
Anyone have experience with unsecapp.exe?


login123


Just wondered if anyone has any direct experience with this exe suddenly autostarting.

I have done a google search, read a lot, so please don't google yourselves to tears.   :P

I know we mustn't give malware advice, but if you have any ideas . . .

 

Never saw this before 16 Jun 2014 when it showed up in Process Explorer.

Never had done so before. 
No other unidentified processes show up.

 

Occurred after stopping my net connection using the tray icon,
- connection didn't shut off correctly,
- wouldn't reconnect.
- after restart was already connected, even though the tray icon did not show at shutdown
- had allowed (once) some part of avast ? related connection with a long string of characters for a name??

- maybe related, had unzipped opera portable 1217 ??

- starts immediately after C:\WINDOWS\system32\wbem\wmiprvse.exe
- does not cause error messages
- does not cause noticeable slowdown
- continues to run a long time, until you kill it afaik
- uses little or no resources
- can be killed by process explorer,
- does not restart until reboot, but does start on reboot
- can not seem to start it manually

 

EDIT

Unsecapp.exe does not auto start in safe mode.
Like the poster in Nergal's link below, I renamed it to unsecapp._xe and so far everything is working fine here.

- properties & hasher show
C:\WINDOWS\system32\wbem\unsecapp.exe    md5 c7000f2db2a5515c64c257478769a481
C:\WINDOWS\system32\wbem\unsecapp.exe -Embedding

-----------------------------------------

fixes tried:
- system restore does not work now
- system restore in safe mode does not work now
- MBAM free scan OK
- Avast scan of C:\ OK
- Avast scan of D:\ OK

- virustotal shows a file w/ the same hash sum to be OK
- AVZ scan iffy, hit on a file in D:\, maybe some showed odd jumps, logs kept

The CCleaner SLIM version is always released a bit after any new version; when it is it will be HERE :-)

Pssssst: ... It isn't really a cloud. It's a bunch of big, giant servers.


  • Moderators

It's possible that this file is autostarting via Avast. This link says it's how Avast runs system monitoring:

http://forums.guru3d.com/showthread.php?s=c70b5fa4978ba44ebf45bdb861ccca6e&p=4829264

 

ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION

DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF.

Do your Registry Cleaning in small bits (at the very least Check-mark by Check-mark)

ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T.

Support at https://support.ccleaner.com/s/?language=en_US

Pro users file a PRIORITY SUPPORT via email support@ccleaner.com


Runs at startup on both PCs. Vista x86, Win7 x64

 

Vista 
C:\Windows\winsxs\x86_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6001.18000_none_b95403151f989ff3\unsecapp.exe
C:\Windows\winsxs\x86_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6002.18005_none_bb3f7c211cba6b3f\unsecapp.exe
C:\Windows\Prefetch\UNSECAPP.EXE-A02905A6.pf

Win7
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\Prefetch\UNSECAPP.EXE-A02905A6.pf

Thanks.  That's right on point, Nergal.  Same thing started here, maybe I know why the different date. 

I watch process explorer pretty closely, am quite sure it was not starting before the 16th.

 

Avast tries to run a bunch of stuff that I don't need (Grime Fighter, Browser Cleanup, maybe others I forget).

Before the 15th I had always blocked them until I had Powershadow running, but that day I let something connect, just don't remember what, and the next day there is unsecapp autostarting. 

 

So it probably is Avast.  When time permits, I'll rename unsecapp.exe and see what happens.  

There don't seem to be any objectionable outgoing connections, so no rush, afaik. 

 

Hi, Kroozer.  Where you been?  None of my business, I know, but you were missed. :)

Thanks for the info.  Have not been on win 7 or 8 for a long time, will check them out also.

 

Edit:  Kroozer, are the Vista & win 7 computers running Avast?


Where you been?

. . . are the Vista & win 7 computers running Avast?

Been avoiding tech while enjoying nature.

Yes, Avast runs on both units.

 

. . . properties & hasher show . . . C:\WINDOWS\system32\wbem\unsecapp.exe ► md5 c7000f2db2a5515c64c257478769a481

How did you obtain the MD5 hash?


"How did you obtain the MD5 hash?"

 

Used HashMyFiles by Nirsoft, neat app:  

http://www.nirsoft.net/utils/hash_my_files.html 

Glad you're getting to enjoy nature.  Glad you're back.


WARNING - DO NOT TRUST MD5.

 

Collisions can be generated with MD5, so a hacker can replace one portion of code with his own version to do what the hacker wishes,

and yet the MD5 checksums will be identical

 

it is trivial to generate collisions using nothing more than algebra. SHA0 and SHA1 are also broken, although unlike md5() no one has generated a SHA1 collision, but it is believed to be computationally feasible with our current technology.

http://stackoverflow.com/questions/2768913/if-md5-is-broken-what-is-a-better-solution

 

If AVAST is a proper security company then it ought to provide SHA-2 (or better) hash checksums ( which Nirsoft HashMyFiles also handles )

though SHA-1 is probably good enough for now unless a powerful government body (you know who I mean) wants to fake something.

 

MD5 is perfectly good for indicating an extremely high probability that a file has NOT suffered a random error due to an Internet transmission or Disk connection,

BUT is considered to be BROKEN and should NOT be trusted by any security company.

 

Link to comment
Share on other sites
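
Added example, not part of any post in this thread: a PowerShell check that gathers for each running unsecapp.exe what the posts above collect by hand (path, command line, parent process) and verifies the file with an Authenticode signature and a SHA-256 hash rather than MD5. The function name `Test-UnsecappProcess` and the allowed-directory list are assumptions of this example; the `SysWOW64\wbem` entry is not mentioned in the thread.

```powershell
# Added example: triage every running unsecapp.exe instance.
# Assumption: legitimate copies run only from these directories.
# System32\wbem is the path reported in the thread; SysWOW64\wbem is
# assumed here for 32-bit copies on 64-bit Windows.
$allowedDirs = @(
    (Join-Path $env:SystemRoot 'System32\wbem'),
    (Join-Path $env:SystemRoot 'SysWOW64\wbem')
)

function Test-UnsecappProcess {
    param([Parameter(Mandatory)] $Process)

    $path   = $Process.ExecutablePath   # can be empty when not elevated
    $result = [ordered]@{
        ProcessId   = $Process.ProcessId
        Path        = $path
        CommandLine = $Process.CommandLine
        Parent      = $null
        PathOk      = $false
        Signature   = 'Unknown'
        Signer      = $null
        SHA256      = $null
    }

    # Resolve the parent by PID; it may already have exited.
    $parent = Get-CimInstance Win32_Process `
        -Filter "ProcessId = $($Process.ParentProcessId)" -ErrorAction SilentlyContinue
    if ($parent) { $result.Parent = $parent.Name }

    if ($path -and (Test-Path -LiteralPath $path)) {
        # -contains compares strings case-insensitively.
        $result.PathOk = $allowedDirs -contains (Split-Path -Parent $path)

        # Older PowerShell versions may report NotSigned for
        # catalog-signed system files, so read this next to PathOk.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $result.Signature = "$($sig.Status)"
        if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }

        $result.SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
    [pscustomobject]$result
}

Get-CimInstance Win32_Process -Filter "Name = 'unsecapp.exe'" |
    ForEach-Object { Test-UnsecappProcess -Process $_ } |
    Format-List
```

Compare the SHA-256 value with the same file taken from a known-good installation of the same Windows build; a path outside the allowed directories or a signature status other than `Valid` is the cue to look further.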

It may be that the mystery is solved but a problem remains.
It appears that unsecapp.exe is (recently) being started by one of the avast functions, like browser cleanup, software updater, etc, etc.
Also that Unsecapp.exe can transmit messages, allows communication between computers, and resolves compatibility problems.

https://forum.avast.com/index.php?topic=150673.0

Have not yet  found any comment from the Avast coders about why avast recently began to do this, but will keep checking.

I don't want to send any such messages so renamed it and everything still seems to work.
If anything crashes I'll post back.


Posted the question over at Avast! forums, replies are in progress.   :)


Turns out that unsecapp.exe is started by the Avast! browser cleanup tool and does not autostart if that is turned off. 

Post #30 at the link in post #9 above shows how to turn it off. 

1. Control Panel -> Add/Remove programs -> avast! -> change/uninstall
2. Click on 'Change'.
3. Untick BCT and click OK.
4. Reboot.


  • 2 months later...

Hi sebapee.  Welcome to the forum.  :)

 

You're right.  Unsecapp.exe runs or stops depending on if you start or stop CCleaner's system monitor. 

It turns on or off w/ one tick of the system monitor box. Avast is a little more trouble to disable (not much). 

Never used that before, so just tried it.  Checked it with Process Explorer from Sysinternals. 

 

Shazam, ya learn somethin' every day. 

 

Afaik, system monitor isn't available in the CCleaner free version, someone will correct me if that's wrong, I'm sure.


  • Moderators

Afaik, system monitor isn't available in the CCleaner free version, someone will correct me if that's wrong, I'm sure.

looks like it (or some sort of cut-down version of it) was added to the free version today.

Backup now & backup often.
It's your digital life - protect it with a backup.
Three things are certain; Birth, Death and loss of data. You control the last.


  • Moderators

 

Hi, You can now download v4.18.4844. This version allows for easier control of the new Active Monitoring feature. Active Monitoring can be disabled by:

1. Open CCleaner, then click Options > Monitoring
2. Disable System Monitoring by unticking the box next to "Enable System Monitoring"
3. Disable Active Monitoring by unticking the box next to "Enable Active Monitoring", and click Yes when the confirmation box appears

 


The latest versions of CCleaner, 4.18.4844, free or pro, turn unsecapp.exe on when "monitor" is running and off when it is not.

If monitoring is off, CCleaner leaves no residual processes running.


  • 4 years later...
  • Moderators

Necromatic thread locked. op can request we reopen but locked for now. Was spammed in

 


  • Nergal locked this topic
This topic is now closed to further replies.