My wifes computer was infected with the “windows security essentials” trojan. I ran malwarebytes and removed what I could find. I uninstalled Avast using the unistaller and rebooted several times in regular and safe mode.

When i try to install the new version a message pops up mid installation saying:

Setup has detected another program that requires your computer to reboot. You must reboot the computer before installing avast. Once the system is rebooted, you must restart setup. If you continue avast may not work correctly.

I have tried to reboot and i get the same message. I have continued and installed and Avast does not operate.

Does anyone have some advice??

I suggest an installation from scratch:

1. Download the latest version of avast! Uninstall Utility and save it.
2. Download the latest avast! version and save it.
3. Uninstall avast from Control Panel (if possible). If, for any reason, you can’t run it, try booting in Safe Mode and doing it from there. Anyway, boot after that.
4. Run the avast! Uninstall Utility saved on 1. If, for any reason, you can’t run it, try booting in Safe Mode and doing it from there. Anyway, boot after you’ve run it.
5. Install avast! using the setup saved on 2. Boot.
6. Register your free copy or add the license key for Pro.
7. Check and post the results.

Then I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spywares and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or this analysis site. Or even submit the RunScanner log to to on-line analysis.
6. Clean your Hosts file (replacing it) with HostsMan tool.
7. Disable System Restore and then reenable it again.
8. Immunize your system with SpywareBlaster.
9. Check if you have insecure applications with Secunia Software Inspector.

Thanks for the quick reply.

I actually saw your advice posted to another person with a similar problem. I followed your steps and I still am getting that error message.

Hmmm…
Did you have any other antivirus before avast?
Did you run the avast uninstall tool?

yes, the machine had antivir on it.

Have you tried running Avira removal tool and then try Tech suggestion again ?

you can find it here http://uninstallers.blogspot.com/

Guys, I have tried everything I can think of here and it’s just not going through…urrrgh.

I wonder if you still have remnants of the Windows Security Essentials Fake. Have you tried Malwarebytes, SuperAntispyware or DrWeb CureIT that were recommended by Tech? Make sure that they are fully updated before scanning. You may still have registry entries of WSE Fake.

Have you tried running MSCONFIG to see what programs are starting up? Are there any programs starting that you do not recognize?

Yes, I have run malwarebytes quite a few times in safe mode with networking. I will download and run spyware dr. and drweb cureIT and will post with my findings.

I will also run msconfig and post the programs that are running.

Here is the Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:11:48 PM, on 11/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Common Files\Java\Java Update\jusched.exe”
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nmctxth] “C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe”
O4 - HKLM..\Run: [nmapp] “C:\Program Files\Pure Networks\Network Magic\nmapp.exe” -autorun -nosplash
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [LELA] “C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe” /minimized
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\RunOnce: [Malwarebytes’ Anti-Malware] C:\Program Files\Malwarebytes’ Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

–
End of file - 7792 bytes

I see that AVG link scanner has been installed at some time. Have you tried running AVG’s removal tool?

No, should I try that also?

just ran AVG removal…still same problem

Below is what I would try. Kind of having doubts though.

1. Need the HiJack log to be with windows started normally. (not in safe mode)

2. Definitely upgrade Internet Explorer from 7 to 8.

3. All previous antivirus has been removed using uninstall tool.

4. I personally wouldn’t have Viewpoint on my computer.

5. Run SuperAntispyware and DrWebCureit. Make sure that you post ALL things that you have tried and the results so that others will know.

6. Run windows update to make sure it is up to date.

7. Use ccleaner to clean up computer and check for registry errors.
   http://www.piriform.com/ccleaner/download

8. Another free registry cleaner.
   http://www.eusing.com/free_registry_cleaner/registry_cleaner.htm

9. Make sure you use the avast uninstall tool before re-installing avast each time.

10. Are all devices in device manager running properly?

11. You do not have any firewall other than windows firewall do you?

Just to add to the post above:

1. If you need to post a log, please use the attachment feature of the forum post so that your posts are not too long and as public. How to make an attachment: While in the post page > Additional Options > Attach > Browse > Post. This is especially true for Dr.WebCureIt and any OTL logs (which I suggest → you can find here: http://forum.avast.com/index.php?topic=53253.0 under the first post from our certified malware expert, Essexboy.

2. If using CCleaner, there is a Slim version available as well at http://www.piriform.com/ccleaner/builds - 4th option down. If you download the regular version and you do not do a Custom Install, you will accidentally download adware (Ask_Toolbar) if you are not watching what you click as you install. :o The Slim version does the same thing without the toolbar.

Just to confirm, you did run these for the Avira uninstaller:

• Avira RegistryCleaner: http://www.avira.com/en/support-download-avira-registrycleaner
• How to Remove Antivir Antivirus: http://www.pchell.com/virus/uninstallantivir.shtml
• Uninstall Avira Antivir Completely:
  http://www.themisteriosos.com/uninstall-avira-antivir-completely.htm
• Reboot.

If you are running the Avira or any other security uninstaller tool, you should try a repair of Avast first, If this fails, then uninstall/clean install of Avast needs to be done.

Thank you.

Just an update for everyone:

I ran Malware a couple more times, in different modes, found one more infected file after running in normal mode. I got the same popup when I tried to install Avast! again I got the reboot notification, but I installed Avast! anyways… started it up and it actually started to run! Ran a full scan, and then a boot-time scan with nothing found. Doing some CCleaner now and hopefully I’ll be all set. Thanks for the help guys, it was instrumental at getting this thing back up and running.

@ copgtp,

When you ran MBAM or Avast scans and you found something (infection/virus), did you quarantine it or put it in the Virus Chest or do anything else with it?

If you still got the pop-up on installation, even though things appear to be working, my concern is that you still have something (malware) hidden inside your machine.

• Had you uninstalled the previous AV’s prior to installing Avast?
• Did you run Dr.WebCureIt, and what were the results? How about OTL?
• Did you update your software? Here is an easy way to update your software with the free Senunia Software Inspector: http://secunia.com/vulnerability_scanning/personal/ - it will give you the vendor’s direct download link making it easy to install patches if needed. Many of us scan our machines weekly since software changes so often.
• Does your machine appear to be running/acting normally?