Author Topic: resident protection disabled  (Read 6112 times)


amaru

  • Guest
resident protection disabled
« on: September 08, 2004, 09:27:12 AM »
Hi,
Just installed Avast 4 home edition.  The install went ok.  Set Avast to do a boot scan at the next boot, that went ok. Then when win 2000 finished loading up and I looked at the system tray (the one next to the clock) to see the little blue "a" and the little blue "f" they were not there.
I restarted the PC and this time the little blue "a" and "f" were on the system tray ok, but the little blue "a" had a little red circle on it.
Now comes the fun part.  When I did come close to the little blue "a" with the mouse it disappeared. Also no matter what I do to the Avast moniker to activate the resident protection it resets itself to disabled.
Question, is it possible that I have a virus that is disabling the resident protection?  Any ideas? Suggestions? This all started since we installed a Verizon DSL service.
Thanks
Amaru:o

whocares

  • Guest
Re:resident protection disabled
« Reply #1 on: September 08, 2004, 03:49:51 PM »
hi,
- try repairing or un- & reinstalling avast in SafeMode (F8-Boot)

read the link "VirusRemoval" below in my sig and
- try some Onlinescanner, e.g. Trend, RAv, COD
- post a hijackthis-Log for diagnosis..

Did you do the Install as Admin-User, or as real "Administrator" ?

Do or did you ever have another AV on the system (maybe preinstalled) ? especially NORTON-AV gives troubles even after normal uninstall ;)

amaru

  • Guest
Re:resident protection disabled
« Reply #2 on: September 09, 2004, 02:36:47 AM »
Hi and thanks for the reply,
I did try to boot on safe mode ([F8]) and received the following message:
KMODE_EXCEPTION_NOT_HANDLED
preceded by a lot of strange hex numbers and followed by a set of instructions to the effect that I should just re-boot the PC if this is the first time that I have seen this message, else, contact my hardware/software BIOS vendor for help, or something to the effect that the caching and shadowing of the BIOS should be stopped.  Anyway, in other words, I cannot do a safe boot.
I installed Avast as an administrator, which is the only option I have on this Toshiba 850 laptop.
This morning (it's five to six hours earlier here in Hawaii) I did an internet scan with software from HOUSECALL.  It was an interactive scan.  This scan found two viruses (virii?) but they were not reparable.  When the scan ended I manually deleted the files and rebooted.
The problem with the resident protection has changed somehow.  Now the blue "a" on the system tray stays on for a while (still has the little red circle on it) and when I try to activate it I get a message:
AAVM system detected and RPC error. Operation could not be completed.
As far as other AV software, I was using Grisoft's AVG free edition before Avast.  It was de-installed and all its files deleted.  AVG free edition seemed to have been disabled by whatever virus got into my PC.  It would only scan so many files and then die without any messages or reason.

Thanks for your response.  I will now de-install Avast and try to reinstall it again and see what happens.

Amaru  

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re:resident protection disabled
« Reply #3 on: September 09, 2004, 03:42:38 AM »
Now the blue "a" on the system tray stays on for a while (still has the little red circle on it) and when I try to activate it I get a message:
AAVM system detected and RPC error. Operation could not be completed.

Thanks for your response.  I will now de-install Avast and try to reinstall it again and see what happens.

Definitely, avast is not well installed...
An RPC (Remote Procedure Call) error can, generally, be corrected by uninstalling and installing again. Please, better if you can close your firewall before.
I'm wondering whether you have any 'trash' left behind by AVG...

You can even try the 'Repair' function on the Add/Remove programs applet on Control Panel  8)
The best things in life are free.

amaru

  • Guest
Re:resident protection disabled
« Reply #4 on: September 09, 2004, 10:48:45 AM »
Hi,
I did the un-install of Avast and reinstalled it again. The little blue "a" was on the system tray after I did a reboot.  I was able to enter the registration number after I right clicked the little blue "a" on the system tray.  However the little blue "a" still has the red circle on it. After I finished entering the registration number the little blue "a" still disappeared.  No messages.
Then I went to the computer icon and right clicked it.  I then clicked manage and clicked on services and application.  After that I clicked on services. At this point I could see that the resident protection of Avast was set to load automatically but was not started.  I right clicked Avast's resident protection and set it to start.  It seemed that it was started OK. Then I looked at the RPC service and saw that it was loaded automatically and was started.  Just for sanity's sake I right clicked the resident protection of Avast again and looked at its properties.  By this time it showed that the resident protection of Avast was not started.  I set it to start and got this message half way through the start process:
"Could not start Avast! anti virus service on local computer.
The service did not return an error.
This could be an internal Windows error or an internal service error.
If the problem persists contact your systems administrator."
Help please! Somebody?
Thanks,
Amaru

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re:resident protection disabled
« Reply #5 on: September 09, 2004, 01:57:56 PM »
I did the un-install of Avast and re installed it again ... the little blue "a" still disappeared.  No messages.

Maybe into the log viewer, set the lower level (Debug) and try to see under Administrative Tools > Events > antivirus section if you got any useful information to guide us through the solution.

Then I looked at the RPC service and saw that it was loaded automatically and was started.

Not necessary. Without RPC you won't have even Windows working...  :P
It's an absolutely necessary service.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:resident protection disabled
« Reply #6 on: September 09, 2004, 02:11:04 PM »
While there (at the log file section) also check the system and event logs. They may have some additional info. Looking at all the info you have provided, it looks to me that your os installation is corrupted.

ps: You do a great job with the info you provide. Wish everyone did that, would make it easier for us to provide accurate help. ;)
« Last Edit: September 09, 2004, 02:12:14 PM by Eddy »

amaru

  • Guest
Re:resident protection disabled
« Reply #7 on: September 15, 2004, 03:20:51 AM »
Hi,
Sorry it has taken me so long to get back to this forum, but I did not want to just take up any more time from the kind people that had taken the time to look at my problem and respond.
It turns out that I did have some kind of virus (I don't know what kind it was or how it got into my PC).  It also turns out that NONE of the antivirus scanners that I tried were able to detect this little monster (Avast!, AVG free edition, Symantec, McAfee, Panda, etc. etc.).

The symptoms of the little creature are:
1.- It will disable any antivirus software and prevent it from doing a complete scan for virus.
2.- If there are any resident protection modules it will disable them.
3.- It sets itself as a memory resident task (Avast memory scan did not detect it!)
4.- It copies itself into the C: drive root directory and into WINNT\system32 directory.
5.- AND ITS NAME IS:
     msiexec.exe.

HOW DID I FIND THE BUGGER?

I did an ALT+CNTL+DELETE and looked at the tasks currently running.  I wrote the names of each of the tasks and then clicked cancel.
Next I right clicked on the computer icon and clicked on the manage entry of the displayed menu options.  This took me to a selection of choices one of which is system information.  I clicked the little plus sign to expand this menu and then clicked the little plus sign on the software environment option.  There I clicked on the running tasks.  After the system refreshed I was able to see the same running tasks that I had seen when I did the ALT+CNTL+DELETE except that now I could see the path, version, size of file, and most importantly the file date.
I knew that I had been infected some time around the 5th of September 2004. Well, the only running task that had a file date of September 5th was a little fellow named "msiexec.exe".  It had a path of WINNT/system32.
I went to the WINNT\system32 path and found the little bugger.  I renamed it and changed its extension (Yes windows complained a lot about this but I knew that it was the only way to kill the fellow).
Then I did an ALT+CNTL+DELETE  and under running tasks I stopped the fellow.
I then rebooted my PC and Lo and Behold, Avast resident protection was on and active, and I could do complete virus scans again.
I now did the ultimate, I went to WINNT\system32 and deleted the file I had previously renamed.  Then I did a C: drive search for all the possible entries with the original name "msiexec.exe".  The search found another copy of the bugger on the C: drive root directory.  I deleted this copy also.
I did another reboot and all was still fine.  All the time that I was doing this I was not connected to the DSL network.
I think that I am free of the virus or whatever this thing was.
I wrote this detailed explanation in the hope that maybe it will help someone with the same problem and even perhaps some antivirus vendor will look into this and investigate why it was that this thing was not detected by their respective software.

Thank you all for your time and help.

Aloha, Amaru

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48562
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re:resident protection disabled
« Reply #8 on: September 15, 2004, 03:42:46 PM »
Amaru,
You'd better take a look at this because you may have caused a problem, not solved one.

msiexec - msiexec.exe - Process Information
Process File: msiexec or msiexec.exe
Process Name: Windows Installer Component
 
Description:
msiexec.exe belongs to the Windows Installer Component and is used to install new programs that use Windows Installer package files (MSI). This program is important for the stable and secure running of your computer and should not be terminated.
 
Author: Microsoft Corp.
Part Of: Windows
 
System Process: Yes
Virus: No
Spyware: No
Background Process: No
Uses Network: No
Hardware Related: No
 
Security Risk (0-5): 0
Common Errors: N/A



galooma

  • Guest
Re:resident protection disabled
« Reply #9 on: September 16, 2004, 12:11:27 PM »
Have you been able to install anything since removing the corrupted file?
 would Amaru not be able to re-install the missing file from his os disk ?

amaru

  • Guest
Re:resident protection disabled
« Reply #10 on: September 19, 2004, 09:40:39 AM »
Hi,
Yes, you are all correct, I would be in deep trouble had I deleted "msiexec.exe" just like that.  However, when I did a complete C drive search for the object "msiexec.exe" and found several instances of it in several directory locations I did right click on each one of the instances of the object to see its properties.  All of the objects that I looked at had "general" and a "version" tab on the properties menu, except the one that I deleted from my system.  
By the way the "msiexec.exe"s that had a version tab on the options menu you could clearly see that they were Microsoft objects showing "company name" , "internal name", "language", "legaltrademarks" , Etc. Etc.  The one that I deleted showed no information at all, other than the system generated date of installation.
Thanks for pointing this out.  Obviously it is an important part of the research that I omitted to mention.

Again, Mahalo and Aloha,
Amaru
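
Added example, not part of the original posts: the checks Amaru describes in Replies #7 and #10 (image path and file date of each running task, then whether each copy of `msiexec.exe` carries Microsoft version information), written as a PowerShell script. It assumes a current Windows host with PowerShell 5.1 or later; the function name `Test-SystemBinary` and the list of expected directories are illustrative choices, and the signature check is an extra signal the thread does not mention.

```powershell
$name     = 'msiexec.exe'   # image name taken from the thread
$expected = @(              # assumption: directories where Windows ships this binary
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Test-SystemBinary {
    param([Parameter(Mandatory)][string]$Path)
    $file = Get-Item -LiteralPath $Path -Force
    $ver  = $file.VersionInfo                        # what the "Version" tab shows
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $why  = @()
    # The impostor in the thread had no version information at all.
    if ([string]::IsNullOrWhiteSpace($ver.CompanyName)) { $why += 'no version resource' }
    elseif ($ver.CompanyName -notlike 'Microsoft*')     { $why += "company is '$($ver.CompanyName)'" }
    if ($sig.Status -ne 'Valid') { $why += "signature status $($sig.Status)" }
    [pscustomobject]@{
        Path        = $file.FullName
        Modified    = $file.LastWriteTime            # compare with the suspected infection date
        Company     = $ver.CompanyName
        # Informational only: the copy in the thread sat inside system32 itself.
        ExpectedDir = ($expected -contains $file.DirectoryName)
        Suspicious  = ($why.Count -gt 0)
        Reasons     = ($why -join '; ')
    }
}

# 1. Images behind running processes with that name (the task list with paths).
$running = Get-CimInstance Win32_Process -Filter "Name = '$name'" |
    Where-Object ExecutablePath |
    Select-Object -ExpandProperty ExecutablePath

# 2. Every copy on the system drive (the "search C: for msiexec.exe" step).
$onDisk = Get-ChildItem -Path "$env:SystemDrive\" -Filter $name -File -Recurse `
        -Force -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

@($running) + @($onDisk) |
    Where-Object { $_ } |
    Sort-Object -Unique |
    ForEach-Object { Test-SystemBinary -Path $_ } |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so protected directories can be read; rows with `Suspicious = True` are the ones to compare against a known-good copy before renaming or deleting anything.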

amaru

  • Guest
Re:resident protection disabled
« Reply #11 on: September 19, 2004, 09:49:50 AM »
Hi Again,
As to having been able to install anything on my system, the answer is yes.  I have installed a couple of new programs OK and also I have installed ZoneAlarm Pro Ok.  The programs are functioning ok and Zone Alarm Pro is doing its job just fine.
Thanks,
Aloha
Amaru

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:resident protection disabled
« Reply #12 on: September 19, 2004, 10:13:35 AM »
Just a suggestion. If you get another BSOD (Blue Screen Of Death) with an error, try the MS Knowledge Base. This is the article I found there when searching for the error you told us about in your first post in this thread.
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q294/7/28.ASP&NoWebContent=1

ps: Of course I hope no one gets the BSOD.
« Last Edit: September 19, 2004, 10:14:11 AM by Eddy »