v7 Behaviour Shield gone Paranoid

Yeah yeah, I know. Don’t rabbit on about upgrading.

OK, normally Behavior Shield keeps a low profile. Every now and then I’ll get a question, and sometimes I’ll say “Allow” and sometimes I’ll say “Allow and add to Trusted…”

But today I got 8 (count 'em!) queries. I have not changed any settings in the last couple of weeks, even the CryptoPrevent upgrade was two weeks ago, and I thought that would generate a heap of queries.

The responsible exes are wermgr and taskhost (ntdll.dll) and sidebar (explorer.exe). The action requested is “Modification of: \REGISTRY\USER\S-1-5-21-539054013-3449729138-3425354382-1010\Software\Microsoft\Windows\CurrentVersion\Run”

What could have caused this sudden jump to attention?

I have attached a notification screenshot, and the relevant entries from the Behaviour Shield report.

Gordon.
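One way to see what is actually sitting in the Run key those alerts name, as an added PowerShell example (not code from this thread or from Avast), assuming Windows PowerShell 4.0 or later for Get-FileHash and that it is run as the affected user: it lists every Run value in the user and machine hives and reports whether each referenced executable exists, whether it carries a valid Authenticode signature, and its SHA256, so that entries can be compared against the times and processes in the Behaviour Shield report.

```powershell
# Added example, not code from the thread or from Avast. Inventories the Run
# autostart keys (the HKCU key named in the alert plus the machine-wide ones)
# and reports signature status and SHA256 for each referenced binary.
# Assumes Windows PowerShell 4.0 or later (Get-FileHash).

function Get-ExePathFromCommand {
    param([string]$Command)
    # Run values are command lines: strip quotes and trailing arguments
    # to recover the executable path that the entry launches.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $idx = $cmd.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) { return $cmd.Substring(0, $idx + 4) }
    return ($cmd -split ' ')[0]
}

function Get-RunEntryTriage {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePathFromCommand $command))
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            # A missing binary or an unsigned/invalid signature is what warrants a closer look.
            $sig  = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'MISSING' }
            $hash = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { '' }
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Command   = $command
                Signature = $sig
                SHA256    = $hash
            }
        }
    }
}

Get-RunEntryTriage | Format-Table -AutoSize
```

Entries whose Signature is anything other than Valid, or whose binary is MISSING, are the ones worth checking against the report before deciding whether to mark anything as Trusted.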

I’m no expert, but since Avast “7” has not changed, then something on your PC has.
Not sure what O/S you are on, but if you did the latest software security updates, did it start after this?
As some of the other posts have said…Avast does have compatibility concerns with older versions…not sure if this is the issue, but you might want to think about going to Avast 2014 (V9)…stable now. Unless you are a fan of their “Tools” I’d recommend a basic install…just choose CUSTOM…see attached. Make sure if you DO upgrade to do a CLEAN uninstall and new install…not an in-program upgrade.

Avast Clean Un- & Re-Install

1. Download Avastclear, Rejzor’s uninstall tool and the appropriate Avast program edition.
   Avastclear: http://files.avast.com/iavs9x/avastclear.exe
   Rejzor’s Uninstall tool: http://rejzor.wordpress.com/avast-cleanup-tool/

Here are the Avast installer links. Note: You need to be ONLINE during this install.
http://files.avast.com/iavs9x/avast_free_antivirus_setup_online.exe
http://files.avast.com/iavs9x/avast_pro_antivirus_setup_online.exe
http://files.avast.com/iavs9x/avast_internet_security_setup_online.exe
http://files.avast.com/iavs9x/avast_premier_antivirus_setup_online.exe

…Now…
2. Uninstall Avast by Control Panel>Programs [If you don’t have Avast in Control Panel go to #4]
3. Run Avastclear in Normal Mode and allow it to reboot the PC into Safe Mode to complete the removal process.
4. Run Rejzor’s Uninstall Utility in Normal Mode (removes traces Avastclear doesn’t) - reboot.
5. Be sure to check the PC’s Device Manager (Control Panel>System) once the uninstall is complete.
   Make sure to show any hidden devices by selecting the pull-down menu Device Manager>View>Show Hidden Devices.
   If there is anything related to Avast with a yellow triangle then uninstall it (highlight, right click) and reboot.
   If you get an error just right-click & delete.
6. Install the Avast version you downloaded.
7. Reboot.

Also, the other possibility is you have some Virus, Malware, etc…may want to run thru this:
https://forum.avast.com/index.php?topic=53253.0

Just some ideas.

*Rejzor’s Avast Cleanup Tool is recommended to run in safe mode by pressing f8

After you install Avast it will do a quick start-up system scan. Once that is done, reboot your computer manually and register your copy of Avast.

P.S.: The final release of Avast 2015 is not too far away. Currently it’s on RC3 (Release Candidate 3)

OS is in sig, W7. I confess to being a complete jaapi here, I don’t do security updates. Period.

The last activity is:

  • KM74 installed 12-10
  • Opera 12.17 installed 14-10
  • Database Browser for SQLite installed 16-10
  • Java 8 u 25 x32 x64 installed 17-10

But I can’t see how these would cause this behaviour. Or maybe Java might; they changed the way it installs, and the registry entries as well. It used to be in HKCU, but now goes into HKLM, probably a good thing, but for some reason the install folder doesn’t show in Programs and Features.

...compatibility concerns of older versions...
Well, built-in senility *would* be a good way of persuading us to upgrade, wouldn’t it? :D :o (I am looking at v10, it seems they’ve put in a few things which could be useful.)

I suppose I could download MBAM… I would expect any half-way self-respecting malware to do a better job than this though. But surely that registry key gets altered several times a day every day? Why the fuss now? No, it can’t be the Quick Scan (System drive, Rootkits (very quick scan), Auto-start programs) I did yesterday, surely?

Gordon.

Ran MBAM, only detection was in Recycler.

Log is attached.

I hate it when software tries to think for itself. >:( It always gets it wrong. :frowning:

Gordon.

You are so right in that v2015 has some enhancements. avast released v2015 Release Candidate 3 yesterday
and it is very stable, in fact the whole beta test has been relatively smooth.

FYI the “old” behavior shield has been replaced by “deepscreen”. Deepscreen uses technology
that the old behavior shield could only dream about. Other technologies include “hardened mode”
and most if not all of the “old” file shield is now cloud based (deepscreen). Another new technology
is the “ng” for systems that can run it.

Quote from https://forum.avast.com/index.php?topic=157166.msg1136272#msg1136272

• AVAST NG
A hardware-based virtualization solution capable of running each Windows process in a standalone, safe virtualized environment (VM), fully integrated into your desktop. Each process is executed in its own instance of a VM, which means it is totally isolated from your other applications. This feature is now powering Avast DeepScreen, resulting in better detection. The technology will also eventually power the Sandbox and SafeZone components (although it does not now).

Actually, AvastClear runs in Safe Mode; Rejzor’s runs in Normal Mode.
Here are the bulletproof steps, consolidated from many inputs.

Avast Clean Un- & Re-Install

1. Download Avastclear, Rejzor’s uninstall tool and the appropriate Avast program edition.
   Avastclear: http://www.avast.com/uninstall-utility
   Rejzor’s Uninstall tool: http://rejzor.wordpress.com/avast-cleanup-tool/

Here are the Avast installer links. Note: You need to be ONLINE during this install.
http://files.avast.com/iavs9x/avast_free_antivirus_setup_online.exe
http://files.avast.com/iavs9x/avast_pro_antivirus_setup_online.exe
http://files.avast.com/iavs9x/avast_internet_security_setup_online.exe
http://files.avast.com/iavs9x/avast_premier_antivirus_setup_online.exe

…Now…
2. Uninstall Avast by Control Panel>Programs [If you don’t have Avast in Control Panel go to #4]
3. Reboot the PC into Safe Mode…F8 key after POST & before the Windows logo…run Avastclear & reboot into Normal Mode.
4. Run Rejzor’s Uninstall Utility in Normal Mode.
5. Be sure to check the PC’s Device Manager (Control Panel>System) once the uninstall is complete.
   Make sure to show any hidden devices by selecting the pull-down menu Device Manager>View>Show Hidden Devices.
   If there is anything related to Avast with a yellow triangle then uninstall it (highlight, right click) and reboot.
   If you get an error just right-click & delete.
6. Install the Avast version you downloaded.
7. Reboot.

I personally also run CCleaner after the above uninstall steps…call it step 5.5.

With all due respect, why even bother with the device manager?
It defies all logic since…

  1. The OP is going to re-install.
  2. Using both the avast uninstaller and RejZor’s cleanup tool and CCleaner you don’t need to do anything
    with the device manager.
  3. Using the new avast uninstaller you don’t even need to run RejZor’s tool.
  4. Download the new avast uninstaller here.

It seems you are going around your elbow to get to your thumb.

I admit…maybe redundant…but since I don’t know what is in these cleanup tools I try to cover all bases…only takes a few more minutes…but appreciate the update…noted. Thx!

RejZor himself has stated in one of his posts that the avast removal tool has greatly improved and probably does a better job at cleaning up than his tool.
Just use the Avast removal tool in regular mode and, when asked, allow it to reboot your system into safe mode to do its work.

Good morning all! Thanks for all the tips, especially on Avastclear vs Rejzors Uninstall. Getting rid of some apps can really be a RPITA!

Anyway, ran a bootscan this AM:

Number of searched folders: 26289
Number of tested files: 495778
Number of infected files: 0
2x ZIPs corrupted aka "I don't know how to open what everyone else can"
1x CAB   corrupted ---------------------------"------------------------

One hopes that DeepScreen can be configured better than Behaviour Shield.

I’m at a loss to figure why I’m getting all these alerts for no apparent reason. I did think that somehow the Heuristics had gotten switched on again, but it seems not, my settings have not altered.

This is annoying, as I’m reluctant to mark files/apps as “Trusted” without VERY good reason, and being Windows system apps is NOT a qualification! OTOH, what choice do I have?

I am encouraged by all the positive beta testing of v10–it seems to be a huge improvement over v9 :slight_smile:

Gordon

Not sure, but this would possibly alarm me since you are getting messages on Windows files.
Have you tried to run SFC? http://pcsupport.about.com/od/toolsofthetrade/ht/sfc-scannow.htm

Also, why do you not install Windows Security updates? ???

Oh, the Boot Scan is always coming up with that one. The standard reason is “The {CAB|ZIP} is probably non-standard.” I can actually believe that, as (especially in W9x) there were a lot of CABs that even CabViewer could not show me, they would open up with a blank screen–many KB of blank screen ???

Microsoft is not the first software group to disobey their own rules :slight_smile: and they sure won’t be the last!

However, all 3 of those “corrupted” archives were individually scanned with no errors, so all is good. Maybe.

Do you know I actually forgot SFC? I’ll run it as soon as I get off this :P.

Windows Security updates ?
This sounds silly. I don’t need to. I actually do seek out and install useful updates; I have been known to lecture people quite sternly about the need for ALL Service Packs! But endless streams of updates do nothing but keep my connection occupied. My record speaks for itself: only one infection (a PIF) since 1996, and that was my fault, trying to alter the extension to .txt so as to look at it in NotePad in W98FE. I had already removed the box from the LAN, and I double-clicked the file accidentally. The repair was simple, about 10 minutes to find the payload and shift-del them into hyper-space... But the experience was hairy enough for a newbie like myself that I never repeated it. I had even disabled our AV for the exercise! Can’t remember what it was called, an Australian company, very good; it had actually told me about the threat and isolated it.

EDIT: it was VET Antivirus, picked up by CA a couple of years later and totally absorbed 2 years after that. END EDIT.

But my record is such that I overheard my daughter, long ago, expressing her disappointment with a friend’s family: “You should get my Dad to look after your computer. Ours never gets infected!” So…

Gordon.

EDIT:

C:\Windows\system32>sfc /verifyonly

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

C:\Windows\system32>