Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: REDACTED on June 15, 2016, 09:20:25 PM
-
I miss some directories and files from a couple of days ago.
It certainly was not me who deleted them, I edited the files and I still need them.
I would already be happy with a log file that showed all incoming traffic that passed the AVAST PRO Firewall.
Even better would be to know a log of all changes on the Windows file system and which IPs did them. Does something like that exist in Windows 10?
Moreover, is this suspect? Why would my ISP change the Firewall mode each day to Public/High Risk Zone (according to the AVAST PRO Firewall Log "rules")?
-
If you want a computer check from a malware expert, then follow instructions here and attach requested logs
https://forum.avast.com/index.php?topic=53253.0
-
Thanks I have done this procedure before a year ago or something, for another issue, gave interesting results though.
But I don't think it's a virus, because it specifically deleted my most important recent files, like someone is monitoring my computer and knows what to delete.
That's why I call it incoming traffic hackers.
Please tell me if there is an AVAST or windows log file I can check for suspicious incoming traffic AND (ideally) for corresponding suspicious changes to the windows file system.
Ideally I would see, if such a log file exists, that an IP address (not my own) deleted these files.
HOW CAN I GET PROOF THAT SOMEONE ELSE (HACKERS) DELETED THE FILES???
-
But I don't think it's a virus, because it specifically deleted my most important recent files, like someone is monitoring my computer and knows what to delete.
If so, it may be seen in the diagnostic logs ..... so, attach logs ;)
are you the only one with access to that computer?
-
Yes I'm the only user and my computer is in a locked room.
Where can I find diagnostic log files in AVAST Pro?
-
Yes I'm the only user and my computer is in a locked room.
Where can I find diagnostic log files in AVAST Pro?
Not avast ... Logs from the link I posted above.
Scroll down to the second picture > Farbar Recovery Scan Tool < run it as instructed and attach the two logs here in this topic.
-
Thank you for looking into this issue. So I want to know if "incoming traffic hackers" can have deleted some recent important files. And if you have evidence or maybe even proof of such a thing please explicitly say so in writing in this forum post!!! And please say also how one can see this (or what to look for).
Here are the scan logs.
-
Moreover is this suspect? Why would my ISP change each day the Firewall mode to Public/High Risk Zone (according to AVAST PRO Firewall Log "rules")
(my own quote)
I remembered it wrong. I now work on a computer without AVAST, so I could not check before. It says "Firewall changed mode"; it seems to be done at every Windows restart, even when the computer is not plugged in to the internet. It could be an automatic entry in the log file only triggered by booting Windows; strange though that it remembers the ISP specification even when not plugged in. I never used password-protected WIFI under this AVAST/Windows, by the way; Windows does not know the password, I never entered it there.
-
I would already be happy with a log file that showed all incoming traffic that passed the AVAST PRO Firewall.
You can check the avast firewall log, but I doubt everything will be in it if you don't have it set to verbose logging.
Even better would be to know a log of all changes on the windows file system and which IP's did them
An IP does not change things and even has nothing to do with files.
Why would my ISP change each day the Firewall mode to Public/High Risk Zone (according to AVAST PRO Firewall Log "rules")
An ISP doesn't change things like that.
They don't even have access to the settings unless you give them remote access or something like that.
HOW CAN I GET PROOF THAT SOMEONE ELSE (HACKERS) DELETED THE FILES???
Hire a forensic IT security company like Fox-IT
They are right around the corner (Delft)
https://www.fox-it.com/nl/
-
They don't even have access to the settings unless you give them remote access or something like that.
I corrected my "misinterpretation / wrong remembering" of the log entry in my last post, by the way. Please read this last post, because it's strange that the entry shows up even when the computer is unplugged from the internet, and it can't be connected by WIFI because Windows does not know the WIFI key; I never connected Windows with WIFI. Moreover, the Chrome browser says "no internet connection".
EDDY PLEASE COMMENT ON THIS ONE!
-
We can only comment/respond to what you tell us.
That you remembered the log entry wrong and posted the wrong info here doesn't change anything about what I said.
-
We can only comment/respond to what you tell us.
That you remembered the log entry wrong and posted the wrong info here doesn't change anything about what I said.
Strange you seem not to read very carefully, and reply at random :(
-
Essexboy will be online (usually) after 15:00 European time and check your logs ;)
-
Essexboy will be online (usually) after 15:00 European time and check your logs ;)
What I don't understand about the logs:
FRST.txt has an entry for Firefox with lots of plugins and addons. I don't find Firefox in my Windows programs search; I never installed it under Windows 10. I have it on my UBUNTU Live USB stick, which is always plugged in, even if I start Windows from the SSD C: drive. It could also be in an old "Program Files" directory on the D: drive from Windows 7, 8 or 8.1 times, which is not active anymore (as I said before, I now have Windows 10).
