Author Topic: 'An untrusted program is trying to disable Avast' - How to tell what program?  (Read 10818 times)

0 Members and 1 Guest are viewing this topic.

rhyme-time

  • Guest
::TOPIC EDITED : Is more... specific of my question::

I was using FPS Creator* when SUDDENLY Avast warned me "An untrusted program is trying to disable avast" in a blue window, then disappeared and then FPS Creator had an error and had to close.
I've been using FPS Creator for years and I haven't updated it in many months so, that means I've been using the same version for many months thats never had this problem before.
Also, the other day, I was using the computer (can't remember what I was doing) and then I left it for a few minutes, when I came back, I noticed Avast mysteriously has a red X on its icon in the Taskbar and so, naturally, I clicked on the icon to see what was wrong and it said Avast was disabled!! I would NEVER disable Avast and just leave it there!
Is there a way I can find out exactly what program was trying to disable Avast?[/b] Because it might not have been FPS Creator that caused this message, it could've been a coincidence or an effect of a malware/viruses action.

I am currently doing a full scan with Malwarebytes, then I will do one with Avast & SUPERAntiSpyware, which will take a few hours, but I will post the scan results when done.

Thanks

Windows Vista 32-bit, Avast Free V8.0.1497, MBAM Free, SAS Free.

*FPS Creator is, obviously, a First Person Shoot game creator made by The Game Creators. I have been using it for many years without any problems with Avast with it...
« Last Edit: December 17, 2013, 10:07:00 PM by rhyme-time »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Monitoring

rhyme-time

  • Guest
Okay scans are done . . .

Malwarebytes - Full Scan = No malicious items found

SUPERAntiSpyware - Full Scan = Just 2 tracking cookies, I think from google, but I always get that.

Avast - Full Scan = Just some (Okay... ALOT) password protector files and a false positive with SUPERAntiSpyware I get everytime. (Because its actually not the default 'Full Scan' scan, its my Scan EVERYTHING scan.. ;) As you can imagine, I've selected every single option for scanning, plus the highest sensitivity and all those settings. So it scans memory, which I heard causes some false positives or strange results or SOMETHING I cant remember!!!! But its my custom Scan EVERYTHING scan! Anyway I just ignore that false positive since its a memory block and I can't really exclude it...)

Also, may I ask, essexboy, and excuse my stupidity, but what do you mean by 'monitoring'? Monitoring for what exactly? My.. scan results? :/ Again sorry...
« Last Edit: December 28, 2013, 02:07:41 AM by rhyme-time »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Nope, just to let you know there is someone waiting if you need further assistance.  Has Avast reported the attempted shutdown again ?

rhyme-time

  • Guest
No, not yet, I will continue to use FPS Creator and avast! and let you know if it happens again.

But, is there a way to tell what program was trying to disable avast? Does password protecting avast help?

Offline Alikhan

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
No, not yet, I will continue to use FPS Creator and avast! and let you know if it happens again.

But, is there a way to tell what program was trying to disable avast? Does password protecting avast help?

Yes, by password protecting, you'd need to enter a password to disable Avast. Bearing in mind, that the default is set to no anyways.
Windows 10 Home 64-bit • Avast Free (latest stable version) •  Malwarebytes 4 Premium (On-Demand) • Windows Firewall Control • Google Chrome • LastPass • CCleaner • O&O ShutUp10 •

rhyme-time

  • Guest
Okay it happened to me again! But I wasn't using FPS Creator so I don't think it was that...
I payed attention and it said taskmgr.exe was trying to turn off Avast! I did have task manager open but I didn't try to shutdown avast! I only just turned on this computer 11 minutes ago and the only thing I did different was open up Catalyst Control Center to see what the heck it was (Its always been there but I've never opened it, I think its got something to do with my graphics card. I just never knew exactly what it does).

