Avast! stopped working

[warmerwagen]

it's been working great for years, now it has a red circle /slash on the A-ball and clicking brings a message RPC error. I don't know what is wriong or how to fix it and get Avast! AV working again. Thanks.
Robert

[DavidR]

This is usually associated with another AV or remnants of one, but since as you say things have been working great for years this isn't so likely.

Have you recently added another security application or has your system changed in any way just prior to this ?

Try a repair of avast. Add Remove programs, select 'avast! Anti-Virus,' click the Change/Remove button and scroll down to Repair, click next and follow. This has in the past resolved this out of sync issue between reported and actual VPS version.

If that doesn't work a clean reinstall would be best:
- Download the latest version of avast http://www.avast.com/eng/download-avast-home.html and save it to your HDD, somewhere you can find it again. Use that when you reinstall. Ensure that you scroll down and select the avast direct download link for the English version and not Cnet as that is for an on-line installation (not what you want to do).

Download the avast! Uninstall Utility, find it here and save it to your HDD.

• 1. Now uninstall (using add remove programs, if you can't do that start from the next step), reboot.
• 2. run the avast! Uninstall Utility, reboot.  If step 1 failed it may be necessary to run this from safe mode, once complete reboot into normal mode.
• 3. install the latest version, reboot.

[warmerwagen]

It would'nt repair, I unistalled it, I did a clean install,  it worked about a day and then back to the red circle/slash . I did all this for a week before posting here. There is no solutiion. Should I burn my computer?

[YoKenny]

What operating system and service pack level are you running?

[DavidR]

It would'nt repair, I unistalled it, I did a clean install,  it worked about a day and then back to the red circle/slash . I did all this for a week before posting here. There is no solutiion. Should I burn my computer?

If you can answer my question that may help us.
Have you recently added another security application or has your system changed in any way just prior to this ?

Short of that we would have to ask what the previous AV was (I know it was a long time ago) and see if we cant root out any possible remnants ?

[HLS]

I had the same thing warmerwagen described happen to me last night.  I went through the steps of checking to make sure Avast was set on automatic ( it was but wasn't running), I attempted to start it but it wouldn't, I repaired it and it last for several minutes then the whole process started again. I just did it again ten minutes ago. I see that something called Antivirus Pro 2010 has installed itself on my laptop last night, which I assume started this problem. I have tried to remove it using the add/remove program but it seems to have locked up isn't responding. I assume there are some hidden files that will need to be dealt with. I am running the Avast home edition and Windows XP. I would appreciate some direction on where to go from here.   

[DavidR]

Add remove programs is unlikely to remove it, given that this is a rogue application.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should product a log file).

• 1.  MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
• 2. SUPERantispyware On-Demand only in free version.

Don't worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.

[HLS]

I just attempted to boot up my laptop to try the direction above and it won't boot up. Everytime it gets to the welcome screen, a system shutdown window pops up and starts a 60 second countdown to shut down. it says "initiated by NT AUTHORITY\system" and the message says " The system process C:\WINDOWS\system32\services.exe terminated unexpectedly with status code -1073741482. The system will now shut down and restart". And it does repeatedly!

[YoKenny]

I just attempted to boot up my laptop to try the direction above and it won't boot up. Everytime it gets to the welcome screen, a system shutdown window pops up and starts a 60 second countdown to shut down. it says "initiated by NT AUTHORITY\system" and the message says " The system process C:\WINDOWS\system32\services.exe terminated unexpectedly with status code -1073741482. The system will now shut down and restart". And it does repeatedly!

Looks like you have not kept your system up to date and are suffering the possibility of a Blaster or Sasser infection:
http://www.pcreview.co.uk/forums/thread-171029.php
http://forums.techguy.org/malware-removal-hijackthis-logs/692317-solved-shutdown-initiated-nt-authority.html

[DavidR]

Try booting into safe mode http://www.pchell.com/support/safemode.shtml

You could also download these and burn to a CD on a working/clean system and you can install MBAM in safe mode and run a scan in safe mode.

[HLS]

I was able to startup in safe mode and download both the files but neither seems to want to run in safe mode. Any suggestions on what I might check?

[DavidR]

Well I don't believe SAS will (or isn't designed to) install in safe mode, which is why I didn't suggest doing that, but MBAM is meant to be able to install in safe mode and certainly should be able to run in safe mode.

There is a possibility you have malware that also runs in safe mode.

Have you read the second link YoKenny gave ?

