=26155.msg213891#msg213891

If that does not help, please, uninstall, boot, install again, boot.

The two files are strange...
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\hidr.exe
07/08/07 19:57:56 [Info]: Hidden file: c:\Documents and Settings\xxx\Application Data\hidires\rosa.sys
But I'm not an expert on cleaning... Did you Google their names?

AR1

  • Guest
Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
« Reply #11 on: July 08, 2007, 09:12:52 PM »
Well;

You guys are, as the British say, "The dogs bollocks"!!!

Avast! is working and running (It's scanning my Disc-On-Key as well, I hope that's enough to be sure?)

Evidently what tipped the scales in our favour is ComboFix (note attached files).

To answer your questions,

The hidr.exe is;

"hidr.exe
hidr.exe is a Trojan W32.Beagle.DZ.
hidr.exe tries to terminate antiviral programs installed on a user computer.
More info: http://securityresponse.symantec.com/avc...
Removal:
Kill the process hidr.exe and remove hidr.exe from Windows startup using RegRun Reanimator.
http://www.regrun.com
Removal: hidr.exe is removed by RegRun."

rosa.sys;
"rosa.sys - Email-Worm.Win32.Bagle.in"

LSP found no problems (probably due to me running via the Linksys interface, I can live with that).

At first, all I had running was Avast!.
Now I've been following instructions and have:

Spywareblaster, AVG Antiroot kit, A-Squared Anti-Malware, Spyware Terminator, Advanced WindowsCare V2, Spyware Blaster.


(Excuse my ignorance, please);

When should I re-enable my system restore?
Should I keep all the other protection softwares?

Many thanks!!


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
« Reply #12 on: July 08, 2007, 09:37:53 PM »
If you happen to have any samples of the two files you could send them to avast.

Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject. Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mauserme

  • Guest
Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
« Reply #13 on: July 08, 2007, 11:03:38 PM »
You guys are, as the British say, "The dogs bollocks"!!!
I assume you meant that as a compliment  ???  ;D

When you have a chance see if you're able to boot into safe mode.  You don't need to do anything in safe mode - I just want to know if you can.

AR1

  • Guest
Re: Avast! 4 Home/ ashAvast.exe file invisible, Avast will not run HELP!
« Reply #14 on: July 09, 2007, 03:47:53 PM »
Mauserme;
A compliment of compliments, credit given where credit is due.

It will boot in safe mode, and Avast ran a scan of the hard disc during the boot.

So no problem there.

DavidR;
I'll send whatever Avast picked up (the Trojan), but with regard to the Rosa; ComboFix collected that one and I'm not sure how to send it or even where to find it. I'm a bit scared to do something that'll release it back into the system, so specific instructions would be appreciated (once again, please excuse my ignorance). What I can tell you is that the Rosa was what attacked the Avast. The Trojan was picked up and quarantined by Avast during the thorough scan I ran through the system after it finally ran for the first time.

AR1