avast causing user logoff

Hi all. First, I just wanna give a big thanks to the avast! team. Great product! I’ve been using it for a few years now, and I’ve recommended it and installed it on several PCs belonging to friends and family members.
Here is my problem. I’ve got a friend’s PC here. It’s an older one with Windows XP on it. They did not have antivirus on it, so I installed avast. It installs fine, but after restart I get the login/logoff issue with the user names. Under safe mode, I’m able to log in as Administrator. From there, I uninstalled avast, restarted the PC, and was able to log in under one of the users again.
So to test it out, I installed avast again. And again, after restart, I couldn’t log in. Like before, I’d enter the password. It would seem as though it’s logging in, then it would instantly log off.
So I uninstalled avast again, and now I’m able to log in just fine!

Does anyone know why avast would be causing this?
Thanks.

This is fairly likely to be caused by malware, not Avast. There are several trojans, etc., that can lock out the user or disable some Windows features.
Has the computer ever had (or does it still have) an old antivirus program on it? It could be causing a conflict also.
What I would try is to re-install Avast, and as part of the setup it will prompt you for a boot scan.
Do that.
Also I would use MBAM (free version) as an on-demand scanner. You may want to try this first. Install it (if you can), update it, and run a quick scan.
Items found will be listed at the end of the scan. Select all (unless you think there is a FP amongst the results), then select “remove selected”. If it prompts for a reboot, please do so promptly.
It would be useful to post the MBAM scan report.

Hi Tarq57. Thank you for the reply. I did what you said. I ran MBAM, did a quick scan, and saved the log file. I did not remove anything yet because I was hoping you would take a look at the log and let me know if it’s safe to do so. As far as I can tell, there are no other antivirus programs installed. I also removed avast before doing this scan, so I could log in. Here are the results:

Malwarebytes’ Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/3/2009 5:17:27 AM
mbam-log-2009-07-03 (05-17-19).txt

Scan type: Quick Scan
Objects scanned: 108798
Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\id (Malware.Trace) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\host (Malware.Trace) → No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) → Data: c:\windows\system32\userinit.exe → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wsaupdater.exe (Trojan.Agent) → No action taken.

Again, any advice on what I should do would be greatly appreciated. Thank you!

I will butt in and save you a wait; the detections look fine.

  • Run MBAM again, and this time when the scan is complete all detections should have a check mark in the box to the left of the entry; leave them selected (or select them if not selected). At the bottom of the window there is a button, Remove Selected; click that and the items will be removed.

The log-in problems, I believe, are associated with the following registry key:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) → Data: c:\windows\system32\userinit.exe → No action taken.

avast may well have taken out that file, as it is most certainly malicious. So when you start Windows this registry entry is trying to run the malicious file and can’t find it (my theory anyway), so the boot falls over.

See http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-ff&search=userinit.exe

After you have taken action with MBAM, you should be able to install avast and I believe the boot should work as normal.

Hi DavidR. Thanks for the help. Before I remove anything, I just want to make sure that once removed, I’ll be able to get into Windows. I don’t want to delete anything, even if infected, that will prevent me from getting to Windows. So before I go ahead with this… you’re saying it’s safe to let the program remove everything it found?

There is nothing on the list that would stop you getting into Windows, as they simply shouldn’t have been there and were circumventing your ability to boot into Windows normally.

You can run MBAM in safe mode anyway so it should be possible to reverse any changes it makes (Quarantine tab).

Hi DavidR. Thanks again for the reply. I ran it again, in safe mode this time. I removed the things it found. I’m busy with other things now, but later I will reinstall avast and see how it goes. Would that be the next step? Thanks!

Once you have avast installed it should ask about a boot-time scan; allow it to do that. If anything is found, make a note of the malware name, file name and location, send to the Chest, don’t delete, and report any findings.

Download, update and run SUPERantispyware (on-demand only in the free version).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them. See http://en.wikipedia.org/wiki/HTTP_cookie.

Hi DavidR. I did what you suggested. Ran the boot-time scan. I had it move all to chest. After the scan was done, once again I got the user login/logoff loop. So like before, I started in safe mode and now this time, when I click on Administrator, it’s logging me off! Any suggestions? I really need to get back into Windows and remove avast, or at least get the log from the scan. Thanks.

Well, we really need to know what you moved to the chest, hence my comment to make notes on what was detected (malware name, file name and location), as that helps us to help you.

Have the MBAM things also returned?