You could also try DrWeb CureIt! - See http://www.freedrweb.com/cureit/ - Download ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe (Free) Fairly effective against file infectors, Virut (infects .exe, .scr, .mp3 & .wmv), more so when used in safe mode.

DrWeb also do a Live CD if you are unable to get into your system see, http://www.freedrweb.com/livecd/?lng=en, documentation ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf. This may be a better option to run the live CD version outside of windows so it may have a better chance of success.

[HLS]

After I sent my last message, I went back into regular mode, and was able to run the SAS scan. I downloaded the mbam file and attempted to run it, but midway through, it stopped and wouldn't allow me to access it again. I'll try to reload and run the mbam again after I send this. I have all the suspect files listed below quarantined but was afraid if I reboot now I may lose some files I need to save. Here are the SAS results:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/10/2009 at 08:44 PM

Application Version : 4.28.1010

Core Rules Database Version : 4085
Trace Rules Database Version: 1978

Scan type       : Quick Scan
Total Scan Time : 00:16:46

Memory items scanned      : 517
Memory threats detected   : 1
Registry items scanned    : 611
Registry threats detected : 8
File items scanned        : 9230
File threats detected     : 93

Trojan.Unclassified/BraviaX
   C:\WINDOWS\SYSTEM32\BRAVIAX.EXE
   C:\WINDOWS\SYSTEM32\BRAVIAX.EXE
   [braviax] C:\WINDOWS\SYSTEM32\BRAVIAX.EXE
   HKU\s-1-5-21-3457135837-99430031-1591245725-1006\Software\Microsoft\Windows\CurrentVersion\Run#braviax [ C:\WINDOWS\system32\braviax.exe ]
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run#braviax [ C:\WINDOWS\system32\braviax.exe ]

Rootkit.Cloaked/Service-GEN
   HKLM\system\controlset001\services\d250ed6e
   C:\WINDOWS\SYSTEM32\DRIVERS\D250ED6E.SYS
   HKLM\system\controlset003\services\d250ed6e

Adware.Tracking Cookie
   c:\documents and settings\henry\cookies\henry@lfstmedia[2].txt
   c:\documents and settings\henry\cookies\henry@questionmarket[2].txt
   c:\documents and settings\henry\cookies\henry@socialmedia[2].txt
   c:\documents and settings\henry\cookies\henry@ads.pointroll[2].txt
   c:\documents and settings\henry\cookies\henry@content.yieldmanager[3].txt
   c:\documents and settings\henry\cookies\henry@collective-media[1].txt
   c:\documents and settings\henry\cookies\henry@mediaplex[2].txt
   c:\documents and settings\henry\cookies\henry@stat.dealtime[1].txt
   c:\documents and settings\henry\cookies\henry@ad.yieldmanager[2].txt
   c:\documents and settings\henry\cookies\henry@dealtime[1].txt
   c:\documents and settings\henry\cookies\henry@casalemedia[2].txt
   c:\documents and settings\henry\cookies\henry@specificmedia[1].txt
   c:\documents and settings\henry\cookies\henry@adrevolver[2].txt
   c:\documents and settings\henry\cookies\henry@www.burstbeacon[1].txt
   c:\documents and settings\henry\cookies\henry@media.adrevolver[1].txt
   c:\documents and settings\henry\cookies\henry@atdmt[1].txt
   c:\documents and settings\henry\cookies\henry@bs.serving-sys[1].txt
   c:\documents and settings\henry\cookies\henry@yadro[2].txt
   c:\documents and settings\henry\cookies\henry@imrworldwide[2].txt
   c:\documents and settings\henry\cookies\henry@insightexpressai[1].txt
   c:\documents and settings\henry\cookies\henry@specificclick[1].txt
   c:\documents and settings\henry\cookies\henry@tribalfusion[2].txt
   c:\documents and settings\henry\cookies\henry@fastclick[1].txt
   c:\documents and settings\henry\cookies\henry@adbrite[1].txt
   c:\documents and settings\henry\cookies\henry@cache.trafficmp[1].txt
   c:\documents and settings\henry\cookies\henry@serving-sys[2].txt
   c:\documents and settings\henry\cookies\henry@apmebf[2].txt
   c:\documents and settings\henry\cookies\henry@247realmedia[2].txt
   c:\documents and settings\henry\cookies\henry@foundbanner[1].txt
   c:\documents and settings\henry\cookies\henry@burstbeacon[1].txt
   c:\documents and settings\henry\cookies\henry@cdn4.specificclick[2].txt
   c:\documents and settings\henry\cookies\henry@edge.ru4[1].txt
   c:\documents and settings\henry\cookies\henry@adserver.adtechus[1].txt
   c:\documents and settings\henry\cookies\henry@dmtracker[1].txt
   c:\documents and settings\henry\cookies\henry@ad1.clickhype[1].txt
   c:\documents and settings\henry\cookies\henry@trafficmp[1].txt
   c:\documents and settings\henry\cookies\henry@eyewonder[2].txt
   c:\documents and settings\henry\cookies\henry@find.diadoraamerica[2].txt
   c:\documents and settings\henry\cookies\henry@a1.interclick[1].txt
   c:\documents and settings\henry\cookies\henry@revsci[2].txt
   c:\documents and settings\henry\cookies\henry@www.burstnet[1].txt
   c:\documents and settings\henry\cookies\henry@realmedia[2].txt
   c:\documents and settings\henry\cookies\henry@media.adrevolver[2].txt
   c:\documents and settings\henry\cookies\henry@tunebanner352[1].txt
   c:\documents and settings\henry\cookies\henry@zedo[2].txt
   c:\documents and settings\henry\cookies\henry@content.yieldmanager[2].txt
   c:\documents and settings\henry\cookies\henry@shopping.112.2o7[1].txt
   c:\documents and settings\henry\cookies\henry@media6degrees[1].txt
   c:\documents and settings\henry\cookies\henry@advertising[1].txt
   c:\documents and settings\henry\cookies\henry@dominionenterprises.112.2o7[1].txt
   c:\documents and settings\henry\cookies\henry@interclick[1].txt
   c:\documents and settings\henry\cookies\henry@burstnet[2].txt
   c:\documents and settings\henry\cookies\henry@doubleclick[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@microsoftwindows.112.2o7[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@interclick[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
   .doubleclick.net [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .2o7.net [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .track.cbs.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .cbs.112.2o7.net [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .imrworldwide.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .imrworldwide.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .serving-sys.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .serving-sys.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .serving-sys.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .serving-sys.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .serving-sys.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .serving-sys.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .bs.serving-sys.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .247realmedia.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .atdmt.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .insightexpressai.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .insightexpressai.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .insightexpressai.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .insightexpressai.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .insightexpressai.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .insightexpressai.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .insightexpressai.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .casalemedia.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .questionmarket.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .questionmarket.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .zedo.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]
   .zedo.com [ C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\891y7pz0.default\cookies.txt ]

