[Resolved] Avast Warning System is Unsecured and Service not running

I noticed an x in the Avast icon and it says the system is unsecured and the service has been stopped. I clicked on the button to start Avast and to Fix Avast, but it didn’t work. I tried a boot scan and full scan, but all modules are not running. I rebooted the computer a few times, but that didn’t help.

I went into services.msc and started the Avast service, but Windows said it started and then stopped.

This morning Seamonkey wouldn’t open, or task manager - then I lost all icons on the desktop and used the tower button to shut down the computer. When it was turned on later, everything seemed okay until I noticed Avast not running this evening.

This is an XPHomesp3 computer, fully updated with ZoneAlarm, Defensewall HIPS, script sentry, spywareblaster, MSVP Hosts file and spywareguard.

I made an image of the computer last month and allowed COMSurrogate to access the internet - this occurred during the image so I thought it had to do with the program. The registry does NOT have the run registry entries for that malware.

I was not able to update malwarebytes (I posted in that forum too) but I was able to update Superantispyware - which only found tracking cookies.

I would appreciate any help.

Sincerely, Libra

Hi Libra,

I see that you are running ZoneAlarm, Defensewall HIPS, script sentry. Any one of these can overlap and conflict with Avast. There have been many users with ZA issues and Avast, so I would suggest uninstalling it and replacing it with something else, if for now Windows Firewall while we troubleshoot.

You have a few issues going on. First you are not using the most current version of Avast, which is 5.0.594, so you should do an uninstall and clean install to see if this fixes the problem.

  1. Save a copy of the newest version of Avast (5.0.594) for the version you need and save it to your HDD:
    Free: http://files.avast.com/iavs5x/setup_av_free.exe
    Pro: http://files.avast.com/iavs5x/setup_av_pro.exe
    AIS: http://files.avast.com/iavs5x/setup_ais.exe
  2. Download the Avast Uninstall Utility, aswClear5.exe http://www.avast.com/uninstall-utility and save it to your HDD.
  3. Disconnect from the Internet at this time; turn off your connection from the Internet.
  4. Uninstall Avast through “Add/Remove Programs” through Control Panel.
  5. Boot into Safe Mode (hit F8 repeatedly) and run the Avast Uninstall Tool.
  6. Reboot twice.
  7. Clean your computer up (clean up cache, temporary Internet files, etc.).
  8. Install the newest version of Avast and reboot twice.
  9. Get Internet access and update Avast definitions.
  10. Register your copy or add the license key for Free, Pro or AIS.
  11. Reset your settings, if needed.

Next, try updating MBAM and run a scan. Please post your results. If you can’t, please let us know and we will give you further directions.

Thank you for your reply Safesurf. I thought I edited my profile. I have Avast 5.0.594 installed on both computers. I installed it on XPHomesp3 on June 18. I had to manually update it after the install, but it’s been running fine until now.

Since I already have 5.0.594 installed should I remove it and follow your instructions? (If so should I be unchecking the Avast self protection module?) Or do something else?
I’m going to sleep now, but I’ll wait for your advice. Thank you.

Sincerely, Libra

Hi!
My advice is simple: Avast + Win-FireWall = protection enough.

You do not need ZoneAlarm (or Comodo), nor do you need AdAware or SpyBot.

Sorry to rain on your parade, but the XP Firewall being inbound only isn’t enough.

Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Whilst I’m no big fan of Zone Alarm, there are others excluding Comodo which comes in suite form and includes an AV (a no, no), which you would have to remove.

Many forum users are using these:

  • PC Tools Firewall seems to have the least user headaches as it doesn’t seem to be constantly asking the user questions about this and that.
  • Online Armor is for the most part fine, but it has caused some users grief after avast program updates and that is something you have to watch out for.
  • Outpost Firewall 2009 free, a cut down version of the Outpost Firewall Pro version, which should still provide good protection, http://free.agnitum.com/. Download, http://www.filehippo.com/download_outpost_firewall/

DavidR. is correct in the firewall issue unless you are behind a NAT router as well. The FW’s with the least headaches for Avast users seem to be the ones David listed.

  1. Update MBAM if you can, and run a scan to make sure you are clean. I would still uninstall the programs I mentioned in my original post; reboot twice in between each uninstall of software.

  2. If you are still having problems after doing the above, then try Fix/Repair of Avast. If this doesn’t work, then try the uninstall/CLEAN install that I posted in purple in my original post.

3a. If this doesn’t work, then here is additional information on how to invoke a memory dump file: http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=71.

3b. Please, zip and upload the C:\Windows\Memory.dmp file to this anonymous ftp server and name it uniquely: ftp.avast.com/incoming. The Avast Team will analyze it.

Please let me know how this works out for you.

Well a NAT router unless it specifically mentions it has outbound firewall checking suffers from the same issue, any outbound connection will pass right through the NAT router on the way back in, it would pass any SPI check as it originated from the/a local computer.

I have a few things to mention. I’m sorry this is so long:

I tried control panel>Repair on Avast and it didn’t work, although two processes from Avast were in task manager - I had to shut down the computer to stop it after an hour.

I removed and reinstalled malwarebytes according to their instructions and the new installation updated and I ran a scan. (Zone Alarm alerted and asked permission for a new version of malwarebytes.) It found:

(Script Sentry didn’t allow the first)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command(default) (Broken.OpenCommand) → Bad: (C:\Program Files\Script Sentry\ScriptSentry.exe “%1” %*) Good: (regedit.exe “%1”) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\HomePage (Hijack.HomePageControl) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\Local Settings\Temp\fatemp-icon.exe (Trojan.Dropper) → Quarantined and deleted successful


After Malwarebytes I tried to turn on and fix Avast, but it didn't work.  I noticed (although it's not running) the Web Shield lists INFECTED ITEMS = 2.  Why didn't the Web Shield protect my computer??  It is set to scan all files and action is abort connection.  The exclusions is checked for mime etc., but this is the default setting and I thought if it is default it is safe.  I don't have pups or suspicious checked on any module, since I don't know if that would create a lot of false positives.  I found the report with explorer:

* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, July 16, 2010 12:43:59 PM
*

7/19/2010 3:33:34 PM	ht tp://rakiyek.lecastelas.be/lisa8420/?x=entry:entry100704-192858 [L] HTML:Script-inf (0)
7/19/2010 3:33:49 PM	ht tp://rakiyek.lecastelas.be/lisa8420/?x=entry:entry100704-192858 [L] HTML:Script-inf (0)
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Tuesday, July 20, 2010 1:20:41 AM
*

What is this? I didn’t do any maintenance, so it was accessed by a limited account user.

I remember Avast 4.8 wouldn’t let me connect to a suspicious page - should I be installing 4.8 instead? My daughter said she got no warning at all at that time.

Thank you for your reply. I plan to hopefully remove Avast now and would like to know what settings I should use or if I should install 4.8 instead?

Sincerely, Libra

I want to report that I used add/remove and it seems to have successfully removed Avast 5.0.594 - it said it was successful and I have the Windows alert saying I have no antivirus installed.

I need to know what settings to use if I install 5.0.594 again - since the Web Shield didn’t protect my computer.

Right now there is no antivirus and it is unplugged from the internet.

I’d also like to know why the web shield didn’t protect my computer.

Sincerely, Libra

Leave the settings at the default, that is the idea to see if a reinstall resolves the problem, possibly damaged original install. If you start changing lots of default settings (there is no restore defaults button/feature), then we wouldn’t know the condition of the install.

Thank you, David. I just installed Avast 5.0.594 and plugged in the ethernet cable and updated it. On your advice, I didn’t change any settings at all (I didn’t even check for it to generate a report yet). I am running a full system scan right now. It’s at 29%. I will let you know the results and would like to know what settings I can change and what I should change them to when you feel I can do that. I don’t feel I was protected by Avast for this to have happened.

Sincerely, Libra

The honest answer is not to change anything, leave it on the default settings for a while until you get to know how avast works on your system. Then if you have any questions ask rather than change things where you might not understand the implications of that change.

Spend some time rummaging through the avast User Interface and get to know where things are, spend some time browsing the avast Help Center (help file).

Avast have provided in the default settings, what is a good balance between performance and protection.

There are no settings related to this that will make you any better protected, if the system is reporting unsecured that is a shield level report and shield settings won’t change that.

It looks like you have a corrupt installation and the reinstall should have resolved that. Or, as has been mentioned, having too many security applications running that might conflict; I don’t know how the script sentry or spywareguard work so I don’t know if they might have conflicted with some of avast’s services starting.

You have to have a period of time running on the defaults or you will never know how avast runs for you on these settings.

Thank you again, David. I did a full system scan which showed no infections and a boot scan of all drives which showed:

07/22/2010 18:15
Scan of all local drives

Number of searched folders: 5678
Number of tested files: 274751
Number of infected files: 0

Script Sentry protects against scripts (if I want to merge a file into the registry, Script Sentry will ask if I want to allow it before it is merged). SpywareGuard protects the IE Home Page from being changed (it will alert me and give me a choice to accept change or keep old). I doubt very much that these programs would interfere with Avast. I’ve had Avast 4.8 on this computer for quite a while without any problems.

I installed Avast on this computer on June 18 - would it take a month to show a corrupt installation? Plus, prior to Avast showing “System Unsecured and System not running” I found a Report of the Web Scanner saying:

7/19/2010 3:33:34 PM ht tp://rakiyek.lecastelas.be/lisa8420/?x=entry:entry100704-192858 [L] HTML:Script-inf (0)
7/19/2010 3:33:49 PM ht tp://rakiyek.lecastelas.be/lisa8420/?x=entry:entry100704-192858 [L] HTML:Script-inf (0)

and the statistics showed 2 infections on 7/19 at 3:33 pm.

The web scanner should have aborted the connection. Obviously it didn’t. Does the above show that it stopped the infection?

Previously I had Avast set to scan “all files”. I’ll leave the settings at default for now. (I remember you told me that having it clean an infection usually doesn’t work and that’s the first option in the scanner, followed by chest and then do nothing.)

Actually although Avast wasn’t running, the computer was working fine in spite of that.

Sincerely, Libra

A file or files could become corrupt for a number of reasons and there is no time line that it might follow.

In 4.8 the Repair function I can’t ever recall an instance on the forums where this was of any use as for the most cases the infection wasn’t a virus, you can’t actually repair a trojan say as the complete content is malicious.

In avast5 the default action for on-access detections is to move to the chest. For on-demand scans it is usually listed to be move to the chest but that can be changed on a per detection instance. Personally it is safest to use the chest as that can be reversed if required. avast5 has a number of repair options for certain virus infections.

The stats are showing detections/alerts not physical infections, since it is showing a web location and not a system address, like the browser cache or temp location. I don’t believe the two are related as I would expect to see detections on the system; if it got past the web shield and was saved to the hard disk, that should have triggered a file system shield scan.

The web shield does abort the connection, but some browsers don’t honour that and continue trying to download that failed/aborted connection, thinking it is doing you a favour. That should as I said trigger the file system shield.
What browser are you using ?

Where were you setting this Scan All files option ?
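Added example (not part of any post in this thread): a small Python triage script for report lines in the layout quoted above, applying the distinction made in the preceding reply between detections on a web location and detections on a path on disk. The function names `parse_report` and `collapse_repeats` are hypothetical, the 60-second repeat window is an assumption, and the sample lines are constructed rather than taken from the report.

```python
import re
from datetime import datetime

# Line layout as seen in the report quoted in the thread:
#   <timestamp> <target> [<flag>] <detection name> (<number>)
# The thread does not say what the flag or the trailing number mean,
# so they are matched but not interpreted.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<target>.+?)\s+\[(?P<flag>\w+)\]\s+(?P<name>\S+)\s+\((?P<num>\d+)\)\s*$"
)
WEB_RE = re.compile(r"^ht ?tps?://", re.IGNORECASE)  # tolerates "ht tp" defanging
LOCAL_RE = re.compile(r"^[A-Za-z]:\\")               # drive-letter path on disk

def parse_report(text):
    """Return one dict per detection line; '*' header lines and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        target = m["target"]
        kind = ("web" if WEB_RE.match(target)
                else "local" if LOCAL_RE.match(target) else "other")
        entries.append({
            "ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            "target": target, "name": m["name"], "kind": kind,
        })
    return entries

def collapse_repeats(entries, window_seconds=60):
    """Merge repeated alerts for the same target and name (e.g. a browser retry)."""
    merged, last = [], {}
    for e in sorted(entries, key=lambda e: e["ts"]):
        key = (e["target"], e["name"])
        i = last.get(key)
        if i is not None and (e["ts"] - merged[i]["last_ts"]).total_seconds() <= window_seconds:
            merged[i]["hits"] += 1
            merged[i]["last_ts"] = e["ts"]
        else:
            last[key] = len(merged)
            merged.append({**e, "hits": 1, "last_ts": e["ts"]})
    return merged

# Constructed sample in the same layout; hosts, paths and the second
# detection name are made up for illustration.
SAMPLE = (
    "* avast! Real-time Shield Scan Report\n"
    "* This file is generated automatically\n"
    "*\n"
    "7/19/2010 3:33:34 PM\tht tp://blog.example.invalid/page/?x=entry [L] HTML:Script-inf (0)\n"
    "7/19/2010 3:33:49 PM\tht tp://blog.example.invalid/page/?x=entry [L] HTML:Script-inf (0)\n"
    "7/19/2010 3:34:02 PM\tC:\\Temp\\sample.exe [L] Constructed:Sample (0)\n"
)

if __name__ == "__main__":
    for e in collapse_repeats(parse_report(SAMPLE)):
        print(e["kind"], e["hits"], e["name"], e["target"])
```

Entries of kind `local` are the ones that point at a file on disk and deserve a follow-up scan; `web` entries record alerts raised on a URL.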

Hi David,

On the XP computer we use Seamonkey but my daughter also has AOL installed, which uses the IE browser (which is IE8). My malwarebytes scan found this:

Files Infected:
C:\Documents and Settings\User\Local Settings\Temp\fatemp-icon.exe (Trojan.Dropper) → Quarantined and deleted successful

You’re right, the action is Move to Chest, Delete, No Action.

I had Scan all Files in the File System Shield, scan when opening and scan when writing.

Web Shield also has scan all files, but that must be default. The only change I’ve made is if an infected file is in an archive to delete the whole archive.

I see PUPS and suspicious files listed here and there in the settings. I’ve never checked them since I don’t know if that would generate a lot of false positives.

Thanks for explaining that the web shield may just have noticed the infection and it didn’t get on the computer. Do you know what that item is that malwarebytes detected?

I’m still confused about this. We have the XP computer 6 years and never had an infection on it.

Sincerely, Libra

I’m not sure where you got that virus from but malware is becoming more and more prevalent, so don’t be too harsh on yourself or your daughter. We as users just need to be more vigilant.

I would do the following to assure you are malware free:

  1. Update your Avast definitions, if not done already, and run a Full and Boot-time scan.
  2. Update and run another MBAM scan.

The reason for repeating the scans is to make sure all is gone, plus the boot scan is different than the other scans.

  1. Use a more secure browser than IE for aol. I would suggest your daughter moving to FF and using the aol webmail https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&seamless=novl&offerId=newmail-en-us-v2&authLev=0&siteState=ver%3A4|rt%3ASTANDARD|at%3ASNS|ld%3Awebmail.aol.com|uv%3AAOL|lc%3Aen-us|mt%3AAOL|snt%3AScreenName|sid%3A69115569-e09b-479b-bce8-652ee20343f3&locale=us (still has full features, but you need to enable flash and scripts and that is why I suggest using this on FF with the suggested add-ons). With FF, you can enable NoScript, BetterPrivacy, AdblockPlus, and other add-ons to increase your security.

As mentioned in earlier posts, leave the Avast settings at default for now.

@ Libra
OK, that scan All files option is I believe overkill as you are going to be scanning files that aren’t at risk of infection, etc. The default settings are going to scan any file considered at risk, plus it also depends on the term opening, it is possible to open some files without running/executing them. That is covered by default in the Scan when executing tab, if a file is to be executed it will first be scanned and why there is no such scan all files option.

To me the same is true of scan when writing as these would mostly be data files capable of being written to. Executable files if they were written to it is most likely as a result of a true virus infection/injection and these files would be scanned under the when files are created or modified the FSS.

I have left these scan all files at the default as I don’t believe avast would have that as the default setting if it were dangerous to do so.

The web shield default is to scan all files, so that it can attempt to detect malware and abort the connection, stopping it from being saved on the system.

I don’t know why MBAM detected this as other than the log data there is no way to analyse the file, it could well be that it wasn’t detected by avast as no AV will give 100% protection. That is true of MBAM also but it complements avast and I run a weekly update and scan though it has never found anything (though I don’t really expect it to) other than a couple of FPs, which is true of all security applications, none are FP free or will give 100% detection.

Hi DavidR,

I’m sorry for the delay in getting back. You make a good case for leaving the settings at the default :). I’ll leave them that way. Thank you for explaining the logic behind them.

Hi Safesurf,

I ran a full scan and a boot scan and came up clean. I had already updated Malwarebytes and ran another scan, which also came up clean.

I appreciate both of your advice and assistance with this.

Sincerely, Libra

Libra,

That’s good news! :)

If you feel that your issue is now resolved/fixed, please go back to the open post in this topic, click the modify button in that Post and change the title/subject, add [Resolved] to the beginning of the title so this thread can be closed. Thank you. Let us know if we can be of help in the future.

No problem, glad I could help.