Avast WEBforum

Topic started by: DAV2 on January 04, 2011, 05:56:58 PM

Title: Avast Web shield
Post by: DAV2 on January 04, 2011, 05:56:58 PM
How do you get Avast web shield to slow down? It scans 10's of thousands without finding anything and slows down the computer in the process. It is set at default. Thanks.
Title: Re: Avast Web shield
Post by: DAV2 on January 04, 2011, 06:00:15 PM
The web site is 96.17.106.39
Title: Re: Avast Web shield
Post by: Hermite15 on January 04, 2011, 06:01:59 PM
Quote
The web site is 96.17.106.39

that's Akamai, so what?
Title: Re: Avast Web shield
Post by: DAV2 on January 04, 2011, 06:04:18 PM
What is Akamai and why does it get scanned 10s of thousands of times?
Title: Re: Avast Web shield
Post by: Hermite15 on January 04, 2011, 06:07:55 PM
Quote
What is Akamai and why does it get scanned 10s of thousands of times?

might be because Akamai is associated with thousands and thousands of ISPs and web sites to offer a few million mirrors worldwide ;D

http://en.wikipedia.org/wiki/Akamai_Technologies
Title: Re: Avast Web shield
Post by: DAV2 on January 04, 2011, 06:12:31 PM
Thanks. So why is Akamai mirroring my computer and how do I stop it and does this have anything to do with Avast file system shield not working and how do I fix it? Thanks in advance.
Title: Re: Avast Web shield
Post by: Hermite15 on January 04, 2011, 06:18:10 PM
Quote
Thanks. So why is Akamai mirroring my computer and how do I stop it and does this have anything to do with Avast file system shield not working and how do I fix it? Thanks in advance.

Akamai mirroring your computer ??? are you serious? ;D Akamai is mirroring some sites that you browse, and most likely your ISP's servers ok? ;)

And on a side note, neither the FS shield nor the webshield slow down anything when browsing. If it's the case for you then either your Avast setup is broken, or something conflicts with it etc... maybe have a look at other software (especially security software) installed on your PC.
Title: Re: Avast Web shield
Post by: DAV2 on January 04, 2011, 06:24:32 PM
Thanks. Do you think this has anything to do with Malwarebytes saying it is over 14 days old each time I run it daily after update. I am running it on 2 identical secured computers and only one is acting this way. Thanks in advance.
Title: Re: Avast Web shield
Post by: Hermite15 on January 04, 2011, 06:31:16 PM
Quote
Thanks. Do you think this has anything to do with Malwarebytes saying it is over 14 days old each time I run it daily after update. I am running it on 2 identical secured computers and only one is acting this way. Thanks in advance.

no this shouldn't be related. You got the paid version of MBAM (resident)?... as to your message, no idea, update/license issue?
Title: Re: Avast Web shield
Post by: DAV2 on January 04, 2011, 06:32:50 PM
Ok I turned off Bloomberg and the scan slowed down, but the computer remains slow. The other computer does not do the 10s of thousands of scans with Bloomberg. This computer still does not do the File system shield. How do I fix it? Thank you in advance.
Title: Re: Avast Web shield
Post by: Hermite15 on January 04, 2011, 06:38:00 PM
Quote
Ok I turned off Bloomberg and the scan slowed down, but the computer remains slow. The other computer does not do the 10s of thousands of scans with Bloomberg. This computer still does not do the File system shield. How do I fix it? Thank you in advance.

look it's hard to say without a direct access to your computer, could be millions of things... maybe as a first step uninstall Avast, reboot, and re-install it. See if there is any difference. Also get rid of other security software if any (except mbam). btw what do MBAM scans say, nothing, no infection? As to Bloomberg that you said you "turned off", does that mean that you excluded it from the web shield scope? or do you have any bloomberg related desktop utilities?
Title: Re: Avast Web shield
Post by: DAV2 on January 04, 2011, 06:47:34 PM
Thanks and sorry about being so vague. Mbam always says clean on scan except on the original load of Genuine Win 7 Pro. The Bloomberg was only Bloomberg TV on IE 8. I closed the page. I will try to reload Avast. Thanks.
Title: Re: Avast Web shield
Post by: DAV2 on January 04, 2011, 07:56:25 PM
Thanks for all the help. Removing Avast fixed the problems. I was wondering why every time I closed Microsoft Word I got the error message trying to print, even though I never told it to print. It now is back to full speed and Mbam scans in about less than 15 minutes like usual instead of nearly forever. I wish Avast would tell me in a friendlier way when it is broken. Thanks again.
Title: Re: Avast Web shield
Post by: Hermite15 on January 04, 2011, 08:04:11 PM
might have been just an issue with the behavior shield. It got slightly modified in version 5.1, and there are issues. So you could have just uninstalled the module instead of uninstalling Avast completely. Maybe try to re-install, but choose "custom setup" and uncheck "behavior shield".
Title: Re: Avast Web shield
Post by: DAV2 on January 04, 2011, 08:18:51 PM
"Trojan.FakeMS" was found by Mbam after Avast removed. Do you know what this does? First one found by Mbam after over 1 yr of scanning.
Title: Re: Avast Web shield
Post by: Hermite15 on January 04, 2011, 08:24:27 PM
edit: I'm googling that...

did mbam remove it as well?
Title: Re: Avast Web shield
Post by: Hermite15 on January 04, 2011, 08:30:57 PM
oops, someone says here that mbam can detect it but not remove it
http://social.answers.microsoft.com/Forums/en-US/vistasecurity/thread/2250456c-1a67-464c-ae2d-583bf531b064

edit: just notified Essexboy (he's a malware specialist here).


Title: Re: Avast Web shield
Post by: essexboy on January 04, 2011, 09:26:09 PM
Hi, let's have a quick look-see at your system to see if we can resolve this

Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop and double-click on it to run it
Reg - NetSvcs
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
File - Purity Scan


Title: Re: Avast Web shield
Post by: DAV2 on January 04, 2011, 10:06:01 PM
Thanks. Ots.txt is attached as requested. Mbam removed Trojan.FakeMS from this computer earlier today. Rescan says clean. Trojan.FakeMS is still in Mbam Quarantine. Thanks for your help.
Title: Re: Avast Web shield
Post by: Hermite15 on January 04, 2011, 10:14:47 PM
oh okay, if mbam already removed it then... thought it didn't, just detected. Anyway if any remnants of that are still in your system, OTL will tell.
Title: Re: Avast Web shield
Post by: essexboy on January 04, 2011, 10:22:09 PM
Hi looks like MBAM did it right this time

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY ->  #ISW.FS# -> C:\Users\DAV\AppData\Roaming\#ISW.FS#
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
Title: Re: Avast Web shield
Post by: DAV2 on January 04, 2011, 10:32:03 PM
Thanks. Do I paste this into all the computers that had Trojan.fakeMS removed by Mbam or is there a simpler way to finish cleaning?
Title: Re: Avast Web shield
Post by: essexboy on January 04, 2011, 10:34:31 PM
Ah there was more than one ?

No this was specific to the one machine I saw - it may be different for the others
Title: Re: Avast Web shield
Post by: Hermite15 on January 04, 2011, 10:44:41 PM
@ Essexboy: don't think that it matters, anyway I noticed in the OTS report that there were several unmounted/unloaded drives (truecrypted or bitlockered)... is it very unlikely that the malware could have affected data on those drives?

Title: Re: Avast Web shield
Post by: DAV2 on January 04, 2011, 10:47:40 PM
So what do I do with the others? I run Mbam almost daily. I do not know how this got onto so many non connected computers. They share a router, but they are all configured not to talk to each other and they are all 2 way firewalled. How do these programs (OTS) find all the places I can not find to hide files? I see 0104211etc in notepad, but it is lost to me. It says all processes killed etc.
Title: Re: Avast Web shield
Post by: essexboy on January 04, 2011, 10:49:35 PM
As they are encrypted drives it would be highly unlikely, not impossible but improbable ;D

Are you getting redirects on the systems?

Run OTS on each system and post the logs (naming each system) and then I can do a specific fix if required
Title: Re: Avast Web shield
Post by: Hermite15 on January 04, 2011, 10:51:31 PM
Quote
As they are encrypted drives it would be highly unlikely, not impossible but improbable ;D

well they must be mounted/unlocked off and on, and then they're vulnerable like any other drive ;)

edit: well if encrypted volumes aren't mounted at boot time and the malware can only hit when the system boots, then they're safe ;D
Title: Re: Avast Web shield
Post by: DAV2 on January 04, 2011, 11:40:01 PM
OK. Here is another that had Trojan.FakeMS just removed today. Does it need a fix code? Thanks.
Title: Re: Avast Web shield
Post by: DAV2 on January 04, 2011, 11:43:42 PM
Is this Trojan.FakeMS a key logger?
Title: Re: Avast Web shield
Post by: essexboy on January 04, 2011, 11:45:30 PM
No it is not a keylogger it is a trigger to download other malware - similar fix for this one

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY ->  #ISW.FS# -> C:\Users\I7\AppData\Roaming\#ISW.FS#
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
Title: Re: Avast Web shield
Post by: DAV2 on January 05, 2011, 12:02:47 AM
Thank you. I think I got the pattern now. The report says all processes killed etc. As you may have noticed, I run Avast and a 2 way firewall on both machines. I scan almost daily with Mbam and although sharing a NAT router, they are configured not to talk to each other. How did this happen, so I can make it NOT happen again? Thank you in advance. (The fix even got back my home page on IE8. It was blank before fix. Thanks)
Title: Re: Avast Web shield
Post by: Hermite15 on January 05, 2011, 12:05:31 AM
yeah, would be interesting to know where you got the trojan from...
Title: Re: Avast Web shield
Post by: DAV2 on January 05, 2011, 12:14:14 AM
The 2 way firewall scans all downloads and certifies them clean, before I can even open them. How did this happen?
Title: Re: Avast Web shield
Post by: DAV2 on January 05, 2011, 12:19:08 AM
Both computers were locked in a secure vault that only I have access to. How did this happen?
Title: Re: Avast Web shield
Post by: Hermite15 on January 05, 2011, 12:20:08 AM
Quote
The 2 way firewall scans all downloads and certifies them clean, before I can even open them. How did this happen?

no idea, firewalls don't scan downloads btw, so I wonder how they could certify anything... firewalls control ports and protocols used by applications, they're not anti-viruses ;)... now the question is how is that that your AV (Avast I suppose) didn't detect it... remains where you got the trojan from, can be a drive by download (ie something you're not aware of when it happens; you might even get it by visiting a legit and supposed to be clean site; but the site has been hacked and the owner of that site doesn't know it either).
Title: Re: Avast Web shield
Post by: DAV2 on January 05, 2011, 12:26:11 AM
This 2 way firewall does scan all downloads. It double scans all suspicious files and certifies them to be free of anything that even acts suspicious. (It is actually part of the browser.) I am still wondering how it happened, so I can make it NOT happen again. Thanks. (Is this a key logger?)
Title: Re: Avast Web shield
Post by: Hermite15 on January 05, 2011, 12:29:31 AM
could you name this "firewall" ?

edit: and again, how do you want us to tell the origin of that trojan... you're the one surfing on your computer. If Avast was running when your system got infected, the best way to avoid a further infection is still to submit it to...Avast. Use for that the file submission utility included in the software UI.
Title: Re: Avast Web shield
Post by: DAV2 on January 05, 2011, 12:32:57 AM
You already know it. It is in the log file I sent you. A competitor.
Title: Re: Avast Web shield
Post by: Hermite15 on January 05, 2011, 12:34:09 AM
Quote
You already know it. It is in the log file I sent you. A competitor.

no I don't, 'cause I didn't read it all but okay, I'll have a look...

ps: I edited my last post above, read that ;)
Title: Re: Avast Web shield
Post by: DAV2 on January 05, 2011, 12:37:51 AM
Thanks. I am not an expert like you and I just wanted to better understand, if simply connecting to a site and not downloading anything gets this infection, or I actually do need to download a file. I will check all my logs and try to see where it could have possibly come from. Thanks again. (I did not realize the infection until Avast stopped working.)
Title: Re: Avast Web shield
Post by: Hermite15 on January 05, 2011, 12:43:23 AM
okay no big deal, this should be Zone Alarm, probably including a scanning plugin for your browser, what they call "advanced download protection" ;D ... and this should as I say mean that the plugin is scanning for viruses, not much to do with a firewall >>> I mean even if ZoneAlarm flagship product is the firewall, you may have noticed that your suite contains an "Antivirus/Spyware Scan Engine" okay? so it's that that allowed your trojan to get through. Firewalls don't scan okay?  ::)

And if there's a place where you may need to complain, it's on ZoneAlarm forums ;D they'll tell you how this could happen. Okay, this said, ZoneAlarm is... a very outdated piece of software, conflicting with many things on a PC, especially other security software. You'd be better off if you got rid of it. Now I understand that you probably paid a subscription, so that's your choice ;)
Title: Re: Avast Web shield
Post by: Hermite15 on January 05, 2011, 12:56:41 AM
anyway, no doubt that your system was crawling with both ZA suite and Avast installed :D ... again, ZA is very good at conflicting with any other security software, + running two AV's etc... is the worst you can do, they will deny each other access to malware by requesting exclusive access.
Title: Re: Avast Web shield
Post by: DAV2 on January 05, 2011, 12:59:26 AM
Thank you Logos. Actually the real time scanner is Avast. The other only looks at downloads before they can be opened. It tests them in a secure environment before I can open them and will tell me if they have any suspicious behavior before that happens. If I do not download, but only connect to a site, can I get this infection? Thanks in advance. (I have been considering the total Avast package. Thanks for the advice.) I am also wondering why Mbam missed it until today
Title: Re: Avast Web shield
Post by: Hermite15 on January 05, 2011, 01:07:29 AM
Quote
Thank you Logos. Actually the real time scanner is Avast. The other only looks at downloads before they can be opened. If I do not download, but only connect to a site, can I get this infection? Thanks in advance. (I have been considering the total Avast package. Thanks for the advice.) I am also wondering why Mbam missed it until today

even if you deactivate real time scanners on one side, their drivers load, and that's not good. This does slow systems when loaded from two separate security programs.

And yes, some infections as said can be transmitted online without downloading purposely anything. + your ZA download scanner is probably conflicting with Avast web shield in the first place. I don't even know if the ZA suite does that locally or with a cloud scanner. Anyway if you want to keep using Avast, again get rid of anything ZA related.
Title: Re: Avast Web shield
Post by: DAV2 on January 05, 2011, 01:18:39 AM
I have been testing a lot of security programs. Norton, Mca.., Zone.., Essen.., defen.. and Avast to name a few and I scan with Mbam almost daily. Yes, I try to avoid any and all conflicts and never have 2 AV at the same time. I am testing the ZA E on one computer, but it was the other that did not have ZA E on it where Avast failed. Thanks for your help.
Title: Re: Avast Web shield
Post by: Hermite15 on January 05, 2011, 01:23:02 AM
your report file showed that both Avast and ZA were installed on that one and same infected computer :)


Quote
avastsvc.exe -> C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -> [2010/12/31 14:06:34 | 000,040,384 | ---- | M | MD5 = F868DEED98DCEA4338F3986D5C5D5E96] (AVAST Software)

zlclient.exe -> C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe -> [2010/08/29 02:53:14 | 001,039,360 | ---- | M | MD5 = A81C2966F7D74E9710D58F359DE363B8] (Check Point Software Technologies LTD)
Title: Re: Avast Web shield
Post by: DAV2 on January 05, 2011, 01:35:13 AM
I am sorry. I may not have been very clear. ZA E is on the computer with Avast and they both run very well. I have the AV of ZA E disabled and testing it.  The computer that Avast failed has only ZA P that does not contain an AV. I have Defender and Mbam disabled until I use them to scan. Thanks
Title: Re: Avast Web shield
Post by: Hermite15 on January 05, 2011, 01:44:28 AM
okay, just ZA P (ie firewall) installed with Avast free has been a source of trouble for many users. As to ZA E, deactivating an AV on one side doesn't prevent conflicts. I already described that.

And if you think that Avast failed, submit the sample that mbam probably quarantined to Avast.
Title: Re: Avast Web shield
Post by: DAV2 on January 05, 2011, 01:46:16 AM
I have been having a lot of security problems. Win firewall immediately disables itself after new load and I have checked it to see that it was working. Then the computer loads my network password all by itself and starts communicating with the net. The only thing I have found to block this is Zone Alarm. Mca.., failed completely and would not even go to its own site to load the program. I will try to get the quarantined Trojan to Avast. The Avast real time scanner just stopped and would not restart and the web scanner scanned 10s of thousands of non virus containing pages, that slowed down the browser considerably. Again, thanks.
Title: Re: Avast Web shield
Post by: Hermite15 on January 05, 2011, 01:58:48 AM
Quote
I have been having a lot of security problems. Win firewall immediately disables itself after new load and I have checked it to see that it was working. Then the computer loads my network password all by itself and starts communicating with the net. The only thing I have found to block this is Zone Alarm. Mca.., failed completely and would not even go to its own site to load the program. I will try to get the quarantined Trojan to Avast. The Avast real time scanner just stopped and would not restart and the web scanner scanned 10s of thousands of non virus containing pages, that slowed down the browser considerably. Again, thanks.

maybe time for a new Windows install, no? your system seems to be particularly unstable. What network password are you talking about?
Title: Re: Avast Web shield
Post by: DAV2 on January 05, 2011, 02:08:00 AM
I reloaded Xp Pro more times than I have fingers from scratch. Win 7 Pro has been reloaded from scratch more than I can remember, because it has been so many that I have lost count. I am again sorry about my terminology.  What I meant was the Workgroups name. I make them up and it knew it before I could even put it in for the first time after re stripping/fdisk/reformatting.
Title: Re: Avast Web shield
Post by: Hermite15 on January 05, 2011, 11:58:08 AM
you might be better off upgrading your other PC to W7 as well, and then start to use "homegroup" instead of "workgroup". W7 homegroups are more secure, stable and extremely easy to setup ;)

ps: on a side note, I can't see how a workgroup name could be remembered after a new setup, that's hardly possible... or see maybe at router level, but I never saw that happen.

(..also, not sure if ZA firewall conflicts with Avast webshield, but this could well be the case)
Title: Re: Avast Web shield
Post by: Asyn on January 05, 2011, 12:47:55 PM
Quote
(..also, not sure if ZA firewall conflicts with Avast webshield, but this could well be the case)

A clear yes to ZA conflicting with avast sometimes...!!
asyn
Title: Re: Avast Web shield
Post by: DAV2 on January 05, 2011, 03:37:16 PM
Logos, I thank you for all your help. Mbam now scans hard disks in 5 minutes instead of 15 and the browser is back to being almost instantaneous instead of my waiting 10s of seconds to get the favorites displayed. I am also able to get a non blank homepage after clean code was applied. Yes, I am having router problems also. Some of the hard wire connections have become intermittent for unknown reasons. The encrypted wireless seems to remain intact. Thanks for the "homegroup" suggestion. I found out that reload from scratch was only good if it was done when the computer was disconnected from the net. If it was done while connected to the net, it did things like described above. Now I use a kill disk to zero out the drive before re stripe/fdisk/reformat/reload. (I replaced too many controllers and hard disks before this routine) Then I wind up as above with 2 way firewall and AV scanner failing and Trojans placed that then download other malicious programs. I am still looking for a working/stable security system. I have also been exploring Hija.. and Comb.., but none yet seem foolproof. Now I do have to get to work kill disk etc. to several non functioning computers. Yes, I have had Microsoft techs along with security techs working live to verify all was working correctly and they say their product is functioning as designed. Seems like "design" is the problem.
Title: Re: Avast Web shield
Post by: DAV2 on January 05, 2011, 06:24:54 PM
Logos, sometimes it just is that I do not always understand results. Can you shine some light on attached result? Thank you in advance.
Title: Re: Avast Web shield
Post by: spg SCOTT on January 05, 2011, 06:50:28 PM
That occurs when you start a scan and at some point avast! clears up old virus definitions, so they are queued up but gone before being scanned. avast! is reporting this to you.

There is a post here by igor (avast! team), showing that it is not a problem:
http://forum.avast.com/index.php?topic=63582.msg537439#msg537439
Title: Re: Avast Web shield
Post by: DAV2 on January 07, 2011, 02:53:13 PM
I was wondering since I had a Mbam expert, why Mbam now scans in 5 minutes when it for the last 1yr and many fdisk/reformat/reinstalls of Win 7P,  has always taken in the 10 to 15+ minute range. In other words, why the 3 x speed of the Mbam scan after OTS clean? I also noticed that Avast became dysfunctional after latest update to new version. Why doesn't Avast warn when it is dysfunctional? It restored functionality with a reinstall. FYI: I have never used a kill disk on this computer. (I tried but something interferes with the boot process of the kill disk on this computer, so I reserved that to another time.) Thank you in advance.
Title: Re: Avast Web shield
Post by: DAV2 on January 07, 2011, 06:01:06 PM
Again, sometimes it just is that I do not always understand results. Can you shine some light on attached result? I have not accessed D: today. Why does this activity occur all by itself? Thank you in advance.
Title: Re: Avast Web shield
Post by: MAG on January 07, 2011, 06:28:39 PM
I think this may be related to windows updates - most probably windows defender updates. Have you had a recent update (check through Action Centre)?
Title: Re: Avast Web shield
Post by: Hermite15 on January 07, 2011, 06:43:20 PM
Quote
I think this may be related to windows updates - most probably windows defender updates. Have you had a recent update (check through Action Centre)?

yes :) (I mean yes that's WinDef)
Title: Re: Avast Web shield
Post by: DAV2 on January 07, 2011, 07:07:01 PM
I thank you both for your sharing your expertise. Yes, defender did update today. It resides on C:. What if D: was not active? Would it have updated entirely on C: and ignored D:?  Why is it accessing D: to update to C:? It is not active and is not scanning. Just the Win update is automatic. Thanks in advance.
Title: Re: Avast Web shield
Post by: MAG on January 07, 2011, 07:10:09 PM
I think that perhaps defender just defaults to the drive with most free space.
Title: Re: Avast Web shield
Post by: MAG on January 07, 2011, 07:22:30 PM
Someone else on Microsoft answers thinks so too.
Rob Koch MVP, Moderator

    I suspect it is on D: because it uses a drive that has lots of free space like Office does when storing the installer files and some other installs and updates.

    -steve ~ Microsoft MVP Windows Live ~ Windows Live OneCare| Live Mesh|MS Security Essentials Forums Moderator ~


That's correct, the Windows update system always defaults to the volume with the most space available to place its temporary files.

Rob
Title: Re: Avast Web shield
Post by: essexboy on January 07, 2011, 07:32:23 PM
Also when you ran OTL I had it clear all of your temporary files - hence a lot less for MBAM to look at  ;D
Title: Re: Avast Web shield
Post by: DAV2 on January 07, 2011, 07:57:27 PM
Thanks. You are all very good at this and I am learning why these things happen. I have used (Ccleaner), always do regular Windows disk cleanup and full browser deletes of files along with reloads as described above and never got Mbam to run as fast as this. I guess I still have a lot to learn. Thanks again.
Title: Re: Avast Web shield
Post by: essexboy on January 07, 2011, 09:05:53 PM
Rather than CC you could try this - it uses the same routines as OTL

Clear Cache/Temp Files
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Title: Re: Avast Web shield
Post by: DAV2 on February 17, 2011, 07:03:40 PM
After clearing the above Trojan and reloading fresh after running kill disk, Avast found Win32:hupigon-onx [trj] and win32:emold [drp] in the backup of the original load that it crashed on. Is there a way to adjust Avast to find these when the load is working? Also I noticed in the network shield of the new clean load that Avast shows clean logons to sites I have never heard of before. Is there any way to block this activity and limit network contact only to sites of my choosing? Thank you in advance.
Title: Re: Avast Web shield
Post by: DAV2 on February 17, 2011, 07:26:33 PM
I searched the load for unsigned drivers and failed in deleting any of them. I then tried to upload them to online virus checker and failed. The files were not findable in the upload search window, even though I could clearly see them in my computer. Is this normal for Windows?
Title: Re: Avast Web shield
Post by: essexboy on February 17, 2011, 08:29:31 PM
What are these files ? I.e. name and location
Title: Re: Avast Web shield
Post by: DAV2 on February 18, 2011, 02:19:19 AM
The only drivers on the new load are directly from Win 7 pro update by MS. No unsigned drivers were loaded. See attached. The signed drivers are in the directory, but the unsigned are not in the directory.
Title: Re: Avast Web shield
Post by: essexboy on February 18, 2011, 08:20:40 PM
Corrupted Data Recovery -- Filename - aeadiext.dll.

They appear to be related to Andrea-Electronics-Corporation file recovery programme

Could you copy and paste the full file location as opposed to a screen shot please
Title: Re: Avast Web shield
Post by: DAV2 on February 18, 2011, 09:30:20 PM
I would if I could. That is the only thing Win 7 pro gives. It says they are unsigned and reside in c:\windows\system32, but the only files there are the signed drivers. The files Win 7 pro finds with "sigverif" are not in that directory even though Win pro 7 says that they are there.  My concern is more in that should unsigned drivers be coming from Win pro 7 MS update site in the first place?
Title: Re: Avast Web shield
Post by: essexboy on February 18, 2011, 11:21:10 PM
That is intriguing, I have a few unsigned drivers on my system - but I do not think any came from MS


Do you have - or have you used that file recpvery programme ?
Title: Re: Avast Web shield
Post by: DAV2 on February 23, 2011, 03:36:44 AM
No I am not familiar with recpvery. I was also wondering if multiple hardiskvolumeshadowcopy4, 5, 6, 7, 8, 9, 10, and 11 were normal. They are all being reported as corrupt. Is this normal for Win pro 7?
Title: Re: Avast Web shield
Post by: essexboy on February 23, 2011, 07:43:33 PM
No that is not normal,  what are your current problems ?
Title: Re: Avast Web shield
Post by: DAV2 on March 17, 2011, 05:00:40 PM
Ok, after the more than 100th crash of Win Pro 7, I did a complete reinstall from scratch/kill. (The more than 30th in last 1 year.) Avast found another Trojan in the memory dump of the crash and Win pro was already well along on its usual self destructive behavior, that starts with its erasing its logs and downloading Trojans/viruses from the net with contact only. (I try to only load necessary updates from MS only and this load has only signed drivers now, unlike the LAST THAT HAD UNSIGNED DRIVERS AND NOT WHERE WIN PRO 7 SAID THEY WERE. This is also what WP7 does before it self destructs. It loses track of its own drivers. It says they are in directories that they are not or they are in directories that WP7 can not find.) I was also wondering if it was normal to have hidden partitions on the drives that WP7 can not find? It can find only the root and the system hidden, but it can not find the others and I was wondering if this was normal?
I stopped using Zonealarm after it failed 9 of 9 tests and tried Avast FW, but it failed 5 of the 9 tests, so I went to Com. It passed 9 for 9 of the tests, but I can not recommend it, for other reasons.
Can Avast be configured to stop the Trojans during the active load and not just find them in the backups and memory dumps? Can Avast be configured to stop the placement of the Trojans before the erasures of logs and the moving of drivers that become unsigned to directories WP7 can not find and creation of hidden partitions that WP7 can not see? Thanks.
Title: Re: Avast Web shield
Post by: doktornotor on March 17, 2011, 05:10:34 PM
Quote
Ok, after the more than 100th crash of Win Pro 7, I did a complete reinstall from scratch/kill. (The more than 30th in last 1 year.)

Dude, dunno what you are doing really, but:

0/ Read Best Free Drive Imaging Program (http://www.techsupportalert.com/best-free-drive-imaging-program.htm) article, make your choice, install, make an image of fresh clean OS+applications install.
1/ Change your surfing habits, stop surfing/working under admin account and stop downloading and installing crap such as warez, keygens, cracks etc. from dubious sources. Browsing random pr0n does not help either.
2/ If you are really unwilling to do the above, at least get yourself something like Avast Pro/AIS (paid) or Sandboxie (paid or free) and browse sandboxed and use all the stuff mentioned above in sandbox.
3/ No idea what kind of FW tests you have conducted but if they were the leak tests Matousec style (as the Comodo results would suggest) then you are not really testing firewall functionality.

With 30+ reinstalls per year, the problem is between the chair and the keyboard apparently.  ::)
Title: Re: Avast Web shield
Post by: DAV2 on March 17, 2011, 05:38:19 PM
Thanks. I would work more to the image, but the problems stated above start with contact to the net and the working load needs contact to the net to start working before the load of software. The sites are not contacted by me. They are contacted by MS WP7. I do not surf sites per se. I do log on to sites like this to get help only. That is when the above starts to disintegrate WP7.
Thanks for the info see attached test result of Avast. (Avast Pro/AIS (paid)) Com... passed this test.
Title: Re: Avast Web shield
Post by: doktornotor on March 17, 2011, 05:48:18 PM
Thanks. I would work more to the image, but the problems stated above start with contact to the net and the working load needs contact to the net to start working before the load of software.

Absolutely no idea what you are trying to say ??? ??? ???

The sites are not contacted by me. They are contacted by MS WP7.

Windows does not contact warez/p0rn sites. If you are infected yet again, go wipe the drive and reinstall once again from scratch. After you have finished installing, make an image of clean system.

Thanks for the info see attached test result of Avast. (Avast Pro/AIS (paid)) Com... passed this test.

Never heard about AWFT but as said again, leak tests are essentially useless.
Title: Re: Avast Web shield
Post by: DAV2 on March 17, 2011, 06:41:37 PM
Thanks again. Win Pro 7 is loaded by Genuine Holographic and verified by MS load disk, but before it will work it needs to be updated and allowed by MS through contact with the net. All the problems stated above start at this point and before install of software (except Avast etc.). I do not contact porn sites and the only sites I contact are like this and programmers running sites like this. All I am trying to do is get and keep a working load of WP7 that does not log onto sites that I have never seen and load Trojans that Avast only finds in memory dumps and backups. I do not think that that is asking too much? You are correct, that I am trying to learn how best to evaluate security software that actually works and addresses the issues above.
I actually do not know the sites that WP7 contacts. All I know is that it must be designed to do that, because it does it by itself. What I would like to know is if the above stated is normal or not and then start addressing how to stop any abnormal and forget about normal. Hidden partitions that WP7 can not see other than working and hidden system that WP7 does see? Directories of drivers that WP7 does not see, but reports being in other directories that they are not? etc. Thanks.
Title: Re: Avast Web shield
Post by: Hermite15 on March 17, 2011, 06:47:11 PM
 ??? ??? ???
Title: Re: Avast Web shield
Post by: doktornotor on March 17, 2011, 06:53:49 PM
Thanks again. Win Pro 7 is loaded by Genuine Holographic and verified by MS load disk, but before it will work it needs to be updated and allowed by MS through contact with the net. All the problems stated above start at this point and before install of software (except Avast etc.)

Yeah, and the problem exactly is? Like, can't you let the computer update itself without infecting it meanwhile by browsing stupid sites? Just leave it alone until it's updated, do not browse and do not install anything downloaded from god knows what source. Wait until it's done. Are you racing somewhere, or what?

What I would like to know is if the above stated is normal or not and then start addressing how to stop any abnormal and forget about normal. Hidden partitions that WP7 can not see other than working and hidden system that WP7 does see? Directories of drivers that WP7 does not see, but reports being in other directories that they are not? etc. Thanks.

Yeah the hidden partition is normal, the second thing is also normal - Windows maintains a list of last used locations in registry and doesn't check whether you have deleted or moved the drivers somewhere else meanwhile... All this is also completely off-topic here.

P.S. And kindly don't tell me that all the trojans keep spreading mysteriously out of nowhere to your computer without you doing anything -> BS.  ::)
Title: Re: Avast Web shield
Post by: DAV2 on March 24, 2011, 05:12:18 PM
Doktornotor, thanks. I apologize for not being a computer expert like yourself, but I rarely download anything from the net. I have never contacted a "warez/p0rn sites" to the best of my knowledge. As far as MS software, that is what I am trying to understand the security applications like Avast. I know that MS has the ability to disable its own firewall all by itself, because I saw it do it as I was waiting on manual verification/validation from MS. The only software loaded at the time was MS. I also let MS load all its updates before I load others, except Avast etc.
Would like Avast to tell me when it stops running. Now I only see it when real time shield stops working or win logs state it, before MS erases them automatically. Com... at least tells me it has stopped working and I need to reboot. (a lot)
Also would like to get MS IE8 to keep protected mode on. It drops it every time I connect to my broker's web site. These are a few of the security problems I am still trying to fix in MS. Thanks for your help.
Thanks for clarifying all the hidden partitions that MS does not see and are only visible when I do a kill disk and thanks for clarifying all the drivers that MS moves automatically then forgets where it placed them.
Title: Re: Avast Web shield
Post by: DAV2 on April 13, 2011, 06:02:51 PM
"trojans keep spreading mysteriously" That is the problem. I am trying to understand how this happens consistently. All I know is that I try to download only essential/needed software, like Avast and needed updates only. I never do p to p or any porn/copy site. I do not know why Win puts all the hidden partitions on the drives that it can not see other than its hidden system partition, but it does all by itself and then it loses track of its drivers, but it does. Then sfc/scannow becomes so dysfunctional, that it can not recover, that it does consistently for last year on multiple rebuilt computers and all reloads and this still mystifies me, as why IE9 loads pictures and files on the computer to its history file that have never been on the net, yet appear along side of the history of visited web pages. I still do not understand why Avast only finds the trojans in backups and crash memory dumps and not during the active running load, but it doesn't. I am very willing to modify my behavior, but I am hoping that Win/Avast will help in correcting any security flaws.
Title: Re: Avast Web shield
Post by: dansorin on April 13, 2011, 08:37:23 PM
unplug your computer from the network cable (or from the router) and install W7. even if not validated, W7 will run for 30 days. install avast, then connect to the internet. do you still have problems now? because W7 is not configured to serve you with malware the second you install it. if this is the case you have a modified(?) install kit of W7.
Title: Re: Avast Web shield
Post by: essexboy on April 13, 2011, 09:49:36 PM
Windows 7 has a hidden partition where the recovery console is installed.  You will not see it through the OS

Quote
I did a complete reinstall from scratch/kill
Did you reformat the drive ?

Quote
but before it will work it needs to be updated and allowed by MS through contact with the net.
Windows 7 works right out of the box.. It will ask to update but you can deny that until you are ready, the system will still work.  That is how I installed my copy, no need to even connect to the net until you are ready 

Quote
"trojans keep spreading mysteriously" That is the problem. I am trying to understand how this happens consistently
If you over install rather than reformat this will happen, especially if you have an MBR infection 
Quote
Would like Avast to tell me when it stops running.
It does with the exclamation mark

I must admit I am still not sure what the problem is -
Title: Re: Avast Web shield
Post by: DAV2 on April 14, 2011, 10:35:06 PM
Dansorin, thanks. I apologize for not being an expert in Win/security and I thank you for your input. Yes, Win comes from a Holograph disk and states genuine when validated by Win and the sfc/scannow works out of the box. I also have learned to pull the network plug during install. I also frisk and reformat before install after wiping with kill disk. I learned this after doing this with re-raiding, but still plugged into the net, that problems started right out of the box.
Title: Re: Avast Web shield
Post by: DAV2 on April 14, 2011, 10:53:49 PM
Essexboy, thanks and I again apologize that I am not an expert in Win/security. Kill/format/fdisk yes.  Yes, I unplug from the net now before loading Avast etc. The only way I know Avast is not working is when it stops doing real time screening or a message appears in Win log that it has stopped. Com... firewall gives an error message that it has encountered an unknown problem and stops. The latest concern was stated above when I noticed that pictures and files on the computer were listed in the history of IE9 as if I visited them on the web, which was impossible, since they never left the computer. At this time Avast and Com.. fw says clean and Malw...... says clean, but the pictures and files still appear in the history file of IE9. Sfc/scannow is clean and the driver scanner says all drivers are signed. Is the appearance of some pictures/files on the computer in the history of IE9 normal, even though they never were associated by me with IE9? The files are selective and only pertain to sensitive material on the computer that I would never want out on the net. Is this normal?
Title: Re: Avast Web shield
Post by: essexboy on April 14, 2011, 11:01:36 PM
Quote
Com.. fw
does that mean you have commodo firewall as well
Title: Re: Avast Web shield
Post by: Dieselman on April 14, 2011, 11:08:54 PM
Quote
Com.. fw
does that mean you have commodo firewall as well

That would be Comodo Firewall.  ;D
Title: Re: Avast Web shield
Post by: essexboy on April 14, 2011, 11:16:02 PM
Ah I must have been thinking of the dragon  ;D
Title: Re: Avast Web shield
Post by: Dieselman on April 14, 2011, 11:20:59 PM
Ah I must have been thinking of the dragon  ;D

I guess not cause then that would be "Komodo". LOL.

http://en.wikipedia.org/wiki/Komodo_dragon
Title: Re: Avast Web shield
Post by: essexboy on April 14, 2011, 11:23:42 PM
It depends on where you were drug up and edumikated
Title: Re: Avast Web shield
Post by: DAV2 on April 15, 2011, 04:26:35 PM
http://forum.avast.com/index.php?action=dlattach;topic=68839.0;attach=61359
The above was what I got with Avast fw, so I tried Com.... fw and all testable leaks were plugged. Is it normal for files and pictures on the computer to appear in the history of IE9, that have never been associated with it? Thanks
Title: Re: Avast Web shield
Post by: essexboy on April 15, 2011, 08:35:59 PM
Personally I do not give much truck to the firewall leak tests

You will see some elements from your computer if you open html files or certain picture files that open in a browser

With windows 7 I think gif files do that - although I will need to test it out

Title: Re: Avast Web shield
Post by: DAV2 on April 17, 2011, 10:03:07 PM
Essexboy, thanks. I know that if I opened a html file or something that opened in a browser that it would be in the IE9 history file, but these are documents from Word and other files that I have never associated with IE9 on my side in any way. These appear in the history of IE9 and I am stumped as to how. A programmer told me this was normal for IE9, but I can not see how. They were selective and only the sensitive kind. The tester gave ZA 0 for 9, Avast 5 for 9 and Com... went 9 for 9 without leaking any material from the computer. ZA blocked access to its site as did Avast, where Com... allowed access to all support sites and Avast and Malw... both scanned clean during the test. Thanks for all your help.
Title: Re: Avast Web shield
Post by: DAV2 on April 19, 2011, 03:39:39 PM
Essexboy, the posted files are an example of 2 files that I found in the history file of IE9. There were others, but all were never associated with IE9 by me. Is this normal or is something else going on that needs to be addressed? Thanks.
Title: Re: Avast Web shield
Post by: essexboy on April 19, 2011, 07:16:38 PM
Did you access that online ?
Title: Re: Avast Web shield
Post by: DAV2 on April 20, 2011, 12:52:54 AM
None of the files that appear in the IE9 history were ever accessed on line. They only reside inside the computer and until I sent you copies of 2 of them, they never were on line.
Title: Re: Avast Web shield
Post by: essexboy on April 20, 2011, 06:44:17 PM
I have checked on my system and all gif files open with IE - The thing is though I empty my caches as the browser closes - so I rarely have more than a few hours history at any one time
Title: Re: Avast Web shield
Post by: DAV2 on April 20, 2011, 07:35:43 PM
Essexboy, thank you for your input. I just am trying to confirm the normalcy of observed behavior, since I have been having so much trouble with Win security in general. Thank you for confirming this normalcy. Now I hope that all the other non picture files were similarly opened in IE9, even though I still do not see why they would be. Thanks in any case. Now maybe I can get back to perfecting making money. Thanks.
Title: Re: Avast Web shield
Post by: DAV2 on May 03, 2011, 02:18:39 PM
Essexboy, I have removed some unidentified networks set up by Win and placed some attached computers into the banned list by MAC, because I do not know who they are. Is it better to allow only my computers to attach to my network or to ban the strange computers by MAC in the router? The router only gives the option to ban by MAC or allow by MAC. Thanks.
Title: Re: Avast Web shield
Post by: scythe944 on May 03, 2011, 07:48:16 PM
Essexboy, I have removed some unidentified networks set up by Win and placed some attached computers into the banned list by MAC, because I do not know who they are. Is it better to allow only my computers to attach to my network or to ban the strange computers by MAC in the router? The router only gives the option to ban by MAC or allow by MAC. Thanks.

It depends on how much work you want to do.  If you choose to ban certain MAC addresses, then you'll constantly have to look at your router's log to find new MAC addresses that have tried to connect to it, and ban them manually.

Or, you could just put the two computers' MAC addresses in the allow list and never have to worry about it again until you get another computer, replace a NIC, or remove a computer (obviously, the better choice).

Still trying to figure out how a completely reformatted and reinstalled computer gets random things in the browser history, and no, that's not "supposed" to happen.  Seems like you have some gremlins in your computer accessing sites while you sleep.
Title: Re: Avast Web shield
Post by: DAV2 on May 03, 2011, 11:52:57 PM
Scythe944, thanks. The reason I asked, is because I can see devices on the other side of the router and they can see me, both by MAC, but the router does not see them. This makes me wonder how best to configure the router. Yes, it would be nice to only have 2 computers. For now, I have blocked the offending computers that were attached and I am watching for any others. Thanks.
Title: Re: Avast Web shield
Post by: scythe944 on May 04, 2011, 06:16:04 PM
Sorry, reading through the threads quickly it seemed as though you only had two computers on your network.

You can continue adding unauthorized MAC addresses to the block list, or gather a list of MAC addresses that are known to be good, and then add them to the allow list on your router.

I guess I don't know what kind of environment you're working in, whether it be a work / home / school /etc. environment and I don't know what type of routers / servers you are running.

If you had a Windows DHCP controller, you could easily see the authorized computers on your network, and pull the MAC addresses from there. If your only DHCP server is your router, then you have to rely on it to provide you with the relevant information.
Title: Re: Avast Web shield
Post by: DAV2 on May 11, 2011, 04:42:29 PM
Scythe944, Thanks. I am noticing that Windows Security pop up box has replaced all my passwords with an 11 digit password that I do not know. How do I stop this? It has happened on more than 1 computer and it is 11 digits on both. I also noticed that the router is constantly being port scanned by a lot of Chinese sites. Is there any way to stop that?
Title: Re: Avast Web shield
Post by: scythe944 on May 12, 2011, 05:28:34 AM
What? no seriously, you must have some pretty serious infections on your network if all of a sudden all of your passwords are replaced with an 11 digit password.  How the heck do you even know they are 11 digits anyway?  Are they windows passwords, wifi, website, FTP, what?

That doesn't even make any sense.

Blocking Chinese IP's wouldn't be hard, but we'd need to know what router you are using in order to give you specific instructions.

Otherwise, just look for an "IP block" of some sort in the router under the firewall or maybe it has a section where you can block connectivity to certain IP's.  At any rate, if you rebuild a computer from scratch and it instantly gets infected by things I'd be much more worried about other infected computers on the network or lack of a firewall at the gateway.  Look into Wireshark http://www.wireshark.org/ and analyze the traffic on your network to see where the hell all of this stuff is coming from because you certainly can't be infected immediately after installing Windows from an OEM disk.
Title: Re: Avast Web shield
Post by: DAV2 on May 12, 2011, 05:23:48 PM
Scythe944, thanks again. Router is Dlink Dir-825. Both Malwarebytes and Avast "boot" scan say clean. Boot scan takes a long time and the drive sounds just like low level formatting when it locked out bad sectors when I originally set it up. Is that normal for Avast?  The 11 digit PW is on the Windows pop up box where it offers to automatically put in the PW for me. I know it is not correct even though it is all dots, because the only 11 digit PW I use is on one of my Email accounts and the passwords for the security cameras are not 11 digits. Windows also offers the 11 digit PW for the cable modem PW that is also not 11 digits. The router log shows all the blocked port scans, so after I changed its default security setting from allow all to block all, it shows all the port scans from all the Chinese sites, so I think it may already be blocking them. I was just concerned about the speed of the router having to log all the blocks and giving me slow/intermittent internet connects now.
Title: Re: Avast Web shield
Post by: scythe944 on May 12, 2011, 06:10:53 PM
Thanks for the router info, I'll try to look up info on it and give you better instructions on blocking strange IP's.  I think it's most important to not use any port forwarding or DMZ features of the router unless you absolutely need them (and I'm not saying that you even have any setup).

I still don't understand the password thing.  When Windows is set to automatically login, it's usually because you only have one user and no password, thus just logging you in automatically when you start the computer.

If you have a password, it should ask you for it, not automatically put it in for you.  Windows only stores passwords for web sites and network resources, not for windows itself.  See here for managing windows stored passwords: http://support.microsoft.com/kb/306541

Do you have a program installed that is supposed to remember your windows password?

Did you do something in the control panel > User Accounts to make it automatically log you in with a password?

Something really wrong must be going on here, or you must be "pulling our chain".


Alas, I cannot attest to the boot time scans because I rarely have to run them.  The last time I ran one was with Avast 4.8 and I can't remember how long it took because I had it do it overnight and it didn't find anything.
Title: Re: Avast Web shield
Post by: scythe944 on May 12, 2011, 06:15:13 PM
Just had a look at the DLINK's emulator for your router model.

You can block IP's (and entire blocks of IP's for that matter).

Login to the Router, Click on the Advanced tab, click on Inbound Filter on the left side pane, then input a name (to help you remember what IP's are blocked by whatever rule that you are creating).

Then, input an IP address or a range of IP addresses that you'd like to block (I don't know how you're going to find out all of the ones that you want to block, but I guess you can try with doing WHOIS queries on IP addresses that you want to block, then block that entire subnet or something).

Keep doing that for as many IP's as you want to block.

Once done, I'd also click on the Firewall Settings pane and make sure that SPI is enabled, UDP Endpoint Filtering is Address Restricted and TCP Endpoint Filtering is Port and Address Restricted, also the Anti-Spoof Checking is enabled.

Keep the DMZ OFF unless you have something that needs full access to the internet (like a Vonage box or similar), and if you don't use or know what a VPN is, you can probably turn off PPTP and IPSec, both of which need to be ON for VPN use, but unnecessary if you don't use VPN.
Title: Re: Avast Web shield
Post by: DAV2 on May 12, 2011, 08:26:09 PM
Scythe944, Thank you very much for all your help. The Windows pop up I am referring to is inside IE9 and not the log on to start windows. It pops up with the 11 digit PW that is the wrong number of digits to sign in to see the security cameras local computer only and not over the internet and likewise the modem local from the computer and not over the internet. The only 11 digit PW I use is on an Email account that is over the internet. Thank you again for all the other help. Still trying to figure out what is normal and what needs to be addressed. Thanks. I was thinking on replacing the Dlink 825 with a more secure one. (Since its default security was set to allow all and yes MAC 0:0:0:0:0:0 was attached along with another and I changed the default to block.) Any recommendations?
Title: Re: Avast Web shield
Post by: DAV2 on May 15, 2011, 04:41:00 PM
2.4 N signals are strong. At 2000' I am seeing Sids outside, but none inside. A research inside reveals yet another non-computer device attaching directly to the router. Very complicated setting up a secure router. Thanks for the help.
Title: Re: Avast Web shield
Post by: DAV2 on May 25, 2011, 04:37:44 PM
I am getting a lot of "outgoing" connection attempts from a computer that scans clean with Avast boot. Is that normal and how do I stop it? I set the router as was suggested. Most all other computers do not do this.  Thanks
Title: Re: Avast Web shield
Post by: DavidR on May 25, 2011, 05:27:14 PM
Outgoing connection attempts from what application, port, protocol, etc. more details please ?
Title: Re: Avast Web shield
Post by: DAV2 on May 26, 2011, 12:58:03 AM
These are from the router log, so ??? application??? 63.135.86.43 from port 50654   74.120.140.21 from port 50589  208.71.125.131 from port 50609   204.77.30.86 from port 50601   All to port 80. Repeated many times. All TCP packets. I am still trying to learn what is normal. Still getting hundreds of port scans incoming, but I guess that is normal. Thanks.
Title: Re: Avast Web shield
Post by: DavidR on May 26, 2011, 03:13:13 AM
I was wondering if there might have been more information from a software firewall log as that normally indicates the program/process responsible for the connection. See image example of my firewall log.

The first IP is for myspace-inc.com, second is turn.com, 3rd is 247realmedia.com, 4th is Coremetrics, Inc. (with a reference to us.ibm.com). So I don't know if any of those ring any bells as the fact they are TCP to port 80 would appear to be regular browsing.

As for inbound port scanning there are many speculative attempts to find computers that are open, these use random IP addresses in the hope of finding one. For the most part if your system is fully stealthed and doesn't respond to any port scan, it isn't something I would be overly concerned with. Most software firewalls do record these.

Personally I don't stick my nose in the logs unless there is something specific that I'm looking for as it can cause more grief than reassurance.
Title: Re: Avast Web shield
Post by: DAV2 on May 26, 2011, 02:43:41 PM
Thanks for your input. None of those ring any bell at all. I only use that computer to trade world markets through a server not in any of those regions and computers that I do use to browse do not have those places in them. In fact they usually only try to make contact with the security software sites for updates etc. and no other contact. It was only the trading computer that did this activity all by itself. I am still trying to see normal from abnormal and just want to be reasonably assured that there are not glaring security holes that still need to be addressed. The port scans are only in the hundreds per day and I think the router can handle that without being overloaded, but if it isn't stopped, eventually it could be overwhelmed with them. As the Chinese have super computers developed for them by American companies, that day may not be far off. Thanks.
Title: Re: Avast Web shield
Post by: DavidR on May 26, 2011, 02:56:34 PM
You're welcome.

It is possible I guess for the TCP to port 80 not going through your browser as there are examples of this when avast.setup does the virus signature updates on TCP port 80 and the avast free, avastUI.exe also uses TCP but on port 443 (secure) and they aren't using the browser.

This is why I favour the software firewall log as it actually tells you what is establishing the connection and that is more reassuring than a bunch of anonymous data.
Title: Re: Avast Web shield
Post by: scythe944 on May 26, 2011, 04:42:40 PM
You could run "netstat -a" from your computer to see if it's the one making the requests.

Again, a wireshark analysis of your network traffic would help, but you might not know how to use it.  I barely do.
Title: Re: Avast Web shield
Post by: DAV2 on May 31, 2011, 07:01:38 PM
Thanks and thanks again. Avast will not run real-time nor update in safe mode?
Why is svchost.exe trying to target forexstrategybuilder.exe and why is it owned by an unknown and not deletable? Thanks    (The unknown owner will not show itself nor let the administrator or system to take control of it. What is the best way to delete it and are there other parts of it causing svchost to target it that I also need to remove?) Avast boot says clean and Malware says clean, but Com.... says VIRUS.  Who is correct and what should I do? Avast and Malw... safemode scans say clean.
Title: Re: Avast Web shield
Post by: justchecking on May 31, 2011, 07:30:35 PM
Thanks and thanks again. Avast will not run real-time nor update in safe mode?
Why is svchost.exe trying to target forexstrategybuilder.exe and why is it owned by an unknown and not deletable? Thanks    (The unknown owner will not show itself nor let the administrator or system to take control of it. What is the best way to delete it and are there other parts of it causing svchost to target it that I also need to remove?) Avast boot says clean and Malware says clean, but Com.... says VIRUS.  Who is correct and what should I do?

Because you are infected (may have come over IPV6).

You may want another thread for this.

Not a specialist on trojan/worm removal.  Don't get them (knock on wood).
Title: Re: Avast Web shield
Post by: DAV2 on May 31, 2011, 07:32:21 PM

OK I GOT AVAST TO WORK AGAIN.


If there is a virus??? What should I do now, since Avast and Malw.... both do not see it at boot or in safemode? The target file is only a download and not in the programs directory.
Title: Re: Avast Web shield
Post by: DAV2 on May 31, 2011, 09:45:52 PM
Always wondered what that last one was or for that matter of fact, what most are.
[fe80: :75d4  ......  etc.    What is that?


Should any of this mean anything to me? Thanks.
Title: Re: Avast Web shield
Post by: DAV2 on June 01, 2011, 03:47:35 PM
Ok, I know I am having a lot of computer security problems and it is very obvious that I am no computer expert and I apologize for that, but please can anybody shed some light on whether or not Win 7.1 Pro is setting its network up securely by defaulting to "Teredo Tunneling Pseudo-Interface" whatever that is and what is "[fe80: :..........   etc. anyway? "ForexStrategyBuilder.exe that resides in downloads directory and is being targeted by svchost.com is larger than 5 megabytes. If it is a virus??? does its size have something to do with Malw... not seeing it, or is something else causing this targeting? I realize that Win 7.1 Pro is the most unstable release of Windows yet, but I am getting tired of reformatting and reloading it so often to get it to work for so short of a time. Suggestions on removing "ForexS....  and/or what is causing it to be targeted???? Thanks.
Title: Re: Avast Web shield
Post by: DavidR on June 01, 2011, 05:29:43 PM
I'm coming back to this topic a little late so I haven't gone over the complete topic again.
 
Do you actually use Forex  ?
If not then ForexStrategyBuilder.exe would be somewhat suspect.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here (the URL in the Address bar of the VT results page).

Have you tried a scan with MalwareBytes AntiMalware (MBAM) - I don't believe size should be an issue in the mbam scan as there is no option not to scan files over a certain size in the mbam settings, Scanner Settings tab.

- Unlocker (http://ccollomb.free.fr/unlocker/) is an option; it can not only delete the files but also stop any process that is stopping you from deleting a file (unlock).

Title: Re: Avast Web shield
Post by: scythe944 on June 01, 2011, 05:51:34 PM
Always wondered what that last one was or for that matter of fact, what most are.
[fe80: :75d4  ......  etc.    What is that?


Should any of this mean anything to me? Thanks.

The strange numbered address is an IPv6 address, as is the Teredo Tunneling interface (IPv6 to IPv4).

You could disable IPv6 if you wanted to: http://support.microsoft.com/kb/929852

As for the Forex problem, as David stated, unless you use that program it shouldn't be there.

The netstat -a screenshot you posted is good to see what your computer is accessing (and being accessed by).  The only problem is sometimes it only shows IP addresses, which of course you'll have to lookup yourself to find out who owns those addresses.

A netstat -no command will give you Process ID numbers (PIDs); you could then open the task manager to find the corresponding program that is running with that PID, and you could kill it if needed.
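
The PID lookup described in the post above, as an added example that is not part of the original thread: it joins `netstat -no` output with a process list and keeps only connections that leave the local network. Both sample outputs are constructed, the function names are hypothetical, and using `tasklist /fo csv /nh` instead of Task Manager for the process list is an assumption.

```python
import csv
import io
import ipaddress
import re

# Constructed sample of `netstat -no` output (documentation-range addresses).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:5354         127.0.0.1:49160        ESTABLISHED     1580
  TCP    192.168.0.10:50589     192.168.0.1:80         ESTABLISHED     2212
  TCP    192.168.0.10:50654     203.0.113.43:80        ESTABLISHED     2212
  TCP    192.168.0.10:50609     198.51.100.131:80      ESTABLISHED     4636
  TCP    192.168.0.10:50601     198.51.100.86:443      TIME_WAIT       0
  TCP    [fe80::75d4:1:2:3%11]:50700  [fe80::1%11]:445  ESTABLISHED    4
"""

# Constructed sample of `tasklist /fo csv /nh` output, taken a moment later.
TASKLIST_SAMPLE = '''\
"System","4","Services","0","1,024 K"
"svchost.exe","1580","Services","0","9,120 K"
"iexplore.exe","2212","Console","1","80,000 K"
'''

# Private IPv4 ranges and IPv6 unique-local addresses count as "lan".
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def split_endpoint(endpoint):
    """Split '1.2.3.4:80' or '[fe80::1%11]:80' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and IPv6 zone id
    return ipaddress.ip_address(host), int(port)


def scope(ip):
    """Classify an address by how far the traffic travels."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:          # fe80::/10 and 169.254.0.0/16
        return "link-local"
    if any(ip in net for net in LAN_NETS):
        return "lan"
    return "external"


def parse_netstat(text):
    """Return one dict per TCP row of `netstat -no` output."""
    conns = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if not m:
            continue  # banner, header or blank line
        local, remote, state, pid = m.groups()
        ip, port = split_endpoint(remote)
        conns.append({"local": local, "remote_ip": ip, "remote_port": port,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            procs[int(row[1])] = row[0]
    return procs


def external_connections(netstat_text, tasklist_text):
    """Connections leaving the local network, each with its owning process."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for c in parse_netstat(netstat_text):
        if scope(c["remote_ip"]) != "external":
            continue
        name = procs.get(c["pid"])
        if c["state"] == "TIME_WAIT" and c["pid"] == 0:
            note = "TIME_WAIT: connection already closed, no owning process"
        elif name is None:
            note = "no process with this PID in the task list snapshot"
        else:
            note = ""
        rows.append({"pid": c["pid"], "process": name, "note": note,
                     "remote": f"{c['remote_ip']}:{c['remote_port']}"})
    return rows


if __name__ == "__main__":
    for r in external_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(r["pid"], r["process"] or "?", r["remote"], r["note"])
```

A PID that has no match in the process list is not proof of anything hidden: the two listings are taken at different moments, so a short-lived process can exit between them.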
Title: Re: Avast Web shield
Post by: DAV2 on June 01, 2011, 05:52:06 PM
Thank you David. At the first site above, the file will not allow itself to be uploaded. At the second site above I only get "Erreur 503 - Service indisponible". I will continue to try, but is the network setup above making any sense to you? Thanks.
Title: Re: Avast Web shield
Post by: DAV2 on June 01, 2011, 05:56:04 PM
Thank you Scy....  No I would really like to get rid of the 5MB file. How???

The current connections are apparently only Avast and Com...., but I will be watching. Thanks
Title: Re: Avast Web shield
Post by: scythe944 on June 01, 2011, 06:01:47 PM
If unlocker won't do it, you might try safe mode with networking.  Then you can follow David's recommendation of submitting it to virustotal.

While in safe mode, do a Malwarebytes scan also.
Title: Re: Avast Web shield
Post by: DAV2 on June 01, 2011, 06:14:02 PM
Thanks again Scy..... I will try your advice. I already tried a Malw.... scan in safe mode and it was clean, as were the Avast scans in boot and in safe mode. Thanks. Are Avast real-time shields designed to stop working in safe mode?
Title: Re: Avast Web shield
Post by: DavidR on June 01, 2011, 06:28:55 PM
Thank you David. At the first site above, the file will not allow itself to be uploaded. At the second site above I only get "Erreur 503 - Service indisponible". I will continue to try, but is the network setup above making any sense to you? Thanks.

Find the file and try making a copy and place it in a different folder.

Try this location to download Unlocker: http://www.filehippo.com/download_unlocker/
You didn't say if you actually use Forex?
Title: Re: Avast Web shield
Post by: Asyn on June 01, 2011, 10:03:44 PM
...I would really like to get rid of the 5MB file. How???

http://www.malwarebytes.org/products/fileassassin

Warning: Please use caution with FileASSASSIN as deleting critical system files may cause system errors.
Title: Re: Avast Web shield
Post by: DAV2 on June 03, 2011, 03:26:29 PM
Thank you for your help. I definitely am no computer expert and I again apologize for that. I noticed on another computer that there was a TCP connection running in Windows task manager and not being managed by Avast.   TCP  96.17.164.29 it had pid 4636 and I went to services to kill it and it was not there. What am I doing wrong?

There are 3 pages of Task manager pids and netstat -no and -a attached. Thanks and especially thanks if you could look at it and assure me it is ok and I am simply no computer expert and that is why I do not understand what I am doing.

As far as Forex, I look at all world markets and downloaded that ForexStra....... program into a download directory from what I thought was a clean trading
Title: Re: Avast Web shield
Post by: DAV2 on June 03, 2011, 03:28:27 PM
last 2 pages.

The file "ForexStrategyBuilder.exe" is in a download directory and not in the working programs directory of Windows. TCP 96.17.164.29 is I think a Bloomberg tv feed, but since it was running outside Avast I was going to see if it could be found and killed, but I could not find the pid. I do not think there is any virus at work, but I am no expert.
Title: Re: Avast Web shield
Post by: DavidR on June 03, 2011, 05:35:45 PM
Going back to the first post on this page, Reply #120, I don't know how the forex software works in trying to get its live data. That really is something which you would need to look into on the Forex forums. Whilst some would say that when trading on-line it has to be secure, so that could account for your not being able to probe it for information.

Why the ForexStrategyBuilder.exe needs to connect and more importantly why it can't connect on its own, rather than svchost.exe being used is another mystery. Normally the only process that I see that uses the svchost.exe to connect to the internet is windows update.

So when this happens again, please capture the alert image.
Title: Re: Avast Web shield
Post by: DAV2 on June 03, 2011, 07:37:27 PM
Thank you again David. From your reply, I guess the above post of task manager and netstat are normal and I can focus in on finding out why the file Forexst..... that is not running/loaded and not even in the working programs directory, but is fixed in the download directory file only, is getting targeted. I again apologize for not being computer literate. Thanks.
Title: Re: Avast Web shield
Post by: DavidR on June 03, 2011, 09:22:10 PM
Well I suspect that they are OK. However I haven't the slightest idea how the Forex software works, which is why it really needs someone who uses the software to confirm that this is how it works on their system.
Title: Re: Avast Web shield
Post by: DAV2 on June 09, 2011, 08:44:20 PM
David thank you for all your help. In another couple of decades, I might just become a computer expert. I noticed that today is "IPv6" day. I disabled IPv6, but the test of its function says it is working just fine with "Teredo" connectivity directly to IP's. That is normal? Maybe that is why Win7 Pro sets up "Teredo" by default and starts unknown networks by default??? I am still working on that decade learning curve. Can you reassure me that this is OK. Thanks.
(The computer successfully connected to an IPv6 site in the test without any security notification whatsoever, but it states it will not work in a browser. In other words, the computer/Win Pro 7 can connect IPv6 (through all security programs without notification), but I blocked my use of it in my browser. Is this normal?) See attached. IPv6 is disabled. (but 3544 is the IPv6 port)
Title: Re: Avast Web shield
Post by: DavidR on June 09, 2011, 09:36:23 PM
IPv6 day won't affect anyone directly; as far as I'm aware it just checks if those accessing sites can do so using an IPv6 IP address. If they can't then they would access it normally using IPv4.

Personally I'm not even thinking about IPv6 as it is still some way off and this my main system (XP Pro) and my netbook (win7) both fail the IPv6 test. This is no doubt due to my ISP not yet being ready for IPv6 and that is outside my control, so not something that I am going to worry about.

I really have no idea about the IPv6 port (never looked into it), but the actual IP address is an IPv4 IP address. So I can't see the purpose in their using that port in conjunction with IPv4, other than to possibly see if it is able to use the protocol.

So the upshot is I really don't know if it is normal or not.
Title: Re: Avast Web shield
Post by: DAV2 on June 10, 2011, 03:38:08 AM
David, thanks. This load is very very very old. Maybe 1-2 months. Maybe I need to trash it (Win7 Pro flavor 7.1) and start over for the ??? time. I am starting to get all sorts of error/crashes/instability. I have not run an Avast scan of a full backup, but that is where I start to see trojans/etc. Stopped doing that, because that was the only way I could figure out to stop it. I will have to give this some thought. In any event, I am learning as I trash. Thanks again for all the help. (I blocked IPv6 at the router, since disabling it only gave absolute control of it to Windows to connect to whatever IP and no oversight of it to myself)
Title: Re: Avast Web shield
Post by: DAV2 on June 14, 2011, 06:53:49 PM
Is Avast designed NOT to work in safe mode? Is Avast designed NOT to allow bootscan from safe mode? Thanks.
Title: Re: Avast Web shield
Post by: DavidR on June 14, 2011, 07:32:43 PM
That is the whole purpose of 'safe mode': it runs a minimal program set so you can resolve conflicts, etc.

You can manually start avast in safe mode to do an on-demand scan, but I don't know if it extends to being able to make changes to the registry (required) to be able to schedule a boot-time scan.