Hi - after incorrectly powering down (accidentally switched off at the switch when pc was on but screen in power save) I have been experiencing several problems, the last of which I can’t seem to solve but seems to relate to avast…
Windows XP Home Service Pack 3, Avast home 4.8.1335 (VPS 090714-0 14/07/2009), Sygate Personal firewall 5.6, Windows firewall turned off), external broadband modem, IE8 & Firefox 3.0.11, Outlook Express (POP mail via yahoo)
Symptoms (& solution where found):
chkdsk ran at every boot (ran chkdsk /f /r and this stopped),
could send but couldn’t receive pop mail (changed port to 995 from 110).
couldn’t get to any http websites using Firefox or Explorer but could access https - could only access by pausing avast webshield
I have run spybot, ad-aware, a thorough (avast) virus check, uninstalled & reinstalled sygate, uninstalled & reinstalled avast and probably some other things that I’ve since forgotten I’ve tried and finally after much googling of port 80 problems found this: http://beer234.blogspot.com/2008/10/port-80-blocked-windows-xp.html
My value in ‘start’ was 4 and after resetting to 3, everything worked…for about 3 days…and then I encountered the same problem only this time the fix didn’t work
I have been able to access http sites in safe mode w networking - implying it’s an application problem - and given that I can only access these sites when avast webshield’s turned off, I figured it might be avast (or how it interacts with sygate?) but have dried up searching the forums…any assistance would be greatly appreciated as I’d rather have webshield on!!!
Thanks in advance / hoping someone can point me in the right direction…
The email port 995 is for secure communication and avast can’t handle SSL/TLS email even before your power off issue. By having it on port 995 avast wouldn’t be scanning that content (as it can’t, it’s secure) as it only monitors ports 25, 110, 119 and 143.
Changing port to 110 whilst still retaining the secure communication would cause the email collection to fail.
I believe your problems are related to your firewall actually blocking the avast processes.
Does it allow ashWebSv.exe, ashMaiSv.exe and avast.setup internet access ?
If it does, delete the entries for them and do a manual update and reconnect to the internet, browse and try to collect your email (having set your email back to what it was, 995); this should force the firewall to ask permission again.
Personally I would be looking for a firewall that hasn’t effectively been abandoned, and sygate has holes as far as localhost loopback is concerned as it can allow processes using the localhost proxy right through without challenge, as it only seeks permission for the parent of the proxy.
Thanks - yeah, agree that I should switch to another firewall in any case but should clarify that sygate doesn’t seem to be the problem: have tried the following (a couple of times)
sygate does allow the avast entries you listed
deleted those entries anyway & reconnected etc
still can’t access port 80 or 110
turned off sygate
tried the regedit/‘start’ value (3)/reboot fix again as per the link in original post
on rebooting, still can’t access port 80 or 110 (and ‘start’ value is 4 again)
repeated the above after uninstalling sygate (with and without windows firewall turned on and off) with same result
In summary:
re: browsing, can still only access http sites when avast webshield turned off (without any firewall active)
re: pop mail download, can only access using port 995 - even when avast paused / terminated (ditto)
(Btw, have re-run an ad-aware thorough scan and also various registry cleaners etc - any other free malware programs I should try?)
So to answer my own question(s), I guess avast isn’t the main/only problem since the two ports seem to be affected differently - although the browsing problem does seem to involve avast somehow. Any ideas how I can track down the problem, even if it’s not avast-related (if so, apols for posting on an avast forum) - any pointers would be appreciated… As you can tell, I’m getting in too deep here
Outlook Express:
Your server has unexpectedly terminated the connection. Possible causes for this include server problems, network problems, or a long period of inactivity. Account: ‘pop.mail.yahoo.co.uk’, Server: ‘pop.mail.yahoo.co.uk’, Protocol: POP3, Port: 110, Secure(SSL): No, Error Number: 0x800CCC0F
Firefox & IE:
timeout
also btw: I can ping known good sites (google, microsoft, my ISP) without packet loss
yeah, unfortunately tried that too (see last few dot-points in post from 09:52:54 PM) - get the same problem with windows firewall on or off, sygate on or off, both windows & sygate on or off (incl. w sygate completely uninstalled)…
I really can’t think of how this kind of issue was caused by the system being switched off whilst running. That may well cause some corruption, but the system would normally do a chkdsk scan on the next boot recognising that the shutdown wasn’t good. This should attempt to fix or at least detect corrupt files.
Have (or did) you another AV installed in this system, if so what was it and how did you get rid of it ?
Whilst you say you reinstalled avast, I would try a clean reinstall to make sure any registry entries which may have been affected are cleared.
Download the latest version of avast http://www.avast.com/eng/download-avast-home.html and save it to your HDD, somewhere you can find it again. Use that when you reinstall. Ensure that you scroll down and select the avast direct download link for the English version and not Cnet as that is for an on-line installation (not what you want to do). - Direct download for avast Home, English version, http://files.avast.com/iavs4pro/setupeng.exe.
Download the avast! Uninstall Utility, find it here and save it to your HDD.
1. Now uninstall (using add remove programs, if you can’t do that start from the next step), reboot.
2. Run the avast! Uninstall Utility, reboot. If step 1 failed it may be necessary to run this from safe mode; once complete reboot into normal mode.
3. Install the latest version, reboot.
Thanks - I’m fairly sure that’s what I tried a few days ago but will give it a go again and report back.
ps. in answer to your question, I used to have AVG Free (ages ago - prob >1yr) but uninstalled it. The problem described in this thread appeared about 2wks ago and like you can’t think a) why chkdsk didn’t solve it and b) why the fix I mentioned [http://beer234.blogspot.com/2008/10/port-80-blocked-windows-xp.html] seemed to work for 3 days / reboot cycles and then reverted back. First thought was some malware but doesn’t seem to be the case, going by ad-aware, avast etc…
…no luck - no change after reinstalling avast as per instructions…
[incidentally, when I boot in safe mode, it hangs at a347bus.sys - after a bit of googling, it seemed Alcohol 120 might be to blame so I uninstalled Alcohol - however it still hangs at this file; not sure if this is related to my other problems or just another can of worms]
Well avast doesn’t run in safe mode so there should be zero interaction with/from avast on safe mode boots.
I don’t know what version of AVG you had, if avg8 - AVG8 Remover, download tool from here, http://www.grisoft.com/ww.download-tools there is a 32bit and 64 bit windows version, ensure you use the correct one.
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).
1. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
2. SUPERantispyware, On-Demand only in free version.
Don’t worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.
Thanks for those suggestions, no change I’m afraid…
ran AVG8 32bit remover (no traces found as far as I could see)
ran superantispyware (only a couple of cookies)
ran malwarebytes anti-malware (log file contents pasted below)
Any other thoughts or is it time for a windows repair / format? Any way I can find out what process is changing HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vsdatant\start value to 4 (if this is relevant)?
Malwarebytes’ Anti-Malware 1.39
Database version: 2453
Windows 5.1.2600 Service Pack 3
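Since the question above is how to find out what is changing the Start value of the vsdatant service key, one defender-side approach that needs no extra tooling is to export HKLM\SYSTEM\CurrentControlSet\Services from regedit before and after a reboot and compare the two files. The script below is an added example written for this thread, not code from the thread or from avast; it parses regedit’s .reg export format, decodes the documented meanings of the Start DWORD (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled) and reports which services’ Start values differ between two snapshots. The two snapshots and the service name ExampleSvc are constructed for illustration; a real export writes ImagePath as a hex(2) value, which this parser simply skips.

```python
import re

# Documented meanings of the "Start" DWORD under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>
START_MEANINGS = {
    0: "boot start (loaded by the boot loader)",
    1: "system start (loaded during kernel initialisation)",
    2: "automatic (started by the Service Control Manager at boot)",
    3: "manual / on demand",
    4: "disabled",
}

# Constructed .reg snapshots in regedit's export format (not taken from the
# poster's machine). "ExampleSvc" is a made-up service name.
SNAPSHOT_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsdatant]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="system32\\drivers\\vsdatant.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\Program Files\\Example\\examplesvc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters]
"Verbose"=dword:00000001
"""

# Second constructed snapshot: the same export after the driver was disabled.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    '"Start"=dword:00000003', '"Start"=dword:00000004')

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')
SERVICES_MARKER = "\\currentcontrolset\\services\\"


def parse_services(reg_text):
    """Return {service_name: {value_name: value}} for top-level service keys.

    Sub-keys such as ...\\Parameters are ignored, and only DWORD and plain
    string values are decoded (hex(2)/hex(7) values are skipped).
    """
    services = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.lower().find(SERVICES_MARKER)
            rest = path[idx + len(SERVICES_MARKER):] if idx != -1 else ""
            # Only direct children of ...\Services are service keys.
            current = None if (not rest or "\\" in rest) else services.setdefault(rest, {})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            current[m.group(1)] = int(m.group(2), 16)
            continue
        m = STRING_RE.match(line)
        if m:
            # .reg files escape backslashes; undo that for readability.
            current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return services


def describe_start(value):
    """Human-readable meaning of a Start value."""
    return START_MEANINGS.get(value, "unknown (%r)" % (value,))


def changed_start_values(before_text, after_text):
    """Return {service: (old_start, new_start)} for services whose Start differs."""
    before = parse_services(before_text)
    after = parse_services(after_text)
    changes = {}
    for name in sorted(set(before) | set(after)):
        old = before.get(name, {}).get("Start")
        new = after.get(name, {}).get("Start")
        if old != new:
            changes[name] = (old, new)
    return changes


if __name__ == "__main__":
    for name, (old, new) in changed_start_values(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print("%s: Start %s -> %s (%s -> %s)" % (
            name, old, new, describe_start(old), describe_start(new)))
```

Run against two real exports (read the files and pass their contents to changed_start_values) the report narrows the question from “something changed the registry” to “this service’s Start value flipped between these two boots”, which is the starting point for looking at what ran in between; it does not by itself identify the process responsible.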
The process TrueVector Device Driver belongs to the software TrueVector Device Driver or vsdatant or ZoneAlarm or ZoneAlarm with Antivirus or ZoneAlarm Security Suite or ZoneAlarm Pro or ZoneAlarm Anti-virus by Zone Labs Inc (www.zonelabs.com) or Zone Labs, LLC or Zone Labs LLC (www.zonelabs.com).
So have you ever had zone alarm installed on this system as it appears there might be remnants ?
That could well have a large impact with possible conflict not just with the web shield proxy but with sygate.
Check for the existence of vsdatant.sys and report your findings ?
Download and run HJT and post the contents of the log file (cut and paste or attach the log file) into this topic, you may need to split it over two or more posts depending on how large it is.
I had a very similar problem yesterday when after a forced shut down and system restart Web Shield would block everything. I suspect that the firewall rules were damaged or something. What I did was remove the firewall rule for ashWebSv.exe and let Outpost firewall create a new rule. This restored Web Shield functionality again.
I don’t believe that this is the case here as we have already gone through those steps and disabled Sygate.
The point I’m making here is that there appear to be remnants of another firewall not previously mentioned, so the same as not having two AVs, having two firewalls or remnants could have the same conflicting issues.
hmm, no, have never had ZoneAlarm installed - did the search: no sign of ‘vsdatant.sys’
have run hijackthis, log pasted below
thanks
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:39 PM, on 19/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
I don’t see anything zone alarm related but that registry key is most certainly related to ZA, why it is even there is beyond me.
I also don’t really know what the start values are, just guessing 4 is disabled as if ZA didn’t exist then I don’t know if the OS would be clever enough to disable it. Then when MBAM does its scan seeing it disabled perhaps it believes that to be a malicious act and flags it. Though there is nothing about that in the log, just your comment about it.
I don’t generally recommend poking around in the registry as it can seriously spoil your whole day if you modify or delete anything important.
Why did you mention the changing of this value ?
e.g. does it throw up an error and if so what is the error and what application alerts you (registry protection, etc.).
Does it in anyway impede your use of the computer ?
You might want to check out this info and decide if you need this service:
– How To Uninstall or Remove Bonjour mDNSResponder.exe
Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware and yours is way out of date. First remove All Older Versions From Add/Remove Programs.
I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.
point taken about fiddling w registry - to be honest, I was just poking around in the dark (as mentioned a while back, found this http://beer234.blogspot.com/2008/10/port-80-blocked-windows-xp.html and my value in ‘start’ was 4 and after setting to 3, everything worked…for about 3 power cycles…and then the port 80 problem came back and the value was 4 again; was probably on the wrong track)
It wasn’t so much a criticism of your looking in the registry, but me not wanting you to delete this particular key as effectively it should be redundant, if you don’t have ZA installed.
Then again why would it make any difference what the value was if it was effectively redundant and why would the value get changed. So I think you can see with these type of things going on deletion of the key could have other implications, I hate mysteries.
(btw, I ran another “chkdsk /f /r” yesterday just in case but volume reported clean and no change with port 80 etc)
looks like it will only be fixed if I formatted and started again :-\ may do this eventually but will post again if anything miraculously changes in the meantime