I recently installed Avira's Premium Security Suite 10.2100.672 , and while going through the post boot routine, and I am looking through the temporarily suspended files awaiting my input, I get pop ups stating "Windows explorer is trying to establish a TCP connection", and of course i have all the usual options...but WHY would this over-hyped File Manager, NEED a TCP connection, and curiously enough, there were a number of instances of windows explorer in those tagged as malware/virus in the list along with other normally common windows service files, like svchost.exe, cttmon.exe, csrss.exe, as well as DLL's such as Kernel32.DLL wsock.DLL, wininet.DLL.
Overall i have 109 of these files in the temporarily suspended list. along with the small sampling i listed there are approximately 20 different file names spread acxross the 109 files... AT THIS MOMENT, as soon as i go back to using that machine the number will climb after each incident.
I am aware that windows 7 has automatic redundancy checks on most integral actively used operations and systems and services files, that if any are accidentally deleted, windows quickly replaces them in up to three simultaneous locations, to ensure it is VIRTUALLY impossible to get rid of some of these files, and i mention this because it is the only thing i can think of that makes sense to explain why it keeps popping up like it does, because each time Avira stops one, windows replaces it, right.... but what i want to know is are these actually FALSE positives? for sure??? since they are recursively persistent. Or are they really viruses or malware, mimicking or taking inspiration from this windows function, and keeping the infections on the drive?
I also know that often times malware writers will write their code to files with the same names as regular windows operations files to keep them obscure and from being obvious in nature.
However, how can all these be viruses, and the real time protection pops up with almost every folder i open with another short list of instances of these same named files from the same path source, for the most part, C:\windows\system32\ or just c:\windows. I am not sure if there were other files also popping up as attempting to reach outside the network, as so much happens at one time immediately post booting, and since it is a new install it has to ask almost every file at least once beyond those assigned as allowed by default.
i would really appreciate learning how to determine what these are, and if it is normal for WINDOWS explorer (emphasis is for those inherrantly confusing that with INTERNET explorer ) to attempt to connect through a TCP connection, and if so WHY??? Isn't WER and, DRM enough LOL! (I laugh but it is kind of Big Brother-ish if you even crawled through one of those wer cab folders and saw what really gets transmitted... granted nothing to connect me...EXCEPT THE PATH C:\USERS\DANIEL\PROGRAM FILES ... YEAH THEY DON'T COLLECT ANY PERSONALLY IDENTIFIABLE INFORMATION, AND MY ip address is also recorded no? Hmmm can we count 2 + 2 = violation of privacy... but that's for another thread... just a little overly passionate about these things )
Thanks to anyone who is patient enough to read through my post and provides any enlightenment as to what I should think of these circumstances and how should I best proceed.
It would be greatly appreciated... BTW I have two other problematic threads posted elsewhere of which at least one may be resolved based on the out come of this one! This is the primary reason for going with a new virus scanner, never did care for MS Security Essentials!
No takers on this as to whether or not this is normal for these files to need access, or should be granted access, or a means by which to determine if their heuristic modified behavior are true infections or false positives by an overzealous detection algorithm or other means or explanations, as to what it is actually indicating with these files, for which if being constantly quarantined, is liable;e to result in instabilities or failed processes, all of which are detrimental to my getting a reliable running instance since due to other issues posted in other threads, when combines to see it is all within the same install, has seriously compromised my productivity, as I had JUST completed installing and configuring over 70 programs, many tools needed for my work, for which while incapacitated as i have been, is causing me such a backlog, as well as loses of huge blocks o time working within a few of the programs, only to lose my work when the program crashes, despite auto-save options engaged, and due to the data loss in those crashes, disassociating those saved versions of files or losing them completely when i cannot restore them, or reload them unless it is the original working image that then no longer reflected the changes i made, putting me right back at square one. Losing from an hour or more to sometimes four hours of work per each session or attempt, and the few times i did successfully manage to save a file periodically, the BSOD's sometimes resulting from the instabilities, then causing the program to lose fact of the mater it HAD backed up, and again causing me to start over from scratch. Mind you this WAS a brand new install on a newly formatted drive, due to the previous damage inflicted when a root kit infection was found, that in its scans, the anti-virus program flagged its own files as infected and when i initiated the process to "clean and repair" ti extracted the root kit infect, essentially killing the boot record since it resided in the boot sector of that drives primary boot sectors, and master boot record, for which any attempts at repairing or recover the boot manager and associated boot up info, failed and required i begin for the third time on a newly formatted drive and now i get this!!! PLEASE can't someone at least verify if these files normally need tcp connections or if there is a way to determine if they are indeed modified heuristically, and are in fact needed to be deleted so as to be able to move on, and be confident tat action will not disable windows, as these files in themselves display root kit behaviors, as the way windows 7 is set up, you cannot delete these files unless you do so in three locations simultaneously, because windows uses the other two resources to supply copies for it to replace them within moments of being deleted, for being system service files and the like in some DLL's too.
PLEASE someone help me out with this, it has been going on for a month now and i am at my wits end trying to pull any reliable information from numerous sites that are more interested in planting their own seeds instead of being what their search result indicated they are about. I hate that they are better at SEO than the sites providing valid worthwhile and MORE RELEVANT content overall.
Thanking in advance for some worthwhile methods that will allow me to resolve these issues.