Hi DavidR. I booted the PC from a Linux Knoppix CD and copied the log file to a floppy. Here it is:

07/04/2009 06:02
Scan of all local drives

File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251548.dll is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251549.sys is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251550.dll is infected by Win32:Kolweb-E [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251551.dll is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251552.dll is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251553.exe is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251554.dll is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251555.dll is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251556.dll is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251557.exe is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251558.exe is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251559.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251560.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251561.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251562.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251563.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251564.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251565.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251566.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251567.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251568.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251569.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251570.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251571.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251572.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251573.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251574.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251575.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251576.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251577.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251578.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251579.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251580.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251581.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251582.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251583.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\System Volume Information_restore{F55C3141-8481-4A22-A017-4090329E0372}\RP308\A0251753.exe is infected by Win32:Walivun [Trj], Moved to chest
File C:\WINDOWS\l7xu9z.sys is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\WINDOWS\system32\userinit.exe is infected by Win32:Walivun [Trj], Moved to chest
Number of searched folders: 5657
Number of tested files: 47616
Number of infected files: 39

This doesn’t look too good! lol. Please let me know what you think. And thank you for helping me with this!

If you disable System Restore on Windows ME, XP or Vista and then enable it again, you’ll delete all old restore points, removing the infected files.

Actually it doesn’t look bad, as the C:\System Volume Information_restore points are not live, i.e. they aren’t involved in your boot.

Infected Restore Points - There really is little benefit in chasing a detection in the System Volume Information folder. It is only there because it had previously been deleted or moved from the system folders, and this is a back-up created by System Restore.

  • Worst case scenario: it isn’t infected and you delete it, so you can’t use that restore point in the future. Not much of a loss, and the older the restore point is, the less of an issue it is.

  • So if there is any suspicion about a restore point, then it is best removed from the System Volume Information folder, or it could bite you in the rear at some point in the future when you use System Restore if it included that restore point.

The only live file involved at boot time was the one in the line “File C:\WINDOWS\system32\userinit.exe is infected by Win32:Walivun [Trj], Moved to chest”.

Now that was the entry which you also removed from the MBAM scan (?), so in theory that shouldn’t have been present if you ran the avast boot-time scan after removing this with MBAM.

So if you did as I suggested, first ran MBAM and removed all those found before running the avast boot-time scan, then avast shouldn’t have found anything. Is that correct?

The boot-time scan may only have removed the file but not the registry entries, which, as I said before, I believed were responsible for the boot problem.

This one, “C:\WINDOWS\l7xu9z.sys is infected by Win32:Trojan-gen {Other}, Moved to chest”, being a .sys file (driver), could also have a hand in this issue and is one that MBAM didn’t find in its scan. I get zero hits on this on a Google search, which in its own right is suspicious, especially for a .sys file in the Windows folder; it just looks like a randomly generated file name (common). This too may have associated registry entries, and these too might have a hand in the problem.

However, I don’t know how we can find those entries if we can’t run Windows. Try this: DrWeb also do a Live CD if you are unable to get into your system; see http://www.freedrweb.com/livecd/?lng=en, documentation ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf. I don’t know how successful this might be; I don’t know if it is able to delve into the registry or startup entries.

Hey DavidR. You know what? I think I’m just gonna go ahead and reformat this hard drive and reinstall Windows XP. This is a friend’s computer and they already told me that would be fine if I did that. They have nothing too important to save. They are away this week on vacation and told me I can just do whatever to it. So I’ll just take the easy road out! :wink: Oh… and I DID run those programs in the order you said to. I had MBAM remove everything it found, then I did the avast scan. I too noticed avast found stuff MBAM should have removed. Weird… oh well.

DavidR, I want to thank you for all your help. Although I’m calling it quits on this issue, I’ve been extremely grateful to have an expert such as yourself stick with me here and try to help me out. You take care. I’ll see you around these forums!

Rob

I can agree with you, robbie. I just downloaded MBAM and it found a lot of viruses hidden in my registry, and now I swear I’m happy to have it on my CPU.

You’re welcome.

Yes, there comes a point when you would be quicker starting from scratch, as I feel that system was seriously compromised.

It isn’t too unusual to have avast find things MBAM didn’t, and vice versa, which is why a multi-application approach to defence is better (provided the programs don’t conflict; these ones shouldn’t), as no single program is going to give 100% protection.

The fact that they kept coming back indicates another element, hidden (rootkit) or undetected (strange with multiple application scans), restoring or re-downloading them, and a firewall with outbound protection is essential (if they didn’t have one).

Good luck.

Well, having Avast! and MBAM is like a combo. I did see many videos where Avast! and MBAM were cooperating together and they did clean all malware for sure.