Avast Crashes on finding Viruses

Hi, I’m new to Avast, I have been using AVG for virus scanning for a while but started reading on some forums that AVG could miss some viruses and was generally nicer. And what do you know, as soon as I uninstalled AVG and installed Avast it found a virus. However as soon as it did that (this was during the memory scan) it disappeared and brought up the screen saying that an error had occurred and that I could send a message to support (I have done but thought I might get a response here).

If I skip the memory check I can start the normal scan but again when it finds a virus on the hard drive it says an error has occurred and brings up the message screen. I did manage to find out one virus file that it was referring to and delete it but obviously there must still be others on my system. I’ve tried repairing it but not totally uninstalling it yet. System is Win 98 Second Edition 4.10.2222 A with Internet Explorer 6. Can’t think of anything else that might be of help, it’s such a pain that it exits with pretty much no notification of what happened so I can’t really provide you with more details.

Welcome to the forums, identitycrisisuk ! :slight_smile:

If you can, it would be helpful to give the exact error message (word for word) you are getting. This way, you can get better help. You did good by including your OS. :slight_smile:

It crashed during the memory scan? Strange… is it repeatable? (i.e. did it crash just once, or every time you started it?)

Yes, it happens every time, during the memory scan it says ‘Memory is infected’ in the bottom left corner. The program disappears and you get the loading mouse cursor for a second then this window pops up:

http://img.photobucket.com/albums/v412/identitycrisisuk/error1.gif

EDIT: If I stop the memory scan and go straight into a disk scan it at least gives me a normal illegal operation window as well as the above contact one. Here’s the code it gives:

ASHSIMPL caused an invalid page fault in
module KERNEL32.DLL at 017f:bff7b9a6.
Registers:
EAX=00000000 CS=017f EIP=bff7b9a6 EFLGS=00000246
EBX=00699440 SS=0187 ESP=0065ea84 EBP=0065ea98
ECX=00699440 DS=0187 ESI=006994a8 FS=63a7
EDX=007821bc ES=0187 EDI=006994a8 GS=0000
Bytes at CS:EIP:
ff 76 04 e8 13 89 ff ff 5e c2 04 00 56 8b 74 24
Stack dump:
00699440 70e0eb88 006994a8 00000000 007821c0 0065ead8 70e0e28e 007821c0 0000000d 0065eac0 00000001 00699440 00000012 00000000 81792e24 00000000

When you close that window you get this :-\

ASHSIMPL caused an invalid page fault in
module ASHUINT.DLL at 017f:64b17305.
Registers:
EAX=015cf04c CS=017f EIP=64b17305 EFLGS=00010202
EBX=64b00000 SS=0187 ESP=039bfc30 EBP=039bfc4c
ECX=00eb0b80 DS=0187 ESI=64b36690 FS=2e4f
EDX=00000006 ES=0187 EDI=00000001 GS=636e
Bytes at CS:EIP:
8b 08 50 ff 51 08 8b ce 5e e9 43 8b 00 00 e9 8e
Stack dump:
64b36560 64b0437c 00000000 64b36560 039bfe28 64b21399 00000003 039bfc70 64b20c82 64b20d20 64b00000 00000000 00000001 00000000 64b00000 81794134

Hmm, may be a problem with the skinning library. Did avast! ever successfully display a skinned window (either the program interface, or in the Explorer Extension, for example)?

If I skip the memory scan then it comes up with a window, says avast! Simple User Interface in the taskbar if that’s what you mean. I can go into the menu and change skins etc. with no problems. I don’t know what you mean by the explorer extension exactly.

If you right click a file into Windows Explorer you will see an icon for avast.
It will run ashQuick.exe application which is under your avast folder.
That is the ‘Explorer Extension’ :wink:

Ah right, yeah I’ve done that and it also works but just disappears when it finds a virus. By some sleuthing and watching when the program crashes I’ve worked out that I have a file called PICSGORE.DLL in my Windows/System folder which is a virus. I can’t delete it though as it says windows is using it.

If you boot up into safe mode can you run a scan then? Is there anything unusual in your startup file or in your startup registry key? Good chance the name of the file you found is random; I can’t find anything that links picsgore.dll to a virus name, (perhaps someone from avast! can help there…) did you find any clues that might have given you an idea of the actual virus name?

avast has a virus cleaner tool … http://www.avast.com/eng/down_cleaner.html
without the virus name it’s hard to say with any certainty if it’ll work

I bet that your virus is what causes avast! to crash, if you can get rid of the virus, you’ll likely solve your problem

I can’t find any info on that .dll file. What’s it say when you right click it and click properties? Also, if you are sure it’s malware, can you rename it to .txt to stop it running in normal or safe mode? Also, it’s sometimes wise to have an on-demand scanner as well as your resident avast. Try escan free from here
http://www.mwti.net/antivirus/free_utilities.asp
It uses the Kaspersky engine. Extract to a folder and use the mwavscan.com to scan and the kavupd.exe to update the virus definitions. It’s handy as a backup to avast, and is not a resident scanner.
me

This option could be tweaked at avast4.ini file on section [Quick. See http://forum.avast.com/index.php?board=2;action=display;threadid=1647;start=15

At boot time, this should not happen, can you schedule it?
You can disable the memory test (section [UserInterface], value SplashTestMemory=0) and get access to the program in order to schedule it…

Thanks for all the advice everyone, sadly I haven’t made any progress though.

