O.T. Computer Cleaning Maintenance:

The 8200 came back up fine with no problems
but I ran the scans again just to make sure.


Robert

Mark Twain wrote:
When I computer freezes I can't do anything,
the mouse doesn't work or the keyboard. Once
it free's up everything is back to normal but
it shouldn't be doing this at all and never
did this before.

I also came across another question: I was
updating SpywareBlaster and it said that there
was a new version available so I clicked the link:

http://i58.tinypic.com/2r76ijt.jpg

http://i57.tinypic.com/2h4drww.jpg

http://i59.tinypic.com/9s865g.jpg

http://i59.tinypic.com/qqcoja.jpg

It's pretty confusing on which to click for
the correct download. So I thought I would play
it safe and ask you before I click the wrong one.

Why do they make things so difficult? If there's
a new version I shouldn't have to click multiple
times to get it and the download screen just contain
that one download and nothing else.

Your right the EXE command is much better but I
don't know how to retrieve it for the update.

I also I ran a Avast scan on the 8200 and found
(2) threats which I successfully deleted and it
recommended a restart/scan which it's in the
process of doing now.

I'll be ordering the external HD and case for
storage on the 8500 on Wed.


Thanks,
Robert


I checked, and SpywareBlaster is owned by BrightFort.

https://en.wikipedia.org/wiki/SpywareBlaster

This is supposed to be a link to the product page.

http://www.brightfort.com/spywareblaster.html

*******

In your first picture, they don't promise a direct download.
That button is supposed to "lead you on safari".

On the second image, you would click the less exciting
"continue download" button.

On the third page, it would be "Download SpywareBlaster 5.2
from MajorGeeks". Anything to get off the Safari Trail.

On the fourth page, there are three download links. They
are under Download Locations. I've made a number of downloads
from MajorGeeks without problems.

spywareblastersetup52.exe 4,184,064 bytes

The scan for the download is clean.

https://www.virustotal.com/en/file/f...c56d/analysis/

They tried to lose you in the woods, by taking you on
safari, but it didn't work :-) Have fun with your update.

Paul

Mark Twain wrote:
You mentioned that FF would sometimes up an
alert or somtimes I would see a pop-up
that the script is busy. I have seen those
in the past but stopped the script.

I'm not saying this is the cause but ever
since I disabled the hardware acceleration
I haven't seen any and as I said I can logon
with no troubleshooting issues but this freezing
isn't normal



Well, I get them here (a script that won't stop
or finish), so they are common.

Sometimes I switch browsers, and try again, just
to see if every browser gets the same luusy quality
code from the web site.

If they want, a web site can give every
user a unique program to run on their computer,
so really, it's possible to have problems on web
browsers, that no one else can reproduce.

I'm not saying that's the case here. And as for
incompetence, even the Microsoft site has web pages
with bad code on them, that drag the browser to
its knees. So this is a common problem, and even sites
that should know better, can produce just lousy code.
In Microsofts case, they can't even blame "advertiser
code" for causing a script problem, as generally
Microsoft web pages are purely technical. With very
little overt advertising (not like the flashing
crap you see on the Tinypic site :-) )

Paul

Mark Twain wrote:
Hello Paul,

Of late, I've noticed that like when I
click on a story on Yahoo the 8500 freezes
and I can't do anything until the story
loads. This never happened before.

Could the hardware accelerator have anything
to do with this?

On the one hand I like being able to logon
without going into the trouble shooting mode
but at the same time I don't like the 8500
hanging up like this especially as this has
never happened before.

Thoughts/Suggestions?

Robert

I tried to read a story on the Yahoo page.

I got a huge (3MB) HTML page, plus a folder
containing another 3MB of files. And in the
folder is a 600KB "movie player" javascript.

But that's not all. Near the top of the page,
portions of the page keep reloading over and
over again.

I railed one core on my CPU for at least 30 seconds.

But, the machine did not freeze.

Now, consider, that you have AV programs on your
machine. There could be an interaction between
that level of activity on the browser, and the
response from the AV software while it watches
what is going on. (The AV software can scan the
files, while they're being read.)

I would keep Task Manager open, revisit the
Yahoo page, and see if Task Manager can continue
to update, while things freeze up.

It takes a lot to freeze up a machine like that.
But an AV (running in Ring0), is in a perfect
position to freeze things. If it wants to.

I had my AV lock up the computer one day, when
I tried to install the FRAPS screen capture
software. I had to use the power button to get out.

One thing you could try, is disable Avast real-time
protection. Then try reading a story on the Yahoo page,
and see if the symptoms differ. Avast probably has
one of those "disable real time protection for
ten minutes" things, which gives you enough time to
test the response of a program, without the AV
interfering.

