Can't enable system boot scan

I follow instructions, right click on the avast symbol in task bar and go to “Start “avast” Antivirus”, but nothing comes up. http://www.digitalred.com/avast-boot-time.php

Do you have (or did you have) another anti-virus installed on this system? If so, what was it and how did you get rid of it?

What other security based software do you have installed ?

What happens if you run C:\Program Files\Alwil Software\Avast4\ashSimpl.exe directly?

That worked!! Thanks a lot David! I was able to launch avast with the ashSimple.exe directly from its folder. Now to just run the bootscan and see what it comes up with.

I used to have kaspersky and I just uninstalled it.

What happened was I accidentally clicked on a wrong file once :P, and it was some weird virus that didn’t let me use Kaspersky or install any new antivirus software, all except avast ;), so it got me up and running, but I think I still have some issues, so I want to do a deep scan.

Download and Run this utility to remove all traces of Kaspersky from the registry:
http://support.kaspersky.com/faq/?qid=208279463. You might want to print the instructions on the page for use off-line.

Once you have done that try using the “Start “avast” Antivirus” option again and see if it works.

If not try a repair of avast. Add Remove programs, select ‘avast! Anti-Virus,’ click the Change/Remove button and scroll down to Repair, click next and follow. This has in the past resolved this out of sync issue between reported and actual VPS version.

  1. In bootscan, avast found one Windows file that was infected with a virus. I deleted it (sorry for not writing down its name though), and Windows launched and went to the page that validates Windows. It said I have valid Windows and let me proceed.

However I still couldn’t launch Avast from the taskbar. Also, I downloaded adware and Trend Micro’s HouseCall to see if those would work. They didn’t.

  2. I tried the Kaspersky removal tool, but it said no Kaspersky to remove here.

  3. I repaired Avast through the uninstall feature in control panel, like you said. And now I can launch avast from the task bar, and I can use HouseCall and Adware and all seems to be good.

Windows used to crash during launch half the time, but now it is working fine every time.

Thanks David!!

Deletion isn’t really a good first option (you have none left). ‘First do no harm’: don’t delete, send the virus to the chest and investigate.

Check the C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt using notepad, as that should contain information on the files, locations and malware names of all detections during the boot-time scan.

There is a possibility that this was no windows file but malware in the windows/system folders, a common tactic.

Hopefully the removal of the file and the avast repair has resolved any problem.

12/10/2009 10:33
Scan of all local drives

File C:\Windows\System32\cngaudit.dll is infected by Win32:Trojan-gen, Deleted
Number of searched folders: 28449
Number of tested files: 198443
Number of infected files: 1

Cngaudit.dll is the virus boot scan found.

Resident protection is disabled, and the avast symbol in the task bar has the stop symbol next to it. When I launch it, Resident protection is disabled, and I can’t enable it.
When I try to turn it on in the Windows Security Center, the error message says, "program cannot activate shield part(standard shield provider not found)".

Whilst that file name is a legit windows file name there is no guarantee of that as it is common that malware uses the same file name but locates it in a different folder to the real one.

A search of my XP Pro OS doesn’t find any occurrence of this file, Cngaudit.dll.
What is your OS?
So depending on your OS it is possible this file could also be legit and that is why deletion is so dangerous.

This file name is also associated with malware that uses rootkits to prevent or make removal difficult.

Given that, it is possible that the boot-time scan could get in before the rootkit has a chance to protect it. However, the other symptoms are also pointing at the possibility that avast may have been disabled.

Try a repair of avast. Add Remove programs, select ‘avast! Anti-Virus,’ click the Change/Remove button and scroll down to Repair, click next and follow.

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. See http://en.wikipedia.org/wiki/HTTP_cookie.

It is possible that these too might be disabled if my above suspicion is proven correct.

Anti-Malware found 4 things infected and successfully removed them. After I restarted my computer, avast is now up and running. All seems to be good for now.

Malwarebytes’ Anti-Malware 1.42
Database version: 3348
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

12/12/2009 1:16:57 AM
mbam-log-2009-12-12 (01-16-39).txt

Scan type: Quick Scan
Objects scanned: 97948
Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) → No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Tasks{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) → No action taken.
C:\Windows\Tasks{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) → No action taken.

Encountered a problem installing SuperAntiSpyware Free Edition. It said Error 1321. Windows Installer has insufficient privileges to modify this file: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe. I ignored it to finish the install, but then when I ran the program it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Oh, and I have Windows Vista 32-bit.

Anti-Malware found 4 things infected and successfully removed them.

No, your log says “No action taken”. You have to scan again and, when it finishes, click on the “remove selected” button; this will move the infections to quarantine.

HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) → No action taken.
C:\Windows\Tasks{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) → No action taken.
C:\Windows\Tasks{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) → No action taken.
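Added example (not part of any post in this thread): a short Python parser for the Malwarebytes log format shown above that lists detections whose action is “No action taken” and checks the itemised entries against the summary counts. The function names are illustrative, and the sample input is an excerpt of the log posted earlier in the thread.

```python
import re

# Sample input: excerpt of the detection sections of the log posted in this thread.
SAMPLE_LOG = r"""Registry Keys Infected: 2
Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) → No action taken.

Files Infected:
C:\Windows\Tasks{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) → No action taken.
C:\Windows\Tasks{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) → No action taken.
"""

SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<object> (<detection name>) -> <action>." ; the arrow may be "->" or "→"
ITEM = re.compile(r"^(?P<obj>.+) \((?P<name>[^()]+)\) (?:->|→) (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (summary_counts, detections) from a log in the format above."""
    counts, detections, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SUMMARY.match(line):
            counts[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif section and (m := ITEM.match(line)):
            detections.append({"section": section, "object": m["obj"],
                               "name": m["name"], "action": m["action"]})
    return counts, detections

def unresolved(detections):
    """Detections the scanner reported but did not quarantine or delete."""
    return [d for d in detections if d["action"].lower() == "no action taken"]

def count_mismatches(counts, detections):
    """Sections whose summary count differs from the itemised entries."""
    seen = {}
    for d in detections:
        seen[d["section"]] = seen.get(d["section"], 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in counts.items() if n != seen.get(s, 0)}

if __name__ == "__main__":
    counts, dets = parse_mbam_log(SAMPLE_LOG)
    for d in unresolved(dets):
        print(f"STILL PRESENT [{d['section']}] {d['object']} ({d['name']})")
    print("count mismatches:", count_mismatches(counts, dets))
```

Run against this log, all four detections are reported as still present, which matches the reply above: the scan found them but nothing was removed.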

Got SuperAntispyware up and running, here is what the quick scan found.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/13/2009 at 06:25 PM

Application Version : 4.31.1000

Core Rules Database Version : 4365
Trace Rules Database Version: 2207

Scan type : Quick Scan
Total Scan Time : 00:24:48

Memory items scanned : 648
Memory threats detected : 0
Registry items scanned : 454
Registry threats detected : 0
File items scanned : 31129
File threats detected : 5

Adware.Tracking Cookie
C:\Users\CountDuku\AppData\Roaming\Microsoft\Windows\Cookies\countduku@statse.webtrendslive[2].txt
C:\Users\CountDuku\AppData\Roaming\Microsoft\Windows\Cookies\countduku@apmebf[1].txt
C:\Users\CountDuku\AppData\Roaming\Microsoft\Windows\Cookies\countduku@mediaplex[1].txt

Rogue.Agent/Gen-Nullo[DLL]
C:\WINDOWS\SYSTEM32\ASPRTMM8.DLL

Trojan.Agent/Gen-FSG
D:\D\PROJECTS\ZTUTSNSTUFF\PIXOLOGIC ZBRUSH 3.1 UPDATE + KEYGEN\KEYGEN.EXE

All seems to be perfect now. Running MalwareBytes Anti-Malware and SuperantiSpyware finished the job!!!

Thanks for all your help

Count Duku

You’re welcome.