ADDITION.txt warns 12 times in scheduled tasks for "... no file <==== ATTENTION"
PS: I see now that FireFox entries are all from plugins on the C: drive (Strange!!! What are they doing there?)
-
The only way I could see someone getting in would be either through Citrix or G2M
When you finish with the computer do you shut down or engage the firewall lock
-
The only way I could see someone getting in would be either through Citrix or G2M
When you finish with the computer do you shut down or engage the firewall lock
I sometimes do not shut the computer down at night, maybe 3 nights a week or so. I do not use the Firewall lock, never heard about it.
Did you look at the FRST.txt and ADDITION.txt logs? See my message about it
-
The only way I could see someone getting in would be either through Citrix or G2M
When you finish with the computer do you shut down or engage the firewall lock
G2M? http://www.sonuus.com/forum/viewtopic.php?f=5&t=763 (http://www.sonuus.com/forum/viewtopic.php?f=5&t=763) ?
-
G2M? http://www.sonuus.com/forum/viewtopic.php?f=5&t=763 (http://www.sonuus.com/forum/viewtopic.php?f=5&t=763) ?
AHA by accident I saw in Google GOTOMEETING, please do not use such cryptic titles like G2M when you actually mean GOTOMEETING :(
-
The only way I could see someone getting in would be either through Citrix or G2M
When you finish with the computer do you shut down or engage the firewall lock
AHA, by accident I saw in Google GOTOMEETING; please do not use such cryptic titles like G2M when you actually mean GOTOMEETING :( ADDITION.txt indeed says 10 times CITRIX/GOTOMEETING directories for EXEs and DLLs. However, it's not in the Windows start menu and Windows programs search menu. I can't therefore start GOTOMEETING myself; maybe the hackers can. I think GOTOMEETING was for a webinar months ago, I'm not sure why it seems to be latently present on my Windows computer.
Moreover, regarding the "switch Firewall mode to Public/High Risk: TELE2 ISP network" message in the Firewall Log "rules": there is even a log entry when my modem is off (I mean disconnected from the electric grid, AND, as I said before, also when on but unplugged from the internet. However, in these cases Google Chrome always said "no internet connection"). Can you explain this, ESSEXBOY? It can be that my computer is on another WIFI network in my neighborhood, but this then would be a stealth connection, since Chrome does not see it!!! Maybe the GOTOMEETING shit on my computer makes this stealth connection; coincidentally this is also the same TELE2 ISP as my genuine internet connection, but this makes it not more unrealistic.
WHY DOES MY AVAST PRO NOT PROTECT OR WARN ME FOR THIS "GOTOMEETING HACK"? OR IS THIS IMPOSSIBLE? :-(
-
I think GOTOMEETING was for a webinar months ago, I'm not sure why it seems to be latent present on my windows computer.
That is easy to explain.
It was installed and never removed (properly).
Moreover "switch Firewall mode to Public/High Risk: TELE2 ISP network" message in Firewall Log "rules"...
So, your ISP is Tele2 and the firewall has detected that at some point.
Since it is a software firewall, it doesn't matter if modem is on or off.
However in these cases Google Chrome always said "no internet connection"
It would be strange/suspicious if Chrome said there was a connection when the modem is off.
If that happens you should start to worry.
It can be that my computer is on another WIFI network in my neighborhood
No, it can't or Chrome would notice it and use it.
Maybe the GOTOMEETING shit on my computer makes this stealth connection; coincidentally this is also the same TELE2 ISP as my genuine internet connection, but this makes it not more unrealistic.
No, G2M doesn't make a stealth connection.
It uses your existing connection.
WHY DOES MY AVAST PRO NOT PROTECT OR WARN ME FOR THIS "GOTOMEETING HACK"?
There is no reason for avast to warn because it is no hack.
It is fully legitimate software that you (or someone there) installed for the webinar.
http://www.gotomeeting.nl/
-
Thanks Eddy for your frank talk!
However, I don't recall the software was installed by me at all. But it must have been for a webinar or so. Then GOTOMEETING was exploited by hackers while I left my computer on while I was sleeping for 8 hours or so. I imagine it works like a kind of PCANYWHERE? I was asleep, but I would have seen mouse movements and windows open and close, and would have heard clicks in the speakers etc. while the hackers were deleting files.
Could it have been that the webinar was in my Windows 8.1 period and partly removed during the Windows 10 upgrade; that's why it's latent now on my Windows 10 machine?
ESSEXBOY says GOTOMEETING can be exploited by hackers (he thinks)
-
Well someone installed it and it is as they say 99,99% sure it is not done and/or used by hackers.
-
Well someone installed it and it is as they say 99,99% sure it is not done and/or used by hackers.
