Avast 4.8 forced update, or possible malware attack? Need help troubleshooting.

So last month when I was on my computer my Comodo firewall started flagging an exe file named “avast_free_antivirus_setup_offline.exe” trying to connect to the internet out of the blue. I thought this was really weird since I didn’t download such a file. I do run an older version of Avast (4.8 version) on my computer, but I have the program update for that set to manual. Anyways, I wasn’t quite sure what was going on or where that file had come from, so I decided to block it from trying to connect to the internet. Right after I block it, my firewall flags another exe file named “Instup.exe” trying to connect to the internet (the exact location of this file was “C:\Windows\Temp_av_iup.tm~a04196\Instup.exe”). Again, a file I did not download or open. So I ended up blocking that file from connecting to the internet as well. Then, about 10 seconds later, my Avast 4.8 starts notifying me that a bunch of files are trying to change the registry (but that the registry changes keep getting denied). The popup notification came and went really fast so I didn’t get a chance to see what those files were exactly. Then maybe 20 seconds later, an orange Avast program shortcut icon suddenly appears on my desktop. Then, without any notification or message, my computer just restarts out of the blue (good thing I wasn’t doing anything important!). During the restart process, a Windows update package also gets installed. At this point I am shitting my pants not knowing what is happening and fearing the worst - that I am under some sort of malware attack.

After my computer restarts, I notice that my Avast 4.8 no longer runs on startup. Instead it got replaced by an orange-iconed Avast version 12. At this point my firewall starts flagging a bunch of Avast-related exes (from the folder of the newly installed version) trying to connect to the internet. The exe files in question are: two instances of instup.exe (one located in “C:\Program Files\AVAST Software\Avast\setup\instup.exe” and the other located in “C:\Program Files\AVAST Software\Avast\setup\Sfx\instup.exe”), AvastSvc.exe, AvastUI.exe, AvastEmUpdate.exe, and avBugReport.exe. I ended up blocking all of them for fear of not knowing what was going on.

I also later figured out that the windows update package that was installed was a Kernel-Mode Driver Framework v1.9 (KB970158) and that it came from a Microsoft update standalone package located in “C:\Program Files\AVAST Software\Avast\setup\kb970158_x64.msu”.

At this point, I am somewhat confused and need some help with troubleshooting. I have several questions that I could use some help with:

  1. Was this an Avast forced update to version 12? or did I just come under some sort of malware attack?

  2. Is it normal for Avast to install a Windows update package like that?

  3. What exactly is “Instup.exe” and why does it need to connect to the internet? Also, why are there multiple instances of it trying to connect to the internet?

  4. My browser (Mozilla Firefox) is now unable to load any webpages with the https protocol whenever Avast 12 is open. Whenever I try to load any webpage that has “https” in front of it, Mozilla just takes me to an error page that says it’s unable to load the page because of some security issues. Non-https webpages load fine. Never had this issue with Avast 4.8. If I close Avast 12, then Mozilla works fine and can load all pages normally. I like using Firefox, is there a fix for this?

  5. Is there a way to access the virus chest of Avast 4.8 again? Avast 4.8 no longer runs or starts its service on startup. When I open it and try to view the virus chest a window pops up saying: “Initialization of chest files - Action was completed with errors!”. Under the errors report tab of that window it says: “Program cannot use chest client: (null) → Description: The array bounds are invalid”. This is important because before the Avast 12 update happened, my Avast 4.8 had sent several important files to the virus chest which were actually false positives. I need to be able to recover those files.

  6. I am looking to do a clean uninstall and customized reinstall of Avast’s latest version. What is the best, most thorough and complete way for me to uninstall Avast 4.8 as well as Avast 12? Is it safe to use Revo uninstaller instead of the Windows control panel program uninstaller here?

  7. If I use the offline installer for the latest version, can I disconnect myself from the internet before doing the install? Or does it require a connection to the internet in order to tweak itself during the install? Should I also be closing my Comodo Firewall before doing the install? And if so, do I need to set it so that Comodo Firewall doesn’t run automatically at startup right after the restart of the install? I figure Avast might conflict with the firewall if it needs to finish configuring itself on the immediate restart right after the install completes, is this the case?

  8. Is it safe to delete the Avast related files and folders located in the C:\Windows\Temp folder? More specifically the one named avast_free_antivirus_setup_offline.exe?

  9. I’ve read in another thread that Avast mainstream support for Vista OS ended 4 years ago, and that extended support will end in April of this year. Could I get some clarification on what this means exactly for Vista users? Does it mean that Vista users will no longer receive virus definition updates after April?

Thanks in advance for taking the time to read through my post and in helping me with the questions I have. It is much appreciated.

2017 marks the end of virus definition updates for Avast version 4.8
https://blog.avast.com/2017-marks-the-end-of-virus-definition-updates-for-avast-version-4.8

avast FAQ > https://support.avast.com/support/home

videos > https://www.avast.com/faq.php?q=video&authenticity_token=nVxv5f2XjLH8mzLJmONEGa1XcvD6IuvND1%2BaWtWPiD4%3D#searchForm

What OS/SP are you running ?
Is it 32 or 64 bits ?

Vista 64bit SP2. It’s definitely outdated though since I turned off Windows update back in 2010 since some of the updates were conflicting with some of my drivers back then, and I haven’t turned it back on/updated since.

Version 12 of avast should be running on that system without a problem.

As there have been a huge amount of changes in avast since version 4.8, I strongly suggest performing a clean installation of the latest version.

  • Remove avast through control panel
  • Run avastclear
  • Remove any leftovers (folder/files/registry entries) manually
  • Install all updates for the OS as well as drivers for the hardware you are using
  • Install the latest avast version
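Two checks a defender would run around the steps above, as an added PowerShell example that is not from this thread or from Avast: it reports the Authenticode signer of the binaries Comodo flagged (a genuine vendor update should carry a valid signature), and then inventories the Avast-related folders, services and uninstall entries that the “Remove any leftovers” step refers to. The paths are the ones quoted in the thread; the Temp subfolder is assumed to be C:\Windows\Temp\_av_iup.tm~* and the ProgramData folder name is assumed.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell.
# Assumptions: paths as quoted in the thread; the ProgramData folder name is a guess.

# 1) Publisher check on the binaries the firewall flagged.
#    Status 'Valid' plus an expected vendor subject points to a legitimate updater;
#    'NotSigned' or an unexpected signer is what to investigate further.
$flagged = @(
    'C:\Windows\Temp\avast_free_antivirus_setup_offline.exe',
    'C:\Program Files\AVAST Software\Avast\setup\instup.exe',
    'C:\Program Files\AVAST Software\Avast\setup\Sfx\instup.exe',
    'C:\Program Files\AVAST Software\Avast\AvastSvc.exe',
    'C:\Program Files\AVAST Software\Avast\AvastUI.exe'
)
foreach ($path in $flagged) {
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        [pscustomobject]@{ File = $path; Status = $sig.Status; Signer = $signer }
    } else {
        [pscustomobject]@{ File = $path; Status = 'missing'; Signer = $null }
    }
}

# 2) Leftover inventory to walk through after the control-panel uninstall and avastclear.
"`nLeftover folders:"
@(
    'C:\Program Files\AVAST Software',
    "$env:ProgramData\AVAST Software",   # assumed location of the data folder
    'C:\Windows\Temp\_av_iup.tm~*'       # the temp folder instup.exe ran from
) | ForEach-Object { Get-Item -Path $_ -ErrorAction SilentlyContinue } |
    Select-Object -ExpandProperty FullName

"`nLeftover services/drivers:"
Get-Service | Where-Object { $_.Name -like '*avast*' -or $_.DisplayName -like '*avast*' } |
    Select-Object Name, DisplayName, Status

"`nLeftover uninstall entries (64-bit and 32-bit views):"
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*avast*' } |
    Select-Object DisplayName, DisplayVersion, UninstallString
```

Anything still listed in the second half after the uninstall is a candidate for the manual clean-up step before installing the new version.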

Before I do that, is there any way I can retrieve the false positive files that were placed inside the virus chest of Avast 4.8? (question 5 on the original post for more info on the trouble I’ve been having)

Been having trouble accessing the virus chest of 4.8 ever since Avast 12 got installed. Ideally, I would want to retrieve the files before uninstalling Avast 4.8.

As things have been overwritten, I don’t think there is a way to get those files back.

But why not get the files from your backup ?

But why not get the files from your backup ?
ehmm .... backup ???

If you open the virus chest and select the file/s you should be able to use the Restore or Extract. I would say that extract is better as using restore sends the file back to its original location and avast may alert on it again, possibly sending it back to the chest. Before using extract, create the folder you want to extract to and then add that folder location to the avast exclusions so it doesn’t alert when extracted.

I, unfortunately, didn’t make a backup. I don’t think the things have been overwritten though, since both versions of Avast are installed into two separate folders right? Like when I open the Avast 4.8 virus chest subfolder I can still see the data of the quarantined files. I’m just unable to connect to the virus chest from the program to retrieve or extract those files if that makes any sense.

Anyways, I’ll try tinkering around with it and see if I can figure out a fix. I’ll post results if I find a way to retrieve them.

Yes, things are overwritten, not just files but also registry entries.