Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Namea on June 27, 2013, 11:23:17 PM
-
I typically install Avast on any computer that I do repairs on and I've never had any issues with it whatsoever. I use it on my own system (Purchase version) but the free version works great for every other system I've encountered. Recently I started to work on my brother-in-law's system for him to try and fix it. After finally getting it to a point where it would run programs again I ran a Malwarebytes scan. It came up with 822 infected objects (I am not even joking.) And I removed them. Now here's the problem:
I installed Avast perfectly, no issues whatsoever.
When I click on the icon, even when running it as admin nothing happens. Nada. No error message or loading symbol at all. The process isn't running and I cannot even do a manual start through the services menu. I tried completely uninstalling it with the utility in safe mode then reinstalling but it still didn't work.
Any suggestions or help would be welcome, I'm about at my wits' end here. I've done everything else but I refuse to give the computer back to him without having it scanned by Avast and able to use it easily.
-
It came up with 822 infected objects (I am not even joking.) And I removed them.
maybe the computer is still not clean....
see the guide at top in virus and worms forum section "logs to assist in cleaning malware"
attach the requested logs and a removal expert will help you
AdwCleaner / Malwarebytes / OTL / aswMBR
-
What were the infections that were found ?
-
Mostly basic toolbar adware and registry changing stuff. I double checked to see and I haven't noticed any lingering effects but I'll double check with the guide posted above and get back to you guys.
-
Attached three of the four, still waiting on OTL to finish.
-
All attached.
-
hmm....i was about to ask where.... when i see you have edited and attached to first post....
anyway, guess essexboy is in bed now so check back late tomorrow. ;)
-
Hi if you edit your post I will not receive a notification for it..
OK Avast has been targeted using the IFEO debug check, on completion of this run let me know if Avast starts properly
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
O2 - BHO: (no name) - {1036AD63-AEAC-460B-9060-C96005D4DC86} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - !{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - !{95B7759C-8C7F-4BF1-B163-73684A933233} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{95B7759C-8C7F-4BF1-B163-73684A933233} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [ROC_roc_ssl_v12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12 File not found
O27:64bit: - HKLM IFEO\avastSvc.exe: Debugger - C:\Windows\SysNative\svchost.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\avastUI.exe: Debugger - C:\Windows\SysNative\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\avastSvc.exe: Debugger - C:\Windows\SysWow64\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\avastUI.exe: Debugger - C:\Windows\SysWow64\svchost.exe (Microsoft Corporation)
O33 - MountPoints2\{9e4541d0-d07a-11de-a3ba-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{9e4541d0-d07a-11de-a3ba-806e6f6e6963}\Shell\AutoRun\command - "" = D:\install.EXE id= ver=1.0.0.0
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
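
The O27 lines in the fix above record an Image File Execution Options `Debugger` value for each Avast executable, which makes Windows start the named program in place of the image. As an added example (not part of the original thread), this script parses those lines and compares a pre-fix and post-fix OTL log to report entries that survived; the function names and the "after" log are constructed for illustration.

```python
import re

# OTL "O27" lines as they appear in the fix script above, for example:
# O27:64bit: - HKLM IFEO\avastSvc.exe: Debugger - C:\...\svchost.exe (Microsoft Corporation)
O27_RE = re.compile(
    r"^O27(?P<tag>:64bit:)? - HKLM IFEO\\(?P<image>[^:]+): Debugger - "
    r"(?P<debugger>.+?)(?: \((?P<vendor>[^()]*)\))?\s*$"
)

# Process names taken from the thread; extend for other security products.
WATCHED = {"avastSvc.exe", "avastUI.exe"}

def parse_ifeo(log_text):
    """Return a set of (view, image, debugger) for every O27 Debugger line."""
    found = set()
    for line in log_text.splitlines():
        m = O27_RE.match(line.strip())
        if m:
            # "view" is simply whether OTL printed the :64bit: tag on the line.
            view = "64bit" if m.group("tag") else "untagged"
            found.add((view, m.group("image").lower(), m.group("debugger").lower()))
    return found

def still_hijacked(before_log, after_log, watched=WATCHED):
    """Entries for watched images that appear both before and after a fix run."""
    names = {w.lower() for w in watched}
    persisting = parse_ifeo(before_log) & parse_ifeo(after_log)
    return sorted(e for e in persisting if e[1] in names)

# The four O27 lines are copied from the fix script above; the O3 line is noise.
BEFORE = r"""
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O27:64bit: - HKLM IFEO\avastSvc.exe: Debugger - C:\Windows\SysNative\svchost.exe (Microsoft Corporation)
O27:64bit: - HKLM IFEO\avastUI.exe: Debugger - C:\Windows\SysNative\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\avastSvc.exe: Debugger - C:\Windows\SysWow64\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\avastUI.exe: Debugger - C:\Windows\SysWow64\svchost.exe (Microsoft Corporation)
"""

# Constructed "after" log (not from the thread): two entries remain.
AFTER = r"""
O27 - HKLM IFEO\avastSvc.exe: Debugger - C:\Windows\SysWow64\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\avastUI.exe: Debugger - C:\Windows\SysWow64\svchost.exe (Microsoft Corporation)
"""

if __name__ == "__main__":
    for view, image, debugger in still_hijacked(BEFORE, AFTER):
        print(f"STILL HIJACKED [{view}] {image} -> {debugger}")
```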
-
Here's the new OTL report after running that fix.
-
Are you able to start Avast now ?
-
Nope. Here's the newest OTL Log, that one was the report after the fix ran.
-
OK the IFEO's are still there, let's try a stronger tool
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
It's still running fine although explorer.exe and related processes seem to have slowed immensely. Also I suddenly can't connect to the internet on that computer. I had to put the log onto a thumbdrive to get it here. It seems that the laptop can no longer detect proxy settings. Anyway, here's the log from the last program, still no avast though.
Also new Malwarebytes log. It was at 0 threats last night but 3 as of today.
-
OK let's now kill those IFEO's, they are resilient. What error are you getting when you try to connect ?
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Registry::
[-HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\image file execution options\avastSvc.exe]
[-HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\image file execution options\avastUI.exe]
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
-
Just that it won't detect the network's proxy settings. Here's the new log.
-
OK you need to set LAN to no proxy, could you run the MSFixit here please http://support.microsoft.com/kb/2289942
These reg keys are extremely resilient
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger2/download.php) by Swandog46 to your Desktop.
- Right click on the Avenger.zip folder and select "Extract All..."
- Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
(https://dl.dropbox.com/u/73555776/avenger.jpg)
Begin copying here:
Registry keys to delete:
HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\image file execution options\avastUI.exe
HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\image file execution options\avastSvc.exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
- Right click on the window under Input script here:, and select Paste.
- You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
- Click on Execute
- Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
- It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh OTL log.
-
I ran avenger but it is not creating a log at all. I searched the computer and there is no avenger.txt file. Here is the new otl file though:
-
OK do you feel confident enough to do this manually ?
Go Start and in the search box type regedit
Regedit.exe will appear in the list
Right click this and select "Run as Administrator"
Navigate to the following keys using the little arrows to open each major group
HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\image file execution options\avastUI.exe
HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\image file execution options\avastSvc.exe
(See screenshot below)
Right click each one in turn and select delete
Agree the warnings
If you are unable to delete please let me know what error you get
-
Here's a screen of the error.
-
Could you now try to take ownership of those two registry keys as detailed here http://www.howtogeek.com/77878/take-ownership-of-or-assign-full-permission-for-a-registry-key-in-windows-7/
-
It's still saying access is denied. Unfortunately his uncle usually fixes his computer and gives only himself administrative properties on a separate account and won't give them to anyone else. He refuses to give the passwords to anyone even though he's the one who ruined this computer. I keep getting the "Access is denied" error message.
-
In that case I am locked out, he will need to get his uncle to delete those two registry keys
-
Unfortunately despite having admin privileges now it's still telling me access is denied. Sorry I vanished, didn't have internet for a week while we moved.
-
Could you re-run the Avenger fix a few posts above.. See if that can kill it now