
AVG PC TuneUp scan on Win7 PC shows more than 11000 browser items


16 replies to this topic

#1 MorriganXa


Posted 16 February 2017 - 03:31 PM

AVG PC TuneUp manual scan on Win7 PC shows more than 11,000 browser items after opening IE11 into Yahoo for approx 2 minutes, then closing IE11.

The spurious browser items do not appear as extra web pages.

Web pages do not seem to require extra time to load.

The PC otherwise operates normally.

This effect also appears in Safe mode with networking option selected.

Wireshark and Cports tools seem to verify a high number of internet contacts to disparate sites worldwide.

Scanned computer in live and safe modes with AVG Antivirus, MalwareBytes, Spybot, Microsoft Malware Removal Tool (MRT), Adware Cleaner, Hitman Pro, C-Cleaner, and cleared CryptNet cache. No viruses or malware found.

Ran CheckDisk, Kaspersky Rootkit killer. Nothing found.

Ran HijackThis on this PC. Compared results with HijackThis on a laptop with same OS (Win7), same programs, on same network. Evaluated results on HijackThis.de Security website. No obvious malware entries were found.

Ran DDS (Ver_2012-11-20.01), printed results. Will send same at your direction.

Verified AVG computer firewall, Linksys router firewall were operating correctly and PC Data Execution prevention option was selected.

AVG PC TuneUp manual scan on a laptop with same OS (Win7), same programs, on same network shows -no- browser items after opening IE11 into Yahoo for approx 2 minutes, then closing IE11.

Thanks in advance for your help.





#2 TsVk!


Posted 16 February 2017 - 03:41 PM

Bleeping Computer does NOT recommend the use of PC Optimizers, Driver Updaters or Registry Cleaners. Please see this excellent post on the subject by Quietman7.
I would recommend that you uninstall this program. Using such programs can cause computer issues, and I speak from personal experience. You are well advised to stay away from these applications. They are all "snake oil" as well as being dangerous to the health and performance of your computer. Generally speaking all of the functions that these program classes perform are either already built into Windows or should not be done automatically, only when the need arises.
 
I would personally recommend removing it with a tool, to make sure it is out completely.
 
Please download and install Revo Uninstaller.

  • Run the application and wait for the icon page to fully populate
  • Select AVG Tuneup from the list and click the Uninstall button in the top ribbon
  • After Revo has created a restore point it will automatically run the target program's built in uninstaller.
  • Click through the uninstaller.
  • When it has completed you will be presented with a scanning page, select Moderate and then Scan
  • In the new windows click Select All then Delete and then Finish

Now the spurious application is removed...
 
If you want you can install an application that will remove any extra temp files and clean up your HDD a bit, if you wish. I recommend CCleaner. Just avoid using the registry cleaning function.


Edited by TsVk!, 16 February 2017 - 03:58 PM.
added word NOT to 1st sentence


#3 MorriganXa


Posted 16 February 2017 - 05:20 PM

TsVk!

Thanx for your note.

If PC TuneUp were the only factor, I would agree.

Not to be contrary, but PC TuneUp has worked well on all my computers since its purchase several years ago.

The laptop used for comparative diagnostics has the same version of PC TuneUp, but does not have the problem.

Whether DDS (Ver_2012-11-20.01) test results prove otherwise remains to be seen.

Running Process Explorer, Wireshark, Cport, and Task Manager on the PC showed no evidence that PC TuneUp opened any process or port to cause the problem.

However, Wireshark and Cport support evidence of the problem by indicating excessive internet traffic tied to the same process id (Internet Explorer).

The problem also appears in Safe mode in which PC TuneUp has been confirmed disabled.

Murphy's Law being what it is, I shall remove PC TuneUp with Revo and monitor internet access with Cport to see if the problem repeats.



#4 TsVk!


Posted 16 February 2017 - 08:30 PM

If you like we can do some further inspection and look at how your machine is running, and which files exist that may cause issues. I'm happy to help to the best of my ability.

 

Let me know how you would like to proceed.



#5 MorriganXa


Posted 17 February 2017 - 03:21 AM

TsVk!, Would like to proceed with your help.

 

Since our last...
 
Uninstalled AVG Internet Security and PC TuneUp with Revo. Checked for and removed program artifacts with C-Cleaner and manual inspection of folders.

 

Reinstalled AVG Internet Security and PC TuneUp. Verified updates and configurations.

 

Ran PC Tuneup manual scan. Results showed no browser items.

 

Opened IE11 to Yahoo.com. approximately 1 minute, closed same, exited IE11.

 

Ran PC TuneUp manual scan. Results showed 11,378 browser items.

 

Results showed browser items were located in C:\Users\JoelG\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content -and- C:\Users\JoelG\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

 

Closed PC TuneUp without executing "Fix and Clean" which would return the 11,378 to zero.

 

Ran Webcache Killer

 

Ran PC Tuneup manual scan. Results showed 11,381 browser items.

 

Executed PC TuneUp "Fix and Clean" which returned the 11,381 to zero.

 

Checked and cleared certificate revocation list, Online Certificate Status Protocol responses, and CryptNet cache with "certutil -urlcache CRL delete", "certutil -urlcache OCSP delete", and "certutil -URLcache * delete".

 

(All programs and command lines were executed in Administrator mode.)

 

Opened IE11 to Yahoo.com. approximately 1 minute, closed same, exited IE11.

 

Ran PC Tuneup manual scan. Again, results showed 11,381 browser items.

 

Again, results showed browser items were located in C:\Users\JoelG\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content -and- C:\Users\JoelG\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData.
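
Added example, not part of any post in this thread: a Python triage script for the two CryptnetUrlCache folders named in post #5, which reads each MetaData entry, pulls out the URL it was fetched from, and counts entries per host so the items can be attributed to their sources. It assumes that MetaData entries embed the source URL as UTF-16LE text and that a Content file shares its MetaData entry's name; the function names and the sample entries are constructed for illustration.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path
from urllib.parse import urlsplit

# Assumption: a MetaData entry embeds its source URL as UTF-16LE text after a
# binary header, so this scans for the pattern instead of using fixed offsets.
URL_RE = re.compile(rb"(?:h\x00t\x00t\x00p\x00|l\x00d\x00a\x00p\x00)(?:[\x21-\x7e]\x00)+")

def extract_url(blob):
    """Return the first http(s)/ldap URL stored as UTF-16LE in blob, or None."""
    m = URL_RE.search(blob)
    return m.group(0).decode("utf-16-le") if m else None

def summarize(cache_root):
    """Return (entries per host, entries with no URL, entries lacking a same-named Content file)."""
    root = Path(cache_root)
    hosts, unparsed, orphans = Counter(), 0, 0
    for meta in (root / "MetaData").iterdir():
        url = extract_url(meta.read_bytes()) if meta.is_file() else None
        if url is None:
            unparsed += 1
            continue
        hosts[urlsplit(url).hostname or "(no host)"] += 1
        if not (root / "Content" / meta.name).is_file():
            orphans += 1
    return hosts, unparsed, orphans

def demo():
    """Run summarize() over a constructed cache (sample data, not real entries)."""
    samples = [("A1", "http://crl.example.test/root.crl", True),
               ("B2", "http://crl.example.test/issuing.crl", True),
               ("C3", "http://ocsp.example.test/MFEwTzBN", False),
               ("D4", None, True)]  # D4: header only, no URL
    with tempfile.TemporaryDirectory() as tmp:
        for sub in ("MetaData", "Content"):
            Path(tmp, sub).mkdir()
        for name, url, has_content in samples:
            body = b"\x58\x00\x00\x00" * 3 + (url.encode("utf-16-le") + b"\x00\x00" if url else b"")
            Path(tmp, "MetaData", name).write_bytes(body)
            if has_content:
                Path(tmp, "Content", name).write_bytes(b"constructed")
        return summarize(tmp)

if __name__ == "__main__":
    live = Path.home() / "AppData/LocalLow/Microsoft/CryptnetUrlCache"
    hosts, unparsed, orphans = summarize(live) if (live / "MetaData").is_dir() else demo()
    print(hosts.most_common(20), f"unparsed={unparsed} orphans={orphans}")
```

Run on the affected PC it reads the live cache; elsewhere it falls back to the constructed sample. Comparing the per-host counts from the affected PC and the unaffected laptop shows which sources account for the difference in item counts.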



#6 TsVk!


Posted 18 February 2017 - 12:50 PM

Maybe PC Tuneup is the problem still, detecting and deleting files that it really has no business looking at...

 

Here is some further explanation about the cryptnet folders:

 

- Are these folders a permanent (or even temporary) record of a user's search history / web activity?
NO, these folders store the URL which are accessed via SSL (NOT a user's search history or web activity). By default, the OS is pre-installed with a number of SSL URL for a number of Intermediate and Trusted Root Certification Authorities for performing SECURED web activity for Internet Explorer or Google Chrome only. The user can add new URL when visits have been made to a website via SSL and such URL is not included in the corresponding URLS for Intermediate and Trusted Root Certification Authorities.

- If these files are not deleted by most "surfing trace cleaner" type utilities, then can they/should they be modified manually?
Unless you DO NOT want to visit any web site via SSL, you can remove all content inside the sub-folders of subfolders of "Content" and "MetaData".

- Why is the content encrypted, and how & when is the content decrypted?
It is difficult to explain as it is a kind of browser behavior. CryptnetURL is only valid for Internet Explorer or Google Chrome.  Please visit the URL below to get a brief understanding. http://www.f5.com/pdf/white-papers/browser-behavior-wp.pdf 

- What is the primary function and purpose of this kind of encrypted, hidden (by default) folder?
As explained earlier, it is just how Internet Explorer or Google Chrome works on SSL URLs.  Being hidden is to avoid accidental deletion by normal users just like other system files.

- Do these encrypted and hidden folders pose a potential security threat to users?
NO



#7 MorriganXa


Posted 18 February 2017 - 04:01 PM

TsVk!, The early bird, yourself... 19 hours ahead of me, it seems...

Thanx for your research. From experience, I agree that more than a bit of cynical malware is flogged as pc optimizer. Caveat emptor, even if free.

Found no evidence that PC TuneUp is the culprit after:
(a) removing and reinstalling same;
(B) using it for many years on several computers without this problem;
© using it now on a similarly configured Asus laptop running on same network, without this problem;
(d) observing that problem occurs in Safe Mode with networking, while PC Tune-Up does not operate in Safe Mode.

Understand cryptnet simply shows evidence of activity conducted elsewhere.

Mentioned because strategy was to flush caches and certificates that might contribute to IE11's anomalous behaviour.

Doing so did not resolve the problem, but seemed to focus the issue:

What causes IE11, on opening, to contact thousands of sites and leave evidence of that activity in cryptnet (as opposed to IE history)?

Other findings since our last:

Found IE11 connects to thousands of spurious sites and deposits evidence in cryptnet, --almost as soon as IE11 is opened--.

Number of spurious sites connected by IE11 remains nearly the same each time IE11 is opened.

Opened IE11 without add-ons. Same results, IE11 contacts the same number of spurious sites.

The 11,000 contacts may be momentary because:
(a)  TCP Viewer and Cport do not show evidence of 11,000 continuous contacts;
(B)  LAN traffic does not slow, and traffic volume does not increase, as would be expected from continuous contact with 11,000 sites.
©  CPU usage does not rise significantly, is comparable to Asus laptop running IE11 on the same network.

Can send screenshot(s). Request instruction on attaching same.



#8 MorriganXa


Posted 18 February 2017 - 04:11 PM

Forgive format gibberish... Bleeping doesn't seem to like letters in parentheses...



#9 TsVk!


Posted 18 February 2017 - 08:23 PM

To be honest, we are starting to go out of the scope of my knowledge here. I'm sure with some experimentation and research you would be able to learn more about the subject.

 

In my opinion Internet Explorer has been the best browser, to download Firefox with, in the last 10 years. If you were to hold it with such high regard it would also be just as effective for you.



#10 MorriganXa


Posted 18 February 2017 - 11:24 PM

TsVk!, Interesting thought... Will give Firefox a try...

 

Thanx for your help and patience.



#11 TsVk!


Posted 19 February 2017 - 05:45 PM

You're welcome. :)

 

In my humble opinion, essential add ons for Firefox security include

  • FlashBlock
  • Popup Blocker Ultimate
  • Ghostery

I also like

  • DISCONNECT
  • Privacy Badger
  • AdBlock Plus
  • User Agent Switcher

Some of these things might need some tweaking or disabling on your favourite sites. I have an ad-free, pop-up free, click-here-to-continue free experience on the internet.

 

They can provide you with a much more secure and user friendly experience.



#12 MorriganXa


Posted 19 February 2017 - 06:20 PM

Will get on with it, then...

 

Last question... what does one do in Firefox to see selected animated things whilst remaining ad-free and pop-up free?



#13 TsVk!


Posted 19 February 2017 - 06:28 PM

With FlashBlock you can just click on a particular object if you want it to play/animate/etc.

 

Or if there is a whole page you want to allow, you allow it from the drop-down menu up the top....

 



Edited by TsVk!, 19 February 2017 - 06:32 PM.


#14 TsVk!


Posted 19 February 2017 - 06:33 PM

This tutorial will help a lot

 

https://support.mozilla.org/t5/Customize-controls-options-and/Customize-Firefox-controls-buttons-and-toolbars/ta-p/2715



#15 MorriganXa


Posted 19 February 2017 - 11:32 PM

Thanx for both...





