Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: rangoon_fr on July 12, 2006, 10:11:22 AM
-
Hello,
I have XP Home SP2 which I just reinstalled.
I have also reinstalled Avast and updated it (automatic Avast update), but now I have this avast popup error "ashMailSv has been modified do you really want to run this program ? Yes / No".
Besides, avast "need to restart your machine" all the time.
I also have this issue with ashWebSv but not with other services (files, IM, ...)
I used to have Avast for the past 3 or 4 years, and I never had any issue with it, but now I can't use it anymore !
I've been through the Windows reinstall process many times these days to try to solve this issue, and came to the conclusion it is closely linked to SP2 installation.
Any idea about it ?
Any solution ?
Many thanks to you all !
-
1. Are you sure this is an avast message about ashMaiSv.exe and not either your firewall or other security software ?
What other security based software do you have that might block new startup entries, e.g. Spybot S&D (TeaTimer), AdAware (AdWatch), SpySweeper, PrevX, WinPatrol, ProcessGuard, etc. ?
2. I trust you did reboot and the prompt keps coming ?
This could be solved, in some systems, by deleting the file C:\Program Files\Alwil Software\Avast4\Setup\reboot.txt
-
I did reboot indeed : same issue. I couldn't fing the reboot.txt, and this time it doesn't ask for reboot.
see attached screenshot o popup in original post, it looks as an avast message.
If i click "non" (=no), it come back over and over, if I click "oui" (=Yes) no more popup.
any help ?, thanks ! :-)
-
Yes it does look like it is generated by avast.
Can you answer my second question in item 1, it could have a bearing if there are other security programs that might hook into either of those programs though why is beyond me.
Was reboot.txt present in the location I gave ? did you delete it ?
-
What if you delete the file ashMaiSv.exe (you'll have to stop the ashMaiSv service before that) and invoke a program update (or VPS update, or program repair... doesn't really matter). Or, you may just rename the file to something else, even without stopping the service, and then invoke the update.
The correct version of the file should be regenerated.
If the message appears again, I'd probably suggest to send us the file... so that we can check what modifications have occurred.
-
Can you answer my second question in item 1, it could have a bearing if there are other security programs that might hook into either of those programs though why is beyond me.
no other security program than Windows' Firewall and its security stuff (being "windows updated")
Was reboot.txt present in the location I gave ? did you delete it ?
it was not present, and after the last reboot I did before going back to work, it stopped asking for reboot.
hence currently only remain with the ashMaiSrv / ashWebSv problem.
-
What if you delete the file ashMaiSv.exe (you'll have to stop the ashMaiSv service before that) and invoke a program update (or VPS update, or program repair... doesn't really matter). Or, you may just rename the file to something else, even without stopping the service, and then invoke the update.
The correct version of the file should be regenerated.
I did the following :
- install with a newly downloaded 4.7 version, same issue. So I thought I had this issue because of an error in Avast 4.7 package (sorry for this thought...),
- uninstall 4.7 version then reboot then install an old 3.x version then I asked for update using the interface options. It has updated correctly (no error popped up) but the popup problem was still there.
I can install a 4.7 and do you test tonight if you think it could help in anyway ?
If the message appears again, I'd probably suggest to send us the file... so that we can check what modifications have occurred.
I'll do this at first time when I'm back, where should I them them to ?
Could you provide me with the time/date/octets size and versions of all exes related to avast, I'll compare those informations with the files I have later when I'm back from work.
thanks !
-
The installer has various self-checks, so it wouldn't install corrupted files (but display an error message instead). If you reinstalled avast!, then the correct file really should be there...
The ashMaiSv.exe file from avast! 4.7.844 has 245808 bytes - but I'd rather check the content (compare it to the original one), the size doesn't say that much.
Maybe the file is actually OK and the problem is somewhere else... but I find it rather unlikely; if there was a bug in the file-verification code, many people would experience the same problem (which is not the case).
-
I completly agree, but you know how users are, it's always editor's fault, then, maybe, it can be ours...! ::)
I'll send you the *.exe from the installation folder, can you tell me where I should send those ?
-
I'm afraid I've got a bad news for you.
The files really are modified - in particular, they are infected by a virus that avast! currently doesn't detect, unfortunatelly. The virus will be analyzed and detection added in the next VPS update - but it means that many of your other files are probably infected as well... :(
Sorry for the troubles.