Paul

I updated SpywareBlaster on both computers then
I took your advice and started Task Manager then
disabled Avast for 10 minutes then went to Yahoo
and read several stories with no problems whatsoever.

So I should or shouldn't be concerned if it freezes
up?

Thanks,
Robert

Mark Twain wrote:
I updated SpywareBlaster on both computers then
I took your advice and started Task Manager then
disabled Avast for 10 minutes then went to Yahoo
and read several stories with no problems whatsoever.

So I should or shouldn't be concerned if it freezes
up?

Thanks,
Robert

Absolutely, you should fix whatever is freezing
the computer.

Avast has AutoSandbox and DeepScreen.

http://www.ghacks.net/2013/08/17/a-f...ntivirus-2014/

As far as I know, AutoSandbox is like running a
separate OS in a virtual machine, as a place to
test suspicious executable programs for heuristically
detected behavior.

Regular signature scanning, is the old way of providing
protection. Where every file you access on the computer,
is checked against a signature database. But that is weak
for new malware, which might not be in the signature
database yet. The sandbox idea, is for catching things
that don't have a signature definition yet.

So for "freezing" on the computer, those features, ones
involving Sandbox, are the ones I'd turn off first.

So your test sequence might be:

1) Read your article on Yahoo. Notice at some point,
you have a freeze event.

2) Try to read another story, to confirm that the freeze
events are consistent. You want a repeatable test case.

3) Now, open the Avast control panel, and either turn off
all AV protection, turn off DeepScreen or turn off
something related to Sandbox. Try to figure out which
feature in Avast, causes the problem.

4) Now, read another Yahoo story. Does it freeze now with
the certain thing turned off ? Is the behavior different ?

And remember, that behaviors on a computer can be caused
by the bad guys (malware), the good guys (AV software),
or by defective hardware. When you have an AV product
on-board, it had access to virtually every resource
on the computer, and then your AV product calls the shots.

It could just as easily be a malware doing it.

Take my situation here. Yahoo makes a "very busy" news page.
It kept my processor busy. But, it only used up one core
on my dual core computer. The computer remained responsive,
because the second core is not overloaded like that. As long
as programs are not threaded so well that they can abuse the
whole machine, I'm in good shape.

Now, the AV program, it is responsible for all cores on the
computer. And if the AV program calls for a certain behavior,
it might apply it to your 4C 8T processor and lock the whole
thing up. Things like sandbox technology, require loading
the sandbox off the disk drive, and you could be disk-limited
while that is happening. But if the GUI (desktop) stops responding,
then something "pretty deep" in the machine is doing it.

I've had GUI failures here in WinXP. Where the desktop interface
stops responding entirely. And the machine is not crashed,
because I can issue a "ping" command from a second computer,
and the frozen machine responds. I've also had that happen
when a 3D game crashes, the sound card is looping, and you
hear the same 1-second long sound effect over and over again.
The machine isn't "crashed to a BSOD", it's just the graphics
subsystem which is hosed, and will require a reboot to recover.

I'm just guessing it is Avast, and it's probably a relatively
easy thing to test a few of the settings.

Paul

Understood, it could be malware, AV or
hardware causing it.

I'm assuming from what your saying is that if
I'm on Yahoo for example and I click a story
and it freezes the 8500, then when it frees it up
click the story again to see if the same thing
happens.

If it does, then go into Avast and disable some
component associated with 'Sandbox' (although how
will I know?). Then try reading the story again to
see if it freezes and repeat until the component
which is causing the freezing is found by process
of elimination. Correct?

In passing I had to remove the Win 10 nag twice
today.

Thanks,
Robert

Mark Twain wrote:
Understood, it could be malware, AV or
hardware causing it.

I'm assuming from what your saying is that if
I'm on Yahoo for example and I click a story
and it freezes the 8500, then when it frees it up
click the story again to see if the same thing
happens.

If it does, then go into Avast and disable some
component associated with 'Sandbox' (although how
will I know?). Then try reading the story again to
see if it freezes and repeat until the component
which is causing the freezing is found by process
of elimination. Correct?

In passing I had to remove the Win 10 nag twice
today.

Thanks,
Robert

The procedure for the Win10 nag is:

1) Uninstall 583. Reboot.

Look in "Installed Updates" for 583. Uninstall it.
http://cdn3.howtogeek.com/wp-content...uBt7RqJZLH.png

2) Enter Windows Update (assuming your Windows Update
at least prompts for permission to go ahead). Perhaps
your Windows Update is set to fully automatic ? You
need to bring up the list of updates it proposed to
install, locate 583 in the list, right-click it and
there should be an item "Hide" there. If Windows Update
were to be set to "Full Auto", you won't have a chance
to change the status to "hidden".

