Avast WEBforum

Other => General Topics => Topic started by: handcuff36 on December 24, 2008, 10:40:56 PM

Title: Ghost ???
Post by: handcuff36 on December 24, 2008, 10:40:56 PM
Hello, this is my first post here, thank you. First a Merry Christmas to all.

I have been on Avast for eons and quite happy with it. Lately, I get a funny little icon that shows up near the My Computer ( Vista HB ), it does not seem to hinder the system at all, at least, nothing noted. It flashes on the screen for a flick of an eyelid. It looks like a small ghost. I have some PRn/Scrn of it, if I could find where to attach them here. I will try the +Additional Options. Stand-by. Hey, I think that I did it. If you are looking at the -4.jpg, reduce it to 5% to fill your screen.

Anybody with any idea of what this is would earn my thank you for sure. I wonder if it is a key-logger of sort ?

Have a nice day and thanks for the opportunity to make new friends.         JP aka handcuff36
Title: Re: Ghost ???
Post by: YLAP on December 24, 2008, 10:47:30 PM
Do you have something like Spybot S&D or something similar to analyze programs loaded on startup?
Title: Re: Ghost ???
Post by: Lisandro on December 24, 2008, 10:50:31 PM
You can test your monitor with dead pixels testers.
And you can follow the general cleaning procedure:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. Use SUPERantispyware (http://www.superantispyware.com), MBAM (http://malwarebytes.org/mbam.php) or Spyware Terminator (http://www.spywareterminator.com/) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
5. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or on this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).
Title: Re: Ghost ???
Post by: DavidR on December 25, 2008, 12:47:30 AM
I doubt it is a dead pixel, not half the size of an icon, not one that flickers on just for a blink of an eye.

I really don't have any idea what it might be, if it remains there, right click and select properties and see what information can be gleaned.

Or check out Task Manager to see if there are any unknown processes running, etc. or use the Windows Start, Run and type msconfig, this should open a window of various Windows settings, etc. Click on the Startup tab and see if there is anything there that you aren't aware of.

There are some diagnostic/analysis tools here, http://technet.microsoft.com/en-us/sysinternals/default.aspx, the System Internals section, and Process Explorer in particular (also Autoruns) is one that gives information on running processes. These do, though, require a degree of knowledge of what would normally be running on your system.
Title: Re: Ghost ???
Post by: George Yves on December 25, 2008, 08:53:26 AM
I just thought about some people I know. They adore practical jokes. What do you think about the people who have access to your PC?
Title: Re: Ghost ???
Post by: SpeedyPC on December 25, 2008, 12:25:41 PM
Quote
I just thought about some people I know. They adore practical jokes. What do you think about the people who have access to your PC?


Yep, this reminds me of when I loaded a screen saver onto a friend's computer at work called the MS blue screen of error death messages on April fools day, god I'm so cruel and this makes me feel great when I had to pay him back big time when he got me on April fools day.
Title: Ghost ???
Post by: handcuff36 on December 25, 2008, 02:17:21 PM
A large thank you to all who took time to reply/react to my posts. I have noted all suggestions.
Nobody else uses my computer, it is password protected on booting, so nobody can play a joke on me. The MBR is also locked in BIOS, ie: no rootkit.

I have just in the last week, restored the OS to factory default and this showed up again, the ghost !  A friend and I bought the same Acer about 1 week apart, the very same Acer and he does not get this ghost.

Really baffling, is it not ?   After some more tests, as suggested here, I will get back to you. Again, thanks.   JP.
Title: Ghost ???
Post by: handcuff36 on December 26, 2008, 03:58:35 PM
Good  morning DavidR.
I had tried the right click and also the left click of the mouse on that Ghost before. No reaction at all, it is a real ghost ! :-)  It does not stay on the screen very long and it makes it tough to even just get the mouse on it.
If I have time today, I will run a full scan again on the Vista box. At the moment, I am typing at you on an Ubuntu box, via Firefox. I might remove Avast from that Vista box, install Norton, just to see. I would re-install Avast after the scan. I have to try many options to see what this is.