-
I hope that everyone who reads it take a lesson out of it.
NEVER go online without proper protection.
Here is how to install a OS properly:
1) install the OS
2) install motherboard drivers
3) install other drivers
4) install firewall
5) install av software
Do this BEFORE going online!
6) get ALL security updates and patches.
-
Well, in this particular case, it wouldn't help much - as avast! doesn't detect this virus yet (sorry about it).
-
thanks you very much Igor for your close follow up!
I fear to see how deep my PC is infected, I just hope it is limited to Avast...
I look forward the new VPS!
Thanks,
Rangoon
-
I hope that everyone who reads it take a lesson out of it.
NEVER go online without proper protection.
Here is how to install a OS properly:
(...)
Hello Eddy,
though I agree with this "lesson", I just wanted to precise that your procedure is my base one and it lead me to infection however :-(
Besides, I keep wondering how can a virus come to My PC if I did not even start "surfing" but on editor's websites for latest version or updates downloads. I'll try to find this out when the new virus definition come out ! ;-)
For the past 10 year on internet, it the very first time I get a virus, I've been using ThunderByte, InoculateIT, PC Cillin, and finally avast for the past 2 or 3 years. During this time I had very few alerts.
-
Windows fileinfector that wasn't detected by avast! ? Isn't that a bit unusual considering there isn't many file infectors ?
-
Windows fileinfector
Never heard of this, what is it ?
a resident evil virus ?
-
file infector is just a "proper" term for virus. So "file infector" = "virus"
-
how dummy am I... I could have guessed it...
anyway,
I ran a Housecall (TrendMicro, http://fr.trendmicro-europe.com/consumer/housecall/housecall_launch.php) on my PC and it has found "PE.VIRUT.A", also known as "W32.VIRUT.A" at symantec : http://www.sarc.com/avcenter/venc/data/w32.virut.a.html
FYI : panda's online scanning tool crashed when scanning for viruses, I don't know why.
It had infected all my windows .exe, .cmd and all program files.
HouseCall can repair it, if you infected, don't be afraid, just a short bad time to go through ;-)
This virus appeared may 14th, I don't know when/where I got it from :(
Thank you all, now I just have to repair... and wait for the new VPS...
-
<<
14.07.2006 - 0628-5
Win32:Beagle-ME [Trj], Win32:Virut
>>
Great !!! Thanks ! :D
-
Are repair routines included to fix infected files?
-
well... hard to say.
File are first marked as repared (avast created a .RBO version kepping the original file in place but with a different length). And when the scan is finished, avast says that it finnaly couldn't repare some files, a it show the complete list of RBO files, along with some exe's.
I do not understand if the files with the original extension are safe or not and why avast finally states that
files where not repared.
I hope this helped ::)
-
No, special cleaning for this virus has not been implemented.
avast! doesn't create any .rbo files.. so I don't think it has anything to do with avast! ???
-
Interesting...
http://filext.com/detaillist.php?extdetail=RBO
-
Igor :
thoses files were marked as VIRUT infected (when .RBO is Magister.B according to Rejzor's url), they have been successfully delete by avast! with the scan report/log.
Rejzor :
If I'm right Magister propagates via email ? I haven't restored my mails yet (I wait for the pc to be completly clean). How could it have executed, i wonder.
what is possible is that housecall didn't check those files, although I'm quite sure they were not present when I used it. however, Avats! didn't warn for a Magister.B infected file.
really strange ! ??? :-\
I'm running a new house call, so far no virus found, yessss !!
Igor, I really want to thank you for following your posts and dummy users of avast! so closely, thanks !
Rangoon
-
I don't think it's related, though still interesting that some RBO files started appearing on your PC.
-
BTW, I have a copy of LoveLetter and Homepage (very old viruses i know) in TXT files, they are marked by Housecall but nothing in avast!, how come ? because of the extension ? I could even open the txt file without any warning :-\
-
Thats because txt is a plain text and you can run it whatever you like.
Stuff in such form is benign and can't hurt your system.
You have to use High Standard Shield sensitivity in order to detect stuff in txt files.
-
truly, i tried to rename it as .vbs and was kicked off by Avast!, great thing! ;D