Also, in task manager at around the same time taskmgr.exe tried to disable avast, there were a couple of msiexec.exe in task manager and I think Windows was trying to install an update: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2833941). My computer has been having trouble installing it, giving me errors or getting stuck half way and makes my computer completely unresponsive.


Why would taskmgr.exe be trying to disable Avast... on its own?

Offline Alikhan

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
For the sake of it.. could you upload the file to:

http://virustotal.com and post the results
Windows 10 Home 64-bit • Avast Free (latest stable version) •  Malwarebytes 4 Premium (On-Demand) • Windows Firewall Control • Google Chrome • LastPass • CCleaner • O&O ShutUp10 •

rhyme-time

  • Guest
I scanned taskmgr.exe with virustotal and none of the antiviruses detected it as a threat.

Offline Alikhan

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
So that means it's not an infected version of taskmgr (or a modified one),

This is odd...

You mentioned your windows updates updates not working correctly but even if that were to be the case, it wouldn't disable avast!.

Could you check in device manager if any avast! drivers have a yellow triangle... you may need to go to view>show hidden devices and look at non-plug and play drivers

Could you check in Task Scheduler (should be in Administrative Tools in XP) if there is anything related to avast! OTHER than avast! emergency update?
Windows 10 Home 64-bit • Avast Free (latest stable version) •  Malwarebytes 4 Premium (On-Demand) • Windows Firewall Control • Google Chrome • LastPass • CCleaner • O&O ShutUp10 •

rhyme-time

  • Guest
I checked and I dont see a yellow triangle on anything in device manager...

I checked in Task Scheduler, all I could find that looked like it was related to avast! was the emergency updates, I showed hidden tasks aswell.

Also, Windows Update does update correctly, but its just this one update that constantly has errors or freezes.
Heres what it says in event viewer about the update attempt it tried today:

Log Name:      System
Source:        Microsoft-Windows-WindowsUpdateClient
Date:          28/12/2013 8:55:12 AM
Event ID:      20
Task Category: Windows Update Agent
Level:         Error
Keywords:      Failure,Installation
User:          SYSTEM
Computer:      User-PC
Description:
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2833941).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WindowsUpdateClient" Guid="{945a8954-c147-4acd-923f-40c45405a658}" />
    <EventID>20</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>1</Task>
    <Opcode>13</Opcode>
    <Keywords>0x8000000000000028</Keywords>
    <TimeCreated SystemTime="2013-12-28T00:55:12.531Z" />
    <EventRecordID>247595</EventRecordID>
    <Correlation />
    <Execution ProcessID="1112" ThreadID="1032" />
    <Channel>System</Channel>
    <Computer>User-PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="errorCode">0x80070643</Data>
    <Data Name="updateTitle">Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2833941)</Data>
    <Data Name="updateGuid">{343E12E8-8772-4A72-9982-570122E959DB}</Data>
    <Data Name="updateRevisionNumber">203</Data>
  </EventData>
</Event>
« Last Edit: December 28, 2013, 06:38:32 AM by rhyme-time »

Offline Cast

  • Sr. Member
  • ****
  • Posts: 302
I also had problems with that .net 1.1 on my mothers xp laptop. I went ahead and just uninstalled the program and hid the update.

olddog

  • Guest
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2833941).

This might help  http://support.microsoft.com/kb/976982

rhyme-time

  • Guest
Thanks, I'll try the fixes later.
The thing that mainly concerns me is taskmgr.exe was trying to disable avast!.
Would it say that taskmgr.exe was trying to disable avast! if I were to end the process through task manager?(Though thats not what I did)

NoelC

  • Guest
You might open an elevated CMD window and type the command:

SFC /VERIFYONLY

This runs the Windows System File Checker to see if all files under system protection are as expected.

If this returns any errors, that could indicate that malware (or something) has modified your Windows system files.  There is a similar command to correct errors.  The one listed above just checks; it doesn't attempt any restorative activity.

-Noel
« Last Edit: December 28, 2013, 05:25:21 PM by NoelC »