Trojan.Unknown Origin
   HKLM\Software\xpre
   HKLM\Software\xpre#execount

Rogue.XP AntiSpyware2009-Trace
   C:\WINDOWS\system32\_scui.cpl

Rogue.XP AntiSpyware 2009
   HKU\s-1-5-21-3457135837-99430031-1591245725-1006\Control Panel\don't load#wscui.cpl [ No ]

Trojan.Dropper/Gen
   C:\DOCUMENTS AND SETTINGS\HENRY\LOCAL SETTINGS\TEMP\~.EXE
   C:\WINDOWS\SYSTEM32\~.EXE
   C:\WINDOWS\Prefetch\~.EXE-10AA984B.pf

Trojan.Agent/Gen-FakeDrop[BraviaX]
   C:\UDTCNN.EXE

Rootkit.Agent/Gen-UAC
   C:\WINDOWS\SYSTEM32\DRIVERS\UACD.SYS

[DavidR]

The cookies as I said are no issue at all.

The other detections all seem to be valid given their locations, they are trying to make out that they are system files when they aren't.

See http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-ff&search=BRAVIAX.EXE

This is I believe the major one causing the problem by masking all the others, etc.
Rootkit.Agent/Gen-UAC
   C:\WINDOWS\SYSTEM32\DRIVERS\UACD.SYS

This file name is associated with trojan activity, it isn't a system file.

The ~.exe is equally suspect, so I doubt that a reboot would cause the same kind of problems you had before. At some point in time you are going to have to reboot.

[HLS]

I did reboot and then performed another scan. It seems that SAS has cleaned all those files out but the problem start up copied below problem persists.  I've looked on Microsofts support site but so far haven't located anything with the same status code.

(Everytime it gets to the welcome screen, a system shutdown window pops up and starts a 60 second countdown to shut down. it says "initiated by NT AUTHORITY\system" and the message says " The system process C:\WINDOWS\system32\services.exe terminated unexpectedly with status code -1073741482. The system will now shut down and restart". And it does repeatedly!)