Author Topic: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
As soon as I saw Acelerador Terra I thought "Oh no!".

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
As soon as I saw Acelerador Terra I thought "Oh no!".

Hi alanrf. I haven't had a chance to look this up. Mind filling me in please?

ZStorm

  • Guest
Guys

I'm online as the 2 of you are. I'm posting a reply for oldman considering his post.

alanrf... you are giving me the creeps now!

oldman... I'm replying to you next.

Offline alanrf

Sorry I did not want to spook anyone. 

Oldman - please see my post in the evangelists forum.

Oldman said that some concerns had been raised with the Webshield. It seems you have an "accelerator" function installed (or halfway installed/uninstalled). We have seen in the past that accelerator software can conflict with the working of the Webshield (and also with the Internet Mail provider too). Even though the avast team have made no changes to the Webshield in the new avast 4.8 release, we are seeing a few more issues in the forum with the Webshield in this release, and the forum helpers as well as the avast team are looking into them.

So sorry for alarming you. Oldman's advice to try turning off the Webshield to see if that restores Web access is the best troubleshooting next step.
« Last Edit: April 19, 2008, 03:54:33 AM by alanrf »

ZStorm

  • Guest

Otmoveit2 will create a folder with the removed files/folders in. Since you placed it in a sub folder otmoveit may have used that path to store the files you removed. The files you tried to remove, where did you find them afterwards. In the otmoveit subfolder or original location?

Nothing we removed should have interfered with your connection. Did you install a third party firewall or did you get that far?

There has been an issue raised with webshield. Try Terminating it, can you browse with webshield off?

System restore will most likely fail, unless you turn off avast's self protection.

Tell me more about the contents of C:\327882R2FWJFW. You said it was similar to combo-fix. In what way.

Don't do too much right now other than answer as best as you can and try turning webshield off.


.:   OTMoveit was in a subfolder but it DID go away after 1st reboot ran - wasn't from the root but it killed itself (already tried to search for files and no result, so it might be clear for that install). As I had it installed back again to remove other files/folders... then it was installed on Desktop... where it's still placed... Folder C:\OTMOVEIT. That's the location I've got the restore files from - I didn't have to look for them - it was the default location for the Restore option, only containing besides the *.res files, the subfolders for the RP (actually I have here 3 folders but only 2 *.res files - I guess the first folder goes for the first crash and it didn't keep the restoring info - in case if that really happened for me to install OTMoveit one after another without booting as I described before and causing that).


.:   About third parties... NO... was trying to get rid of extra load before installing anything, so no, nothing was installed as firewall or anything, besides an update for Shockwave plugin which was automatic when browsing.


.:   Webshield comes from Crawler when you install SpywareTerminator, right? If that's so, I already had it uninstalled on the Control Panel uninstall I've mentioned on my post. It was not activated besides for a couple quick connection sessions, so I don't think it would be a prob. Also I searched for any evidence of webshield.* on pc, and nothing shows up, not even on processes running on Task Manager (I ran a dialup connection to test if it would show up if connected, but no positive).


.:   Succeed on System Restore by disabling Avast! protection? I guess I did call for the stopping the On-Access Protection and still the result was the same. Avast! doesn't show on safe mode besides for the icon, no resident protection. If on normal mode, it gave me the no-go result. Right now I disabled the On-Access Protection and tried to restore system. NO GOOD again. Ugh! I can't 'kill' the Avast! processes running on Task Manager... so all I can think of is to UNINSTALL AVAST so that to work... if that will be the only option, let's do it. You guys tell me what to do and I will follow.


.:   About the contents of

>> C:\327882R2FWJFW... has 4.37M and 92 files, created 20080417 1352. Files on it... C.BAT, COMBOBATCH.BAT, COMBO-FIX.SYS, FIND3M.BAT, QOO.BAT,

>> C:\COMBO-FIX... has 4.99M and 144 files, created 20080417 1335. Files on it... C.BAT, COMBOBATCH.BAT, COMBO-FIX.SYS, FIND3M.BAT, QOO.BAT are there as well.

I think the first folder was a temp, considering time and size, but somehow it wasn't deleted when Combo did the job. That's only a wild guess as I have nfi of how ComboFix works. I just compared those 2 folders at first sight.



......


I ain't doing anything before you guys tell me what to do next.


As soon as I saw Acelerador Terra I thought "Oh no!".

Hi alanrf. I haven't had a chance to look this up. Mind filling me in please?


Seems Acelerador Terra has a lot to do with the matter and all I can hope is for you to have faced this kinda problem before and sorta know how to proceed. Actually, I've got a feeling that program wasn't good news. If not faced before, let's work on what is supposed to be worked. I still have a temporary link with Terra (ISP) and I think I can manage to get tech support if needed.


Looking forward to hear from you


Peace out.

ZStorm

  • Guest

Sorry I did not want to spook anyone. 

Oldman - please see my post in the evangelists forum.

Oldman said that some concerns had been raised with the Webshield.
Oldman's advice to try turning off the Webshield to see if that restores Web access is the best troubleshooting next step.



Sorry alanrf but I saw your post after I posted my previous one.

And sorry again but seems I've made a confusion about the processes as well... guess you were talking about Avast! Webshield and not the Crawler's one.

OK! I tried just again to connect and before disabled the Webshield at Avast! On-Access Protection. Unfortunately, no good again. Same as before.


Looking forward to hear from you.


Offline oldman

You have found the right webshield (avast's).

C:\327882R2FWJFW can go.

Did you terminate webshield or just pause it?

We can try this to see if we can repair your connection.

LSPfix

http://www.bleepingcomputer.com/files/lspfix.php

Download it to its own folder, for example C:\LSPfix

Disconnect from the internet (unplug the cable)

Navigate to where you saved the file and double-click on it to start the application.

Click finish.

If possible, before you click finish, please copy the information in the left hand box (keep) and post it here.


To turn off avast self protection

right click the "a" icon, select program settings, troubleshooting. Check Disable self protection.

ZStorm

  • Guest

Did you terminate webshield or just pause it?

We can try this to see if we can repair your connection.

LSPfix
Download it to its own folder, for example C:\LSPfix
Disconnect from the internet (unplug the cable)
Navigate to where you saved the file and double-click on it to start the application
Click finish.

If possible, before you click finish, please copy the information in the left hand box (keep) and post it here.


To turn off avast self protection

right click the "a" icon, select program settings, troubleshooting. Check Disable self protection.



.:  Definitely, Avast! Webshield was terminated.

.:  Downloaded and use my MP3 to copy the file from lappy to pc. No worries about being connected... the pc is not connecting at all <hehe>. Application ran ok, printscreen go attached. Clicked on finish. Resulting screen go attached as well.

.:  Avast! Self- Protection disabled as instructed.

.:  Tested with the dialup connection, and WOOHOO! Apparently worked.


............


I'm moving my 3G back to pc, will test it and post back.


About that folder, I think it can wait for this connection matter to be solved for good first.


QUESTIONS:  What caused the internet block? If I boot pc, what will happen, I mean, shall I always from now on need to check if the Avast! Self-Protection to be disabled as well its Webshield? Do disabled Avast! items cause any threat concerning security during internet connection/navigation?



ZStorm

  • Guest
On pc now, connected under 3G and so far so good.


I'm afraid to switch off pc now so to rest a bit, wake up in a few hours, turn it on and... a countdown sequence pops up on my screen... and BOOM ME! :P


Standing by for your reply and, once again, THANK YOU.


ZStorm

  • Guest

Oldman said that some concerns had been raised with the Webshield. It seems you have an "accelerator" function installed (or halfway installed/uninstalled). We have seen in the past that accelerator software can conflict with the working of the Webshield (and also with the Internet Mail provider too).

So sorry for alarming you. Oldman's advice to try turning off the Webshield to see if that restores Web access is the best troubleshooting next step.



Hi alanrf

Sorry for not replying properly earlier.. as you already know I was busy eating my toes.

I'd like to say till before 12 hours ago, I never had any kind of problem whatsoever concerning Avast! and the ISP 'accelerator'. Even when my infection started almost 2 (yes TWO) weeks ago, one of the first things to pop up was a message for the SMTP port coming from Acelerador Terra. Avast! by then, was 4.7 version and wasn't even running, blocked by malware. So, I ain't that sure the issue would be Avast! Webshield x Terra tool, especially 'cause disabling only Webshield wasn't enough to put internet back on.

I'm very grateful for oldman's instructions for installing LSPFix and Avast! setup... at least I could have connection back. Still the matter remains... if I didn't have that 'accelerator' would I have faced that bug? Is Terra 'accelerator' a software that should be reviewed by Terra or maybe should Terra be warned about the conflict, if it does exist? What really happened - was Avast! which conflicted with the 'accelerator' or vice-versa?

No worries about the alarm. It was a quite good one, actually. Many ppl in Latin America (Terra is present in 19 countries total) sign up for Terra services and if their tool doesn't work ok with Avast!, clients and users should be aware of it at the very least. If my thread would be of service for those who might look for reference concerning that conflict so to get a solution or light at the end of the tunnel, it's all worth it.



Offline oldman

There was a bit of misunderstanding. You didn't need to disable avast self protection. I only posted the instructions if you needed to do a system restore.

If you did everything in order, I would say a corrupt accelerator install was the cause of the connection failure. Or possibly a conflict between it and webshield. LSPfix removed one file reference belonging to Acelerador Terra. This file may have gone missing when you removed the program, causing a break in the chain.

The original problem may have been a conflict, as both programs may have been monitoring port 80 traffic. When you partly removed the accelerator program the dll was removed. This would have caused a break as the file wouldn't have been found. Both situations, though different, would have seemed the same.
 
If it was a conflict, this may be one of the things Alwil is trying to address at this time.

Webshield does not become part of the chain. You should be able to re-enable webshield and the self protection. Though I think you should forgo accelerator for now.
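
The missing-DLL break in the Winsock chain described in the post above can be checked for directly. The following is an added example, not part of the original thread and not code from LSPfix: it parses text in the layout of `netsh winsock show catalog` and lists catalog entries whose provider DLL is absent. The sample catalog, the accelerator name and its path are constructed for illustration.

```python
import os
import re

# Constructed, abridged sample in the layout of `netsh winsock show catalog` (names and paths made up).
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example Accelerator over [TCP/IP]
Provider Path:                      C:\Program Files\ExampleAccel\accel_lsp.dll
Catalog Entry ID:                   1015

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
"""

# "Key:   value" rows; the lazy key stops at the first colon so drive letters stay in the value.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*\S)\s*$")

def parse_catalog(text):
    """Split the netsh output into one dict per catalog entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "Winsock Catalog Provider Entry":
            current = {}
            entries.append(current)
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
    return entries

def expand(path, env):
    """Expand %VAR% references case-insensitively, as Windows does."""
    lowered = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)

def broken_entries(text, env=os.environ, exists=os.path.exists):
    """Return (entry id, description, dll) for entries whose provider DLL is missing."""
    broken = []
    for e in parse_catalog(text):
        dll = expand(e.get("Provider Path", ""), env)
        if not dll or not exists(dll):
            broken.append((e.get("Catalog Entry ID"), e.get("Description"), dll))
    return broken

if __name__ == "__main__":
    print(broken_entries(SAMPLE_CATALOG))
```

On a real machine the input would be the saved output of `netsh winsock show catalog`; the `env` and `exists` parameters exist so the check can also be run against a catalog captured from another system.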

ZStorm

  • Guest
There was a bit of misunderstanding. You didn't need to disable avast self protection. I only posted the instructions if you needed to do a system restore.

Webshield does not become part of the chain. You should be able to re-enable webshield and the self protection. Though I think you should forgo accelerator for now.


.:  Oh so sorry oldman... I mixed up things yes... got On-Access Protection for Self-Protection ... DUH ME!  :-[ One thing was to disable Webshield on Avast! and other to disable Self-Protection on program settings. I really missed the point about the last being to make System Restore to work. All cleared on my mind here now and Webshield and Self-Protection are enabled again.

.:  C:\327882R2FWJFW and C:\Combo-Fix deleted.

.:  Information about InetPub got and processed. I'm gonna keep the folder there for now. No harm.

................


So what now should I do? Can I still remove the remnants of Acelerador Terra and X-Cript so to wrap up OTMoveit? It's still installed here.

In the mean time, I'm checking for the firewall options.


Have a great weekend.


Offline oldman

InetPub shouldn't cause any problems if you leave it.

If the 2 programs have been uninstalled, using OTMOVEIT2 to remove the folders is ok.

When you get the 3rd party firewall, please keep in mind, these three avast files will need internet access: avast.setup - for updates, ashwebsv.exe - webshield, and ashmalsv.exe - mail. Even if you don't use the internet mail provider (outlook express), the internet mail provider can be a tool to alert you of a spambot infection. The mail icon will appear on your taskbar whenever traffic on port 110 or 25 is detected. If you are not sending mail, then you will know further investigation is needed.

As Alanrf mentioned, there seems to be an ongoing issue with avast 4.8's webshield and mail provider coupled with any other programs monitoring the same ports. Hopefully Alwil will find the cause/cure shortly.
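
The same "mail traffic when you are not sending mail" check from the post above can be done without the taskbar icon. This is an added example, not part of the original thread: it scans text in the layout of `netstat -ano` for outbound TCP connections to ports 25 and 110 and groups them by process ID. The sample rows, addresses and PIDs are constructed, and `expected_pids` is a hypothetical allowlist for a known mail client.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output (documentation-range addresses, made-up PIDs).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      198.51.100.7:80        ESTABLISHED     1320
  TCP    192.168.1.10:1051      203.0.113.25:25        ESTABLISHED     2764
  TCP    192.168.1.10:1052      203.0.113.40:25        SYN_SENT        2764
  TCP    192.168.1.10:1060      198.51.100.9:110       ESTABLISHED     1888
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       900
"""

MAIL_PORTS = {25, 110}  # SMTP and POP3, the two ports named in the post

def mail_connections(text, expected_pids=()):
    """Map PID -> sorted remote endpoints for outbound TCP connections to mail ports.

    expected_pids (hypothetical allowlist): processes that are supposed to talk mail,
    such as the mail client itself; anything else is worth investigating.
    """
    hits = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # header, blank lines and UDP rows (which have no State column)
        _, _local, remote, state, pid = parts
        port = remote.rpartition(":")[2]
        if state == "LISTENING" or not port.isdigit():
            continue  # a listening socket is not outbound traffic
        if int(port) in MAIL_PORTS and int(pid) not in expected_pids:
            hits[int(pid)].add(remote)
    return {pid: sorted(remotes) for pid, remotes in hits.items()}

if __name__ == "__main__":
    for pid, remotes in mail_connections(SAMPLE_NETSTAT).items():
        print(f"PID {pid} -> {', '.join(remotes)}")
```

A process that opens SMTP connections to several different hosts, like PID 2764 in the sample, is the pattern to follow up on.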

ZStorm

  • Guest

Even if you don't use the internet mail provider (outlook express), the internet mail provider can be a tool to alert you of a spambot infection. The mail icon will appear on your taskbar whenever traffic on port 110 or 25 is detected. If you are not sending mail, then you will know further investigation is needed.



Hi there

.:  Sorry for being away for the last couple of days but I was busy updating programs according to Secunia analysis. Everything is up to date now :D

.:  I noticed RenV was still on my desktop and I deleted it as there wasn't any other evidence of it on pc. I suppose it was ok.

.:  I've read about the firewalls and seems Comodo wins by far on public opinion. I just installed it (with the Defense+ feature) and seems to be all good so far. It asked me tho for a scan at the moment of install and I accepted at first but after 10 minutes I realized it would take hours then I canceled it.

But something odd popped... it pointed 2 files being infected by Trojan.Win32.Patched.m (D:\WINDOWS\$hf_mig$\KB840987\SP1QFE\winlogon.exe and D:\WINDOWS\$hf_mig$\KB841533\SP1QFE\winlogon.exe). Funny thing is I've scanned many times already my second hard drive and never ever it pointed any threat or malware. Comodo asked for deletion, so it was done. What do you think about that malware pointed by Comodo?

............


So, what happens now? You think I'm clear of malware and ready to be happy again?  ::)


Waiting to hear from you.

Have a great week.



Offline oldman

It was ok to delete Renv. Your logs looked good.

The files that Comodo found look to be Windows security patches/updates. The path and KB# are legit. Without the files to test or compare sizes, I would say false positive.

Lots of people don't use that feature of Comodo. Were the files deleted or quarantined?