Laptop freezes when 75% through full Avast scan on C:\WINDOWS\Installer\156...

Help! I hope someone can help me fix this problem.
Every time I do a Full System Scan with Avast, it freezes at C:\WINDOWS\Installer\156…etc.
I have to hold down the on/off button, then reboot.

hey and welcome to the forum.

we need a bit more information from you to be able to help you.

what os you using?
what version of avast you using? free/pro/suite
what version of avast are you using? 7.0…?

have you tried a quick scan so you get the same problem?

Hi there. I am using Windows XP.
I have been using the latest free Avast but thought I would trial the latest Avast Antivirus for a few days.
Unfortunately, nothing has changed, still have the same problem when scanning.
The quick scan is fine…no problem there.
Hope you can help.
Cheers

hey again I’m not sure, but according to Norton if you can trust them the file C:\WINDOWS\Installer\156 should be a malware

http://community.norton.com/t5/Norton-Internet-Security-Norton/Trojan-Zeroaccess-B-Trojan-Gen-2-QUADS-please-help/td-p/745640.

If it is, best to be on the safe side.
Please follow this guide and attach your logs a a malware expert will guide you from there.

http://forum.avast.com/index.php?topic=53253.0.

Hi there,
Many thanks for your instructions.
Here is the log attached:
Database version: v2012.09.03.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Judy :: NUNU [administrator]

Protection: Enabled

4/09/2012 10:53:22 a.m.
mbam-log-2012-09-04 (10-53-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 239051
Time elapsed: 20 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 46
HKCR\CLSID{8a7d2060-824d-4b17-b00a-759b1b5f30d9} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\CLSID{a0154e07-2b48-475c-a82a-80efd84ea33e} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{A0154E07-2B48-475C-A82A-80EFD84EA33E} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{A0154E07-2B48-475C-A82A-80EFD84EA33E} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\CLSID{ab56dfde-0c14-45b3-9df6-7b0eba617870} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{AB56DFDE-0C14-45B3-9DF6-7B0EBA617870} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{AB56DFDE-0C14-45B3-9DF6-7B0EBA617870} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\CLSID{df22384f-cf68-4d19-969f-10423715528b} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{DF22384F-CF68-4D19-969F-10423715528B} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{DF22384F-CF68-4D19-969F-10423715528B} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.DynamicBarButton (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.DynamicBarButton.1 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.FeedManager (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.FeedManager.1 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.HTMLMenu (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.HTMLMenu.1 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.HTMLPanel (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.HTMLPanel.1 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.MultipleButton (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.MultipleButton.1 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.PseudoTransparentPlugin (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.PseudoTransparentPlugin.1 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.Radio (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.Radio.1 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.RadioSettings (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.RadioSettings.1 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.ScriptButton (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.ScriptButton.1 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.SettingsPlugin (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.SettingsPlugin.1 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.SkinLauncher (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.SkinLauncher.1 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.SkinLauncherSettings (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.SkinLauncherSettings.1 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.ThirdPartyInstaller (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.ThirdPartyInstaller.1 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.UrlAlertButton (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.UrlAlertButton.1 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.XMLSessionPlugin (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCR\TotalRecipeSearch_14.XMLSessionPlugin.1 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCU\Software\TotalRecipeSearch_14 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKLM\SOFTWARE\TotalRecipeSearch_14 (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TotalRecipeSearch_14bar Uninstall (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKLM\SOFTWARE\MozillaPlugins@TotalRecipeSearch_14.com/Plugin (PUP.MyWebSearch) → Quarantined and deleted successfully.

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{A0154E07-2B48-475C-A82A-80EFD84EA33E} (PUP.MyWebSearch) → Data: aN H+\G¨*€ïØN£> → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser{A0154E07-2B48-475C-A82A-80EFD84EA33E} (PUP.MyWebSearch) → Data: → Quarantined and deleted successfully.
HKLM\SOFTWARE\Mozilla\Firefox\Extensions|14ffxtbr@TotalRecipeSearch_14.com (PUP.MyWebSearch) → Data: C:\Program Files\TotalRecipeSearch_14\bar\1.bin → Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) → Bad: (1) Good: (0) → Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

hey and the other logs is needed plaese follow the guide to the end i posted in my previous post.

Hi. Sorry I hope I have done what I am supposed to this time. It’s hard to understand some of this stuff from a mere (non-geek) mortal.
Please bear with me. I appreciate your help.
Thanks

hey np you have provide the nessacery logs for a malware expert. i will send pm now to one of them so they could jion this thread.

Thanks!

Hi nothing jumps out at me from that log so I will look in the installer folder to see what is there

But first

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete

https://dl.dropbox.com/u/73555776/AdwCleaner.GIF

Once done it will ask to reboot, allow this
On reboot a log will be produced please attach that

THEN

[*]Run OTL.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
C:\WINDOWS\Installer /s
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

Hi Essexboy.
Many thanks for helping me - I really appreciate it.
Here are the 3 logs you require (attached).
Cheers.

Nothing untoward there could you run another scan to see if the problem still exists

Hi there…I just ran another Avast Full System Scan and at 1 hr:49 minutes it stopped scanning at C:\WINDOWS\Installer\156db06.msp
I just happened to see it happen. Always about 75% off the way through the scan and always stops at C:\WINDOWS\Installer\156…etc.
Hmmmm…what do we do now?
Really appreciate your help.
Cheers

OK lets remvoe that from the equation and quarantine it … Once done then retry the scan

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
C:\WINDOWS\Installer\156db06.msp

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered.

Hello.
Is there anything missing from your instructions and/or is your screen-print exactly as it should be…because I followed your instructions explicitly and I don’t think anything happened as it was super quick and didn’t need to re-boot? Attached is the log that came up within 30 seconds.
Look forward to your reply.
Cheers

Sorry - forgot to add that when my laptop freezes during Avast Full Scan, it is always at C:\WINDOWS\Installer\156… followed by different numbers. Last time it froze at …\Installer\156db06.msp, but other times it has been…156dac1.msp and other numbers after 156? Just had to clarify for you.
Many thanks - I appreciate your help.

Ah you spotted my error :-[

Could you run this script

C:\WINDOWS\Installer\156db06.msp[/b]

Hellooo. I opened OTL and followed your new instructions and here is log attached.
Cheers

Hi. Just ran another Avast Full System Scan to check…and indeed…my laptop froze up as per usual, this time at WINDOWS\Installer\156db96.msp. Had to hold down on/off button to close down and then had to restart.
Bye for now.

The file there is not malicious, but I would not recommend excluding the installer folder from the scan though I will need to have a thunk about this