"Hide Update"
http://cdn3.howtogeek.com/wp-content...YzSvjR8LUx.png

3) Once it is hidden, there should not be a nag. The only way
it can come back if you did (2) correctly, is if Microsoft
reissues the 583 update. As far as I know, 583 is at version 2
at the moment.

The procedure starts half way down this page if you need
more info.

http://www.howtogeek.com/218856/how-...fication-tray/

If Windows Update settings are left on full Auto, then
583 is going to keep coming back.

Now, when 583 got installed on my system, before it even
had a chance to nag, I happened to have Task Manager open
while working on something else, and I could see either
GWX.exe or GWXux.exe running. Something "Get Windows Ten"
or GWX related, was running on the computer. That's how I
knew it had sneaked in. After removing it, hiding it, so
far it hasn't come back. And one reason for that, is
my Windows Update is on Manual control. I start a Windows
Update run when I have time, I review the proposed updates,
I only tick the ones that appear to have zero impact.
Anything obnoxious gets the "Hide" treatment.

*******

For your "freezing" problem, I don't have any tools
that absolutely guarantee a clue as to what is wrong.
Tools like Avast, I don't know if they can even be
monitored with ETW (the tracing system in Windows).

This program, for example, will show you all sorts
of background activity on the computer. But like so
many things in Windows, it doesn't come with guarantees.
The events might be in Ring0, but any program granted
permission to run in Ring0 (like a driver), can muck
about as it sees fit, and nothing can stop it. If you
want to play with this, in the File menu of the
running program, is a tick box. You remove the tick
to stop collecting data, then you can scroll through
the trace and have a look for anything suspicious. The
events collected have a time stamp. In your case, if the
computer freezes for five seconds, you'd be looking for
a "gap" in the trace, where the computer "went quiet"
for five seconds. That would be proof, that the problem
was so severe, that something had interfered with ETW.

Use the download link that says "911 KB" near the top.

https://technet.microsoft.com/en-us/...rnals/bb896645

Unpack the zip and run the EXE. It will start tracing
immediately (if the Filter window gets in the way, just
dismiss it), and the first thing you will see in there,
is as many as 200 Registry accesses per second. Those tend
to be repetitive, and contain things the OS checks once
a second to see if the status of some thing it is supposed
to be doing, has changed. But amidst that flood of
information, sometimes you notice a single event in
the trace, that "gives a hint" as to what is going on.

What you would do, is read a Yahoo story, while
that trace is running - you would expect the
trace on the screen to stop moving. But, if the
tracing engine behind the scenes is still working,
there might be some record as to what process is
doing it. If there seems to be a five second
gap in the time stamps, then the problem is
so low-level, it can't be traced. And only the
AV could do that. It's unlikely to be a bug in
the kernel itself.

Paul

I forgot to hide it, my fault. Next
time it appears, I'll hide it.

You offer great solutions and links
but as you pointed out it could be
the AV, malware or hardware and since
its intermittent its very difficult
to pin down what exactly is causing it.

I ran the ETW then opened a story on Yahoo
and ETW kept running changed numbers.

http://i61.tinypic.com/fefbza.jpg

http://i58.tinypic.com/jafdpd.jpg

Robert

The 8500 froze again today while opening
Yahoo mail. It locked everything for a
few seconds. I then exited and then tried
it again with no problems.

Robert

Mark Twain wrote:
I forgot to hide it, my fault. Next
time it appears, I'll hide it.

You offer great solutions and links
but as you pointed out it could be
the AV, malware or hardware and since
its intermittent its very difficult
to pin down what exactly is causing it.

I ran the ETW then opened a story on Yahoo
and ETW kept running changed numbers.

http://i61.tinypic.com/fefbza.jpg

http://i58.tinypic.com/jafdpd.jpg

Robert

For a first trace, you should keep the Filter
window clean. In this example, I have the same
one you selected. Click this and "Remove" it with
the Remove button.

http://i60.tinypic.com/t8sndh.gif

When the trace runs, the File menu has a tick box next
to "Capture". If you select "Capture" from the menu, the
tracing stops. And then you can, at your leisure,
scroll around in there and look at stuff. You would
stop the trace, after your freezing event had happened.

http://i61.tinypic.com/2lkfccx.gif

Now, in the trace in that example, I've already encountered
something weird. My browser Firefox, is poking a file it
downloaded eons ago. Why is it doing that ? Who knows :-)

The thing is, that trace collects a torrent of data. In the
last trace window, you can see that some events collected,
are only 10 microseconds apart in time. So the potential amount
of information collected is huge.

