Avast preventing Windows XP from starting correctly

Avast does a boot sector search (or something like that) when my computer just starts up, at least it used to.

I just ran Malwarebytes Anti-Malware and it found 7 items and I Ok’d them to be deleted, and then restarted my computer.

As it turns out one or more of the files it deleted had something to do with the boot sector search done by Avast.

Now my computer will not start windows, not even safe mode.
It gets up to the point where Avast starts its search… and after only 1 second it immediately reboots my computer, and it does this continually: restart, up to the Avast search, restart… etc.

Basically my computer will not restart correctly or run windows.
I have managed to get it to run Windows Command (black screen with command line c:\WINDOWS> )

Can someone tell me how to stop AVAST from doing the boot sector test and perhaps my computer will be able to get windows to run.

Thanks in advance for your assistance.

Deletion (or do you mean Remove, the option in MBAM, see image) is never a good first choice, but fortunately MBAM usually sends the copy to the Quarantine area, so perhaps all is not lost.

What would have been helpful would have been the MBAM log file of what it found (displayed at the end of the scan) otherwise we are working in the dark. The log may have been saved, depending on your settings and you can check the Logs tab.

You can open MBAM again and click on the Quarantine tab and let us know what is in it.

It also isn’t clear what you mean by boot sector scan. avast has a boot-time scan that runs after installation (if you reply yes to the question, see image2); this scan only runs when you schedule it to run and not on every boot. Is this what you meant?

Have (or did) you another Anti-Virus installed in this system? If so, what was it and how did you get rid of it?

I have managed to get XP to run again by booting from Windows CD, getting a command prompt, running chkdsk /r.
I have included the mbam-log below and the HJT log.

This entire issue started with trying to get rid of google search results links being redirected.

I have downloaded and run AVAST, Malwarebytes, Ad-aware, Spybot Search & Destroy,
all in an effort to find and get rid of the google redirecting of the search results.

Malwarebytes’ Anti-Malware 1.41
Database version: 3111
Windows 5.1.2600 Service Pack 3

11/8/2009 12:37:24 AM
mbam-log-2009-11-08 (00-37-24).txt

Scan type: Full Scan (C:|I:|)
Objects scanned: 445323
Time elapsed: 1 hour(s), 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\?\globalroot\systemroot\system32\gasfkyfdxarvpr.dll (Trojan.TDSS) → Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) → Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.SearchPage) → Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.Google.com/) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\?\globalroot\systemroot\system32\gasfkyfdxarvpr.dll (Trojan.TDSS) → Quarantined and deleted successfully.

**************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:47 PM, on 11/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\MioNet\MioNetManager.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Thirty Day Challenge Toolbar - {7104ec46-5dfb-4609-84f0-915970e383d7} - C:\Program Files\Thirty_Day_Challenge\tbThir.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Thirty Day Challenge Toolbar - {7104ec46-5dfb-4609-84f0-915970e383d7} - C:\Program Files\Thirty_Day_Challenge\tbThir.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Thirty Day Challenge Toolbar - {7104ec46-5dfb-4609-84f0-915970e383d7} - C:\Program Files\Thirty_Day_Challenge\tbThir.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [MioNet] C:\Program Files\MioNet\MioNetLauncher.exe /p
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avgnt] “C:\Program Files\Avira\AntiVir Desktop\avgnt.exe” /min
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] “C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe” /runcleanupscript
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.2 - res://C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS
O23 - Service: Google Update Service (gupdate1c9cee09812a166) (gupdate1c9cee09812a166) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MioNet - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS
O24 - Desktop Component 0: (no name) - (no file)


End of file - 6153 bytes
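The two "Hijack.WindowsUpdates" entries in the MBAM log above show the service ImagePath for BITS and wuauserv rewritten to `%fystemRoot%\...`, a reference no environment variable can satisfy, so the service never starts and Windows Update stays broken. As an added example (not part of this thread or of any vendor tool), the Python script below parses the "Registry Data Items Infected" section of an MBAM log in the format quoted here and then runs the same check a defender would apply to live service ImagePath values: does every `%NAME%` reference resolve, and does the expanded result become an absolute drive path? The log text and the environment mapping are constructed samples; the accepted arrow forms, the section header and the `Bad: (...) Good: (...)` layout follow the log quoted above.

```python
import re

# Constructed sample in the MBAM log format quoted in the thread (the
# "Registry Data Items Infected" section); "->" and the "→" that copy/paste
# produced in the thread are both accepted.
SAMPLE_LOG = (
    "Registry Data Items Infected:\n"
    "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SearchMigratedDefaultURL "
    "(Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) "
    "Good: (http://www.Google.com/) -> Quarantined and deleted successfully.\n"
    "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\BITS\\ImagePath "
    "(Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\\system32\\svchost.exe -k netsvcs) "
    "Good: (%SystemRoot%\\System32\\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.\n"
    "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\wuauserv\\ImagePath "
    "(Hijack.WindowsUpdates) -> Bad: (%fystemroot%\\system32\\svchost.exe -k netsvcs) "
    "Good: (%SystemRoot%\\System32\\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.\n"
    "\n"
    "Folders Infected:\n"
    "(No malicious items detected)\n"
)

# Constructed stand-in for the variables the service control manager expands;
# only the names matter for the check, lookups are case-insensitive as on Windows.
SAMPLE_ENV = {"SystemRoot": "C:\\WINDOWS", "ProgramFiles": "C:\\Program Files"}

ARROW = r"(?:->|\u2192)"
ITEM_RE = re.compile(
    r"^(?P<key>.+?) \((?P<threat>[^()]+)\) " + ARROW
    + r" Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) " + ARROW + r" (?P<action>.+)$"
)
ENV_REF_RE = re.compile(r"%([^%]+)%")


def parse_registry_data_items(log_text):
    """Return the entries under the 'Registry Data Items Infected:' header as dicts."""
    items = []
    in_section = False
    for line in log_text.splitlines():
        # The summary line carries a count ("...Infected: 3"); only the bare
        # header opens the detail section.
        if line.strip() == "Registry Data Items Infected:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break  # a blank line closes the section
            m = ITEM_RE.match(line)
            if m:
                items.append(m.groupdict())
    return items


def unresolvable_vars(value, env):
    """%NAME% references in value that no variable in env satisfies."""
    known = {name.lower() for name in env}
    return [ref for ref in ENV_REF_RE.findall(value) if ref.lower() not in known]


def expand(value, env):
    """Expand %NAME% references case-insensitively; unknown ones are left as written."""
    lookup = {name.lower(): val for name, val in env.items()}
    return ENV_REF_RE.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), value)


def check_image_path(value, env):
    """Problems that would stop a service ImagePath from launching anything."""
    problems = []
    missing = unresolvable_vars(value, env)
    if missing:
        problems.append("unexpandable variable(s): " + ", ".join(missing))
    expanded = expand(value, env)
    if not re.match(r'^"?[A-Za-z]:\\', expanded):
        problems.append("does not expand to an absolute drive path: " + expanded)
    return problems


def analyze(log_text, env):
    """Findings for every ImagePath entry in the log's registry data section."""
    findings = []
    for item in parse_registry_data_items(log_text):
        if not item["key"].lower().endswith("\\imagepath"):
            continue
        findings.append({
            "key": item["key"],
            "threat": item["threat"],
            "bad_value": item["bad"],
            "bad_problems": check_image_path(item["bad"], env),
            "good_problems": check_image_path(item["good"], env),
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, SAMPLE_ENV):
        print(finding["key"])
        print("  threat:", finding["threat"])
        print("  bad value problems:", finding["bad_problems"])
        print("  good value problems:", finding["good_problems"])
```

The same `check_image_path` check can be pointed at values read from `HKLM\System\CurrentControlSet\Services\<name>\ImagePath` on a live XP box (for instance via `reg query` output) to catch this class of corruption before a scanner names it; a service whose ImagePath fails both tests is also why HijackThis lists BITS and wuauserv above with "Unknown owner" and a bare `C:\WINDOWS` path.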

What I think your problem is, is that you’re running two antivirus programs at the same time. The HJT log shows entries for Avast and Avira, so I suggest you uninstall one of them and see if that helps. As for malware in those entries, I’m not an expert to see, so let’s wait for another person to check that up and write if there are any entries that should be removed.

Hi Comet,

To continue David’s support, and based on your HijackThis log report, there are some applications that you need to be concerned about:

C:\Program Files\Avira\AntiVir Desktop\sched.exe (Please delete this useless Avira folder to avoid crashes with other antivirus software)
C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS
O24 - Desktop Component 0: (no name) - (no file)
(Please delete and fix it with the HijackThis tool)

This one could well have been the root of the problem as it is a rootkit and a pretty persistent one at that, which could hide other malware:
gasfkyfdxarvpr.dll (Trojan.TDSS)

Following on from mikaelrask and Yanto.Chiang’s advice, you really need to get rid of the second resident AV as, far from providing twice the protection, it can cause conflicts that could leave you more vulnerable.

On to the google redirects thing:
– GOOGLE.GOORED - Browser popping up ads and or google search redirects.
Please download GooredFix and save it to your Desktop. - Double-click Goored.exe to run it.

  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.

  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). - Note: Do not run Option #2 yet.

I hope I did the GooredFix correctly.

Here is the log.

GooredFix by jpshortstuff (09.11.09.1)
Log created at 10:55 on 11/11/2009 (Dan)
Firefox version 3.5.5 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\{1FEF9123-94FE-4C4E-A40D-B2BB9C65E193} → Success!
Deleting C:\Documents and Settings\Dan\Local Settings\Application Data{1FEF9123-94FE-4C4E-A40D-B2BB9C65E193} → Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\{CDA44755-043F-47C1-9700-C3AA19E736EB} → Success!
Deleting C:\Documents and Settings\Administrator.HEIDI\Local Settings\Application Data{CDA44755-043F-47C1-9700-C3AA19E736EB} → Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions
sotfone-tracker@sotfone.ru [03:53 15/06/2008]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [03:40 07/11/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

-=E.O.F=-

Goored Scan:
Looks like you proceeded with step two, the cleaning of suspect goored entry points.

But it looks like it removed two FF extension registry entries and associated application data keys. So to my untrained eye it looks like a positive start.

Goored Log:
Now the entry relating to sotfone-tracker at sotfone.ru is suspect and I don’t know if goored did anything with it, but you should run goored again and allow it to remove this also.

This appears to be related to AntiSpyCheck, a rogue program; see here for more information on removal, etc.: http://www.bleepingcomputer.com/virus-removal/antispycheck. Though this says that MBAM should be able to have removed it, so since you got rid of the TDSS rootkit before, I would suggest running MBAM again and posting the log file.

After the GooredFix, are you still seeing any redirects on google searches?