
Help!! i can't find the intruder...



ok, done.

maybe worth telling you the gadgets and info...

Clock....................version: 1.0.0.0 Author: Microsoft corp

CPU meter.............version: 1.0.0.0 Author: Microsoft corp

shutdown gadget....version: 1.0 Author: M.M

Weather................version 1.1.0.0 Author: Microsoft corp

Wireless Network meter..... version: 4.0 Author: AddGadget


The forum seemed to have a problem earlier. I had great difficulty posting my earlier post.

As for your gadgets, disable them all, see if the problem is gone, if so, turn them on one by one in order to see which one might be causing the problem.


hello Elise

i did what you asked but it's still acting up. the gadgets have been disabled for a few days. computer freezes constantly (NOTE: usually when i wake it from hibernation or when i try and access task manager)

i'm finding files that i can't access, prompts that tell me 'program is in use' and 'i can not access'. or 'i'm not allowed' (something along those lines)

i attempted removal of adobe reader, but it's still in my computer. i deleted shortcut, add/remove programs, emptied recycle bin, but still there. i had a good friend over yesterday who is MUCH better w computer than i am, he just shook his head and giggled... told me to get a new computer or remove and reinstall new hardware (but also added it still may be inside hiding)

i have come across files that disappear from one day to the next. i wanted to show my friend the avast Chest under programs (not through icon), but it is gone. no Chest file anymore. also found multiple identical programs. some w huge files, some w none.

in C dr i found a long 'fhgnssi223nva;lddkgodsshdo3345jg' (just made that up) file. then another different long number/letter combo (within 20 minutes) then a few hours later when i access C dr and look for it, ..gone...

these are only 2 examples of many.

any ideas? thx again Elise! :P


Folders like the one you mention, from random letters/numbers, often get created by updates (windows updates, hardware installations and so on).

However, from what you describe this indeed may point to faulty hardware.

I can tell you with absolute certainty there is no more malware hiding there.

Did you still get the security error (as in your screenshot)?

I've seen some references that this error might be caused by security programs that are not fully 64 bit compatible. You can try to uninstall Avast and see if that changes anything.


thank you Elise, i will remove Avast now. should i download a different anti virus or Avast again? Avira maybe?

btw, i have not done any downloads or updates(not manually anyway). but i did find this... is it normal??

thanks again!!! you're the best :P

----------------------------------------------------------------------------------

Command: c:\609bd44e100682acb0\MPSigStub.exe WD /q

Start time: 8/23/2010 9:29 AM (version 2.1.1112.0)

================================= CacheMpSigStub =================================

Copied MpSigStub.exe to C:\Windows\system32\MpSigStub.exe

=================================== ProductSearch ==================================

Microsoft Windows Defender (Vista):

Status: Active

Product: 1.1.1600.0

Engine: 1.1.6004.0

Signatures: 1.87.2231.0

================================ PackageDiscovery ================================

AS BDE:

Engine: ?.?.?.?

AS base VDM: ?.?.?.?

AV base VDM: Not included

AS delta VDM: 1.89.175.0

AV delta VDM: Not included

================================ PatchApplication ================================

Patched mpengine.dll to 1.1.6103.0

Patched mpasbase.vdm to 1.89.0.0

================================= MpUpdateEngine =================================

Updated from c:\609bd44e100682acb0 (0x0)

================================= ValidateUpdate =================================

MpSigStub successfully updated Microsoft Windows Defender (Vista) using the AS BDE package.

Original: Updated to:

Engine: 1.1.6004.0 1.1.6103.0

AS base VDM: 1.87.0.0 1.89.0.0

AS delta VDM: 1.87.2231.0 1.89.175.0

Set DeltaUpdateFailure to 0

Deleted c:\609bd44e100682acb0\mpengine.dll._p

Deleted c:\609bd44e100682acb0\mpasbase.vdm._p

Deleted c:\609bd44e100682acb0\mpasbase.vdm

Deleted c:\609bd44e100682acb0\mpasdlta.vdm

Deleted c:\609bd44e100682acb0\mpengine.dll

End time: 8/23/2010 9:29 AM

----------------------------------------------------------------------------------

----------------------------------------------------------------------------------

Command: MpSigStub.exe /program c:\c44c639e117908b339442e22fe\MpMiniSigStub.exe WD /q

Start time: 8/24/2010 8:09 AM (version 2.1.1112.0)

=================================== ProductSearch ==================================

Microsoft Windows Defender (Vista):

Status: Active

Product: 1.1.1600.0

Engine: 1.1.6103.0

Signatures: 1.89.175.0

================================ PackageDiscovery ================================

AS BDD:

Engine: Not included

AS base VDM: Not included

AV base VDM: Not included

AS delta VDM: 1.89.207.0

AV delta VDM: Not included

================================ PatchApplication ================================

Patched mpasdlta.vdm to 1.89.207.0

================================= MpUpdateEngine =================================

Updated from c:\c44c639e117908b339442e22fe (0x0)

================================= ValidateUpdate =================================

MpSigStub successfully updated Microsoft Windows Defender (Vista) using the AS BDD package.

Original: Updated to:

AS delta VDM: 1.89.175.0 1.89.207.0

Set BddUpdateFailure to 0

Deleted c:\c44c639e117908b339442e22fe\1.89.175.0_to_1.89.207.0_mpasdlta.vdm._p

Deleted c:\c44c639e117908b339442e22fe\mpasdlta.vdm

End time: 8/24/2010 8:09 AM

----------------------------------------------------------------------------------

----------------------------------------------------------------------------------

Command: MpSigStub.exe /program c:\79ac2c0f551556c5b60c\MpMiniSigStub.exe WD /q

Start time: 8/27/2010 10:01 AM (version 2.1.1112.0)

=================================== ProductSearch ==================================

Microsoft Windows Defender (Vista):

Status: Active

Product: 1.1.1600.0

Engine: 1.1.6103.0

Signatures: 1.89.207.0

================================ PackageDiscovery ================================

AS BDD:

Engine: Not included

AS base VDM: Not included

AV base VDM: Not included

AS delta VDM: 1.89.471.0

AV delta VDM: Not included

================================ PatchApplication ================================

Patched mpasdlta.vdm to 1.89.471.0

================================= MpUpdateEngine =================================

Updated from c:\79ac2c0f551556c5b60c (0x0)

================================= ValidateUpdate =================================

MpSigStub successfully updated Microsoft Windows Defender (Vista) using the AS BDD package.

Original: Updated to:

AS delta VDM: 1.89.207.0 1.89.471.0

Set BddUpdateFailure to 0

Deleted c:\79ac2c0f551556c5b60c\1.89.207.0_to_1.89.471.0_mpasdlta.vdm._p

Deleted c:\79ac2c0f551556c5b60c\mpasdlta.vdm

End time: 8/27/2010 10:01 AM

----------------------------------------------------------------------------------


This confirms your Windows Defender was updated and there was a temporary folder on C:\ consisting of some random numbers, which explains one of your problems/questions. :P It also explains it was gone later, since that was a temporary folder that got deleted once the update was done.

How are things now that Avast is uninstalled? Do you notice any difference?

We definitely need to reinstall an antivirus application, but let's first decide whether avast was causing these system issues or not.

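Added example, not part of the original posts: a small Python parser for MpSigStub log entries in the layout quoted above, used to check whether a random-named folder seen on C:\ was an update staging folder and whether the run cleaned up after itself. The sample log is constructed (folder names and the incomplete second run are made up), and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the MpSigStub entries quoted in the thread.
# Folder names and the incomplete second run are made up for this example.
SAMPLE_LOG = r"""
----------------------------------------------------------------------------------
Command: MpSigStub.exe /program c:\0123456789abcdef0123\MpMiniSigStub.exe WD /q
Start time: 8/24/2010 8:09 AM (version 2.1.1112.0)
=================================== ProductSearch ==================================
Microsoft Windows Defender (Vista):
Status: Active
Engine: 1.1.6103.0
Signatures: 1.89.175.0
================================ PatchApplication ================================
Patched mpasdlta.vdm to 1.89.207.0
================================= MpUpdateEngine =================================
Updated from c:\0123456789abcdef0123 (0x0)
================================= ValidateUpdate =================================
MpSigStub successfully updated Microsoft Windows Defender (Vista) using the AS BDD package.
Original: Updated to:
AS delta VDM: 1.89.175.0 1.89.207.0
Deleted c:\0123456789abcdef0123\1.89.175.0_to_1.89.207.0_mpasdlta.vdm._p
Deleted c:\0123456789abcdef0123\mpasdlta.vdm
End time: 8/24/2010 8:09 AM
----------------------------------------------------------------------------------
Command: c:\fedcba9876543210\MPSigStub.exe WD /q
Start time: 8/25/2010 9:00 AM (version 2.1.1112.0)
================================= MpUpdateEngine =================================
Updated from c:\fedcba9876543210 (0x1)
End time: 8/25/2010 9:00 AM
----------------------------------------------------------------------------------
"""

VERSION = r"\d+(?:\.\d+){3}"
RE_CMD = re.compile(r"^Command:\s*(.+)$")
RE_START = re.compile(r"^Start time:\s*(.+?)\s+\(version")
RE_FROM = re.compile(r"^Updated from\s+(.+?)\s+\((0x[0-9a-fA-F]+)\)$")
RE_CHANGE = re.compile(rf"^(.+?):\s+({VERSION})\s+({VERSION})$")
RE_DELETED = re.compile(r"^Deleted\s+(.+)$")


@dataclass
class UpdateRun:
    command: str
    started: str = ""
    staging_dir: str = ""      # folder named on the "Updated from" line
    result_code: str = ""      # hex value on that line, kept as written
    succeeded: bool = False    # set only by the "successfully updated" line
    changes: dict = field(default_factory=dict)   # component -> (old, new)
    deleted: list = field(default_factory=list)

    def cleanup_inside_staging(self):
        """True if files were deleted and every one of them sat in the staging folder."""
        if not self.staging_dir or not self.deleted:
            return False
        prefix = self.staging_dir.lower().rstrip("\\") + "\\"
        return all(p.lower().startswith(prefix) for p in self.deleted)


def parse_mpsigstub_log(text):
    """Split the log into runs at each 'Command:' line; blank lines are ignored."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := RE_CMD.match(line)):
            current = UpdateRun(command=m.group(1))
            runs.append(current)
        elif current is None:
            continue
        elif (m := RE_START.match(line)):
            current.started = m.group(1)
        elif (m := RE_FROM.match(line)):
            current.staging_dir, current.result_code = m.group(1), m.group(2)
        elif line.startswith("MpSigStub successfully updated"):
            current.succeeded = True
        elif (m := RE_CHANGE.match(line)):
            current.changes[m.group(1)] = (m.group(2), m.group(3))
        elif (m := RE_DELETED.match(line)):
            current.deleted.append(m.group(1))
    return runs


def explain_folder(runs, folder):
    """Return the update run that used `folder` as its staging folder, or None."""
    wanted = folder.lower().rstrip("\\")
    for run in runs:
        if run.staging_dir.lower().rstrip("\\") == wanted:
            return run
    return None


if __name__ == "__main__":
    for run in parse_mpsigstub_log(SAMPLE_LOG):
        print(run.started, run.staging_dir, "ok" if run.succeeded else "no success line",
              run.changes, "cleaned up" if run.cleanup_inside_staging() else "no cleanup logged")
```

A folder that matches a run with a success line and logged deletions is accounted for; a folder that matches no run, or a run with no cleanup logged, is the one worth a second look.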

Windows Defender- history

name: Unknown Alert level: unknown Action taken: Permit Date: 8/17/2010 Status: Succeeded

Description:

This program has potentially unwanted behavior.

Advice:

Permit this detected item only if you trust the program or the software publisher.

Resources:

regkey:

HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Normandy

file:

C:\Windows\sysWOW64\drivers\Normandy.sys

Category:

Not Yet Classified

*********

avast logs from Event Viewer, Audit failure, details, xml view

138 audit failures in 24 hours, 1642 in 7 days....

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 8/31/2010 4:59:24 AM

Event ID: 5038

Task Category: System Integrity

Level: Information

Keywords: Audit Failure

User: N/A

Computer: BedigandMary-PC

Description:

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Program Files\Alwil Software\Avast5\Setup\INF\aswSP.sys

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />

<EventID>5038</EventID>

<Version>0</Version>

<Level>0</Level>

<Task>12290</Task>

<Opcode>0</Opcode>

<Keywords>0x8010000000000000</Keywords>

<TimeCreated SystemTime="2010-08-31T11:59:24.834Z" />

<EventRecordID>66383</EventRecordID>

<Correlation />

<Execution ProcessID="4" ThreadID="52" />

<Channel>Security</Channel>

<Computer>BedigandMary-PC</Computer>

<Security />

</System>

<EventData>

<Data Name="param1">\Device\HarddiskVolume1\Program Files\Alwil Software\Avast5\Setup\INF\aswSP.sys</Data>

</EventData>

</Event>

********************************

File Name: AvastUI.exe

Display Name: avast! Antivirus

Description: avast! Antivirus

Publisher: AVAST Software

Digitally Signed By: VeriSign Class 3 Code Signing 2004 CA

File Type: Application

Auto Start: No

File Path: C:\Program Files\Alwil Software\Avast5\AvastUI.exe

File Size: 2837864

File Version: 5, 0, 594, 0

Date Installed: 3/20/2010 12:55:45 PM

Process ID: 3192

User Name: BedigandMary-PC\BedigandMary

Classification: Permitted

Ships with Operating System: No

SpyNet Voting: Not applicable

Protocol Local Address Foreign Address State

TCP 192.168.1.104:49444 74.55.78.90:80 CLOSE_WAIT

TCP 192.168.1.104:49445 74.55.78.90:80 CLOSE_WAIT

********

information log, was 6 in last hour, within 1 minute after i copied/pasted some details, went back to previous page to get the 7 day number,.. and somehow 6 errors in the last hour became 4 errors(then to 5). 24 hour errors= 227 (7 day is 2384).

general: The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.

Details: xml view

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

- <System>

<Provider Name="Service Control Manager" Guid="{555908D1-A6D7-4695-8E1E-26931D2012F4}" EventSourceName="Service Control Manager" />

<EventID Qualifiers="16384">7036</EventID>

<Version>0</Version>

<Level>4</Level>

<Task>0</Task>

<Opcode>0</Opcode>

<Keywords>0x80000000000000</Keywords>

<TimeCreated SystemTime="2010-08-31T18:49:18.000Z" />

<EventRecordID>69883</EventRecordID>

<Correlation />

<Execution ProcessID="0" ThreadID="0" />

<Channel>System</Channel>

<Computer>BedigandMary-PC</Computer>

<Security />

</System>

- <EventData>

<Data Name="param1">WinHTTP Web Proxy Auto-Discovery Service</Data>

<Data Name="param2">running</Data>

</EventData>

</Event>

in the 'saved logs' folder i see 3 security folders, security, security1 and system.

'Security' folder

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 3/20/2010 3:10:32 PM

Event ID: 4672

Task Category: Special Logon

Level: Information

Keywords: Audit Success

User: N/A

Computer: BedigandMary-PC

Description:

Special privileges assigned to new logon.

Subject:

Security ID: SYSTEM

Account Name: SYSTEM

Account Domain: NT AUTHORITY

Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege

SeTcbPrivilege

SeSecurityPrivilege

SeTakeOwnershipPrivilege

SeLoadDriverPrivilege

SeBackupPrivilege

SeRestorePrivilege

SeDebugPrivilege

SeAuditPrivilege

SeSystemEnvironmentPrivilege

SeImpersonatePrivilege

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />

<EventID>4672</EventID>

<Version>0</Version>

<Level>0</Level>

<Task>12548</Task>

<Opcode>0</Opcode>

<Keywords>0x8020000000000000</Keywords>

<TimeCreated SystemTime="2010-03-20T22:10:32.212Z" />

<EventRecordID>111</EventRecordID>

<Correlation />

<Execution ProcessID="608" ThreadID="3112" />

<Channel>Security</Channel>

<Computer>BedigandMary-PC</Computer>

<Security />

</System>

<EventData>

<Data Name="SubjectUserSid">S-1-5-18</Data>

<Data Name="SubjectUserName">SYSTEM</Data>

<Data Name="SubjectDomainName">NT AUTHORITY</Data>

<Data Name="SubjectLogonId">0x3e7</Data>

<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege

SeTcbPrivilege

SeSecurityPrivilege

SeTakeOwnershipPrivilege

SeLoadDriverPrivilege

SeBackupPrivilege

SeRestorePrivilege

SeDebugPrivilege

SeAuditPrivilege

SeSystemEnvironmentPrivilege

SeImpersonatePrivilege</Data>

</EventData>

</Event>

Security1 folder..

Special privileges assigned to new logon

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 3/20/2010 3:10:32 PM

Event ID: 4672

Task Category: Special Logon

Level: Information

Keywords: Audit Success

User: N/A

Computer: BedigandMary-PC

Description:

Special privileges assigned to new logon.

Subject:

Security ID: SYSTEM

Account Name: SYSTEM

Account Domain: NT AUTHORITY

Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege

SeTcbPrivilege

SeSecurityPrivilege

SeTakeOwnershipPrivilege

SeLoadDriverPrivilege

SeBackupPrivilege

SeRestorePrivilege

SeDebugPrivilege

SeAuditPrivilege

SeSystemEnvironmentPrivilege

SeImpersonatePrivilege

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />

<EventID>4672</EventID>

<Version>0</Version>

<Level>0</Level>

<Task>12548</Task>

<Opcode>0</Opcode>

<Keywords>0x8020000000000000</Keywords>

<TimeCreated SystemTime="2010-03-20T22:10:32.212Z" />

<EventRecordID>111</EventRecordID>

<Correlation />

<Execution ProcessID="608" ThreadID="3112" />

<Channel>Security</Channel>

<Computer>BedigandMary-PC</Computer>

<Security />

</System>

<EventData>

<Data Name="SubjectUserSid">S-1-5-18</Data>

<Data Name="SubjectUserName">SYSTEM</Data>

<Data Name="SubjectDomainName">NT AUTHORITY</Data>

<Data Name="SubjectLogonId">0x3e7</Data>

<Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege

SeTcbPrivilege

SeSecurityPrivilege

SeTakeOwnershipPrivilege

SeLoadDriverPrivilege

SeBackupPrivilege

SeRestorePrivilege

SeDebugPrivilege

SeAuditPrivilege

SeSystemEnvironmentPrivilege

SeImpersonatePrivilege</Data>

</EventData>

</Event>

System folder..

Log Name: System

Source: Microsoft-Windows-Eventlog

Date: 3/20/2010 3:10:41 PM

Event ID: 104

Task Category: Log clear

Level: Information

Keywords:

User: BedigandMary-PC\BedigandMary

Computer: BedigandMary-PC

Description:

The Application log file was cleared.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />

<EventID>104</EventID>

<Version>0</Version>

<Level>4</Level>

<Task>104</Task>

<Opcode>0</Opcode>

<Keywords>0x8000000000000000</Keywords>

<TimeCreated SystemTime="2010-03-20T22:10:41.026Z" />

<EventRecordID>251</EventRecordID>

<Correlation />

<Execution ProcessID="976" ThreadID="3568" />

<Channel>System</Channel>

<Computer>BedigandMary-PC</Computer>

<Security UserID="S-1-5-21-1819561654-1787420719-1570195635-1000" />

</System>

<UserData>

<LogFileCleared xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">

<SubjectUserName>BedigandMary</SubjectUserName>

<SubjectDomainName>BedigandMary-PC</SubjectDomainName>

<Channel>Application</Channel>

<BackupPath>

</BackupPath>

</LogFileCleared>

</UserData>

</Event>

i don't know what all this means, but i found it while uninstalling avast (which i have not done yet, but will do now) i have over 6800 errors in 7 days (total)

critical, error, warning, information, audit success and audit failure total around 6800+

it's still crashing every day, some other files i came across seem to utilize these crashes (my assumption) i'll remove avast now.

again, thanks for your patience and help!!!!! :)

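Added example, not part of the original posts: one way to summarise pasted Event Viewer XML like the records above, counting Event ID 5038 (code integrity) failures per file so it is clear whether the audit failures come from one driver or from many files. The sample records are constructed, the `<Events>` wrapper element and the mapping of `\Device\HarddiskVolume1` to `C:` are assumptions, and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_event(event_id, when, param1, markers=False):
    """Build one constructed <Event>; markers=True mimics the '- <tag>' lines
    that appear when the XML view is copied with its collapse markers."""
    m = "- " if markers else ""
    return (f'{m}<Event xmlns="{NS["e"]}">\n{m}<System>\n<EventID>{event_id}</EventID>\n'
            f'<TimeCreated SystemTime="{when}" />\n</System>\n{m}<EventData>\n'
            f'<Data Name="param1">{param1}</Data>\n</EventData>\n</Event>\n')


# Constructed sample: two 5038 records for one driver, one for another file,
# and an unrelated 7036 record that must be ignored.
DRV = r"\Device\HarddiskVolume1\Program Files\Example AV\exampledrv.sys"
OTHER = r"\Device\HarddiskVolume1\Program Files\Example AV\other.sys"
SAMPLE_XML = ("<Events>\n"
              + make_event("5038", "2010-08-31T11:59:24.834Z", DRV)
              + make_event("7036", "2010-08-31T18:49:18.000Z", "Example Service", markers=True)
              + make_event("5038", "2010-08-31T12:05:00.000Z", DRV)
              + make_event("5038", "2010-08-31T12:10:00.000Z", OTHER, markers=True)
              + "</Events>")


def strip_viewer_markers(text):
    """Remove a leading '- ' in front of a tag so the paste parses as XML."""
    return re.sub(r"(?m)^[ \t]*-[ \t]+(?=<)", "", text)


def summarize_5038(xml_text, volume_map=None):
    """Return [(file, {'count', 'first', 'last'})] for Event ID 5038, most frequent first.

    volume_map translates device prefixes to drive letters, for example
    {r"\\Device\\HarddiskVolume1": "C:"}; the mapping is supplied by the caller.
    """
    root = ET.fromstring(strip_viewer_markers(xml_text))
    stats = {}
    for ev in root.iter("{%s}Event" % NS["e"]):
        event_id = ev.findtext("e:System/e:EventID", default="", namespaces=NS).strip()
        if event_id != "5038":
            continue
        path = ev.findtext("e:EventData/e:Data[@Name='param1']",
                           default="", namespaces=NS).strip()
        for device, drive in (volume_map or {}).items():
            if path.lower().startswith(device.lower() + "\\"):
                path = drive + path[len(device):]
        tc = ev.find("e:System/e:TimeCreated", NS)
        when = tc.get("SystemTime", "") if tc is not None else ""
        rec = stats.setdefault(path, {"count": 0, "first": when, "last": when})
        rec["count"] += 1
        # ISO 8601 UTC timestamps of equal precision sort correctly as strings.
        rec["first"], rec["last"] = min(rec["first"], when), max(rec["last"], when)
    return sorted(stats.items(), key=lambda kv: kv[1]["count"], reverse=True)


if __name__ == "__main__":
    for path, rec in summarize_5038(SAMPLE_XML, {r"\Device\HarddiskVolume1": "C:"}):
        print(f'{rec["count"]:>4}  {rec["first"]}  {rec["last"]}  {path}')
```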

came across more files, MANY more,

i cut & pasted to notepad, it is a lot... i've been using the computer for a few hours, all these logs are from today,

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 8/31/2010 4:59:24 AM

Event ID: 5038

Task Category: System Integrity

Level: Information

Keywords: Audit Failure

User: N/A

Computer: BedigandMary-PC

Description:

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 8/31/2010 10:33:31 AM

Event ID: 4608

Task Category: Security State Change

Level: Information

Keywords: Audit Success

User: N/A

Computer: BedigandMary-PC

Description:

Windows is starting up.

This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 8/31/2010 10:33:31 AM

Event ID: 4624

Task Category: Logon

Level: Information

Keywords: Audit Success

User: N/A

Computer: BedigandMary-PC

Description:

An account was successfully logged on.

Subject:

Security ID: NULL SID

Account Name: -

Account Domain: -

Logon ID: 0x0

Logon Type: 0

New Logon:

Security ID: SYSTEM

Account Name: SYSTEM

Account Domain: NT AUTHORITY

Logon ID: 0x3e7

Logon GUID: {00000000-0000-0000-0000-000000000000}

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 8/31/2010 10:33:31 AM

Event ID: 4902

Task Category: Audit Policy Change

Level: Information

Keywords: Audit Success

User: N/A

Computer: BedigandMary-PC

Description:

The Per-user audit policy table was created.

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 8/31/2010 10:33:31 AM

Event ID: 4902

Task Category: Audit Policy Change

Level: Information

Keywords: Audit Success

User: N/A

Computer: BedigandMary-PC

Description:

The Per-user audit policy table was created.

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 8/31/2010 10:33:31 AM

Event ID: 4648

Task Category: Logon

Level: Information

Keywords: Audit Success

User: N/A

Computer: BedigandMary-PC

Description:

A logon was attempted using explicit credentials.

Subject:

Security ID: SYSTEM

Account Name: BEDIGANDMARY-PC$

Account Domain: WORKGROUP

Logon ID: 0x3e7

Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:

Account Name: SYSTEM

Account Domain: NT AUTHORITY

Logon GUID: {00000000-0000-0000-0000-000000000000}

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 8/31/2010 10:33:31 AM

Event ID: 4624

Task Category: Logon

Level: Information

Keywords: Audit Success

User: N/A

Computer: BedigandMary-PC

Description:

An account was successfully logged on.

Subject:

Security ID: SYSTEM

Account Name: BEDIGANDMARY-PC$

Account Domain: WORKGROUP

Logon ID: 0x3e7

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 8/31/2010 10:33:31 AM

Event ID: 4672

Task Category: Special Logon

Level: Information

Keywords: Audit Success

User: N/A

Computer: BedigandMary-PC

Description:

Special privileges assigned to new logon.

Subject:

Security ID: SYSTEM

Account Name: SYSTEM

Account Domain: NT AUTHORITY

Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege

SeTcbPrivilege

SeSecurityPrivilege

SeTakeOwnershipPrivilege

SeLoadDriverPrivilege

SeBackupPrivilege

SeRestorePrivilege

SeDebugPrivilege

SeAuditPrivilege

SeSystemEnvironmentPrivilege

SeImpersonatePrivilege

Log Name: Security

Source: Microsoft-Windows-Eventlog

Date: 8/31/2010 10:33:35 AM

Event ID: 1101

Task Category: Event processing

Level: Error

Keywords: Audit Success

User: N/A

Computer: BedigandMary-PC

Description:

Audit events have been dropped by the transport. The real time backup file was corrupt due to improper shutdown.

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 8/31/2010 10:33:54 AM

Event ID: 5032

Task Category: Other System Events

Level: Information

Keywords: Audit Failure

User: N/A

Computer: BedigandMary-PC

Description:

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 8/31/2010 10:41:39 AM

Event ID: 4672

Task Category: Special Logon

Level: Information

Keywords: Audit Success

User: N/A

Computer: BedigandMary-PC

Description:

Special privileges assigned to new logon.

Subject:

Security ID: SYSTEM

Account Name: SYSTEM

Account Domain: NT AUTHORITY

Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege

SeTcbPrivilege

SeSecurityPrivilege

SeTakeOwnershipPrivilege

SeLoadDriverPrivilege

SeBackupPrivilege

SeRestorePrivilege

SeDebugPrivilege

SeAuditPrivilege

SeSystemEnvironmentPrivilege

SeImpersonatePrivilege

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 8/31/2010 10:41:39 AM

Event ID: 4624

Task Category: Logon

Level: Information

Keywords: Audit Success

User: N/A

Computer: BedigandMary-PC

Description:

An account was successfully logged on.

Subject:

Security ID: SYSTEM

Account Name: BEDIGANDMARY-PC$

Account Domain: WORKGROUP

Logon ID: 0x3e7

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 8/31/2010 10:42:11 AM

Event ID: 4905

Task Category: Audit Policy Change

Level: Information

Keywords: Audit Success

User: N/A

Computer: BedigandMary-PC

Description:

An attempt was made to unregister a security event source

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 8/31/2010 10:42:11 AM

Event ID: 4904

Task Category: Audit Policy Change

Level: Information

Keywords: Audit Success

User: N/A

Computer: BedigandMary-PC

Description:

An attempt was made to register a security event source.

Subject :

Security ID: SYSTEM

Account Name: BEDIGANDMARY-PC$

Account Domain: WORKGROUP

Logon ID: 0x3e7

i have about 50. these are partial but i do have full (it would take up a page)

i've never had a $ anywhere in my name... i did not change anything.

please let me know if i should post the full logs.

in the meantime, i'll continue to remove av.

thx


my apologies for posting redundant questions.....

i removed avast, loaded Avira. have not run a 'full test' yet, but already had 4 IP blocks in the last 2 hours...

68.105.28.12 twice

69.36.51.162

208.43.didnt catch the rest

199.7.52.didnt catch the rest

i removed avast but alwil-avast5-etc is still listed under programs. i also removed all Adobe but still on my comp.

going to reboot again and run full scan w Avira now

few questions,..

do you recommend Avira? or should i install a different one.

is this a normal binary code? (sorry if i keep asking stupid questions....)



too soon to say, about the same, maybe a bit better

reason is similar to avast: when i reboot, avira shield told me "firewall is not on" but i made sure to turn off windows firewall and set Avira to automatically turn on. i immediately opened my control panel and checked windows firewall (indeed it was off). quickly checked Avira, setting was off, changed in front of me. by the way, internet was working and wireless lan was on. i checked everything. then, somehow, it turned itself on...

if i erased avast, why is it still under programs? i erased recycle bin, checked and double checked, rebooted, etc, still there.

since posting this. i've had 5 IP blocks(20ish mins)

192.168.1.1 four times

72.215.225.9

i have Avira set to 'block all incoming IP' i know mine starts w 192.168, should i soften up my settings? current settings i chose are very strict.

but NO manual reboots since yesterday. i will spend some time 'surfing' the web today rather than inspect random areas of this stupid laptop. i will report back to you.

anything you would like me to do in the mean time?


ok, this is getting weirder for me Elise.... i "attempted" to turn windows firewall on. control, security, etc. it was off. w admin rights i turned it ON, clicked ok, then noticed this warning "windows firewall is not using the recommended settings to protect your computer" i click the "what are the recommended settings" and my windows firewall TURNED OFF right in front of my eyes "your computer is not protected: turn on Windows firewall"

while typing this, i've seen it change to "not using recommended settings" to "not protected at all" within a tenth of a second. it's done it now 12 or more times, bounced back and forth between those 2 settings, both of which are telling me "firewall off" or "firewall settings are not recommended" usually followed by an IP block, which has been the same since posting this 192.168.1.1

also, when setting up Avira, it did say to turn off windows firewall, actually did it for me, i checked to make sure (windows fw disabled) and assumed the avira program knew to do that. unless i am completely computer illiterate (chances are very high), Avira does have firewall. maybe since i have the free trial version it's not a function i can use??? that's all i can think of...

but no manual reboots yet ;) that's one thing i've noticed, by now i would've rebooted at least once or twice.

please help!

and thank you......for the millionth time....


"usually followed by an IP block, which has been the same since posting this 192.168.1.1"

That IP address is your router.

Please click Start > Programs > Accessories, right click on Command Prompt and select "run as administrator".

Type netsh firewall reset and press enter.

Restart your computer and let me know how things are.


avira scan is in progress, i'll reset when done.

i opened firewall settings, exceptions, and found 'core networking' and 'remote assistance' both allowed.. i turned them both off. NOTE: i never changed these exceptions..

few more IP blocks since last post:

217.160.173.234 many times

206.253.225.8 once or twice.

Avira scan is 62% complete. once done, i'll reset, reboot, and post back.


i dont know what to say...

yesterday's scan was still running this morning(21 hours +) i turned off my comp(the right way, start, shutdown, waited 5 minutes, restarted) and ran avira again.

stuck on 21.9% complete since a few minutes into it..

Scanned files=0

Scanned directories= 0

scanned archives=0

Objects scanned=128977

yesterday it was 128971, 0 on everything else, just like today.

Status: hidden objects search is running!

last object:

c\:window\winsxs\...\usbmon.dll

going on 44+ minutes now. still 21.9%, still scanning

3 IP blocks today.

64.4.52.182

65.55.200.139

206.253.225.8

what shall i do now?


i restarted the computer since avira was still on 21.9% w a run time of over 2 hours.

GRC Port Authority Report created on UTC: 2010-09-04 at 22:00:24

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,

119, 135, 139, 143, 389, 443, 445,

1002, 1024-1030, 1720, 5000

0 Ports Open

0 Ports Closed

26 Ports Stealth

---------------------

26 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,

- NO unsolicited packets were received,

- NO Ping reply (ICMP Echo) was received.

----------------------------------------------------------------------

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2010-09-04 at 22:03:04

Results from scan of ports: 0-1055

0 Ports Open

0 Ports Closed

1056 Ports Stealth

---------------------

1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,

- NO unsolicited packets were received,

- NO Ping reply (ICMP Echo) was received.


If Avira still does hang on this file, just stop it.

Can you restart your computer and let me know how things are running?

After that, we will have a closer look at these IP blocks. Please do NOT include any more logs, just report to me how things are running!


This topic is now closed to further replies.