In case that this is a key-logger, how can I search it ?

Have a great day and thanks for your attention.                      JP.
Title: Re: Ghost ???
Post by: Lisandro on December 26, 2008, 05:18:37 PM
If you set a wallpaper, does it continue there?
Title: Again, Ghost ???
Post by: handcuff36 on December 27, 2008, 06:00:48 PM
Hello Tech and DavidR, the whole bunch too.

I have run all the suggested tests, nothing. I just got Avast back installed after running Norton that found nothing. Now, this last run of Avast again as for Norton, found nothing.  Avast went through 45 Gigs of data on my HD and took 52 minutes for this.

Am I chasing a wild goose here ? Is this Ghost really nothing ? Should I ignore the aggravation ? It does not seem to do anything at all, the aggravation is not knowing what it is. Who/what could be generating this ?

Fun anyway.  A nice 09 to all.           JP aka handcuff36
Title: Re: Ghost ???
Post by: DavidR on December 27, 2008, 06:23:36 PM
I really don't know as there isn't enough information to say what it is so we can't say one way or the other if it is a wild goose chase.

Adding Norton to the mix is potential for other issues possibly more painful than what you have.

A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039)

All I can suggest is getting google on the case, http://www.google.co.uk/search?q=mystery+icon+on+desktop, if nothing there try a different search string that is closer to your issue. Try and keep the search string simple (like my example search) or it will greatly reduce the results.
Title: Ghost elucidated.
Post by: handcuff36 on December 29, 2008, 10:28:24 PM
Good afternoon, David R.

Remember these Ghost .jpg that I posted here ?  Well, I believe that I found out the solution. Brace yourself.

This shows up when the MBR is locked in the BIOS. This is the selection where a warning is sounded and activity is stopped if anything/anybody ( rootkit ) is trying to write to that sector. Who would have thought of this.

Would you try it on your system and let me know as a confirmation of sort, please.  I have toggled this protection ON and OFF a few times and this seems to confirm what I just typed, it would be great to have it also confirmed by an expert.

I am on an Acer-Vista system, if you ask, I would come back with a BIOS version and name. I do not think that Vista has anything to do with it, this BIOS would work the same regardless of the OS, methinks.

Have a great 2009, to Tech too.                    JP.   aka handcuff36
Title: Re: Ghost ???
Post by: Lisandro on December 29, 2008, 11:10:16 PM
Man... how could we correlate the ghost with a rootkit and the MBR locked by the BIOS? ??? ???
Do you mean you unlocked the MBR in the BIOS and now the ghost disappeared? ???
Title: Re: Ghost ???
Post by: handcuff36 on December 29, 2008, 11:28:22 PM
Tech, hello.

>>Man... how could we correlate the ghost with a rootkit and the MBR locked by the BIOS? ??? ???
>>Do you mean you unlocked the MBR in the BIOS and now the ghost disappeared? ???

      Yes !

    I am sure that this ghost is manifested as the MBR is locked. Your statement above seems to imply the opposite. There is no rootkit so no need to correlate the ghost to one. The MBR is ALWAYS locked on all my systems that allow this in BIOS, therefore, I have no rootkit, if this is the way it works. I will have to look into the Award site to see if they have anything to say in this regard.

    Thanks for your attention and a Happy 09 to you.           JP.    aka handcuff36.
Title: Ghost elucidated.
Post by: handcuff36 on December 29, 2008, 11:46:15 PM

   Tech, me again.   This is what I found on the Award site, in this regard but no reference to the Ghost.

