Well Curson - First of all, thank you for your personal remarks - concerns about the temperatures. You are a good person for sure.
Now, on the the problem at hand and your questions/information you requested:
-The computer is still running slowly at times and at other times faster/ok. The problem with svchost.exe hogging memory still recurs from time to time - yet, when I end the process using Task Manager, it does the weird things it should and then the computer runs faster (however, that does not 'feel' like the only problem or maybe not the root problem. I have some experience in diagnosing problems but not always the skills to fix them or the knowledge to know about the great tools out there now that work best. Thurs my statement about 'feeling' like the problem).
In fact, when I first used Rogue Killer, the hooks et al made too much sense as a possible core source of the problems - especially since it also 'feels' like I have something dragging down performance (like malware that can track) and I've even suspected a keylogger or other way to see/watch what I am doing).
Re Norton and reporting the issue and requesting white listing
-Done - I'll let you know when I hear from them (right now, I've only posted it and received an acknowledgement)
-If I have room, I paste their response since it includes what I sent Norton at the bottom of this.
-If not enough room, then I'll put it in a subsequent reply.
Re Coupon Printer, Hopster or Catalina Marketing on purpose:
-Yes, I installed them on purpose. I use coupons extensively and, as you know, those are required files to print coupons. (Although, if memory service, Hopster is what Red Plum uses and it is not working properly.)
-If they weren't required files by various sites (Coupon Printer becoming more and more necessary), then I would not use them.
-For a long time, I would (and still do) disable the Coupon Printer service in the services window. I also make it a manual (not automatic) service. Then, right before I plan to print coupons, I would enable the service manually.
That tended to make Coupon Printer not working (and appeared to keep it's background 'mess' to a minimum.)
-Recently, the Coupon Printer service can be totally off and also on manual start - and, the Coupon Printer will still print (oddly). Also, sometimes, I uninstall Coupon Printer from the Programs anyway and then reinstall when I want to print coupons that require Coupon Printer. One additional oddity is that sometimes installing Coupon Printer will not install a corresponding service (i.e. - none there at all).
-Seems like the Coupons.com/Coupons Printer folks are getting sneakier and sneakier to make sure they can get the information the Coupon Printer feeds them without us being able to block it..
-In fact, one time (has only happened once), I uninstalled Coupon Printer and then sometime later needed to print some coupons requiring Coupon Printer. Instead of prompting me to install Coupon Printer (it having been uninstalled), the coupons simply printed. So, somewhere, Coupon printer had to still be working despite it not showing in Services or even in Programs under Control Panel.
-Currently, I see no service for Hopster or Catalina Marketing. I do see the Coupon Printer Service (which was on manual and not started when I've run the scans.)
-Under the Programs area of the Control Panel
-Catalina Savings Printer - Publisher: Catalina Marketing Corp - Installed on: 9/30/2013 - Size: 1.94 MB - Version: 1.0.0
-Coupon Printer for Windows - Publisher: Coupons.com Incorporated - Installed on: 1/6/2015 - Size: (nothing listed) - Version: 5.0.1.3
(A reinstall after an earlier deletion. This time, it did show install a service. But, it has printed even when the service was disabled/not started)
-CouponPrinterPlugin - Publisher: Hopster - Installed on: 1/6/2015 - Size: 2.82 MG - Version: 2.0.2.0
(There is not a listing for a program named Hopster; so, apparently, Hopster names itself upon install as CouponPrinterPlugin. Also, when I installed it on 1/6/2015, it did not work properly and never printed a coupon for me. I have not had a chance to troubleshoot and have not needed it to print any coupons since then).
Thank you for contacting Symantec.
Your submission has been received and will be reviewed. We endeavor to respond to all submissions within 2 working days.
The tracking number for your submission is: 3729629, please reference this tracking number in any further correspondence on this issue.
Your submission:
-----
When did the detection you are reporting occur? = APPLICATION
Which product were you using when you saw this? = N360
Which of the following types of detection are you reporting? = AUTO-PROTECT
Name (person to contact) = Clif Kelley
Email address = clifkelley@earthlink.net
Are you the creator or distributor of the software in question? = no
File being uploaded =
Download (or blocking) URL =
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ Name of the software being detected = Fabar Recovery Software Tool - FTST.exe and FRST(1).exe
Name of detection given by Symantec product = Suspicious.Cloud.7.EP
File hash or clipboard paste from product = FIRST PROBLEM:
Filename: frst.exe
Threat name: Suspicious.Cloud.7.EP
Full Path: c:\users\clif\downloads\fabar recovery scan tool\frst.exe
____________________________
Details
Unknown Community Usage Unknown Age Risk High
Origin
Downloaded from
 Unknown
Activity
Actions performed: 14
____________________________
On computers as ofÂ
Not Available
Last UsedÂ
2/17/2015 at 11:47:29 AM
Startup ItemÂ
No
LaunchedÂ
No
____________________________
Unknown
It is unknown how many users in the Norton Community have used this file.