Is it PCANYWHERE-like (GOTOMEETING)? It's from CITRIX ;)
-
Moreover "switch Firewall mode to Public/High Risk: TELE2 ISP network" message in Firewall Log "rules"...
So, your ISP is Tele2 and the firewall has detected that at some point.
Since it is a software firewall, it doesn't matter if modem is on or off.
It's an entry at every boot!!! Does the firewall have a broken memory or something? THINKS IT IS AGAIN CONNECTED BUT IS IN FACT NOT???
-
Guess what happens at every boot...
The firewall starts and initializes.
It just reads the settings and puts an entry in the log.
Perfectly normal.
-
The tasks highlighted by FRST are just old ones left over from the windows 10 update and are not active now
If you have avast internet security you can block connection to the net with one click when you leave the computer
-
Guess what happens at every boot...
The firewall starts and initializes.
It just reads the settings and puts an entry in the log.
Perfectly normal.
;D ;D ;D Thanks for your help and patience! OK It does not say "there is a FRESH connection to ... network established" but indeed only a firewall setting log entry, which is just a little bit misleading
-
You're welcome.
If you see him, say hello to Ketelbinkie ;D
It's still standing on Katendrecht, right?
-
You're welcome.
If you see him, say hello to Ketelbinkie ;D
It's still standing on Katendrecht, right?
Yes, the statue is there; it's also a restaurant in Rotterdam, and a comic strip character ;-) But you knew that, YOU ARE FROM ROTTERDAM!!??
-
I was born there once, long ago.
I haven't been there for a good 25 years.
I'm now a world citizen living in Hengelooo.
-
I was born there once, long ago.
I haven't been there for a good 25 years.
I'm now a world citizen living in Hengelooo.
COOL!!! Do you work as an AVAST Forum evangelist for a living? If I may ask :(
-
English please.... :)
-
English please.... :)
I asked Eddy if AVAST Forum Evangelist was his paid job. I also said I would understand if he did not answer this question, in a Dutch way.
-
English please.... :)
I asked Eddy if AVAST Forum Evangelist was his paid job. I also said I would understand if he did not answer this question, in a Dutch way.
Only those with Avast Team in their details are Avast team members. Everyone else including Avast Evangelist are volunteer avast users, who freely give their time to try and help other avast users.
-
English please.... :)
I asked Eddy if AVAST Forum Evangelist was his paid job. I also said I would understand if he did not answer this question, in a Dutch way.
Only those with Avast Team in their details are Avast team members. Everyone else including Avast Evangelist are volunteer avast users, who freely give their time to try and help other avast users.
DAVIDR: Do you think a latent GOTOMEETING installation, a reminiscence present from the Windows 8.1 to 10 upgrade, can be exploited by hackers? It is a kind of PCANYWHERE, I think. I mean the reminiscence was partly removed during the Windows 10 upgrade, maybe entries removed from the registry, because it's not under Windows 10 in the start menu or program search.
My NORTON Utilities cleans tens to hundreds of registry settings every day (repairs also), by the way; maybe this makes the GOTOMEETING latent.
-
Sorry, I have to defer to essexboy's experience as a qualified malware removal specialist and instructor at geekstogo.com.
In virtually all programs, where there is a will there is likely to be a way: first find a vulnerability and craft an exploit. Recently in the forums there were complaints because avast's software updater automatically downloaded and installed a Skype update.
Now I would never have begun to think that there would be a vulnerability that could be exploited (some would call hacked), so it must have been a serious threat for avast to take the unprecedented action of automatically updating it.
-
Sorry, I have to defer to essexboy's experience as a qualified malware removal specialist and instructor at geekstogo.com.
In virtually all programs, where there is a will there is likely to be a way: first find a vulnerability and craft an exploit. Recently in the forums there were complaints because avast's software updater automatically downloaded and installed a Skype update.
Now I would never have begun to think that there would be a vulnerability that could be exploited (some would call hacked), so it must have been a serious threat for avast to take the unprecedented action of automatically updating it.
Oh thanks very much! :) Yes! There was even a famous day zero exploit in something as "simple" as a hash algorithm implementation, I saw on TV, if I recall correctly
-
English please.... :)
BOB3160: Do you think a latent GOTOMEETING installation, a reminiscence present from the Windows 8.1 to 10 upgrade, can be exploited by hackers? It is a kind of PCANYWHERE, I think. I mean the reminiscence was partly removed during the Windows 10 upgrade, maybe entries removed from the registry, because it's not under Windows 10 in the start menu or program search.
My NORTON Utilities cleans tens to hundreds of registry settings every day (repairs also), by the way; maybe this made the GOTOMEETING latent.
-
Sorry, not a fan of Norton Utilities. These types of utilities usually do more harm than good.