   Anti-Virus
When this icon is selected from the Security section of the WINBIOS Setup main menu, AMIBIOS issues a warning when any program (or virus) issues a Disk Format command or attempts to write to the boot sector of the hard disk drive. The settings are Enabled or Disabled. If enabled, the following appears when a write is attempted to the boot sector. You may have to type N several times to prevent the boot sector write. Boot Sector Write!!!Possible VIRUS: Continue (Y/N)? _
The following appears after any attempt to format any cylinder, head, or sector of any hard disk drive via the BIOS INT 13 Hard Disk Drive Service: Format!!!Possible VIRUS: Continue (Y/N)? _

    What do you make of this ?                        JP.             aka handcuff36
Title: Re: Ghost ???
Post by: DavidR on December 30, 2008, 12:09:46 AM
I too would have never thought it related to MBR locking in BIOS, mainly because I have never locked it down, possibly because on older BIOS versions it probably isn't even an option. But mainly I wouldn't like to actually do that (lock the MBR) as there must be times when the MBR is adjusted legitimately.

Good find though, it would be nice if the image/icon was more user friendly.
Title: Re: Ghost ???
Post by: Lisandro on December 30, 2008, 01:02:25 AM
Quote
AMIBIOS issues a warning when any program (or virus) issues a Disk Format command or attempts to write to the boot sector of the hard disk drive.
Are you formatting the disk? Why does the message appear?
Title: Ghost ???
Post by: handcuff36 on January 01, 2009, 03:50:47 PM
Good morning DavidR and a Happy 2009.
As I do not have any explanation for this ghost, I am simply stating what I see and there might be no correlation to this, as Tech asked. But it seems strange that it would appear ( ghosts are wont to do this ) on the screen at bootup. No other link.
I keep the MBR locked in my BIOS on account of the new virus going'round. Mebkit ??? I once got the warning when installing a PRG, I forget which one that was, I think that it was when installing Ubuntu in a Windows Vista system, where a double-boot option is installed by a Boot Manager. I have had no other warning, mind you, I do not surf much on any of my many putors.

Now also a good morning to Tech and a Happy 2009 to you too.
 No, I was not formatting my HD, the text that I Cut & Pasted was from the Award site and it explained how to lock the MBR against malware. But you knew this ! I am still chasing this ghost. Yesterday, I completely dumped all cookies and this morning on bootup, no ghost. I was also looking over some old saved apps and I chanced on one called Ad-Aware, it ran in Vista and showed me one bad item referring to "Double-Click". I chased it, it was in the cookies file/folder. That gave me the push to delete all of them again and now no ghost.  This ghost is a brain stimulating effort, I will keep looking for more pointers to why it comes around. In the mean time, your attention is appreciated.
                                                                 JP.    aka handcuff36
Title: Re: Ghost ???
Post by: DavidR on January 01, 2009, 03:57:27 PM
I much prefer to have a good recovery system in the form of hard disk imaging software, that takes an exact image of your system, so if you experience a problem you can restore your last partition/disk image.

I do a weekly image of my C: and E: HDD partitions, saving the images to a third partition, I then make a copy of those images on an external HDD should the worst happen and I have a HDD failure on my internal HDD. I must treat my new system to a second internal HDD (like my old system) so back-ups are on the 2nd HDD and external HDD.

A Happy New Year to you too.
Title: That Ghost again, not !
Post by: handcuff36 on January 02, 2009, 03:35:23 PM
    Good morn David R.

Quote
I much prefer to have a good recovery system in the form of hard disk imaging software, that takes an exact image of your system, so if you experience a problem you can restore your last partition/disk image.

I do a weekly image of my C: and E: HDD partitions, saving the images to a third partition, I then make a copy of those images on an external HDD should the worst happen and I have a HDD failure on my internal HDD. I must treat my new system to a second internal HDD (like my old system) so back-ups are on the 2nd HDD and external HDD.

     I do likewise, I use TrueImage and about once/month, I image the Vista to a USB HD. Better safe than sorry.

