(infection?) Avast AV 8 Crashes on SVC scan

Avast Free Antivirus 8.0.1483
Virus definitions 130425-0
Windows XP

When performing a Full System Scan with default settings, Avast consistently crashes on my machine while on this step:

Processed file: SVC: {66B65111-D27B-4B82-86E0-682EF9C8A768} > ? ? ?

The error:

AvastSvc.exe - Application Error
The instruction at “0x7c910f1e” referenced memory at “0x00000000”. The memory could not be “read”.
(OK/Cancel)

Other malware scanners give this machine a clean bill of health (MBAM, HitmanPro) but this is awfully suspicious, and I was getting Avast blocking warnings last night while browsing–which is what prompted the scan in the first place.

Any thoughts on what might be going on here?

Attach OTL and aswMBR diagnostic logs:

http://forum.avast.com/index.php?topic=53253.0

Here you are.

Note that although there is a boatload of malware-fighting equipment showing up, this is my only support post on this topic on any forum.

Thank you for checking them out.

malware specialist notified, should be online soon…

I see you have recently run Combofix; could you attach the log, please?

(update–grabbed the wrong files, one moment…)

Here we are.

Essexboy is in bed now…check back tomorrow :wink:

Could you temporarily disable the drivers for Vbox and see if the scan runs through then?

I disabled the VirtualBox network driver in the Network control panel and re-ran the scan. Similar result, although this time the crash was on

SVC: WZCSVC > C:\Windows\System32\svchost.exe

Same information in the crashbox, though:

AvastSvc.exe - Application Error
The instruction at “0x7c910f1e” referenced memory at “0x00000000”. The memory could not be “read”.
(OK/Cancel)

If we need to go deeper into stripping away VirtualBox, we can, but you may need to give me more specific guidance on that point.

Could you upload the dump files to ftp.avast

Windows Key + R (to get the run box), copy and paste explorer “ftp://ftp.avast.com/incoming” (without the quotes) and drag the file into the window, from another explorer window.

I will alert Avast to the incoming dump files as it is a memory reading error

Of course, now that I’ve turned Dr. Watson on, it ran just fine. (and had zero hits.)

I will re-run to try to reproduce the error (which was happening over and over again before!)

In the meantime, do my logs appear clear to you?

So turning on Dr Watson cleared the problem?

Yes, the logs looked clean.

I don’t think it actually cleared the problem, it just behaves differently now. What seems to be happening now is that it gets stuck on a SVC, and then does one of two things:

  • Thinks for a minute, then simply terminates the scan saying “complete” (but only having checked about 8 GB or so.) This happened the first time.

  • Thinks endlessly about the same service, making no progress. Right now it has been on SVC: WmiApRpl > ? ? ? for about 12 minutes and counting. (It is also at the 8.0 GB mark this time.)

Either way it does not seem like the scan is performing as intended, but I don’t know how to provide more information to Avast if it won’t actually crash. Can we turn on some sort of internal debugging mode in the AV app and send that in to them?

You can generate a package…

Open Avast and select Support > Generate support package
Leave at the default settings
Once done tick the Send to Avast box
Update Avast and that will then upload the package