You use the Filter dialog, and the various filter types,
to restrict the things you see on the screen. If you suspect
a certain kind of thing happens, maybe you go looking for
that specific thing.

At this point, I really don't know what to expect, which
is why I'm trying to see as much as I can, even if it's
an overwhelming amount of data. You're looking for a
"pattern" to suggest what is happening during the freeze
period.

Paul

The Win 10 nag came back but it doesn't have
a box and when I right click it it only has
uninstall:

http://i61.tinypic.com/iqlvky.jpg

I think I deleted the process profiling that
you showed in your example but viewing the ETW
screen itself is rather confusing. I've tried
playing around with it but I really don't know
what I'm doing or looking for.

I was able to stop the tracing but the numbers on
the bottom kept running so I assume that's normal.

I can see my search queries like checking a library
book out/in but other than that it doesn't make much
sense to me.

Robert

Just ordered the external HD and case you
recommended.

I'll let you know when they arrive.

Thanks,
Robert

Mark Twain wrote:
The Win 10 nag came back but it doesn't have
a box and when I right click it it only has
uninstall:

http://i61.tinypic.com/iqlvky.jpg

I think I deleted the process profiling that
you showed in your example but viewing the ETW
screen itself is rather confusing. I've tried
playing around with it but I really don't know
what I'm doing or looking for.

I was able to stop the tracing but the numbers on
the bottom kept running so I assume that's normal.

I can see my search queries like checking a library
book out/in but other than that it doesn't make much
sense to me.

Robert

The tool you downloaded is called Process Monitor.

It uses the ETW tracing system, to collect events of
significant from the running computer.

In the File dialog, there is a tick box. You remove
the tick box, when you want to "stop tracing". The
numbers at the bottom should stop incrementing when you
do that. It should not continue adding elements to the
trace, once the trace is switched off from the File menu.

To clean the trace (the "stopped" trace), go to the
Edit menu and look for a clear option. That will make
the window empty again.

To start another trace running, go back to the File
menu, and select the same item as before. It will become
ticked, and the trace will start running again.

In one of the middle menus, there is a Filter dialog.
It filters what is shown in the display. When working
on a new, unique problem, typically you turn off the
filter events. To avoid confusion, you can use the
"Remove" button in there, to remove things you
don't need as filters.

Once you start the trace running, you would read your
Yahoo news stories, and get the computer to freeze again.
When the computer is unfrozen again, race over to the
Process Monitor window, go to File, and untick the
ticked item, to stop the trace. The numbers at
the bottom should stop growing.

I don't know what to expect in the trace. Obviously,
there will be items labeled with "Firefox", because
when you started browsing the Yahoo site, there will
be Firefox activity in the log. When Firefox pulls in
the Yahoo files, to present the news story on the
screen, there will be Createfile and Writefile
operations. As Firefox loads downloaded stuff into
the Firefox cache.

But what happens after that, I can't really predict
what is going to be in the trace. And there isn't
a simple way for you to describe and summarize what
is in that trace window. There is just too much data.

While you can Save and keep trace files, and other
people can open them, the files are huge, and not
suited for any sort of transport.

And I don't want you trying to Tinypic all the
trace windows either :-) That would take *thousands*
of pictures, to transfer the whole trace. Don't
do that. Only if you have the causative
event in a window, would taking *one* Tinypic
shot of it, make sense.

Using the time stamps in the left hand column,
plus the names of executables, that's about all
I can recommend looking at, for some hint as to
what is going on. I feel this is your AV program
(Avast), but that's purely a guess on my part.
And if Avast is doing it, there isn't even going
to be an entry in the Process Monitor trace, with
Avast in the name. As Avast can out-fox the
Process Monitor if it wants to. Just as a rootkit
could stay hidden, with enough effort (rootkit
modifies ETW subsystem to make it "blind").

So if the five second freeze period, is
filled with svchost or named_program items
of some sort, then we know it's an "ordinary"
problem. If the trace doesn't collect any data
for five seconds, that suggests something in
Ring0 did it. Or SMM. So what the trace
then tells us, is the "class" of the
perpetrator. Rather than guaranteeing
a resolution to the problem. So if the trace
doesn't collect anything during those five seconds,
it's probably not an adware, or a Firefox problem
etc. It's something lower down.

Paul

You make it sound easy but that's allot of
information for me to swallow and I just
wonder why is it doing it now since I've
had Avast for a long time.

From what you say I have to keep at this
until I find out what it is and that may be
never.

Seems every time I pose a question I open a
can of worms.

Robert