Avast 5.0.594 Pro version on Dell Optiplex with XP SP3

For the last few days the pc has been slower than ususal to start and shut down

Avast appears to be working normally and seems to update normally. It Claims PC is secure.

Today I went to do a routine full scan after update.

The Avast control centre took about 3 minutes to open and the scan never started.

It was also very reluctant to close the program.
Tried restarting and as both administrator and limited user.

Any ideas please.

Did your Dell come with an AV pre-installed, if so what was it and how did you get rid of it ?

What other security software do you have installed, anti-spyware, firewall, etc. ?

The Dell is an optiplex GX270 with 1G RAM

The Windows installation was clean from a Dell XPpro CD, within the last 6 months and fully updated.

No other AV has been loaded, I didn’t include the Dell rubbish in the reinstallation.

The only firewall is Windows FW.

I did try combofix today (Avast turned of for 1 hour quite smartly to do this on right clicking)
Nothing was found; Avast still won’t load or scan.

Try a repair of avast. Add Remove programs, select ‘avast! Anti-Virus,’ click the Change/Remove button and scroll down to Repair, click next and follow. Reboot.

If that doesn’t resolve it there may be some corruption in the installation so a clean reinstall would be advised:
Download the latest version of avast, 5.0.594 http://files.avast.com/iavs5x/setup_av_free.exe and save it to your HDD, somewhere you can find it again (if you didn’t save your last download). Use that when you reinstall.

• Download the avast! Uninstall Utility, aswClear5.exe find it here and save it to your HDD (it has uninstall tools for both 4.8 and 5.0).
• 1. Now uninstall (using add remove programs, if you can’t do that start from the next step), reboot.- 2. run the avast! Uninstall Utility from safe mode, first for 4.8 if previously installed and then for 5.0, once complete reboot into normal mode.- 3. install the latest version, reboot.

OK I will try that, but why download the free version, when mine is the paid for pro?

You have not heard of a recent XP udate that might cause this?
I have heard of several problems experienced by people with MSE on XP, just recently.

Sorry though you were using the free version, here is the direct link for the Pro version - http://files.avast.com/iavs5x/setup_av_pro.exe

Well I tried ’ repair’ as directed.
It chuntered for 90 seconds, declared Avast to be repaired

But no difference was observed. It still hung on opening the Avast control window.

I then uninstalled and reinstalled Avast as directed.

The install part went well - the usual lightning install no problem.

However

But no difference was observed. It still hung on opening the Avast control window.

Since I had to kill Avast from the task manager I had no AV running so I checked Windows update was fully up to date - it is.

After the restart Avast is still behaving the same - shield protection appears to be functioning, but I can’t open the scan window and scan.

What now Boss?

I’m at a loss as this I haven’t come across as anything like this is usually a conflict of some sort involving a previous AV and we have covered that option.

I don’t want to try to teach you to suck eggs or insult your intelligence, but did you also run the avast uninstall utility from safe mode ?

What happens if you try to run avastUI.exe directly from the avast5 folder ?

Exactly the same running avastui.exe from the alwil folder.

No, you are not insulting me, (you can as much as you like if you can solve this), You are also welcome to remotely look around the pc if you like.

Everthing else works normally.

I have had Avast since I got rid of Norton on my last Dell in 2005 and been very pleased with it. I have recommended it to many others, but never seen anything quite like this before either.

I will try and attract some avast software attention to this problem as it is beyond my personal knowledge/experience.

studiot,

We can’t remotely look around your machine, but just to be sure we are not dealing with malware, check your computer for malware with Malwarebytes’ Anti-Malware (MBAM). If you do not already have this installed on your machine:
· Download free http://www.malwarebytes.org/ for an on-demand scanner.
· Double Click mbam-setup.exe to install the application.
· After install, click update so you have latest database before scanning.
· Under Settings:
o General: Automatically Save File After Scan Completes is checked off
o Scanner Settings: Check all boxes
o Updater: Download and install update if available is checked off
· Once the program has loaded, select “Perform FULL Scan”, then click Scan.
· The scan may take some time to finish, so please be patient.
· When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
· Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
· The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
· Copy & Paste the entire report in your next reply.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts – Click OK to either and let MBAM proceed with the disinfection process; If asked to restart the computer, please do so immediately.

Well below is the MBAM report.

