Avast! stopped working

It’s been working great for years, now it has a red circle/slash on the A-ball and clicking brings a message RPC error. I don’t know what is wrong or how to fix it and get Avast! AV working again. Thanks.
Robert

This is usually associated with another AV or remnants of one, but since as you say things have been working great for years this isn’t so likely.

Have you recently added another security application or has your system changed in any way just prior to this ?

Try a repair of avast. Add Remove programs, select ‘avast! Anti-Virus,’ click the Change/Remove button and scroll down to Repair, click next and follow. This has in the past resolved this out of sync issue between reported and actual VPS version.

If that doesn’t work a clean reinstall would be best:

  • Download the latest version of avast http://www.avast.com/eng/download-avast-home.html and save it to your HDD, somewhere you can find it again. Use that when you reinstall. Ensure that you scroll down and select the avast direct download link for the English version and not Cnet as that is for an on-line installation (not what you want to do).

Download the avast! Uninstall Utility, find it here and save it to your HDD.

    1. Now uninstall (using add remove programs, if you can’t do that start from the next step), reboot.
    2. Run the avast! Uninstall Utility, reboot. If step 1 failed it may be necessary to run this from safe mode, once complete reboot into normal mode.
    3. Install the latest version, reboot.

It wouldn’t repair, I uninstalled it, I did a clean install, it worked about a day and then back to the red circle/slash. I did all this for a week before posting here. There is no solution. Should I burn my computer?

What operating system and service pack level are you running?

If you can answer my question that may help us.
Have you recently added another security application or has your system changed in any way just prior to this ?

Short of that we would have to ask what the previous AV was (I know it was a long time ago) and see if we can’t root out any possible remnants?

I had the same thing warmerwagen described happen to me last night. I went through the steps of checking to make sure Avast was set on automatic (it was but wasn’t running), I attempted to start it but it wouldn’t, I repaired it and it lasted for several minutes, then the whole process started again. I just did it again ten minutes ago. I see that something called Antivirus Pro 2010 installed itself on my laptop last night, which I assume started this problem. I have tried to remove it using the add/remove program but it seems to have locked up and isn’t responding. I assume there are some hidden files that will need to be dealt with. I am running the Avast home edition and Windows XP. I would appreciate some direction on where to go from here.

Add remove programs is unlikely to remove it, given that this is a rogue application.

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies, they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.

I just attempted to boot up my laptop to try the direction above and it won’t boot up. Every time it gets to the welcome screen, a system shutdown window pops up and starts a 60 second countdown to shut down. It says “initiated by NT AUTHORITY\system” and the message says “The system process C:\WINDOWS\system32\services.exe terminated unexpectedly with status code -1073741482. The system will now shut down and restart”. And it does repeatedly!

Looks like you have not kept your system up to date and are suffering the possibility of a Blaster or Sasser infection:
http://www.pcreview.co.uk/forums/thread-171029.php
http://forums.techguy.org/malware-removal-hijackthis-logs/692317-solved-shutdown-initiated-nt-authority.html

Try booting into safe mode http://www.pchell.com/support/safemode.shtml

You could also download these and burn to a CD on a working/clean system and you can install MBAM in safe mode and run a scan in safe mode.

I was able to startup in safe mode and download both the files but neither seems to want to run in safe mode. Any suggestions on what I might check?

Well I don’t believe SAS will (or isn’t designed to) install in safe mode, which is why I didn’t suggest doing that, but MBAM is meant to be able to install in safe mode and certainly should be able to run in safe mode.

There is a possibility you have malware that also runs in safe mode.

Have you read the second link YoKenny gave ?

You could also try DrWeb CureIt! - See http://www.freedrweb.com/cureit/ - Download ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe (Free) Fairly effective against file infectors, Virut (infects .exe, .scr, .mp3 & .wmv), more so when used in safe mode.

DrWeb also do a Live CD if you are unable to get into your system see, http://www.freedrweb.com/livecd/?lng=en, documentation ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf. This may be a better option to run the live CD version outside of windows so it may have a better chance of success.

After I sent my last message, I went back into regular mode, and was able to run the SAS scan. I downloaded the mbam file and attempted to run it, but midway through, it stopped and wouldn’t allow me to access it again. I’ll try to reload and run the mbam again after I send this. I have all the suspect files listed below quarantined but was afraid if I reboot now I may lose some files I need to save. Here are the SAS results:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/10/2009 at 08:44 PM

Application Version : 4.28.1010

Core Rules Database Version : 4085
Trace Rules Database Version: 1978

Scan type : Quick Scan
Total Scan Time : 00:16:46

Memory items scanned : 517
Memory threats detected : 1
Registry items scanned : 611
Registry threats detected : 8
File items scanned : 9230
File threats detected : 93

Trojan.Unclassified/BraviaX
C:\WINDOWS\SYSTEM32\BRAVIAX.EXE
C:\WINDOWS\SYSTEM32\BRAVIAX.EXE
[braviax] C:\WINDOWS\SYSTEM32\BRAVIAX.EXE
HKU\s-1-5-21-3457135837-99430031-1591245725-1006\Software\Microsoft\Windows\CurrentVersion\Run#braviax [ C:\WINDOWS\system32\braviax.exe ]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#braviax [ C:\WINDOWS\system32\braviax.exe ]

Rootkit.Cloaked/Service-GEN
HKLM\system\controlset001\services\d250ed6e
C:\WINDOWS\SYSTEM32\DRIVERS\D250ED6E.SYS
HKLM\system\controlset003\services\d250ed6e

Adware.Tracking Cookie

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount

Rogue.XP AntiSpyware2009-Trace
C:\WINDOWS\system32_scui.cpl

Rogue.XP AntiSpyware 2009
HKU\s-1-5-21-3457135837-99430031-1591245725-1006\Control Panel\don’t load#wscui.cpl [ No ]

Trojan.Dropper/Gen
C:\DOCUMENTS AND SETTINGS\HENRY\LOCAL SETTINGS\TEMP~.EXE
C:\WINDOWS\SYSTEM32~.EXE
C:\WINDOWS\Prefetch~.EXE-10AA984B.pf

Trojan.Agent/Gen-FakeDrop[BraviaX]
C:\UDTCNN.EXE

Rootkit.Agent/Gen-UAC
C:\WINDOWS\SYSTEM32\DRIVERS\UACD.SYS

The cookies as I said are no issue at all.

The other detections all seem to be valid given their locations, they are trying to make out that they are system files when they aren’t.

See http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-ff&search=BRAVIAX.EXE

This is I believe the major one causing the problem by masking all the others, etc.
Rootkit.Agent/Gen-UAC
C:\WINDOWS\SYSTEM32\DRIVERS\UACD.SYS

This file name is associated with trojan activity, it isn’t a system file.

The ~.exe is equally suspect, so I doubt that a reboot would cause the same kind of problems you had before. At some point in time you are going to have to reboot.
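A way to sort a SUPERAntiSpyware log like the one posted above so that driver and service entries come first and cookies last, as an added example that is not part of the original thread. The priority numbers and rule labels are assumptions chosen to mirror the reply above; `ntstatus_hex` converts the signed decimal code from the shutdown dialog into the hex form that support sites index by.

```python
import re

# Excerpt of the SUPERAntiSpyware log posted above (cookie list cut to one line).
SAMPLE_LOG = r"""
Trojan.Unclassified/BraviaX
C:\WINDOWS\SYSTEM32\BRAVIAX.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#braviax [ C:\WINDOWS\system32\braviax.exe ]

Rootkit.Cloaked/Service-GEN
HKLM\system\controlset001\services\d250ed6e
C:\WINDOWS\SYSTEM32\DRIVERS\D250ED6E.SYS

Adware.Tracking Cookie
c:\documents and settings\henry\cookies\henry@doubleclick[1].txt

Rootkit.Agent/Gen-UAC
C:\WINDOWS\SYSTEM32\DRIVERS\UACD.SYS
"""

# (label, priority, pattern); lower number = review first (assumed ordering).
RULES = [
    ("kernel driver", 0, re.compile(r"\\drivers\\[^\\]+\.sys$", re.I)),
    ("service key", 0, re.compile(r"^HK\w+\\system\\[^\\]+\\services\\", re.I)),
    ("autorun value", 1, re.compile(r"\\CurrentVersion\\Run#", re.I)),
    ("tracking cookie", 9, re.compile(r"\\cookies\\", re.I)),
]

def classify(item):
    """Return (label, priority) for one logged path or registry key."""
    target = item.split(" [ ")[0].strip()  # drop the trailing "[ value ]"
    for label, prio, pat in RULES:
        if pat.search(target):
            return label, prio
    return ("registry", 2) if target.upper().startswith("HK") else ("file", 2)

def triage(log_text):
    """List of (priority, detection, label, item), most urgent first."""
    rows = []
    for block in re.split(r"\n\s*\n", log_text.strip()):
        name, *items = [ln.strip() for ln in block.splitlines() if ln.strip()]
        for item in items:
            label, prio = classify(item)
            rows.append((prio, name, label, item))
    return sorted(rows, key=lambda r: r[0])  # stable: log order kept per tier

def ntstatus_hex(signed_code):
    """Windows dialogs show NTSTATUS as signed decimal; searches need hex."""
    return "0x%08X" % (signed_code & 0xFFFFFFFF)

if __name__ == "__main__":
    for prio, name, label, item in triage(SAMPLE_LOG):
        print(prio, label.ljust(15), name, "|", item)
    print(ntstatus_hex(-1073741482))
```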

I did reboot and then performed another scan. It seems that SAS has cleaned all those files out but the startup problem copied below persists. I’ve looked on Microsoft’s support site but so far haven’t located anything with the same status code.

(Every time it gets to the welcome screen, a system shutdown window pops up and starts a 60 second countdown to shut down. It says “initiated by NT AUTHORITY\system” and the message says “The system process C:\WINDOWS\system32\services.exe terminated unexpectedly with status code -1073741482. The system will now shut down and restart”. And it does repeatedly!)

Another thing I’ve noticed while chasing down this problem is that the Avast system isn’t starting up automatically when I boot up. I have always had it set up to start and update automatically; something seems to be preventing that from happening. I’m wondering if that allowed this virus to get in or if the virus caused this problem also. I found the info below in the FAQs and have repeated the procedure all the way through “repair” at least 5x in the last 24 hrs and every time I reboot it is back to the previous condition.

Q: There’s a red circle on avast! a-ball icon in system tray and when I click on it, the error message appears saying “the AAVM subsystem detected a RPC error”. How to fix this?

A: First, use Windows Update to be sure that all Windows components (including “RPC”) are up to date. Then restart your computer and check if the problem persists. If it persists, follow these instructions:
Right-click the icon MY COMPUTER and select MANAGE.
In left column unroll SERVICES AND APPLICATIONS.
Click on SERVICES.
In the right column, look at the state of service avast! Antivirus.
If the service isn’t set to start automatically, set it that way (right-click it and select PROPERTIES and the STARTUP TYPE set to AUTOMATIC). Restart the computer after making the change.
If it was already set to “Automatic”, check the status of the service. If it is not “Started”, try to start it (right-click it and select START).
If the service cannot be started, your avast! installation might be corrupted. Try repairing the avast! installation: click START → CONTROL PANEL → ADD/REMOVE PROGRAMS → avast! Antivirus → CHANGE/REMOVE and select REPAIR.
This solution works on Windows NT, 2000, XP and 2003 only.

I finally got connected to support at Microsoft and they determined I have a rootkit virus. They are taking it to level 2 and will be contacting me by phone to work through it.

Hi, read my thread here.
http://forum.avast.com/index.php?topic=48584.0
Do a file repair of Windows: go to Run, type cmd, press Enter, then in the command window type sfc /scannow. It will ask you for your Windows CD; I put mine in and it still asks for it 1000 times, just keep clicking retry or cancel.
Also check the boot loader in Control Panel/System/Advanced/Startup and Recovery.
If it has things missing from it or is blank you will have problems and will need to replace the text.