     As I said recently, I got rid of all cookies and no ghost. Which one was the culprit ? I might never know but this sounds more like the cause than the BIOS being locked or not. I am still keeping an eye on this, just as a curiosity more than a fear of being "invaded". At the moment, my BIOS is locked and no ghost, is this an achievement ? Time will tell. I will thank you and Tech for your interest and time.

    My #2 system runs double boot of XPP and Ubuntu, on that one, I have not done the U'u image yet. Both systems own their own HD, the Master ( IDE 0 ) is XPP and the Slave ( IDE 1 ) is U'u. Like you, I shall do an image of this soon. What imaging app are you using ?
Title: Re: Ghost ???
Post by: DavidR on January 02, 2009, 06:15:56 PM
One day I might have a dabble with Linux again, the last time I tried it using a Live CD version (can't even recall the distro) was years ago.
Title: Re: Ghost ???
Post by: handcuff36 on January 03, 2009, 02:21:46 AM
    David, give me an address at handcuff36atgmaildotcom and I will mail you a CD.   Fun this is.     JP.

Quote
One day I might have a dabble with Linux again, the last time I tried it using a Live CD version (can't even recall the distro) was years ago.
Title: Re: Ghost ???
Post by: DavidR on January 03, 2009, 03:18:33 AM
It's OK, it is more of a setting aside some time to do it rather than difficulty in getting a Live CD or regular distro. Thanks for the offer though.
Title: U'u.
Post by: handcuff36 on January 03, 2009, 05:36:07 PM

     David, hello.

     I was quite reluctant to go to U'u but I was dared into it. It is quite viable, you know. It does all that IE can do, not any better, just equally. Food for thought, there is never a virus present.

     FWIW, after cleaning all the cookies, that ghost has not shown up again, touch wood !  No such problem in U'u, just in Vista. 

     Be good.                 JP            aka handcuff36
Title: Re: Ghost ???
Post by: bob3160 on January 04, 2009, 06:24:30 PM
Quote
there is never a virus present
"Hardly ever" would be more accurate.  :)
Title: Re: Ghost ???
Post by: Abraxas on January 04, 2009, 06:49:52 PM
Hello handcuff36 !
Quote
"As I said recently, I got rid of all cookies and no ghost. Which one was the culprit ?"
I was going to suggest getting another monitor, connecting it to see if "The Ghost" is just a fault of your current monitor,  i.e. a Hardware problem with your monitor . Seems a logical step to take, which from what I can understand you have not checked ?
Title: Re: Ghost ???
Post by: Lisandro on January 04, 2009, 06:53:24 PM
Quote
I was going to suggest getting another monitor, connecting it to see if "The Ghost" is just a fault of your current monitor,  i.e. a Hardware problem with your monitor . Seems a logical step to take, which from what I can understand you have not checked ?
Or, if you don't have another one, just use a Live CD with Linux to check...
Title: Re: Ghost ???
Post by: handcuff36 on January 05, 2009, 03:03:50 PM

      Abraxas, good morning.

Quote
"As I said recently, I got rid of all cookies and no ghost. Which one was the culprit ?"

>>>I was going to suggest getting another monitor, connecting it to see if "The Ghost" is just a fault of your current monitor,  i.e. a Hardware problem with your monitor . Seems a logical step to take, which from what I can understand you have not checked ?<<<


   Indeed, a very logical step to trouble shoot with another monitor. But, have you had a good look at the Ghost that I U/L'd here ? They are too well defined to be a monitor fault and then, it would move around a little, in the same area of about 2" x 2", near My Computor, in Vista.  Once, it showed up behind My Computor.  I really had to be watching for it and not blink an eye as it was there for a fraction of a second.

    Since the cookies was cleansed, no more ghost. I totally ignore which cookie was causing this if indeed a cookie was. I even had the Vista redone to factory state using the two DVDs made when brand new, it took about a week for the ghost to reappear. I make it a routine now to flush the cookies. I also had Ubuntu on this system for a while, running in Windows and there was no ghost on the screen when looking at U'u.