First off the MBAM scan froze after 10 minutes at

c:\docs&settings\somerset.daisy\appdata\sun\java\deployment\systemcache\6.0\29\2d9f109d-7eafac72.idx

Now java updates have been nagging for a while, but haven’t succeeded because I normally run as limited user. However for this exercise I had temporarily upgraded to administrator.

After restart I updated java and re-ran MBAM, which went very quickly unlike Avast.

This time no problem, scanned all 3 drives.

Two false positives were listed

Keyfinder on the work drive
and
x.exe on the system drive in somerset.daisy (as the java problem), which it called trojan.avkill.

Now somerset.daisy is not an active user, just a copy of user data from an old computer.

However I removed x.exe and x.log, which seems to be associated with ‘my connection pc lite’
Since this program was an expired trial I also uninstalled it.

I also checked the registry, but there was nothing calling x.exe.

I also tried to call avastui from the run box, but it was no better.

With all this the problem with the Avast scan remains the same.

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4451

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/08/2010 10:41:43
mbam-log-2010-08-20 (10-41-43).txt

Scan type: Full scan (C:|D:|W:|)
Objects scanned: 212379
Time elapsed: 35 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
W:\Eric\kf151\keyfinder.exe (Application.FindKey) → No action taken.
C:\Documents and Settings\somerset.DAISY\x.exe (Trojan.KillAV) → No action taken.

Although no one has asked here is a hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 16:57:54, on 20/08/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\BUFFALO\NASNAVI\nassvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Studiot\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = “C:\Program Files\Outlook Express\msimn.exe”
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [Adobe ARM] “C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe”
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Common Files\Java\Java Update\jusched.exe”
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265618991859
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NAS PM Service (NasPmService) - BUFFALO INC. - C:\Program Files\BUFFALO\NASNAVI\nassvc.exe

Why do you think that this is a FP? Since these items are not in quarantine, please run an OTL log:

OTL is currently our primary tool for searching key areas of the registry and other system locations for the telltale signs of malware. It generates a comprehensive log, and offers an initial diagnosis.

Important note: HijackThis has been replaced by OTL in this guide. Since being acquired by TrendMicro, HijackThis has not been regularly updated. Many infections are now able to hide partly, or completely from a HijackThis scan. It includes all the scan locations of HijackThis and more. It’s not only a more comprehensive scan tool, but also offers more powerful removal features.
Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Check the box that says [b]Scan All Users[/b]
* Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%*.*
%systemroot%\Fonts*.com
%systemroot%\Fonts*.dll
%systemroot%\Fonts*.ini
%systemroot%\Fonts*.ini2
%systemroot%\Fonts*.exe
%systemroot%\system32\spool\prtprocs\w32x86*.*
%systemroot%\REPAIR*.bak1
%systemroot%\REPAIR*.ini
%systemroot%\system32*.jpg
%systemroot%*.jpg
%systemroot%*.png
%systemroot%*.scr
%systemroot%*._sy
%APPDATA%\Adobe\Update*.*
%ALLUSERSPROFILE%\Favorites*.*
%APPDATA%\Microsoft*.*
%PROGRAMFILES%*.*
%APPDATA%\Update*.*
%systemroot%*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu*.lnk /x
%systemroot%\system32\config\systemprofile*.dat /x
%systemroot%*.config
%systemroot%\system32*.db
%PROGRAMFILES%\Internet Explorer*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch*.lnk /x
%USERPROFILE%\Desktop*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

* Click the [u]Run Scan[/u] button. Do not change any settings unless otherwise told to do so. The scan wont take long.
      o When the scan completes, it will open two notepad windows. [b]OTL.Txt[/b] and [b]Extras.Txt[/b]. These are saved in the same location as OTL (desktop).
      o [b]Post both logs at an [u]Attachment[/u][/b] to your next post.

Thank you.

Here are the scans.

I notice that avastui.exe was listed as already running. Is this correct or is the system somehow trying to open a second copy when I try to scan?

I am referring you to our Certified Malware Expert, Essexboy. I’m not sure if he will be checking in over the weekend or not. He will respond to you and ask you additional questions and give you further instructions in this thread. Please look for his posts and I will monitor in the background.

In the meantime, please to not make any additional changes to your system (other than doing your normal Avast definitions update) or you will be required to repeat the steps you have already taken (MBAM and OTL). Thank you very much.

Thank you.

I will await developments.

You’re welcome.

Hi I see you have run Combofix - could I see the log please - it is at C:\combofix.txt

Here is the combofix log from a few days ago.