I know I’m supposed to keep out of the logs on the whole, but I’m scratching around for any clues to a persistent wireless connection issue that I have, and I’m trying to convince myself it’s not associated with my security software either singly or in combination. So please humour me a while …
I’m running Win XP Home SP3, with Avast! 4.8, Online Armor free edition, TrojanHunter and Malwarebytes AntiMalware.
setifaceUpdatePackages
I know that I can expect setifaceUpdatePackages to fail from time to time, and it’s no cause for concern. Until recently, that is exactly what was happening. But since 9 September, the warning log shows anything from 1 to 9 instances (return code 20000004) every day, with one exception (16 September), and this does not sound good. Admittedly, the virus database is only 1 day out of date, so the update process does seem to be limping along somehow - but why would it have started to fail so regularly?
x_AavmCheckFileDirectEx
There are loads of entries in the warning and error logs for this routine (returning 00000005), and I know the typical culprits (usually Firefox profile stuff and Microsoft template stuff), and I know I don’t need to worry about them on the whole. But I do keep an eye out for the more unusual entries and since 2 September I have had 11 instances of this (so once every two days, on average):
Error 5 is access denied. Probably file in use. Nothing much to be worried about either.
A little bit strange, as the rootkit scanning is run 8 minutes after boot and should have been no trouble…
Anti-rootkit scan log is in C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log.
It will basically just look for hidden services and drivers, that’s it. I.e. it will take a list of loaded services and drivers (which means a list of roughly ~200 items) and compare these results with a low level scan. As I said, it should be fairly fast (not noticeable).
It happens and is nothing to worry about, as avast will try again to get a connection; if it fails after all attempts then you would get a Red pop-up Update failed notice. If you do get that again, unless it is a regular occurrence, like all the time, I wouldn’t worry about it.
Again, under normal circumstances this is nothing to worry about: avast just can’t scan a file because access is denied. What you have to identify is if the reason access is denied is reasonable, and to do that you have to investigate the file name.
See http://www.threatexpert.com/files/beep.sys.html which basically says this file name has been found to be malicious on many occasions and could be being protected by a malicious process, but a file name is no certainty.
If multiple scanners find these infected send the samples to avast for analysis and inclusion in the virus database.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Again, unless it is happening all the time, not too much to be concerned about, but bearing in mind the above about beep.sys it needs further investigation.
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).
1. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
2. SUPERantispyware On-Demand only in free version.
Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them. See http://en.wikipedia.org/wiki/HTTP_cookie.
Download and run HJT and post the contents of the log file (cut and paste or attach the log file) into this topic, you may need to split it over two or more posts depending on how large it is.
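The two log questions in this thread (how often setifaceUpdatePackages returns 20000004 per day, and which x_AavmCheckFileDirectEx error-5 paths fall outside the usual Firefox-profile and Microsoft-template noise) can be answered with a small log triage script. This is an added example, not part of the thread or Alwil's tooling; the line layout and sample entries are constructed for illustration, since the real avast 4.8 warning-log format is not shown here.

```python
import re
from collections import Counter

# Constructed sample log in an ASSUMED "date time routine return-code [path]" layout.
SAMPLE_LOG = """\
09/09/2009 08:12:03 setifaceUpdatePackages 20000004
09/09/2009 13:40:51 setifaceUpdatePackages 20000004
10/09/2009 08:11:59 setifaceUpdatePackages 20000004
10/09/2009 08:20:07 x_AavmCheckFileDirectEx 00000005 C:\\Documents and Settings\\Andy\\Application Data\\Mozilla\\Firefox\\Profiles\\abc.default\\places.sqlite
11/09/2009 08:19:44 x_AavmCheckFileDirectEx 00000005 C:\\WINDOWS\\system32\\drivers\\beep.sys
"""

LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) \S+ (\w+) ([0-9A-Fa-f]{8})(?: (.*))?$")

# Path fragments the thread treats as routine "access denied" noise (hypothetical list).
BENIGN_HINTS = ("\\mozilla\\firefox\\profiles\\", "\\microsoft\\templates\\")


def parse(text):
    """Yield (day, routine, return_code, path) for every line that matches the assumed layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).upper(), m.group(4) or ""


def update_failures_per_day(text):
    """Count setifaceUpdatePackages failures (return code 20000004) per calendar day."""
    counts = Counter()
    for day, routine, code, _ in parse(text):
        if routine == "setifaceUpdatePackages" and code == "20000004":
            counts[day] += 1
    return dict(counts)


def unusual_access_denied(text):
    """Return error-5 scan paths that are NOT in the known-benign locations, for manual follow-up."""
    unusual = []
    for _, routine, code, path in parse(text):
        if routine == "x_AavmCheckFileDirectEx" and code == "00000005":
            if not any(hint in path.lower() for hint in BENIGN_HINTS):
                unusual.append(path)
    return unusual


if __name__ == "__main__":
    print(update_failures_per_day(SAMPLE_LOG))
    print(unusual_access_denied(SAMPLE_LOG))
```

Paths returned by unusual_access_denied are the ones worth checking against VirusTotal or sending to avast, as the thread describes.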
I got a 1/41 score for my beep.sys. ESafe detected Win32.Banker. This is the same result, from the same engine, as I got on the other occasion I uploaded a file to VirusTotal for analysis recently, so I presume this is an Esafe FP. But I’d be happier if I’d got a 0/41 score on both occasions. Not sure what you mean by: "report the findings here the URL in the Address bar of the VT results page. "
Diagnostics:
I’ve been using MBAM for several months now, it hasn’t found anything amiss for quite a while.
SuperAntiSpyware I recently uninstalled because it seemed to me to be resource-greedy for little payback
HijackThis log below
Andy
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:40:34, on 24/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Go to Add/Remove Programs and un-install vulnerable Adobe Reader 7.0.
Adobe Reader has become the latest favorite of the malware purveyors and is under constant attack and I would remove all Adobe Reader from the system and get Foxit Reader as it is much safer: http://www.filehippo.com/download_foxit
Run the install application then select Custom then Next then un-select Desktop shortcut, Quick Launch Toolbar and Firefox plugin if you don’t have Firefox then Next then Install then un-select Foxit Toolbar and Ask.com default search then Next then un-select Create desktop eBay, quick launch
I ran Secunia, and it identified three vulnerable apps: Java, QuickTime and Adobe Reader. I downloaded the recommended patch installers for all three and installed them.
So I haven’t uninstalled Adobe Reader 7 yet.
I didn’t follow up the hive cleanup service because I’m not getting any events with IDs 1517 or 1524.
You need to uninstall old versions of adobe reader or there are exploits that try to use old versions specifically. You should only have the latest version installed and remove older versions.
If you aren’t having any slow log-off or shutdown issues, then you don’t really need the User Profile Hive Cleanup service.
On my old XP Home 2.4GHz 512MB RAM system it made a lot of difference, and on the XP Pro system not as much, but on your Core2Duo E8300 / 2GB RAM system then I guess it does not.