Avast freezes at startup

[gopal]

Hi
I installed as administrator avast home on my laptop - XP prof

when I log with another username (with administrative rights) the computer freezes:
The clock on the system tray appears
The Avast! blue icon does not appear

It is impossible to:
select an icon in the desktop
open the start menu

but it is possible to:
press ctrl-alt-del and the disconnect (or stop the system)

after six-seven disconnect-reconnect it may happens that the system start

very often when I stop the system I receive the message that a process does not stop asking me if I want to terminate it
the process is 'explorer.exe' or 'IEXPLORE.EXE'

this behavior disappear when I uninstall avast

this happens either logged as administrator or as the other unluck user (that is the main user of the laptop)

I search in your FAQ-Forum so:
I uninstalled avast in safe mode from the ctrl panel->Add Remove Programs->Avast->Uninstall
I restarted and I execute the aswclear.exe utility
I restarted again and then re installed avast!
I restarted again and logging as the user the problem still remains

Avast! is the first and only antivirus I ever installed in this system
this problem starts about one week ago


have anyone any suggest?
thanks

[mauserme]

Hi gopal - and welcome.

Where is iexplore.exe located on your computer?  Does the process start by itself or have you started it?

[Lisandro]

Is there any other security program in your computer? Any other antivirus?
Are you using the Home version or the Trial (Professional) one?

[gopal]

Hi Mauserme & Tech
thank you for the reply

The version is Home
No antivirus is installed (except for avast! obviously)
No security programs are installed
The system is XP Prof SP 1


I execute a search in my local disk and the only IEXPLORE.EXE is the executable of Internet Explorer located in
%PROGRAM_DIR%\Internet Explorer

I have a IEXPLORE.EXE-1BA17782.pf in my windows\Prefetch dir and it is modified today

I do not start explicitly the process by miself but

I noticed that
A-I log as Administrator
B-I check the active process and no IEXPLORE.EXE exists
C-I start manually the virus definition update of avast!
D-The process of update ends
E-I check the active process now and IEXPLORE.EXE is there, the user name is Administrator
F-After a few minutes I check again the active process and IEXPLORE.EXE is disappeared
G-the system stops normally

so I restart and repeat this process til point E
now I stop the system immediately after the avast! update
It appears the windows 'the system is closing the program IEXPLORE.EXE' where I can hit the button 'Terminate immediately' (I'm sorry but my system is italian and my translation could be poor)

[mauserme]

iexplore.exe is does not run on my computer when I manually update.  Rather, it should be avast.setup.

Can you run a boot scan and let us know if anything is found?

Also scan with Ewido which you can download here:

http://www.ewido.net/en/download/

[Lisandro]

The system is XP Prof SP 1

SP2 won't be bad  

I have a IEXPLORE.EXE-1BA17782.pf in my windows\Prefetch dir and it is modified today

No harm. This is the prefetch file, made by Windows in order to 'accelerate' the application load.

I do not start explicitly the process by miself
I check the active process and no IEXPLORE.EXE exists
I start manually the virus definition update of avast!
I check the active process now and IEXPLORE.EXE is there, the user name is Administrator

avast does NOT start iexplore.exe process to update... no...
You should run a full avast scanning, better at boot time.
Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.

Better if you can download, install, update and run www.ewido.net too.

[igor]

A log from HijackThis might help (or maybe even the list of installed LSPs from lspfix).

[gopal]

Sorry I was a little engaged in various stuff

I scanned the system with Ewido and it found
trackingCoookie.Atdmt
trackingCoookie.Tribalfusion

I noticed that every time I start IE this cookie remanifests themselves
I avoided this changing my startpage from msn to google

anyway the 'not called' process IEXPLORE.exe often appears in my process list

Avast bootscan found
some adware.generic in c:\system volume information\_restore(hexnumbers)

this is the output of hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 15.45.06, on 29/06/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://FICOM1:80/array.dll?Get.Routing.Script
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://FICOM1:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6D2DA6A-E150-4030-A724-CA073AD64C2B}: NameServer = 151.99.125.2,151.99.250.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe

thanks

[DavidR]

A newer version of service pack is available. Service packs increase the safety of your system. Visit Microsoft's windowsupdate site to download the newest version of the service pack.
     
            We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum.

With an out of date OS you are liable to exploits from vulnerabilities that have long since been patched by MS.
With no active firewall you are also liable to numerous malware infestations.
Both of the above are going to make your system vulnerable and any resolution more difficult.

For an on-line analysis of your log file check this link:
http://hijackthis.de/logfiles/34c9e69998f57524a19ac52fbc9ae2c1.html

[mauserme]

I'm no expert on reading hijackthis logs, but is that F2 entry suspicious?

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\svchost.exe

[essexboy]

I would concur on that, as svchost is a service and the file should be in system32 not windows

[DavidR]

It isn't the svchost that is suspicious but the registry entry for system.ini and the file userinit.exe calling and using svchost.exe.

http://www.liutilities.com/products/wintaskspro/processlibrary/userinit/

Much of the potential for this would probably be negated if a firewall with outbound protection were present.

[mauserme]

Aren't both true - svchost.exe should not be in c:\windows and it should not be called from the ini


edit - spelling correction

[DavidR]

It is correct that it should be in system32 as is shown to be correct in the early part of HJT log 'C:\WINDOWS\System32\svchost.exe' so yes the location of this is also suspicious, I'm not sure if this could be a remnant of an earlier OS update from win98 say, but perhaps not as it would probably be in the windows\system folder.

In either case it is suspicious.

[mauserme]

@ gopal

There have been 2 or 3 VPS updates since you first posted.   If you haven't done any scans since your first post please make sure you have the latest update and try another boot scan. 

If avast! still doesn't identify anything see if you find c:\windows\svchost.exe on your computer.  If found, send a sample to Jotti

http://virusscan.jotti.org/

Post again with the results.

Also, do as Tech said about installing SP2, and as David said about installing a third party firewall (not the Windows Firewall).