Windows issues after Avast removed an infection

Hi all… new to the forums but a long-time Avast user here.

I run a small computer shop, and Avast has been a favorite program of mine for a while.

This past Friday, I had 3 clients, all using Avast 4.8, all experience an issue with Avast detecting an infection. As far as I’m aware, each of these clients chose to remove the infected file, and I’m unable to find the file in the virus chest. After rebooting, they each experienced a variety of Windows problems. I’ll list them to the best of my ability.

  1. Task bar is minimized & Locked. The task bar cannot be unlocked, because the option is grayed out. This happens in safe mode as well as normal.
  2. Internet Explorer will open, but immediately after opening, the program closes. This also happens within safe mode.
  3. Can load Safe Mode, but the system restore malfunctions and states: “System Restore is not able to protect your computer. Please restart your computer, and then run System Restore again.”
  4. I removed hard drive from said computer and used another system with Avast to scan the drive. Avast found that the pagefile.sys file was infected, though did not list the infection. I was able to clean pagefile.sys and Avast did not find it as infected again. This was the only infection found by Avast. I also ran a Super Antispyware scan, which came up clean, and a Malwarebytes scan which found one fake alert that was pretending to be Malwarebytes.
  5. In hopes that the virus damaged Windows and was repairable, I attempted a chkdsk /r to repair the OS files. The repair said it found and repaired issues on the drive but the problem remains. When I attempt to run a Windows Repair install, the system reboots itself. I’ve tried multiple XP SP3 cd’s and a new cd drive.
  6. I’ve tried to install Malwarebytes via Safe Mode with Networking & Normal Windows, and the installation fails stating “Runtime Error ‘372’: Failed to load control ‘vbalGrid’ from vbalsGrid6.ocx. Make sure you are using the version of the control that was provided with your application.”
  7. I now cannot boot the computer into normal windows, but safe mode still boots fine. Each time I try, I get a BSOD w/ the error code 0x0000007E.

I’m hoping that someone else has experienced these problems and that we may be able to collaborate and figure something out. If anyone has any advice, I’d be very appreciative.

Regarding MBAM, I found this on their forum. Not sure it will help. http://www.malwarebytes.org/forums/index.php?showtopic=7377
I take it whatever Avast found was deleted, and you don’t know what it was?

What would be of help would be what were the locations and files that were actually detected/deleted, etc. ???

Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

When posting URLs to suspect sites, change the http to hXXp so the link isn’t active (clickable) avoiding accidental exposure.

Pagefile.sys should be excluded from scans by default, but I have also added ?:\PAGEFILE.SYS to the Standard Shield, Advanced, Add (Exclusions). The ? is a single character wildcard and would cater for having more than one pagefile.sys in a different drive.

It is possible that malware that has been removed may have some sort of hook to the missing file, but without any idea of what the file or locations were there is very little that can be done to investigate.

Normally it would be advisable to run either HiJackThis or FreeFixer to see if there is anything obvious (the hooking I mentioned), but if you have removed the HDD that isn’t going to be possible. Though it looks like you still have the computer (or one of them), so you might be able to do that.

There are a number of malware items that try to kill security software so I don’t know if that is what is going on with MBAM - See RootRepeal, http://rootrepeal.googlepages.com/ RootRepeal is a new rootkit detector currently in public beta. Scroll down the page for the download link. Also see, http://www.malwarebytes.org/forums/index.php?showtopic=12709.

In addendum to my original post… it also appears as though the problem has affected the Windows Installer service, because it will not allow me to install anything in normal Windows. Though, the Windows installer does work in safe mode.

I am going to do some digging to see if I can find the log file.

Ok, after doing some checking… I was able to find the Avast log viewer, and the only log is of some warnings on 7/24/09 in the AM. There are two listings and they are as follows:

Sign of “Win32.Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\System32\svchost.exe” file.
Sign of “Win32.Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\System32\dllcache\svchost.exe” file.

I was also able to determine that all network access is being blocked in both normal and safe mode. An IP Address is being resolved with my router, but no updates are allowed to function.
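An added example, not part of the original posts: a small triage of detection messages in the shape quoted above, which groups hits by file name and marks system files whose cached copy in dllcache was flagged as well. The `SYSTEM_DIRS` list, the function names and the last two sample lines are assumptions made for the illustration.

```python
import re
from pathlib import PureWindowsPath

# Message shape copied from the two log viewer entries quoted in the thread;
# both typographic and straight double quotes are accepted.
ENTRY = re.compile(
    r'Sign of [“"](?P<sig>[^”"]+)[”"] has been found in '
    r'[“"](?P<path>[^”"]+)[”"] file'
)
# Assumption: folders whose contents are treated as Windows system files.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system32\dllcache"}

def parse_entry(line):
    """Return signature and path for one detection message, else None."""
    m = ENTRY.search(line)
    if m is None:
        return None
    path = PureWindowsPath(m.group("path"))
    return {"signature": m.group("sig"), "path": path,
            "system_file": str(path.parent).lower() in SYSTEM_DIRS}

def triage(lines):
    """Group detections by file name and mark the ones unsafe to delete."""
    by_file = {}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        name = entry["path"].name.lower()
        rec = by_file.setdefault(name, {"signatures": set(), "paths": [],
                                        "system_file": False, "backup_flagged": False})
        rec["signatures"].add(entry["signature"])
        rec["paths"].append(str(entry["path"]))
        rec["system_file"] |= entry["system_file"]
        # A hit inside dllcache means the cached backup copy is flagged too.
        rec["backup_flagged"] |= entry["path"].parent.name.lower() == "dllcache"
    return by_file

SAMPLE = [  # first two lines are from the thread; the last two are constructed
    r'Sign of “Win32.Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\System32\svchost.exe” file.',
    r'Sign of “Win32.Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\System32\dllcache\svchost.exe” file.',
    r'Sign of "EXAMPLE-SIG" has been found in "C:\Temp\setup.exe" file.',
    "unrelated line that is not a detection",
]

if __name__ == "__main__":
    for name, rec in triage(SAMPLE).items():
        print(name, rec["system_file"], rec["backup_flagged"], rec["paths"])
```

A record with both `system_file` and `backup_flagged` set is the case in this thread: the file needs a clean replacement rather than deletion, and the dllcache copy cannot be trusted as the source.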

If they did opt to delete it, I’m surprised avast complied as svchost.exe is an important system file and it would be in use so would normally be protected by windows.

In fact avast keeps a copy of some system files, kernel32.dll, winsock.dll and wsock32.dll but not svchost.exe. I think avast should include this and a few other system files which are more commonly targeted.

If you can get a copy of svchost.exe relevant to the OS and SP version perhaps you could place it back.

Well… some more info for anyone still reading.

I found that copy/paste is disabled, as well as click & Drag. I tried to replace the svchost.exe file by copying the file from another system using the same version of XP but that failed. I tried to use the check disk feature built into Windows but that also did not help. At this point, I’ve got some antsy clients that want their computers back and don’t want to wait on me fixing the problem. So no more attempted fixes for the time being. They’ve authorized reloads of their systems, so even though that’s the “easy” way out, that’s what I’m going to do.

If anyone should happen to run into this, and find a fix, I’d be very interested in learning of it, and if I happen to stumble upon something that fixes the issue, I’ll be sure to post the details.

Thanks all.

This file is Windows core… you can’t move or rename or anything with it…

Maybe overinstallation could have done the job without losing your programs, settings, data, files, etc.
Just choose ‘Repair’ installation of Windows and install ‘over’ the old installation.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;315341
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314058
http://support.microsoft.com/?scid=kb%3Ben-us%3B315341&x=15&y=0
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/doug92.mspx

Thanks for the advice, but in my original post I stated that I’d tried this already. On the first system, the repair install failed, and forced me into a reload. On the 2nd system the procedure didn’t fail, but it also did not fix the problem.

Tech is correct, you can’t do this whilst windows is running as I said earlier:

I'm surprised avast complied as svchost.exe is an important system file and it would be in use so would normally be protected by windows.

So you have to do it outside of windows and copy the file into those locations either using DOS, Linux, or from another computer networked to the one needing the file.
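An added example, not part of the original posts: when the drive is attached to another machine, both svchost.exe locations named in the log can be compared against a known-good copy before and after replacing them. It assumes the reference file comes from media matching the same OS and service pack; `check_drive`, `find_nocase` and the mount path are hypothetical names.

```python
import hashlib
from pathlib import Path

# The two locations named in the thread's log entries, relative to the drive root.
TARGETS = ("WINDOWS/System32/svchost.exe",
           "WINDOWS/System32/dllcache/svchost.exe")

def sha256(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_nocase(root, relative):
    """Resolve a Windows-style path under a mount that may be case-sensitive."""
    current = Path(root)
    for part in relative.split("/"):
        if not current.is_dir():
            return None
        matches = [p for p in current.iterdir() if p.name.lower() == part.lower()]
        if not matches:
            return None
        current = matches[0]
    return current

def check_drive(root, known_good):
    """Report 'match', 'differs' or 'missing' for each target location."""
    expected = sha256(known_good)
    report = {}
    for relative in TARGETS:
        found = find_nocase(root, relative)
        if found is None:
            report[relative] = "missing"
        elif sha256(found) == expected:
            report[relative] = "match"
        else:
            report[relative] = "differs"
    return report

if __name__ == "__main__":
    import sys
    # Usage (paths are placeholders): script.py <mounted drive root> <known-good svchost.exe>
    if len(sys.argv) == 3:
        for location, state in check_drive(sys.argv[1], sys.argv[2]).items():
            print(f"{state:8} {location}")
```

A "match" only shows the file is byte-identical to the reference; it says nothing about other files or registry changes left on the drive.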

I had already slaved the hard drive to a working XP system and tried to copy the file. The copy/paste itself did not fail, but it simply did not fix the problem. Though it is a protected windows file… Avast somehow managed to change or move this file to its chest. It should not have been able to happen, but it did.

I would however like to add, that since I’ve had 4 of these systems come in… I did try the repair install (over load) of Windows again on one of the systems and this time it fixed the problem. I’ve already tested the hard drive of the system where the repair install failed and everything is OK. I’ve completely reloaded XPSP3 and all of their software and it’s running like a champ. I’m clueless as to why the repair install of Windows failed on that system, but I’ll keep my fingers crossed and hope that the same procedure fixes the next two. I’m in the process of updating and loading some spyware scanning tools like Super Antispyware and Malwarebytes and do some quick scans.

Most certainly weird.

Hope it keeps this way.
Feel free to come back any time you need further help.