Booted into safe mode, the same crashes occur when scanning with avast. My Startup folder has nothing other than Shockwave init and I’m not quite sure what registry entry is for startup but I searched the whole thing and found nothing abnormal. I’ve tried the avast cleaner but it hasn’t found anything, though it did say a couple of dat files couldn’t be scanned, there is also a picsgore.dat which I can delete but comes back when you restart.

I’ve also tried the kaspersky based one but that also didn’t find anything other than a few registry entries it thought were wrong, I think from previous viruses. There is nothing special in the properties for picsgore.dll btw.

I get the feeling that this may need to be sorted at boot time but the schedule boottime scan option in avast is greyed out, is this something only in the professional edition? If so is there anything simple but effective I could get for scanning at boot time, an exe I can just add at the top of autoexec.bat or something? I mean I could start up and go to the command line so windows is never in the equation but maybe deleting picsgore.dll will not get everything and it’ll keep re-appearing just like the dat file.

Try booting up in dos and renaming your config.sys and autoexec.bat files as config.old and autoexec.old using the “ren” command.

I.e.: ren c:\config.sys config.old …enter

Then reboot into safe mode and scan from there. 98 will actually start without autoexec and config.

You can always rename them later if it doesn’t work

Alternatively, boot into dos and navigate to c:\windows\system and use del to delete the file/files and then reboot into 98.

I think the problem is not on avast, not only, we need to solve other thing that is crashing the computer :cry:

I was talking about avast4.ini file and not the Windows Registry. Did I misunderstand you?

I’ve never heard about that file but could be normal that dat files are blocked by the system and cannot be scanned by avast ::slight_smile:

Do you mean on-line scanning I suppose? ??? Do you install Kaspersky?

Boot time scanning is a Windows 2k/XP feature. Home and Professional version of avast have it, it’s an OS problem not avast. You can’t make an autoexec.bat or link for it. You can edit the Windows Registry but I’m afraid this won’t be the best moment for that. If you want, I can guide you…

About memory scanning, you can try:

"C:\Program Files\Alwil Software\Avast\ashQuick.exe" "*MEMORY"
The *MEMORY parameter causes avast! to scan the operating memory of the computer: the true virtual memory.

"C:\Program Files\Alwil Software\Avast\ashQuick.exe" "*STRT-MEM-SHORT"
The *STRT-MEM-SHORT scans (besides the startup items) the modules loaded in memory: the corresponding files, not the real memory.

While the *MEMORY parameter may catch unknown (packed) variants of viruses that may not be detected on disk (they can be found since the packed file is already unpacked to memory), it may also fail to detect the viruses for which only a packed variant exists (and the VPS does not contain a signature for the unpacked code). Generally, avast! virus database is optimized (and checked) for the file detection - the memory scan is rather a special additional feature.

"C:\Program Files\Alwil Software\Avast\ashQuick.exe" "*STARTUP"
The *STARTUP parameter will scan all startup user accounts items.

"C:\Program Files\Alwil Software\Avast\ashQuick.exe" "*STARTUP-SHORT"
The *STARTUP parameter will scan the current user startup items.

So, if you want a real thorough check of the memory/ startup, I’d rather recommend using both the parameters *STRT-MEM-SHORT and *MEMORY together (or, *MEMORY, *MEMORY-SHORT and *STARTUP for all the user accounts).

Like this: "C:\Program Files\Alwil Software\Avast\ashQuick.exe" "*MEMORY" "*STRT-MEM-SHORT" "*STARTUP" "*STARTUP-SHORT"

Right, I think I’m sorted now.

Tried a few more things and they didn’t work so I went for the brute force, boot into dos and delete the offending files option. I also searched the windows registry and removed any references to picsgore (there were about 5 little odd ones). I’ve just performed a full scan with avast and there were no crashes and no viruses ;D

Only weird thing is that the skin for avast has changed itself from the blue one to something very ‘standard’ looking. Maybe this links back to what was said right at the start about it being a skinning problem, who knows.

Thanks again all, I will be continuing to use avast! ;D

Download the skins you want, double click (run) them and choose the one you like best…

Skins: http://www.avast.com/eng/download/skins/index.html