Behavior Blocker Event - Open File for Writing

Hello,

The symptom is, Open File for Writing pops up frequently, and in the More Information block, it indicates that Windows XP® has its svchost.exe trying to Open File for Writing on File Name: C:\System Volume Information.…\A0113512.dll, and every few minutes this window pops up, wanting to be assigned one of three dispositions, “Allow,” “Allow All,” or “Deny.”

Now, in ordinary normal operation with Windows XP, why should anything be trying to modify a file in the “System Volume Information” folder? Every few minutes, this Avast! Behavior Blocker Event window (dialog box only) pops up. Each time, the filename is somewhat different. Using Windows® Explorer (not IE 8.0), it is seen that the files in question are dated as of last change, and these dates are several weeks ago. This raises the suspicion that a file may be altered by virus action.

Please advise. Does this alert show a problem, or is it routine? If so, why; and if not, why not? Please explain, why; and, if not, why not! Also, please tell us what to do for best results.

Should we allow this as routine and not malicious?

Falling Rock

OS: Windows® XP Professional SP 3, 32b, regularly patched by Windows® Update except when the install fails
SYST: HP Pavilion a1040n
CPU: Intel P4 519J 3.065GHz
RAM: 2GB DDR 3200
HD: 158 GB free on system partition
AV: Avast! Home Edition - Free v4.8.1368, files updated typically 2x per day
AS: Windows Defender updated every two to six days since Oct. '08.
AS: Ad-Aware v8.0.0.0
FRWL: Comodo (free) v3.13.121240.574
BRWSRS: Firefox v3.5.6 preferred, also available - M$ IE 8.0
Firefox Extensions: NoScript 1.9.9.22; Java Quick Starter; AVG Toolbar and Safe Search; WOT; IE Tab; Forecastfox; Flagfox; DownloadHelper; Move Media Player; LinkedIn Companion; Screengrab.
Firefox Plugins: *-IE Tab Plug-in for Mozilla/Firefox; *npmnqmp 989898989877; *Default Plug-in; *NPRuntime Script Plug-in Library for Java™ Deploy; *getplusplusadobe16241; *Adobe PDF Plug-In For Firefox and Netscape; *NPCIG 1.0.0.3; *Office Plugin for Netscape Navigator; *Shockwave Flash 10.0 r32; *Adobe Shockwave for Director Netscape plug-in, version 11.5; *Windows Presentation Foundation (WPF) plug-in for Mozilla browsers; *Next Generation Java Plug-in 1.6.0_15 for Mozilla browsers; *DRM Netscape Network Object; *Npdsplay dll; *DRM Store Netscape Plugin

What are your Standard Shield settings, e.g. have you been tweaking (sounds like it)?

See image of default settings; if you change any of these you are going to be nagged to death, if they are for common operations. I have none selected, and the only one I would select if so inclined would be Formatting.

It is possible that this is XP indexing (which I have disabled as a waste of time), I don’t know for sure if this is it but there are some options in the OS that whilst they may only be reading still have the higher open for writing level.

David R,

Thank you for the reply, and for the excellent questions. I beg your pardon for my having not responded promptly after you replied to me so nicely, but I was offline for several days due to some issues that prevented my replying to your helpful post.

I will give the best answers to your questions that I can. [Note: I have spent three+ hours on this reply, tonight, making it as good as I can.]

FYI, I am on Avast! v8.1.3 Home Edition-Free now, and I can see only the simple GUI, and I have been unable tonight to evoke the dialog box that you included here. When I clicked on the Resident Protection: Standard item in the simple GUI, it showed me a small graphic at the bottom of its frame in its left, a graphic having the highlight bar in the middle position and word, “Standard.” I cannot find any other access to Standard Shield status in this GUI. So, I suppose that I MUST be on the Default settings in Standard Shield.
Is that supposition necessarily valid, based upon this observed evidence?

AVG 8.5 was installed, yes; and some unknown event a month ago caused it to stop working. I downloaded and installed Avast! Free for the trial that extends to Jan. 27, 2010. (I am considering the upgrade to Professional versus working out the AVG Uninstall problem and installing AVG 9.0)
At the initial event, the AVG icon vanished from the Tray, and the AVG shortcut would not Start the app. Some of AVG’s processes were seen in Microsoft® Windows XP® Task Manager still running, but no UI for AVG could be seen; stopping the remaining AVG processes took numerous tries and a reboot to make them go away. Add/Remove Programs reports, at every attempt, that the Change/Remove button (uninstall) on its AVG line fails!
After I ran the Uninstall that failed, and then I rebooted, I have not seen AVG as a running Application and not any AVG files listed by the Task Manager on its Processes tab. I tried to install AVG 9.0 back during this confusion, but it would not install, reporting that AVG 8 must be uninstalled first, before installing 9.0. And of course, as we have seen, AVG 8 will not uninstall, first.

Zone Alarm firewall also was killed by this event, and so I turned ON the Microsoft® Windows® firewall as quickly as I could, and then installed Comodo Free for trial as the fully capable firewall.

As for XP indexing, you may well be right. I will add that I am now seeing the Open File for Writing box asking me to approve …\Documents and Settings.…\MSS.exe much more frequently than I see the files in System Volume Information subfolders. The MSS.exe is shown by Avast to be invoked by “Program: searchindexer.e” (NOT searchindexer.exe) and “searchindexer.exe” is seen continually in Task Manager. It can be terminated by Task Manager, but in a few seconds, it reappears there, and I cannot get rid of it. Every time I reboot, the Indexing icon reappears in the Tray; and then I use its right-click menu to left-click upon the word, “Exit” and the icon vanishes from the Tray, but the program “searchindexer.exe” stays active in Task Manager>Processes. I found that I can stop the program in Task Manager>Processes. However, then the program re-opens in a few seconds, and this repeats every time I stop it with End process or End process tree in Task Manager.

I would stop that Indexer permanently, as you did, if you will, please, tell me how to make it happen!
:slight_smile: By the way - if you could encourage Avast to include in next update a “fix” that would show the full path to the “Program:” and also the full path to the File that is being opened for editing, it would be a helpful improvement. The dialog box itself is not wide enough horizontally now, but this can be fixed easily by wrapping the lines and making the dialog box to stretch itself wider vertically, to fit the added lines. :slight_smile:

I still am troubled by whatever is behind the “Program: svchost.exe” that is repeatedly trying to “Open File for Writing” on these A[number].dll files. I thought it was the data for use in a System Restore operation, but I really do not know that. And if it is for System Restores, I should think that changing those files would invalidate the file as to the restoration of its specific date for restoration. Of course, I fear that this may be a signal, indicating that there is a persistent virus or bot or rootkit in my system.
Can you confirm for me, what is the System Volume Information used for? Why should these files be “written,” or even “read,” when there is no System Restore being performed at the time?

Your helpfulness is appreciated. I am very grateful to have your expert help!

Falling Rock

OS: Windows XP Professional SP3, 32b, regularly patched by Win Update / SYST: HP Pavilion a1040n / CPU: Intel P4 519J 3.065 GHz
RAM: 2GB DDR 4200 / HD: 155 GB free on system partition / AV: Avast! 4.8 Home Edition-Free, updated typically 2x per day
AS: Windows Defender updated every two to six days since Oct. '08. / Ad-Aware Free 8.1.3 / FIREWALL: Comodo 3.13.126709.581.
Firefox Extensions: NoScript 1.9.9.35; Java Quick Starter 1.0; IE Tab; Forecastfox; Flagfox; DownloadHelper; FireDownload; PDF Download; Move Media Player 7; LinkedIn Companion; Screengrab; WOT.
Firefox Plugins: *-IE Tab Plug-in for Mozilla/Firefox; *npmnqmp 989898989877; *Default Plug-in; *NPRuntime Script Plug-in Library for Java™ Deploy; *getplusplusadobe16241; *Adobe PDF Plug-In For Firefox and Netscape; *NPCIG 1.0.0.3; *Office 2003 Plugin for Netscape Navigator; *Shockwave Flash 10.0 r32; *Adobe Shockwave for Director Netscape plug-in, version 11.5; Windows Genuine Advantage 1.9.9.1; *Windows Presentation Foundation (WPF) plug-in for Mozilla browsers [Disabled]; *Npdsplay dll; *Next Generation Java Plug-in 1.6.0_17 for Mozilla browsers; *DRM Netscape Network Object; *DRM Store Netscape Plugin; npybrowserplus_2.4.21

Left click on the avast Icon:

  • That should open the On-Access Scanner window.
  • If you see a Details… >> button, click that.

Now you will have a list of the avast Shields:

  • select the Standard Shield one.
  • click the Customize… button.
  • now you should see the image I posted.
  • Clear the Blocking Operations options (this is the default setting) and that should stop all the pop-ups.
    If you want to leave the Format option enabled, that shouldn’t get any activity unless someone/thing tried a format command.

Even assuming I’m right on the XP Indexing, resetting the avast Blocking Operations to the defaults should resolve this anyway. What it won’t do is stop the indexing activity, which, as I said, for the benefits it brings the CPU and HDD activity are a greater penalty in my opinion.

You would be surprised just how helpful the Windows Help and Support from the Control Panel (or Start button, depends on your settings) is: search on indexing and in the list is ‘Using Indexing Service’; click that and all the information is there.

The Anumber.dll or Anumber.exe files, etc. are in the System Volume Information folder (my educated guess) and would be related to system restore, but that depends on what you were doing at the time.
Where were you monitoring that activity, and why were you monitoring it?

Re AVG - It may be worth running this removal tool to ensure that all remnants are gone:

  • AVG 8.x (or higher) Remover, download the tool from here: http://www.avg.com/download-tools; there is a 32-bit and a 64-bit Windows version, ensure you use the correct one.
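As an added example (not from this thread, avast or Microsoft), a small Python helper that parses the two fields shown in an Open File for Writing event and sorts it into the two routine cases discussed above (svchost.exe writing a System Restore copy under System Volume Information, and the indexing service) versus anything that deserves a closer look. The `_restore{GUID}\RPnnn\Annnnnnnn.ext` layout is the standard XP System Restore layout; the GUID and user name in the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Windows XP System Restore keeps its file copies under
# C:\System Volume Information\_restore{GUID}\RPnnn\Annnnnnnn.ext
RESTORE_POINT_RE = re.compile(
    r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}"
    r"\\RP\d+\\A\d{7,8}\.[A-Za-z0-9]+$",
    re.IGNORECASE,
)

# Program names as avast displays them. The dialog truncates long names
# ("searchindexer.e"), so the displayed text is matched as a prefix.
KNOWN_PROGRAMS = {
    "svchost.exe": "Windows service host (System Restore runs inside it)",
    "searchindexer.exe": "Windows Search indexing service",
}

@dataclass
class Alert:
    program: str
    file_name: str

def parse_alert(text: str) -> Alert:
    """Pull the 'Program:' and 'File Name:' fields out of an event's More Information text."""
    prog = re.search(r"Program:\s*(\S+)", text)
    fname = re.search(r"File Name:\s*(.+?)\s*$", text, re.MULTILINE)
    if not prog or not fname:
        raise ValueError("not an Open File for Writing event")
    return Alert(prog.group(1), fname.group(1))

def match_program(shown: str):
    """Return the full known program name for a possibly truncated display name."""
    shown = shown.lower()
    for full, description in KNOWN_PROGRAMS.items():
        if shown and full.startswith(shown):
            return full, description
    return None

def triage(alert: Alert) -> str:
    """Classify the event. The dialog shows no path for the program, so this is a
    hint for choosing Allow/Deny, not a verdict; anything else should be examined."""
    prog = match_program(alert.program)
    if prog and prog[0] == "svchost.exe" and RESTORE_POINT_RE.match(alert.file_name):
        return "routine: System Restore writing a restore point copy"
    if prog and prog[0] == "searchindexer.exe":
        return "routine: indexing service activity"
    return "review: unexpected program or file path"
```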

OK,

Your image has the Blocker tab selected; thanks for straightening me out on finding this dialog. I had tweaked, as you guessed. Will try your settings.
I have downloaded the avgremover.exe file, and I will try it tomorrow. Should I log into safe mode, and run avgremover from there?

The Help & Support search for indexing is taking me elsewhere, and I am too tired now (after Midnight) to fuss with it, so will defer 'til tomorrow. Thank you for these suggestions. Will post tomorrow if all goes well.

FR

You’re welcome.

Yes, tweaking can have unexpected consequences when you don’t know what they do.