Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: DAV2 on January 04, 2011, 05:56:58 PM
-
How do you get Avast web shield to slow down? It scans tens of thousands without finding anything and slows down the computer in the process. It is set at default. Thanks.
-
The web site is 96.17.106.39
-
The web site is 96.17.106.39
that's Akamai, so what?
-
What is Akamai and why does it get scanned tens of thousands of times?
-
What is Akamai and why does it get scanned tens of thousands of times?
might be because Akamai is associated with thousands and thousands of ISPs and web sites to offer a few million mirrors worldwide ;D
http://en.wikipedia.org/wiki/Akamai_Technologies
-
Thanks. So why is Akamai mirroring my computer and how do I stop it and does this have anything to do with Avast file system shield not working and how do I fix it? Thanks in advance.
-
Thanks. So why is Akamai mirroring my computer and how do I stop it and does this have anything to do with Avast file system shield not working and how do I fix it? Thanks in advance.
Akamai mirroring your computer ??? are you serious? ;D Akamai is mirroring some sites that you browse, and most likely your ISP's servers ok? ;)
And on a side note, neither the FS shield nor the webshield slow down anything when browsing. If it's the case for you then either your Avast setup is broken, or something conflicts with it etc... maybe have a look at other software (especially security software) installed on your PC.
-
Thanks. Do you think this has anything to do with Malwarebytes saying it is over 14 days old each time I run it daily after update. I am running it on 2 identical secured computers and only one is acting this way. Thanks in advance.
-
Thanks. Do you think this has anything to do with Malwarebytes saying it is over 14 days old each time I run it daily after update. I am running it on 2 identical secured computers and only one is acting this way. Thanks in advance.
no this shouldn't be related. You got the paid version of MBAM (resident)?... as to your message, no idea, update/license issue?
-
Ok I turned off Bloomberg and the scan slowed down, but the computer remains slow. The other computer does not do the tens of thousands of scans with Bloomberg. This computer still does not do the File system shield. How do I fix it? Thank you in advance.
-
Ok I turned off Bloomberg and the scan slowed down, but the computer remains slow. The other computer does not do the tens of thousands of scans with Bloomberg. This computer still does not do the File system shield. How do I fix it? Thank you in advance.
look it's hard to say without direct access to your computer, could be a million things... maybe as a first step uninstall Avast, reboot, and re-install it. See if there is any difference. Also get rid of other security software if any (except mbam). btw what do MBAM scans say, nothing, no infection? As to Bloomberg that you said you "turned off", does that mean that you excluded it from the web shield scope? or do you have any bloomberg related desktop utilities?
-
Thanks and sorry about being so vague. Mbam always says clean on scan except on the original load of Genuine Win 7 Pro. The Bloomberg was only Bloomberg TV on IE 8. I closed the page. I will try to reload Avast. Thanks.
-
Thanks for all the help. Removing Avast fixed the problems. I was wondering why every time I closed Microsoft Word I got the error message trying to print, even though I never told it to print. It now is back to full speed and Mbam scans in less than 15 minutes like usual instead of nearly forever. I wish Avast would tell me in a friendlier way when it is broken. Thanks again.
-
might have been just an issue with the behavior shield. It got slightly modified in version 5.1, and there are issues. So you could have just uninstalled the module instead of uninstalling Avast completely. Maybe try to re-install, but choose "custom setup" and uncheck "behavior shield".
-
"Trojan.FakeMS" was found by Mbam after Avast removed. Do you know what this does? First one found by Mbam after over 1 yr of scanning.
-
edit: I'm googling that...
did mbam remove it as well?
-
oops, someone says here that mbam can detect it but not remove it
http://social.answers.microsoft.com/Forums/en-US/vistasecurity/thread/2250456c-1a67-464c-ae2d-583bf531b064
edit: just notified Essexboy (he's a malware specialist here).
-
Hi, let's have a quick look at your system to see if we can resolve this
Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop and double-click on it to run it
- Make sure you close all other programs and don't use the PC while the scan runs.
- Select All Users
- Under additional scans select the following
Reg - NetSvcs
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
File - Purity Scan
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.
-
Thanks. Ots.txt is attached as requested. Mbam removed Trojan.FakeMS from this computer earlier today. Rescan says clean. Trojan.FakeMS is still in Mbam Quarantine. Thanks for your help.
-
oh okay, if mbam already removed it then... thought it didn't, just detected. Anyway if any remnants of that are still in your system, OTL will tell.
-
Hi, looks like MBAM did it right this time
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY -> #ISW.FS# -> C:\Users\DAV\AppData\Roaming\#ISW.FS#
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
-
Thanks. Do I paste this into all the computers that had Trojan.fakeMS removed by Mbam or is there a simpler way to finish cleaning?
-
Ah, there was more than one?
No this was specific to the one machine I saw - it may be different for the others
-
@ Essexboy: don't think that it matters, anyway I noticed in the OTS report that there were several unmounted/unloaded drives (truecrypted or bitlockered)... is it very unlikely that the malware could have affected data on those drives?
-
So what do I do with the others? I run Mbam almost daily. I do not know how this got onto so many non connected computers. They share a router, but they are all configured not to talk to each other and they are all 2 way firewalled. How do these programs (OTS) find all the places I cannot find to hide files? I see 0104211etc in notepad, but it is lost to me. It says all processes killed etc.
-
As they are encrypted drives it would be highly unlikely, not impossible but improbable ;D
Are you getting redirects on the systems?
Run OTS on each system and post the logs (naming each system) and then I can do a specific fix if required
-
As they are encrypted drives it would be highly unlikely, not impossible but improbable ;D
well they must be mounted/unlocked off and on, and then they're vulnerable like any other drive ;)
edit: well if encrypted volumes aren't mounted at boot time and the malware can only hit when the system boots, then they're safe ;D
-
OK. Here is another that had Trojan.FakeMS just removed today. Does it need a fix code? Thanks.
-
Is this Trojan.FakeMS a key logger?
-
No, it is not a keylogger, it is a trigger to download other malware - similar fix for this one
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY -> #ISW.FS# -> C:\Users\I7\AppData\Roaming\#ISW.FS#
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
-
Thank you. I think I got the pattern now. The report says all processes killed etc. As you may have noticed, I run Avast and a 2 way firewall on both machines. I scan almost daily with Mbam and although sharing a NAT router, they are configured not to talk to each other. How did this happen, so I can make it NOT happen again? Thank you in advance. (The fix even got back my home page on IE8. It was blank before fix. Thanks)
-
yeah, would be interesting to know where you got the trojan from...
-
The 2 way firewall scans all downloads and certifies them clean, before I can even open them. How did this happen?
-
Both computers were locked in a secure vault that only I have access to. How did this happen?
-
The 2 way firewall scans all downloads and certifies them clean, before I can even open them. How did this happen?
no idea, firewalls don't scan downloads btw, so I wonder how they could certify anything... firewalls control ports and protocols used by applications, they're not anti-viruses ;)... now the question is how is it that your AV (Avast I suppose) didn't detect it... remains where you got the trojan from, can be a drive by download (ie something you're not aware of when it happens; you might even get it by visiting a legit and supposed to be clean site; but the site has been hacked and the owner of that site doesn't know it either).
-
This 2 way firewall does scan all downloads. It double scans all suspicious files and certifies them to be free of anything that even acts suspicious. (It is actually part of the browser.) I am still wondering how it happened, so I can make it NOT happen again. Thanks. (Is this a key logger?)
-
could you name this "firewall" ?
edit: and again, how do you want us to tell the origin of that trojan... you're the one surfing on your computer. If Avast was running when your system got infected, the best way to avoid a further infection is still to submit it to...Avast. Use for that the file submission utility included in the software UI.
-
You already know it. It is in the log file I sent you. A competitor.
-
You already know it. It is in the log file I sent you. A competitor.
no I don't, 'cause I didn't read it all but okay, I'll have a look...
ps: I edited my last post above, read that ;)
-
Thanks. I am not an expert like you and I just wanted to better understand, if simply connecting to a site and not downloading anything gets this infection, or I actually do need to download a file. I will check all my logs and try to see where it could have possibly come from. Thanks again. (I did not realize the infection until Avast stopped working.)
-
okay no big deal, this should be Zone Alarm, probably including a scanning plugin for your browser, what they call "advanced download protection" ;D ... and this should as I say mean that the plugin is scanning for viruses, not much to do with a firewall >>> I mean even if ZoneAlarm's flagship product is the firewall, you may have noticed that your suite contains an "Antivirus/Spyware Scan Engine" okay? so it's that that allowed your trojan to get through. Firewalls don't scan okay? ::)
And if there's a place where you may need to complain, it's on ZoneAlarm forums ;D they'll tell you how this could happen. Okay, this said, ZoneAlarm is... a very outdated piece of software, conflicting with many things on a PC, especially other security software. You'd be better off if you got rid of it. Now I understand that you probably paid a subscription, so that's your choice ;)
-
anyway, no doubt that your system was crawling with both ZA suite and Avast installed :D ... again, ZA is very good at conflicting with any other security software, + running two AV's etc... is the worst you can do, they will deny each other access to malware by requesting exclusive access.
-
Thank you Logos. Actually the real time scanner is Avast. The other only looks at downloads before they can be opened. It tests them in a secure environment before I can open them and will tell me if they have any suspicious behavior before that happens. If I do not download, but only connect to a site, can I get this infection? Thanks in advance. (I have been considering the total Avast package. Thanks for the advice.) I am also wondering why Mbam missed it until today
-
Thank you Logos. Actually the real time scanner is Avast. The other only looks at downloads before they can be opened. If I do not download, but only connect to a site, can I get this infection? Thanks in advance. (I have been considering the total Avast package. Thanks for the advice.) I am also wondering why Mbam missed it until today
even if you deactivate real time scanners on one side, their drivers load, and that's not good. This does slow systems when loaded from two separate security programs.
And yes, some infections as said can be transmitted online without downloading purposely anything. + your ZA download scanner is probably conflicting with Avast web shield in the first place. I don't even know if the ZA suite does that locally or with a cloud scanner. Anyway if you want to keep using Avast, again get rid of anything ZA related.
-
I have been testing a lot of security programs. Norton, Mca.., Zone.., Essen.., defen.. and Avast to name a few and I scan with Mbam almost daily. Yes, I try to avoid any and all conflicts and never have 2 AV at the same time. I am testing the ZA E on one computer, but it was the other that did not have ZA E on it where Avast failed. Thanks for your help.
-
your report file showed that both Avast and ZA were installed on that one and same infected computer :)
avastsvc.exe -> C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -> [2010/12/31 14:06:34 | 000,040,384 | ---- | M | MD5 = F868DEED98DCEA4338F3986D5C5D5E96] (AVAST Software)
zlclient.exe -> C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe -> [2010/08/29 02:53:14 | 001,039,360 | ---- | M | MD5 = A81C2966F7D74E9710D58F359DE363B8] (Check Point Software Technologies LTD)
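An added example (not code from this thread or from the OTS tool) that parses process lines in the format quoted just above and flags when more than one security product family is loaded, which is the point being made here. The line format is inferred from those two lines only; the explorer.exe sample line, its MD5 and the vendor table are constructed for illustration.

```python
"""Parse OTS process-list lines and flag overlapping security products."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the OTS output quoted in the thread;
# the explorer.exe line and its MD5 are made up for illustration.
SAMPLE_OTS_LINES = r"""
avastsvc.exe -> C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -> [2010/12/31 14:06:34 | 000,040,384 | ---- | M | MD5 = F868DEED98DCEA4338F3986D5C5D5E96] (AVAST Software)
zlclient.exe -> C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe -> [2010/08/29 02:53:14 | 001,039,360 | ---- | M | MD5 = A81C2966F7D74E9710D58F359DE363B8] (Check Point Software Technologies LTD)
explorer.exe -> C:\Windows\explorer.exe -> [2010/11/20 12:00:00 | 002,871,808 | ---- | M | MD5 = 00000000000000000000000000000000] (Microsoft Corporation)
"""

# One OTS process entry as seen in the thread:
#   name -> path -> [mtime | size | attrs | flag | MD5 = hash] (vendor)
LINE_RE = re.compile(
    r"^(?P<name>\S+) -> (?P<path>.+?) -> \["
    r"(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S+) \| (?P<flag>\S+) \| "
    r"MD5 = (?P<md5>[0-9A-Fa-f]{32})\] \((?P<vendor>.+)\)$"
)

# Hypothetical vendor table: substring of the vendor field -> product family.
SECURITY_VENDORS = {
    "AVAST Software": "Avast antivirus",
    "Check Point Software": "ZoneAlarm firewall/suite",
}


@dataclass(frozen=True)
class OtsProcess:
    name: str
    path: str
    mtime: str
    size: int
    md5: str
    vendor: str


def parse_ots_lines(text: str) -> list[OtsProcess]:
    """Parse every well-formed process line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append(OtsProcess(
            name=m["name"],
            path=m["path"],
            mtime=m["mtime"],
            size=int(m["size"].replace(",", "")),  # "000,040,384" -> 40384
            md5=m["md5"].upper(),
            vendor=m["vendor"],
        ))
    return records


def security_products(records: list[OtsProcess]) -> dict[str, list[str]]:
    """Map each recognised security product family to the process names belonging to it."""
    found: dict[str, list[str]] = {}
    for rec in records:
        for needle, family in SECURITY_VENDORS.items():
            if needle.lower() in rec.vendor.lower():
                found.setdefault(family, []).append(rec.name)
    return found


def conflicting_families(records: list[OtsProcess]) -> list[str]:
    """Return the product families present when more than one is loaded, else []."""
    families = sorted(security_products(records))
    return families if len(families) > 1 else []


if __name__ == "__main__":
    recs = parse_ots_lines(SAMPLE_OTS_LINES)
    for r in recs:
        print(f"{r.name:14} {r.size:>9} bytes  MD5={r.md5}  ({r.vendor})")
    conflicts = conflicting_families(recs)
    if conflicts:
        print("More than one security product is loaded:", ", ".join(conflicts))
```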
-
I am sorry. I may not have been very clear. ZA E is on the computer with Avast and they both run very well. I have the AV of ZA E disabled and testing it. The computer that Avast failed has only ZA P that does not contain an AV. I have Defender and Mbam disabled until I use them to scan. Thanks
-
okay, just ZA P (ie firewall) installed with Avast free has been a source of trouble for many users. As to ZA E, deactivating an AV on one side doesn't prevent conflicts. I already described that.
And if you think that Avast failed, submit the sample that mbam probably quarantined to Avast.
-
I have been having a lot of security problems. Win firewall immediately disables itself after new load and I have checked it to see that it was working. Then the computer loads my network password all by itself and starts communicating with the net. The only thing I have found to block this is Zone Alarm. Mca.., failed completely and would not even go to its own site to load the program. I will try to get the quarantined Trojan to Avast. The Avast real time scanner just stopped and would not restart and the web scanner scanned tens of thousands of non virus containing pages, that slowed down the browser considerably. Again, thanks.
-
I have been having a lot of security problems. Win firewall immediately disables itself after new load and I have checked it to see that it was working. Then the computer loads my network password all by itself and starts communicating with the net. The only thing I have found to block this is Zone Alarm. Mca.., failed completely and would not even go to its own site to load the program. I will try to get the quarantined Trojan to Avast. The Avast real time scanner just stopped and would not restart and the web scanner scanned tens of thousands of non virus containing pages, that slowed down the browser considerably. Again, thanks.
maybe time for a new Windows install, no? your system seems to be particularly unstable. What network password are you talking about?
-
I reloaded Xp Pro more times than I have fingers from scratch. Win 7 Pro has been reloaded from scratch more than I can remember, because it has been so many that I have lost count. I am again sorry about my terminology. What I meant was the Workgroups name. I make them up and it knew it before I could even put it in for the first time after re stripping/fdisk/reformatting.
-
you might be better off upgrading your other PC to W7 as well, and then start to use "homegroup" instead of "workgroup". W7 homegroups are more secure, stable and extremely easy to setup ;)
ps: on a side note, I can't see how a workgroup name could be remembered after a new setup, that's hardly possible... or maybe at router level, but I never saw that happen.
(..also, not sure if ZA firewall conflicts with Avast webshield, but this could well be the case)
-
(..also, not sure if ZA firewall conflicts with Avast webshield, but this could well be the case)
A clear yes to ZA conflicting with avast sometimes...!!
asyn
-
Logos, I thank you for all your help. Mbam now scans hard disks in 5 minutes instead of 15 and the browser is back to being almost instantaneous instead of my waiting tens of seconds to get the favorites displayed. I am also able to get a non blank homepage after clean code was applied. Yes, I am having router problems also. Some of the hard wire connections have become intermittent for unknown reasons. The encrypted wireless seems to remain intact. Thanks for the "homegroup" suggestion. I found out that reload from scratch was only good if it was done when the computer was disconnected from the net. If it was done while connected to the net, it did things like described above. Now I use a kill disk to zero out the drive before re stripe/fdisk/reformat/reload. (I replaced too many controllers and hard disks before this routine) Then I wind up as above with 2 way firewall and AV scanner failing and Trojans placed that then download other malicious programs. I am still looking for a working/stable security system. I have also been exploring Hija.. and Comb.., but none yet seem foolproof. Now I do have to get to work kill disk etc. to several non functioning computers. Yes, I have had Microsoft techs along with security techs working live to verify all was working correctly and they say their product is functioning as designed. Seems like "design" is the problem.
-
Logos, sometimes it just is that I do not always understand results. Can you shine some light on attached result? Thank you in advance.
-
That occurs when you start a scan and at some point avast! clears up old virus definitions, so they are queued up but gone before being scanned. avast! is reporting this to you.
There is a post here by igor (avast! team), showing that it is not a problem:
http://forum.avast.com/index.php?topic=63582.msg537439#msg537439
-
I was wondering since I had a Mbam expert, why Mbam now scans in 5 minutes when it for the last 1yr and many fdisk/reformat/reinstalls of Win 7P, has always taken in the 10 to 15+ minute range. In other words, why the 3 x speed of the Mbam scan after OTS clean? I also noticed that Avast became dysfunctional after latest update to new version. Why doesn't Avast warn when it is dysfunctional? It restored functionality with a reinstall. FYI: I have never used a kill disk on this computer. (I tried but something interferes with the boot process of the kill disk on this computer, so I reserved that to another time.) Thank you in advance.
-
Again, sometimes it just is that I do not always understand results. Can you shine some light on attached result? I have not accessed D: today. Why does this activity occur all by itself? Thank you in advance.
-
I think this may be related to windows updates - most probably windows defender updates. Have you had a recent update (check through Action Centre)?
-
I think this may be related to windows updates - most probably windows defender updates. Have you had a recent update (check through Action Centre)?
yes :) (I mean yes that's WinDef)
-
I thank you both for your sharing your expertise. Yes, defender did update today. It resides on C:. What if D: was not active? Would it have updated entirely on C: and ignored D:? Why is it accessing D: to update to C:? It is not active and is not scanning. Just the Win update is automatic. Thanks in advance.
-
I think that perhaps defender just defaults to the drive with most free space.
-
Someone else on Microsoft answers thinks so too.
Rob Koch MVP, Moderator
I suspect it is on D: because it uses a drive that has lots of free space like Office does when storing the installer files and some other installs and updates.
-steve ~ Microsoft MVP Windows Live ~ Windows Live OneCare| Live Mesh|MS Security Essentials Forums Moderator ~
That's correct, the Windows update system always defaults to the volume with the most space available to place its temporary files.
Rob
-
Also when you ran OTL I had it clear all of your temporary files - hence a lot less for MBAM to look at ;D
-
Thanks. You are all very good at this and I am learning why these things happen. I have used (Ccleaner), always do regular Windows disk cleanup and full browser deletes of files along with reloads as described above and never got Mbam to run as fast as this. I guess I still have a lot to learn. Thanks again.
-
Rather than CC you could try this - it uses the same routines as OTL
Clear Cache/Temp Files
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
-
After clearing the above trojan and reloading fresh after running kill disk, Avast found Win32:hupigon-onx [trj] and win32:emold [drp] in the backup of the original load that it crashed on. Is there a way to adjust Avast to find these when the load is working? Also I noticed in the network shield of the new clean load that Avast shows clean logons to sites I have never heard of before. Is there any way to block this activity and limit network contact only to sites of my choosing? Thank you in advance.
-
I searched the load for unsigned drivers and failed in deleting any of them. I then tried to upload them to online virus checker and failed. The files were not findable in the upload search window, even though I could clearly see them in my computer. Is this normal for Windows?
-
What are these files ? I.e. name and location
-
The only drivers on the new load are directly from Win 7 pro update by MS. No unsigned drivers were loaded. See attached. The signed drivers are in the directory, but the unsigned are not in the directory.
-
Corrupted Data Recovery -- Filename - aeadiext.dll.
They appear to be related to Andrea-Electronics-Corporation file recovery programme
Could you copy and paste the full file location as opposed to a screen shot please
-
I would if I could. That is the only thing Win 7 pro gives. It says they are unsigned and reside in c:\windows\system32, but the only files there are the signed drivers. The files Win 7 pro finds with "sigverif" are not in that directory even though Win pro 7 says that they are there. My concern is more in that should unsigned drivers be coming from Win pro 7 MS update site in the first place?
-
That is intriguing, I have a few unsigned drivers on my system - but I do not think any came from MS
Do you have - or have you used that file recovery programme?
-
No I am not familiar with recovery. I was also wondering if multiple HarddiskVolumeShadowCopy4, 5, 6, 7, 8, 9, 10, and 11 were normal. They are all being reported as corrupt. Is this normal for Win pro 7?
-
No that is not normal, what are your current problems ?
-
Ok, after the more than 100th crash of Win Pro 7, I did a complete reinstall from scratch/kill. (The more than 30th in last 1 year.) Avast found another Trojan in the memory dump of the crash and Win pro was already well along on its usual self destructive behavior, that starts with its erasing its logs and downloading Trojans/viruses from the net with contact only. (I try to only load necessary updates from MS only and this load has only signed drivers now, unlike the LAST THAT HAD UNSIGNED DRIVERS AND NOT WHERE WIN PRO 7 SAID THEY WERE. This is also what WP7 does before it self destructs. It loses track of its own drivers. It says they are in directories that they are not or they are in directories that WP7 can not find.) I was also wondering if it was normal to have hidden partitions on the drives that WP7 can not find? It can find only the root and the system hidden, but it can not find the others and I was wondering if this was normal?
I stopped using Zonealarm after it failed 9 of 9 tests and tried Avast FW, but it failed 5 of the 9 tests, so I went to Com. It passed 9 for 9 of the tests, but I can not recommend it, for other reasons.
Can Avast be configured to stop the Trojans during the active load and not just find them in the backups and memory dumps? Can Avast be configured to stop the placement of the Trojans before the erasures of logs and the moving of drivers that become unsigned to directories WP7 can not find and creation of hidden partitions that WP7 can not see? Thanks.
-
Ok, after the more than 100th crash of Win Pro 7, I did a complete reinstall from scratch/kill. (The more than 30th in last 1 year.)
Dude, dunno what you are doing really, but:
0/ Read Best Free Drive Imaging Program (http://www.techsupportalert.com/best-free-drive-imaging-program.htm) article, make your choice, install, make an image of fresh clean OS+applications install.
1/ Change your surfing habits, stop surfing/working under admin account and stop downloading and installing crap such as warez, keygens, cracks etc. from dubious sources. Browsing random pr0n does not help either.
2/ If you are really unwilling to do the above, at least get yourself something like Avast Pro/AIS (paid) or Sandboxie (paid or free) and browse sandboxed and use all the stuff mentioned above in sandbox.
3/ No idea what kind of FW tests you have conducted but if they were the leak tests Matousec style (as the Comodo results would suggest) then you are not really testing firewall functionality.
With 30+ reinstalls per year, the problem is between the chair and the keyboard apparently. ::)
-
Thanks. I would work more to the image, but the problems stated above start with contact to the net and the working load needs contact to the net to start working before the load of software. The sites are not contacted by me. They are contacted by MS WP7. I do not surf sites per se. I do log on to sites like this to get help only. That is when the above starts to disintegrate WP7.
Thanks for the info see attached test result of Avast. (Avast Pro/AIS (paid)) Com... passed this test.
-
Thanks. I would work more to the image, but the problems stated above start with contact to the net and the working load needs contact to the net to start working before the load of software.
Absolutely no idea what are you trying to say ??? ??? ???
The sites are not contacted by me. They are contacted by MS WP7.
Windows does not contact warez/p0rn sites. If you are infected yet again, go wipe the drive and reinstall once again from scratch. After you have finished installing, make an image of clean system.
Thanks for the info see attached test result of Avast. (Avast Pro/AIS (paid)) Com... passed this test.
Never heard about AWFT but as said again, leak tests are essentially useless.
-
Thanks again. Win Pro 7 is loaded by Genuine Holographic and verified by MS load disk, but before it will work it needs to be updated and allowed by MS through contact with the net. All the problems stated above start at this point and before install of software (except Avast etc.). I do not contact porn sites and the only sites I contact are like this and programmers running sites like this. All I am trying to do is get and keep a working load of WP7 that does not log onto sites that I have never seen and load Trojans that Avast only finds in memory dumps and backups. I do not think that that is asking too much? You are correct, that I am trying to learn how best to evaluate security software that actually works and addresses the issues above.
I actually do not know the sites that WP7 contacts. All I know is that it must be designed to do that, because it does it by itself. What I would like to know is if the above stated is normal or not and then start addressing how to stop any abnormal and forget about normal. Hidden partitions that WP7 can not see other than working and hidden system that WP7 does see? Directories of drivers that WP7 does not see, but reports being in other directories that they are not? etc. Thanks.
-
??? ??? ???
-
Thanks again. Win Pro 7 is loaded by Genuine Holographic and verified by MS load disk, but before it will work it needs to be updated and allowed by MS through contact with the net. All the problems stated above start at this point and before install of software (except Avast etc.)
Yeah, and the problem exactly is? Like, can't you let the computer update itself without infecting it meanwhile by browsing stupid sites? Just leave it alone until it's updated, do not browse and do not install anything downloaded from god knows what source. Wait until it's done. Are you racing somewhere, or what?
What I would like to know is if the above stated is normal or not and then start addressing how to stop any abnormal and forget about normal. Hidden partitions that WP7 can not see other than working and hidden system that WP7 does see? Directories of drivers that WP7 does not see, but reports being in other directories that they are not? etc. Thanks.
Yeah the hidden partition is normal, the second thing is also normal - Windows maintains a list of last used locations in registry and doesn't check whether you have deleted or moved the drivers somewhere else meanwhile... All this is also completely off-topic here.
P.S. And kindly don't tell me that all the trojans keep spreading mysteriously out of nowhere to your computer without you doing anything -> BS. ::)
-
Doktornotor, thanks. I apologize for not being a computer expert like yourself, but I rarely download anything from the net. I have never contacted a "warez/p0rn sites" to the best of my knowledge. As far as MS software, that is what I am trying to understand the security applications like Avast. I know that MS has the ability to disable its own firewall all by itself, because I saw it do it as I was waiting on manual verification/validation from MS. The only software loaded at the time was MS. I also let MS load all its updates before I load others, except Avast etc.
Would like Avast to tell me when it stops running. Now I only see it when real time shield stops working or win logs state it, before MS erases them automatically. Com... at least tells me it has stopped working and I need to reboot (a lot).
Also would like to get MS IE8 to keep protected mode on. It drops it every time I connect to my brokers web site. These are a few of the security problems I am still trying to fix in MS. Thanks for your help.
Thanks for clarifying all the hidden partitions that MS does not see and are only visible when I do a kill disk and thanks for clarifying all the drivers that MS moves automatically then forgets where it placed them.
-
"trojans keep spreading mysteriously" That is the problem. I am trying to understand how this happens consistently. All I know that I try to download only essential/needed software, like Avast and needed updates only. I never do P2P or any porn/copy site. I do not know why Win puts all the hidden partitions on the drives that it can not see other than its hidden system partition, but it does all by itself and then it loses track of its drivers, but it does. Then sfc/scannow becomes so dysfunctional, that it can not recover, that it does consistently for last year on multiple rebuilt computers and all reloads and this still mystifies me, as why IE9 loads pictures and files on the computer to its history file that have never been on the net, yet appear along side of the history of visited web pages. I still do not understand why Avast only finds the trojans in backups and crash memory dumps and not during the active running load, but it doesn't. I am very willing to modify my behavior, but I am hoping that Win/Avast will help in correcting any security flaws.
-
unplug your computer from the network cable (or from the router) and install W7. even if not validated, W7 will run for 30 days. install avast, then connect to the internet. do you still have problems now? because W7 is not configured to serve you with malware the second you install it. if this is the case you have a modified(?) install kit of W7.
-
Windows 7 has a hidden partition where the recovery console is installed. You will not see it through the OS
I did a complete reinstall from scratch/kill
Did you reformat the drive ?
but before it will work it needs to be updated and allowed by MS through contact with the net.
Windows 7 works right out of the box. It will ask to update but you can deny that until you are ready, the system will still work. That is how I installed my copy, no need to even connect to the net until you are ready
"trojans keep spreading mysteriously" That is the problem. I am trying to understand how this happens consistently
If you over install rather than reformat this will happen, especially if you have an MBR infection
Would like Avast to tell me when it stops running.
It does with the exclamation mark
I must admit I am still not sure what the problem is -
-
Dansorin, thanks. I apologize for not being an expert in Win/security and I thank you for your input. Yes, Win comes from a Holograph disk and states genuine when validated by Win and the sfc/scannow works out of the box. I also have learned to pull the network plug during install. I also fdisk and reformat before install after wiping with kill disk. I learned this after doing this with re-raiding, but still plugged into the net, that problems started right out of the box.
-
Essexboy, thanks and I again apologize that I am not an expert in Win/security. Kill/format/fdisk yes. Yes, I unplug from the net now before loading Avast etc. The only way I know Avast is not working is when it stops doing real time screening or a message appears in Win log that it has stopped. Com... firewall gives an error message that it has encountered an unknown problem and stops. The latest concern was stated above when I noticed that pictures and files on the computer were listed in the history of IE9 as if I visited them on the web, which was impossible, since they never left the computer. At this time Avast and Com.. fw says clean and Malw...... says clean, but the pictures and files still appear in the history file of IE9. Sfc/scannow is clean and the driver scanner says all drivers are signed. Is the appearance of some pictures/files on the computer in the history of IE9 normal, even though they never were associated by me with IE9? The files are selective and only pertain to sensitive material on the computer that I would never want out on the net. Is this normal?
-
Com.. fw
does that mean you have Comodo firewall as well
-
Com.. fw
does that mean you have Comodo firewall as well
That would be Comodo Firewall. ;D
-
Ah I must have been thinking of the dragon ;D
-
Ah I must have been thinking of the dragon ;D
I guess not cause then that would be "Komodo". LOL.
http://en.wikipedia.org/wiki/Komodo_dragon
-
It depends on where you were drug up and edumikated
-
http://forum.avast.com/index.php?action=dlattach;topic=68839.0;attach=61359
The above was what I got with Avast fw, so I tried Com.... fw and all testable leaks were plugged. Is it normal for files and pictures on the computer to appear in the history of IE9, that have never been associated with it? Thanks
-
Personally I do not give much truck to the firewall leak tests
You will see some elements from your computer if you open html files or certain picture files that open in a browser
With Windows 7 I think gif files do that - although I will need to test it out
-
Essexboy, thanks. I know that if I opened a html file or something that opened in a browser that it would be in the IE9 history file, but these are documents from Word and other files that I have never associated with IE9 on my side in any way. These appear in the history of IE9 and I am stumped as to how. A programmer told me this was normal for IE9, but I can not see how. They were selective and only the sensitive kind. The tester gave ZA 0 for 9, Avast 5 for 9 and Com... went 9 for 9 without leaking any material from the computer. ZA blocked access to its site as did Avast, where Com... allowed access to all support sites and Avast and Malw... both scanned clean during the test. Thanks for all your help.
-
Essexboy, the posted files are an example of 2 files that I found in the history file of IE9. There were others, but all were never associated with IE9 by me. Is this normal or is something else going on that needs to be addressed? Thanks.
-
Did you access that online ?
-
None of the files that appear in the IE9 history were ever accessed on line. They only reside inside the computer and until I sent you copies of 2 of them, they never were on line.
-
I have checked on my system and all gif files open with IE - The thing is though I empty my caches as the browser closes - so I rarely have more than a few hours history at any one time
-
Essexboy, thank you for your input. I just am trying to confirm the normalcy of observed behavior, since I have been having so much trouble with Win security in general. Thank you for confirming this normalcy. Now I hope that all the other non picture files were similarly opened in IE9, even though I still do not see why they would be. Thanks in any case. Now maybe I can get back to perfecting making money. Thanks.
-
Essexboy, I have removed some unidentified networks set up by Win and placed some attached computers into the banned list by MAC, because I do not know who they are. Is it better to allow only my computers to attach to my network or to ban the strange computers by MAC in the router? The router only gives the option to ban by MAC or allow by MAC. Thanks.
-
Essexboy, I have removed some unidentified networks set up by Win and placed some attached computers into the banned list by MAC, because I do not know who they are. Is it better to allow only my computers to attach to my network or to ban the strange computers by MAC in the router? The router only gives the option to ban by MAC or allow by MAC. Thanks.
It depends on how much work you want to do. If you choose to ban certain MAC addresses, then you'll constantly have to look at your router's log to find new MAC addresses that have tried to connect to it, and ban them manually.
Or, you could just put the two computers' MAC addresses in the allow list and never have to worry about it again until you get another computer, replace a NIC, or remove a computer (obviously, the better choice).
Still trying to figure out how a completely reformatted and reinstalled computer gets random things in the browser history, and no, that's not "supposed" to happen. Seems like you have some gremlins in your computer accessing sites while you sleep.
-
Scythe944, thanks. The reason I asked, is because I can see devices on the other side of the router and they can see me, both by MAC, but the router does not see them. This makes me wonder how best to configure the router. Yes, it would be nice to only have 2 computers. For now, I have blocked the offending computers that were attached and I am watching for any others. Thanks.
-
Sorry, reading through the threads quickly it seemed as though you only had two computers on your network.
You can continue adding unauthorized MAC addresses to the block list, or gather a list of MAC addresses that are known to be good, and then add them to the allow list on your router.
I guess I don't know what kind of environment you're working in, whether it be a work / home / school /etc. environment and I don't know what type of routers / servers you are running.
If you had a Windows DHCP controller, you could easily see the authorized computers on your network, and pull the MAC addresses from there. If your only DHCP server is your router, then you have to rely on it to provide you with the relevant information.
-
Scythe944, Thanks. I am noticing that Windows Security pop up box has replaced all my passwords with an 11 digit password that I do not know. How do I stop this? It has happened on more than 1 computer and it is 11 digits on both. I also noticed that the router is constantly being port scanned by a lot of Chinese sites. Is there anyway to stop that?
-
What? No, seriously, you must have some pretty serious infections on your network if all of a sudden all of your passwords are replaced with an 11 digit password. How the heck do you even know they are 11 digits anyway? Are they Windows passwords, wifi, website, FTP, what?
That doesn't even make any sense.
Blocking Chinese IPs wouldn't be hard, but we'd need to know what router you are using in order to give you specific instructions.
Otherwise, just look for an "IP block" of some sort in the router under the firewall or maybe it has a section where you can block connectivity to certain IPs. At any rate, if you rebuild a computer from scratch and it instantly gets infected by things I'd be much more worried about other infected computers on the network or lack of a firewall at the gateway. Look into wireshark http://www.wireshark.org/ and analyze the traffic on your network to see where the hell all of this stuff is coming from because you certainly can't be infected immediately after installing windows from an OEM disk.
-
Scythe944, thanks again. Router is Dlink Dir-825. Both Malwarebytes and Avast "boot" scan say clean. Boot scan takes a long time and the drive sounds just like low level formatting when it locked out bad sectors when I originally set it up. Is that normal for Avast? The 11 digit PW is on the Windows pop up box where it offers to automatically put in the PW for me. I know it is not correct even though it is all dots, because the only 11 digit PW I use is on one of my Email accounts and the passwords for the security cameras are not 11 digits. Windows also offers the 11 digit PW for the cable modem PW that is also not 11 digits. The router log shows all the blocked port scans, so after I changed its default security setting from allow all to block all, it shows all the port scans from all the Chinese sites, so I think it may already be blocking them. I was just concerned about the speed of the router having to log all the blocks and giving me slow/intermittent internet connects now.
-
Thanks for the router info, I'll try to look up info on it and give you better instructions on blocking strange IPs. I think it's most important to not use any port forwarding or DMZ features of the router unless you absolutely need them (and I'm not saying that you even have any setup).
I still don't understand the password thing. When Windows is set to automatically login, it's usually because you only have one user and no password, thus just logging you in automatically when you start the computer.
If you have a password, it should ask you for it, not automatically put it in for you. Windows only stores passwords for web sites and network resources, not for windows itself. See here for managing windows stored passwords: http://support.microsoft.com/kb/306541
Do you have a program installed that is supposed to remember your windows password?
Did you do something in the control panel > User Accounts to make it automatically log you in with a password?
Something really wrong must be going on here, or you must be "pulling our chain".
Alas, I cannot attest to the boot time scans because I rarely have to run them. The last time I ran one was with Avast 4.8 and I can't remember how long it took because I had it do it overnight and it didn't find anything.
-
Just had a look at the DLINK's emulator for your router model.
You can block IPs (and entire blocks of IPs for that matter).
Log in to the Router, click on the Advanced tab, click on Inbound Filter on the left side pane, then input a name (to help you remember what IPs are blocked by whatever rule that you are creating).
Then, input an IP address or a range of IP addresses that you'd like to block (I don't know how you're going to find out all of the ones that you want to block, but I guess you can try with doing WHOIS queries on IP addresses that you want to block, then block that entire subnet or something).
Keep doing that for as many IPs as you want to block.
Once done, I'd also click on the Firewall Settings pane and make sure that SPI is enabled, UDP Endpoint Filtering is Address Restricted and TCP Endpoint Filtering is Port and Address Restricted, also the Anti-Spoof Checking is enabled.
Keep the DMZ OFF unless you have something that needs full access to the internet (like a Vonage box or similar), and if you don't use or know what a VPN is, you can probably turn off PPTP and IPSec, both of which need to be ON for VPN use, but unnecessary if you don't use VPN.
-
Scythe944, Thank you very much for all your help. The Windows pop up I am referring to is inside IE9 and not the log on to start windows. It pops up with the 11 digit PW that is the wrong number of digits to sign in to see the security cameras local computer only and not over the internet and likewise the modem local from the computer and not over the internet. The only 11 digit PW I use is on an Email account that is over the internet. Thank you again for all the other help. Still trying to figure out what is normal and what needs to be addressed. Thanks. I was thinking on replacing the Dlink 825 with a more secure one. (Since its default security was set to allow all and yes MAC 0:0:0:0:0:0 was attached along with another and I changed the default to block.) Any recommendations?
-
2.4 N signals are strong. At 2000' I am seeing SSIDs outside, but none inside. A search inside reveals yet another non-computer device attaching directly to the router. Very complicated setting up a secure router. Thanks for the help.
-
I am getting a lot of "outgoing" connection attempts from a computer that scans clean with Avast boot. Is that normal and how do I stop it? I set the router as was suggested. Most all other computers do not do this. Thanks
-
Outgoing connection attempts from what application, port, protocol, etc. more details please ?
-
These are from the router log, so ??? application??? 63.135.86.43 from port 50654, 74.120.140.21 from port 50589, 208.71.125.131 from port 50609, 204.77.30.86 from port 50601, all to port 80. Repeated many times. All TCP packets. I am still trying to learn what is normal. Still getting hundreds of port scans incoming, but I guess that is normal. Thanks.
-
I was wondering if there might have been more information from a software firewall log as that normally indicates the program/process responsible for the connection. See image example of my firewall log.
The first IP is for myspace-inc.com, second is turn.com, 3rd is 247realmedia.com, 4th is Coremetrics, Inc. (with a reference to us.ibm.com). So I don't know if any of those ring any bells as the fact they are TCP to port 80 would appear to be regular browsing.
As for inbound port scanning there are many speculative attempts to find computers that are open, these use random IP addresses in the hope of finding one. For the most part if your system is fully stealthed and doesn't respond to any port scan, it isn't something I would be overly concerned with. Most software firewalls do record these.
Personally I don't stick my nose in the logs unless there is something specific that I'm looking for as it can cause more grief than reassurance.
-
Thanks for your input. None of those ring any bell at all. I only use that computer to trade world markets through a server not in any of those regions and computers that I do use to browse do not have those places in them. In fact they usually only try to make contact with the security software sites for updates etc. and no other contact. It was only the trading computer that did this activity all by itself. I am still trying to see normal from abnormal and just want to be reasonably assured that there are not glaring security holes that still need to be addressed. The port scans are only in the hundreds per day and I think the router can handle that without being overloaded, but if it isn't stopped, eventually it could be overwhelmed with them. As the Chinese have super computers developed for them by American companies, that day may not be far off. Thanks.
-
You're welcome.
It is possible I guess for the TCP to port 80 not going through your browser as there are examples of this when avast.setup does the virus signature updates on TCP port 80 and the avast free, avastUI.exe also uses TCP but on port 443 (secure) and they aren't using the browser.
This is why I favour the software firewall log as it actually tells you what is establishing the connection and that is more reassuring than a bunch of anonymous data.
-
You could run "netstat -a" from your computer to see if it's the one making the requests.
Again, a wireshark analysis of your network traffic would help, but you might not know how to use it. I barely do.
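The router log quoted above gives only remote addresses and local ports, which is why the software-firewall log and the `netstat` suggestion come up: both tie a connection to the process that owns it. The following Python script is an added example, not code from any poster in this thread. It parses constructed `netstat -no` output (Windows; `-o` adds the owning PID) and constructed `tasklist /fo csv` output, joins them by PID, and flags connections whose PID no longer appears in the task list, which is what happens when the process has exited between the two snapshots. The remote IPs are those quoted earlier in the thread; the local addresses, ports, PIDs and process assignments are made up for the example.

```python
import csv
import io
import re

# Constructed sample of `netstat -no` output on Windows. The remote IPs are
# the ones quoted earlier in this thread; local addresses, ports, states and
# PIDs are made up for this example.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.10:50654     63.135.86.43:80        ESTABLISHED     2932
  TCP    192.168.0.10:50589     74.120.140.21:80       ESTABLISHED     2932
  TCP    192.168.0.10:50609     208.71.125.131:80      CLOSE_WAIT      2932
  TCP    192.168.0.10:49201     96.17.164.29:80        ESTABLISHED     4636
  TCP    192.168.0.10:49310     192.0.2.50:443         ESTABLISHED     1804
  TCP    [fe80::75d4:1c2e:9a3b:4f10%11]:445  [fe80::1%11]:52011  ESTABLISHED  4
  UDP    0.0.0.0:3544           *:*                                    1120
"""

# Constructed sample of `tasklist /fo csv` output taken a moment later.
# PID 4636 is deliberately missing: that process had already exited, which is
# why a PID seen in netstat can be impossible to find in Task Manager.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","236 K"
"svchost.exe","1120","Services","0","9,412 K"
"avastUI.exe","1804","Console","1","31,204 K"
"iexplore.exe","2932","Console","1","88,710 K"
"""

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

UNKNOWN = "unknown (PID not in tasklist; process exited?)"


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port). Handles '[v6%zone]:port' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]          # drop brackets and zone index
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -no` text into a list of connection dicts."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue                                # header and blank lines
        proto, local, foreign, state, pid = m.groups()
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_ip": lip, "local_port": lport,
                     "remote_ip": rip, "remote_port": rport,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in reader}


def attribute_connections(netstat_text, tasklist_text):
    """Join netstat rows to process names; PIDs without a match are flagged."""
    procs = parse_tasklist_csv(tasklist_text)
    rows = parse_netstat(netstat_text)
    for r in rows:
        r["process"] = procs.get(r["pid"], UNKNOWN)
    return rows


def processes_for_remote(rows, remote_ip):
    """Which process(es) hold a connection to an IP seen in the router log."""
    return sorted({r["process"] for r in rows if r["remote_ip"] == remote_ip})


def unattributed(rows):
    """Connections whose owning process could not be identified."""
    return [r for r in rows if r["process"] == UNKNOWN]


if __name__ == "__main__":
    rows = attribute_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for r in rows:
        print(f"{r['proto']:3} {r['remote_ip']}:{r['remote_port']} "
              f"{r['state'] or '-':11} pid={r['pid']} {r['process']}")
    print("router-log IP 63.135.86.43 ->", processes_for_remote(rows, "63.135.86.43"))
    print("unattributed:", [r["pid"] for r in unattributed(rows)])
```

Run `netstat -no` and `tasklist /fo csv` as close together as possible, since both are snapshots; a PID that shows up in the first but not the second usually means a short-lived process, not a hidden one. PID 4 is the Windows `System` process, which is why SMB (port 445) traffic is attributed to it rather than to a user program.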
-
Thanks and thanks again. Avast will not run real-time nor update in safe mode?
Why is svchost.exe trying to target forexstrategybuilder.exe and why is it owned by an unknown and not deletable? Thanks (The unknown owner will not show itself nor let the administrator or system to take control of it. What is the best way to delete it and are there other parts of it causing svchost to target it that I also need to remove?) Avast boot says clean and Malware says clean, but Com.... says VIRUS. Who is correct and what should I do? Avast and Malw... safemode scans say clean.
-
Thanks and thanks again. Avast will not run real-time nor update in safe mode?
Why is svchost.exe trying to target forexstrategybuilder.exe and why is it owned by an unknown and not deletable? Thanks (The unknown owner will not show itself nor let the administrator or system to take control of it. What is the best way to delete it and are there other parts of it causing svchost to target it that I also need to remove?) Avast boot says clean and Malware says clean, but Com.... says VIRUS. Who is correct and what should I do?
Because you are infected (may have come over IPV6).
You may want another thread for this.
Not a specialist on trojan/worm removal. Don't get them (knock on wood).
-
OK I GOT AVAST TO WORK AGAIN.
If there is a virus??? What should I do now, since Avast and Malw.... both do not see it at boot or in safemode? The target file is only a download and not in the programs directory.
-
Always wondered what that last one was or for that matter of fact, what most are.
[fe80::75d4 ...... etc. What is that?
Should any of this mean anything to me? Thanks.
-
Ok, I know I am having a lot of computer security problems and it is very obvious that I am no computer expert and I apologize for that, but please can anybody shed some light on whether or not Win 7.1 Pro is setting its network up securely by defaulting to "Teredo Tunneling Pseudo-Interface" whatever that is and what is "[fe80: :.......... etc. anyway? "ForexStrategyBuilder.exe that resides in downloads directory and is being targeted by svchost.com is larger than 5 megabytes. If it is a virus??? does its size have something to do with Malw... not seeing it, or is something else causing this targeting? I realize that Win 7.1 Pro is the most unstable release of Windows yet, but I am getting tired of reformatting and reloading it so often to get it to work for so short of a time. Suggestions on removing "ForexS.... and/or what is causing it to be targeted???? Thanks.
-
I'm coming back to this topic a little late so I haven't gone over the complete topic again.
Do you actually use Forex ?
If not then ForexStrategyBuilder.exe would be somewhat suspect.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here, the URL in the Address bar of the VT results page.
Have you tried a scan with MalwareBytes AntiMalware (MBAM) - I don't believe size should be an issue in the mbam scan as there is no option not to scan files over a certain size in the mbam settings, Scanner Settings tab.
- Unlocker http://ccollomb.free.fr/unlocker/ (http://ccollomb.free.fr/unlocker/) is an option it can not only delete the files but stop any process that is stopping you from deleting a file (unlock).
-
Always wondered what that last one was or for that matter of fact, what most are.
[fe80::75d4 ...... etc. What is that?
Should any of this mean anything to me? Thanks.
the strange numbered address is an IPv6 address, as is the Teredo Tunneling interface (IPv6 to IPv4).
You could disable IPv6 if you wanted to: http://support.microsoft.com/kb/929852
As for the Forex problem, as David stated, unless you use that program it shouldn't be there.
The netstat -a screenshot you posted is good to see what your computer is accessing (and being accessed by). The only problem is sometimes it only shows IP addresses, which of course you'll have to lookup yourself to find out who owns those addresses.
A netstat -no command will give you Process ID numbers (PID), which you could then open the task manager to find the corresponding program that is running with that PID and you could kill it if needed.
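To make the two IPv6 items in this exchange concrete (the `fe80::` address asked about above and the Teredo tunnelling interface named in the reply), here is an added Python example; it is not code from any poster. It classifies IPv6 addresses using the standard `ipaddress` module: `fe80::/10` is link-local and never leaves the local network segment, while a Teredo address (prefix `2001::/32`, RFC 4380) embeds the Teredo server's IPv4 address and the client's public IPv4 address and UDP port, which the script decodes. The sample addresses are constructed for the example, except the Teredo address, which is the one used in RFC 4380.

```python
import ipaddress

# Constructed sample addresses for this example (the Teredo one is the
# RFC 4380 example address, the rest are made up or documentation ranges).
SAMPLES = [
    "fe80::75d4:1c2e:9a3b:4f10%11",            # link-local with a Windows zone index
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",    # Teredo (RFC 4380 example)
    "::ffff:192.0.2.10",                       # IPv4-mapped
    "fd12:3456:789a::1",                       # unique local (fc00::/7)
    "2001:db8::1",                             # documentation range; treated as global here
]

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")


def decode_teredo(addr):
    """Decode a Teredo address into (server_ipv4, client_ipv4, client_udp_port, cone_flag).

    RFC 4380 layout, 128 bits: prefix(32) | server IPv4(32) | flags(16) |
    client UDP port XOR 0xFFFF(16) | client IPv4 XOR 0xFFFFFFFF(32).
    The XOR "obfuscation" exists so NATs do not rewrite the embedded values.
    """
    raw = addr.packed
    server = ipaddress.IPv4Address(raw[4:8])
    flags = int.from_bytes(raw[8:10], "big")
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
    return str(server), str(client), port, bool(flags & 0x8000)


def classify(addr_str):
    """Return a dict describing what kind of IPv6 address this is."""
    # Windows prints link-local addresses with a zone index (%11); strip it.
    addr = ipaddress.IPv6Address(addr_str.split("%")[0])
    info = {"address": str(addr)}
    if addr.is_link_local:
        info.update(kind="link-local",
                    note="fe80::/10: valid only on the local link, not routed to the internet")
    elif addr in TEREDO_PREFIX:
        server, client, port, cone = decode_teredo(addr)
        info.update(kind="teredo", server=server, client=client, port=port, cone=cone,
                    note="IPv6 tunnelled over UDP via a Teredo server (RFC 4380)")
    elif addr.ipv4_mapped is not None:
        info.update(kind="ipv4-mapped", ipv4=str(addr.ipv4_mapped))
    elif addr in UNIQUE_LOCAL:
        info.update(kind="unique-local", note="fc00::/7: private, like RFC 1918 in IPv4")
    else:
        info.update(kind="global")
    return info


def summarize(addresses):
    """Classify a list of addresses and return [(address, kind), ...]."""
    return [(a, classify(a)["kind"]) for a in addresses]


if __name__ == "__main__":
    for a in SAMPLES:
        print(classify(a))
```

Two practical points follow from the decode. First, a Teredo address reveals the host's public IPv4 address and the NAT port in use, so it is not as anonymous as it looks. Second, Teredo talks to its server over UDP port 3544 (the port the thread later asks about); if IPv6 via Teredo is not wanted, blocking outbound UDP 3544 at the router or running `netsh interface teredo set state disabled` on the Windows host turns it off, and disabling IPv6 on the adapter alone does not necessarily stop the tunnel.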
-
Thank you David. At the first site above, the file will not allow itself to be uploaded. At the second site above I only get "Erreur 503 - Service indisponible". I will continue to try, but is the network setup above making any sense to you? Thanks.
-
Thank you Scy.... No I would really like to get rid of the 5MB file. How???
The current connections are apparently only Avast and Com...., but I will be watching. Thanks
-
If unlocker won't do it, you might try safe mode with networking. Then you can follow David's recommendation of submitting it to virustotal.
While in safe mode, do a Malwarebytes scan also.
-
Thanks again Scy..... I will try your advice. I already tried a Malw.... scan in safe mode and it was clean, as were the Avast scans in boot and in safe mode. Thanks. Are Avast real-time shields designed to stop working in safe mode?
-
Thank you David. At the first site above, the file will not allow itself to be uploaded. At the second site above I only get "Erreur 503 - Service indisponible". I will continue to try, but is the network setup above making any sense to you? Thanks.
Find the file and try making a copy and place it in a different folder.
Try this location to download Unlocker http://www.filehippo.com/download_unlocker/ (http://www.filehippo.com/download_unlocker/).
You didn't say if you actually use Forex ?
-
...I would really like to get rid of the 5MB file. How???
http://www.malwarebytes.org/products/fileassassin
Warning: Please use caution with FileASSASSIN as deleting critical system files may cause system errors.
-
Thank you for your help. I definitely am no computer expert and I again apologize for that. I noticed on another computer that there was a TCP connection running in Windows task manager and not being managed by Avast. TCP 96.17.164.29 it had pid 4636 and I went to services to kill it and it was not there. What am I doing wrong?
There are 3 pages of Task manager pids and netstat -no and -a attached. Thanks and especially thanks if you could look at it and assure me it is ok and I am simply no computer expert and that is why I do not understand what I am doing.
As far as Forex, I look at all world markets and downloaded that ForexStra....... program into a download directory from what I thought was a clean trading
-
last 2 pages.
The file " ForexStrategyBuilder.exe" is in a download directory and not in the working programs directory of Windows. TCP 96.17.164.29 is I think a Bloomberg tv feed, but since it was running outside Avast I was going to see if it could be found and killed, but I could not find the pid. I do not think there is any virus at work, but I am no expert.
-
Going back to the first post on this page, Reply #120, I don't know how the forex software works in trying to get its live data. That really is something which you would need to look into on the Forex forums. Whilst some would say that when trading on-line it has to be secure, so that could account for your not being able to probe it for information.
Why the ForexStrategyBuilder.exe needs to connect and more importantly why it can't connect on its own, rather than svchost.exe being used is another mystery. Normally the only process that I see that uses the svchost.exe to connect to the internet is windows update.
So when this happens again, please capture the alert image.
-
Thank you again David. From your reply. I guess the above post of task manager and netstat are normal and I can focus in on finding out why the file Forexst..... that is not running/loaded and not even in the working programs directory, but is fixed in the download directory file only is getting targeted. I again apologize for not being computer literate. Thanks.
-
Well I suspect that they are OK. However I haven't the slightest idea how the Forex software works, which is why it really needs someone who uses the software to confirm that this is how it works on their system.
-
David thank you for all your help. In another couple of decades, I might just become a computer expert. I noticed that today is "IPv6" day. I disabled IPv6, but the test of its function says it is working just fine with "Teredo" connectivity directly to IPs. That is normal? Maybe that is why Win7 Pro sets up "Teredo" by default and starts unknown networks by default??? I am still working on that decade learning curve. Can you reassure me that this is OK. Thanks.
(The computer successfully connected to a IPv6 site in the test without any security notification whatsoever, but it states it will not work in a browser. In other words, the computer/Win Pro 7 can connect IPv6 (through all security programs without notification), but I blocked my use of it in my browser. Is this normal?) See attached. IPv6 is disabled. (but 3544 is the IPv6 port)
-
IPv6 day won't affect anyone directly as far as I'm aware it just checks if those accessing sites can do so using an IPv6 IP address. If they can't then they would access it normally using IPv4.
Personally I'm not even thinking about IPv6 as it is still some way off and both my main system (XP Pro) and my netbook (Win7) fail the IPv6 test. This is no doubt due to my ISP not yet being ready for IPv6 and that is outside my control, so not something that I am going to worry about.
I really have no idea about the IPv6 port (never looked into it), but the actual IP address is an IPv4 IP address. So I can't see the purpose in their using that port in conjunction with IPv4. Other than to possibly see if it is able to use the protocol.
So the upshot is I really don't know if it is normal or not.
-
David, thanks. This load is very very very old. Maybe 1-2 months. Maybe I need to trash it (Win7 Pro flavor 7.1) and start over for the ??? time. I am starting to get all sorts of error/crashes/instability. I have not run an Avast scan of a full backup, but that is where I start to see trojans/etc. Stopped doing that, because that was the only way I could figure out to stop it. I will have to give this some thought. In any event, I am learning as I trash. Thanks again for all the help. (I blocked IPv6 at the router, since disabling it only gave absolute control of it to Windows to connect to whatever IP and no oversight of it to myself)
-
Is Avast designed NOT to work in safe mode? Is Avast designed NOT to allow bootscan from safe mode? Thanks.
-
That is the whole purpose of 'safe mode': it runs a minimal program set so you can resolve conflicts, etc.
You can manually start avast in safe mode to do an on-demand scan, but I don't know if it extends to being able to make changes to the registry (required) to be able to schedule a boot-time scan.