                        Thanks for your attention all the way from down-under.              JP.   aka   handcuff36
Title: Ghost ???
Post by: handcuff36 on January 05, 2009, 03:14:15 PM

    Hello Tech.

>>>I was going to suggest getting another monitor, connecting it to see if "The Ghost" is just a fault of your current monitor,  i.e. a Hardware problem with your monitor . Seems a logical step to take, which from what I can understand you have not checked ?<<<

>>>Or, if you don't have another one, just use a Live CD with Linux to check...<<<

    I am quite sure that this was not a monitor problem, and I did at one time have U'u running on this Vista, no ghost then. If you have read my previous comments, you will remember that a cleaning of the cookies "seems" to have sent the ghost to oblivion.  This is still a new system, it will be one year old this February 29th, ooops, March 1st this year. The monitor is LCD and in prima shape. Your suggestions were very valuable, thanks a mega.

     Time will tell now if the cookies were the cause of this curious occurrence, cleaning them out routinely now is a little pain as it takes all "saved" names and passwords out of the system, this might be a safer way to operate anyway.

    Have a great day.                        JP.   aka handcuff36.
Title: Gone Ghost ???
Post by: handcuff36 on January 18, 2009, 01:26:35 AM
Hello David R and Tech.

   Well it does seem like the "Cleaning cookies" cured the ghost or at least scared him away, if I remember to do the clearing, Ghost begone, I try to do this just before shutting down !

    Now this brings a question....  how can I actually see the Cookies folder in Vista. Not finding it, I use the IE Tools menu, go to Internet Options and using that dialogue, I empty all the cookies. A while back, I could see a dimmed folder called "Low" and there see all the cookies. I have been locked out for a while, I do not see that folder anymore. Can you help me in this ? I have allowed to see all folders in "Folder Options" and that LOW used to show before, I have used it and could see all the cookies.txt. I am interested in seeing them again to try and find which one is the Ghost hatcher.

    In the mean time, I hope that 09 is good to you.          Handcuff   aka JP.
Title: Re: Ghost ???
Post by: Lisandro on January 18, 2009, 01:50:11 AM
The cookie folder is hidden in the Users directory.
Use CCleaner to remove cookies from the most common browsers.
Title: Re: Ghost ???
Post by: polonus on January 18, 2009, 01:55:22 AM
Hi Tech,

Good advice, I use ClearProg and ATF Cleaner for this every time before I shut down the computer after a session using the browser etc,

polonus
Title: Re: Ghost ???
Post by: rdmaloyjr on January 18, 2009, 02:58:50 AM
Quote
Hi Tech,

Good advice, I use ClearProg and ATF Cleaner for this every time before I shut down the computer after a session using the browser etc,

polonus

I use CCleaner /AUTO /SHUTDOWN (http://forum.piriform.com/index.php?s=452ce886a4de211695682abbdc229069&showtopic=16551) to shutdown my computers.
Title: Re: Ghost ???
Post by: polonus on January 18, 2009, 03:01:49 AM
Hi rdmaloy,

That is clever, thanks for the heads up on this solution,

pol
Title: Re: Ghost ???
Post by: Avastfan1 on January 18, 2009, 12:23:31 PM
1
Title: Ghost ???
Post by: handcuff36 on January 28, 2009, 01:33:24 AM

    Hello Tech and thanks for your continued support.

Quote
The cookie folder is hidden in the Users directory.
Use CCleaner to remove cookies from the most common browsers.

     I first was able to directly delete all cookies from a folder in Users -> Default Users -> Low, now that folder has disappeared. Do you have that one ?  And then, I should not push my luck, since the last MS Updates, that ghost has not shown up again. There was a security KBxxxx to install and it might have closed a hole. That folder was "greyed out" and it was required to select "Show all folders" to see it.

     Rest assured that if it shows up again, I will let all know. I routinely delete all my cookies in IE -> Tools -> Options; it seems to have done it.   Have a great day.               handcuff   aka JP.