NG creating new instances on each new boot.

[REDACTED]

Greetings Avast community,

I have attempted repeatedly to figure out why NG keeps wanting to reinstall it's self after serveral boots.

I am using the latest version of Avast, I have also done the following

1) using avast clear utilility in boot mode to remove old copy of avast.
2) Looked at the event viewer. It seems that the disk becomes corrupt after Avast is uninstalled! (I suspect maybe the shadowcopies of the old NG service are left behind.)

14.01.2015 21:04:10.506  5308 | error: TypeLib(Un)Register :\Program Files\AVAST Software\Avast\ng\vbox\VBoxC.dll, error 0x8002801c
14.01.2015 21:04:10.678  5308 | Installing VirtualBox...
14.01.2015 21:04:27.096  5308 | Creating snapshot...
14.01.2015 21:05:54.383  5308 | Volume shadow set: {REMOVED}
14.01.2015 21:05:54.820  5308 | BCD volume: \\?\\REMOVED
14.01.2015 21:05:55.850  5308 | Windows volume: \\?\\REMOVED
14.01.2015 21:05:55.897  5308 | Creating new hive files...
14.01.2015 21:07:34.506  5308 | Cloning NTFS volumes...
14.01.2015 21:11:06.435  5308 | Creating a new VM machine...
14.01.2015 21:11:12.159  5308 | Starting VM machine to create initial snapshot, it can take a couple of minutes...
14.01.2015 21:18:07.223  5308 | error: PrepareNGSource/HgcmRpcExecuteVirtualProcess failed, error: 0x0000010b
14.01.2015 21:20:00.848  5308 | OK
14.01.2015 21:20:01.688  5308 | New Ng_REMOVED machine has been created, uuid: REMOVED
14.01.2015 21:20:03.064  5308 | New Ng_REMOVED machine has been created, uuid: REMOVED
14.01.2015 21:20:04.073  5308 | New Ng_REMOVED machine has been created, uuid: REMOVED
14.01.2015 21:20:04.138  5308 | CmdAvastInstallWrapper done (result: 0x00000000)


Inside the event viewer;

"The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume REMOVED5."

I have recently done a chkdsk and found no errors with the disk. I also ran the normal disk diagnoistics utilities to see if it was hardware causing the probem. No issues found on those systems. Then i  realised something, Each time i have had the Ntfs problem it has been After i uninstalled Avast.. It seems the NG service isn't cleaning up copies it's making when being uninstalled. When you attempt to reinstall Avast the NTFS warnings come up as the clearing utility doesn't remove the shadowcopy left by the previous NG/Virtualbox manager.


Any ideas what i can do to fix this?

Thank You
Oliver

[REDACTED]

just attempted to check to see if NG is running.

Used the commandline to locate the NG folder, then ran the following command.

ngtool.exe isready

the output was

NG machines are ready to use.


I'm about to reboot the computer and see if this helps.


I'll update the post after doing so.

[mchain]

Hi OliPicard,

We, as volunteer helpers and users, can't directly help you with this issue.  You're right, this shouldn't be happening.

I've gone and contacted an avast team member to assist you.  Please be patient as they may not be at work atm. 

Understand you've got avast completely uninstalled using avastclear.exe, yet this is still running?

[REDACTED]

Hi mchain,

Many thanks for the prompt response, The volenteers of the Avast community are awesome! I will be more than happy to share the data with the avast team to try and figure out what's causing the mysterious ghost reinstallation of NG.

To Clarify on what i was saying above, I had to reinstall Avast after I was unable to re-enable the web shield after disabling it to download an extention (a well trusted one which for some reason the HTTPs service likes to block).

I attempted to re-enable the modules but kept getting told that some modules couldn't be enabled. (checking the logs i could see that the Avast DNS service was hanging.) I decided to remove Avast using the clear utilility following the steps to remove the application via a safe boot. I noticed after doing so two things.

1) The NTfs service was saying that the disk was corrupt (in volumes used by the NG/Virtualbox service.)
2) The NG service was creating new HIVE Clusters every time the client would boot but without removing traces of the old shadowcopies. (hence why the disk is reporting corruption on the disk.)


Hope this can clarify whats going on.

Many Thanks
Oiver

[REDACTED]

Rebooted the computer, was slow at boot. (Black screen indicating that NG was booting up the Sandbox VMs.)

When i was finally able to get into the system I decided to run the same command via ngtool.exe isready and got the same response back
14.01.2015 21:51:05.268  | NG machines are ready to use.

I am going to keep monitoring the computer over the next 24 hours. Would be more than happy to send the diganostics over to a rep of Avast.

[pk]

@OliPicard, I really appreciate your NG testing...

I have attempted repeatedly to figure out why NG keeps wanting to reinstall it's self after serveral boots.

What do you mean by "keeps wanting to reinstall..."? How do you know NG needs to be reinstalled? NG should be prepared after installation process and then it should be ready until system removes a shadowcopy.

(I suspect maybe the shadowcopies of the old NG service are left behind.)

it's ok if shadowcopy are not deleted, they're maintained by Windows and they'll be deleted automatically later; when avast is uninstalled, we should also remove our shadowcopies, i'll recheck if it's working correctly, thanks

as for volume corruption, NG doesn't modify your volume/disk, so we should cause this error... strange

[REDACTED]

Hi Pk,

It's my pleasure, i'm hoping to shed some light and respond to your questions.

What do you mean by "keeps wanting to reinstall..."? How do you know NG needs to be reinstalled? NG should be prepared after installation process and then it should be ready until system removes a shadowcopy.

If you check the ProgramData log file for NG you can see repeated attempts at the NG service creating it's first set of virtual computers. (normally 3.) each time on boot a script was causing the NG service to create 3 additional boxes per boot (according to logs.), This was causing an endless loop of NG attempting to setup the virtual boxes. Normal Behavior of this script is to only create 3 vm boxes and 1 tester vm during the install process however it seems the 3 box creation was a loop during one of the installations.

it's ok if shadowcopy are not deleted, they're maintained by Windows and they'll be deleted automatically later; when avast is uninstalled, we should also remove our shadowcopies, i'll recheck if it's working correctly, thanks

Understood, Not sure if my OS was corrupt as during boot cycles the average time til a clean boot would take 6 minutes. I am actively investigating hardware and software failures.

as for volume corruption, NG doesn't modify your volume/disk, so we should cause this error... strange

This was a pretty strange event that occured. I decided to run multiple tests before coming that conclusion, still not sure as to why it happens but wanted to make the team aware.

Going to attempt some repairs this weekend... Hopefully we can figure out what the problem is!

Oliver

[REDACTED]

Greetings everyone,

I tried to get onto the system today, took us 10 minutes to boot up. Once the booting seqence had finished i noticed a DCOM error.

DCOM got error "1053" attempting to start the service AvastVBoxSvc with arguments "" in order to run the server:
{REMOVED}

then miliseconds later i got the following message

The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy{0}.


I'm going to run a repair this weekend and see if that helps.
I'll keep you all posted.
Oliver