Unknown
This file release is currently not known.
High
This file risk is high.
Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.
____________________________
Source: External Media
____________________________
File Actions
File: c:\users\clif\downloads\fabar recovery scan tool\ frst.exe Removed
File: c:\users\clif\downloads\fabar recovery scan tool\ addition.txt Removed
File: c:\users\clif\downloads\fabar recovery scan tool\ frst.txt Removed
File: c:\frst\logs\ frst_17-02-2015_11-34-52.txt Removed
Directory: c:\ frst Removed
Directory: c:\frst\ logs Removed
Directory: c:\frst\ quarantine Removed
Directory: c:\frst\ hives Removed
____________________________
Registry Actions
Registry change: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\ FRST_RASAPI32 Removed
Registry change: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\ FRST_RASMANCS Removed
Registry change: HKEY_USERS\S-1-5-21-3395011634-4035225922-1332991411-1003\Software\Microsoft\Windows\CurrentVersion\ Internet Settings-ProxyEnable:0 Repaired
Registry change: HKEY_USERS\S-1-5-21-3395011634-4035225922-1332991411-1003\Software\Microsoft\Windows\CurrentVersion\ Internet Settings-ProxyOverride:.local Repaired
Registry change: HKEY_USERS\S-1-5-21-3395011634-4035225922-1332991411-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ Connections-SavedLegacySettings:... Repaired
Registry change: HKEY_USERS\S-1-5-21-3395011634-4035225922-1332991411-1003_CLASSES\Local Settings\MuiCache\67C\ 52C64B7E-LanguageList:... Repaired
____________________________
File Thumbprint - SHA:
0b7923a063eadd4b8e45b1aaa676afb8922e6638967ff40588e830ecf8d2f3e5
File Thumbprint - MD5:
Not available
SECOND PROBLEM WHEN SUBMITTING THIS REPORT
Filename: FRST[1].exe
Threat name: Suspicious.Cloud.7.EP
Full Path: c:\users\clif\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\epf7tqcv\frst[1].exe
____________________________
Details
Unknown Community Usage Unknown Age Risk High
Origin
Downloaded from
Â
http://download.bleepingcomputer.com/farbar/FRST.exeActivity
Actions performed: Actions performed: 1
____________________________
On computers as ofÂ
2/17/2015 at 6:22:41 PM
Last UsedÂ
2/17/2015 at 6:24:15 PM
Startup ItemÂ
No
LaunchedÂ
No
____________________________
Unknown
It is unknown how many users in the Norton Community have used this file.
Unknown
This file release is currently not known.
High
This file risk is high.
Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.
____________________________
http://download.bleepingcomputer.com/farbar/FRST.exeDownloaded File FRST[1].exe Threat name: Suspicious.Cloud.7.EP
from bleepingcomputer.com
Source: External Media
frst[1].exe
____________________________
File Actions
File: c:\Users\Clif\AppData\Local\microsoft\Windows\temporary internet files\Low\Content.IE5\EPF7TQCV\ FRST[1].exe Removed
____________________________
File Thumbprint - SHA:
0b7923a063eadd4b8e45b1aaa676afb8922e6638967ff40588e830ecf8d2f3e5
File Thumbprint - MD5:
Not available
Additional notes or steps to reproduce the detection = -Initially Norton blocked the download of the file (like the second occurrence above. I had a link on both occasions to directly begin the download and Norton Blocked it.
So I disabled the Norton Antivirus portion of Norton 360 and successfully downloaded ran the tool (Fabar Recovery Scan Tool aka FRST.exe) so I could get the two log files/reports it generates. With Norton Anti-virus disabled I forwarded one log file/report generated by the successful scan to someone and then enabled Norton the Norton Antivirus. Norton then automatically removed both the FRST.exe file and the other log file (SECOND PROBLEM Above.)
This is probably a false positive and the Fabar Recovery Scan Tool needs to be white listed.
-----
Sincerely,
Symantec Security Response
http://securityresponse.symantec.comThis message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
Show Posts