Like David, I'll defer to essexboy on any speculation as to this infection. He's the expert. :)
-
If you do not use any internet-facing programme like GoToMeeting or TeamViewer, then I would always recommend that you uninstall it.
-
Just as info.
I replied to him in a pm.
-
If you do not use any internet-facing programme like GoToMeeting or TeamViewer, then I would always recommend that you uninstall it.
I have somewhat twisted (I mean, complicated) proof that these files (art photos) were deleted by incoming traffic hackers (stalking, hunting and tracking me down):
- I uploaded them to gmail message
- Then I saw a day later they were deleted
- But were not in recycle bin
- Older deleted photos are still in the recycle bin
- So they were there! Because how could I have uploaded them to gmail?
- Or "Search Everything" is fooling me :( https://www.voidtools.com/ (https://www.voidtools.com/)
- Search Everything can't find them, and also not the directory they were in
Strange that the deleted files are not with the older deleted files in the recycle bin. The only way that is possible, to my knowledge, is if you have, for example, a USB stick with files: if you delete them on the USB stick, then they would also not appear in the recycle bin, however they are still deleted from the USB stick. OK, this proof then does not hold water for the authorities.
The files deleted by incoming traffic hackers were on the D: drive. To get watertight proof of this fact would cost me US $ 5,000 at Fox-IT Delft; they probably scan the layers of the D: drive hard disk. I can only spend a couple of hundred euro (US $ 100 to 200) >:(
-
Just as info.
I replied to him in a pm.
PUBLIC: My files are suddenly back somehow. I know it sounds weird. Moreover, they were deleted in AVAST / Windows 10 / cable sessions and came back in UBUNTU / WIFI sessions. The only explanation I can think of is a hardware virus (or firmware virus). I have heard these viruses can be in all computer parts' embedded programs or integrated in the microchips. So in the motherboard, hard disks, CPU, network adapter, you name it, straight from the factory. There is lots of money in user data, so your internet activity could go to hundreds of bona fide and malicious third parties. Can be used to monitor and to PCANYWHERE stealth remote control too. Wolf packs playing, stalking, tracking and hunting me down. :P
-
Hardware viruses are just proof of concept; they are exceedingly difficult to install. If the files are not being seen by Windows but are by Ubuntu, then maybe run disc check.
-
Hardware viruses are just proof of concept; they are exceedingly difficult to install. If the files are not being seen by Windows but are by Ubuntu, then maybe run disc check.
They are back under Windows too. However, I had 2 consecutive sessions with UBUNTU in which the OS could not mount DATA (D: drive). Could DATA have been locked by a hacker's process??? However, UBUNTU constantly freezes and WIFI is very unstable under UBUNTU.
PS: In the DEBIAN forum someone said, for another issue, that they (hardware viruses) are BUILT IN straight from the factory; could be bugs in the hardware integrated circuits, firmware day zero exploits. GET IT???
-
http://betanews.com/2016/06/19/gotomypc-hacked/
Just found this
No, anything done under Windows does not affect Linux when it looks at the drive. Although the drive being locked may indicate a HDD problem.
-
http://betanews.com/2016/06/19/gotomypc-hacked/
Just found this
No, anything done under Windows does not affect Linux when it looks at the drive. Although the drive being locked may indicate a HDD problem.
If hardware viruses are built in straight from the factory, there is nothing you can do; the hackers have won. The internet is now only a battlefield between black hat hackers and big brother; the poor genuine users are in no man's land, between the front lines.
:( :( :(
-
http://betanews.com/2016/06/19/gotomypc-hacked/ (http://betanews.com/2016/06/19/gotomypc-hacked/)
Just found this
No, anything done under Windows does not affect Linux when it looks at the drive. Although the drive being locked may indicate a HDD problem.
If hardware viruses are built in straight from the factory, there is nothing you can do; the hackers have won. The internet is now only a battlefield between black hat hackers and big brother; the poor genuine users are in no man's land, between the front lines.
:( :( :(
Please stop spreading Doom and Gloom. Things aren't as bad as you seem to think.
If this is really what you believe, better get off the internet. Stop spreading malarkey. :)
-
http://betanews.com/2016/06/19/gotomypc-hacked/ (http://betanews.com/2016/06/19/gotomypc-hacked/)
Just found this
No, anything done under Windows does not affect Linux when it looks at the drive. Although the drive being locked may indicate a HDD problem.
If hardware viruses are built in straight from the factory, there is nothing you can do; the hackers have won. The internet is now only a battlefield between black hat hackers and big brother; the poor genuine users are in no man's land, between the front lines.
:( :( :(
Please stop spreading Doom and Gloom. Things aren't as bad as you seem to think.
If this is really what you believe, better get off the internet. Stop spreading malarkey. :)
These were my famous last words ;) (in this thread)
Thank you all for the comments.