gerbil 216 Industrious Poster

That other is a router setting, not in your lappie.
...and check that your computername is correct. Netbios is picky about that.

gerbil 216 Industrious Poster

Not wishing this to turn into a When I was a young lad... thing but I do remember when our service computers [based on PDP, and later, VAX, by DEC] received a RAM upgrade. One Megabyte. One card. Measured... oh... 16 x 9 inches. Heavy with chips. Heavy. Each was 8KB. You could replace an individual if it died, and they did. We were rapt, so much faster than the installed 256KB of RAM.
120MB... you musta bin born way after they walked on the moon...

gerbil 216 Industrious Poster

Okay, jim, so in there somewhere is a router. Just a silly check, but make sure that in its settings your compy is not excluded from its DNS service. You can do that on some models.

gerbil 216 Industrious Poster

A first for me, also. You could try Adwcleaner from http://www.bleepingcomputer.com/download/adwcleaner/
- run the exe, hit Scan. When it completes you can press Report and post the result here for advice. Review finds carefully if you wish to Clean unaided.
As an aside, Ghostery will block adcash and similar sites cold. Worth getting, esp cos it's free.
With FF, if you pause on the bookmark in the list you should see the URL pop - if then you are truly redirected something has infected FF, likely via an extension. Best to reinstall it, but make sure to delete the Mozilla folder under Applications in your profile first.

gerbil 216 Industrious Poster

Rev Jim, and Ishaan, I'm not sure that innovation is the issue here.... XP users are a subgroup who have something that works well for them and their hardware/software, they aren't generally hunting for that next new thing but are satisfied with what they have. And therein lies the problem for Microsoft - there is a large group of users who are just plain happy with XP. I know I am. With XP I can do the mundane day work with ease and no silly complications or gewgaws, and I can sit off to the side of Jupiter or Neptune and gaze back at the Sun and Earth. W7 does not give me any advantage with the things I do. W8 gave me a horror episode with my existing files. Nope, the carrot just is not large enough to make me forsake good ol XP. And the stick? Well, with a router plus solid software firewall and no penchant for the dark parts of the web, plus commonsense, I feel secure. Have been so far.
And yes, I am aware that replacing/acquiring new hardware will eventually force a change. May be by W13 for some...
PS. Office? Give Apache OpenOffice a run. Free. The real free.

gerbil 216 Industrious Poster

"What Have I missed."
-nothing, yet, but it's coming....
"I have all the tools for any trouble that may occur"
-roses?

gerbil 216 Industrious Poster

I'm not sure why /flushdns helps unless the cache is corrupting quickly...? So look upon its contents first.... /displaydns

gerbil 216 Industrious Poster

Do you have sufficient space on your W7 lappie to image the W8 hdd? Then use Minitools Partition Wizard (free, download it): first of all, use it to scrunch up the files on your W8 hdd into the smallest partition(s) possible, next to create contiguous unallocated space on your W7 hdd, and finally to image the W8 hdd partitions into that. This method will not give a hoot about user permissions, and they will be available as long as you include the system (with its registry, naturally) in the image. The registry identifies the users and file permissions.

gerbil 216 Industrious Poster

"What I wanna know is about when you receive a file from outside your computer." - nope, in that case, there is nothing that will tell you about what the file has endured before you got it. If someone has prepared a file for you and is to transmit it to you, you can always request that they encrypt it, and give you the key separately.
"How can I quote posts?" - I just highlight and drag between a couple of quotation marks.

gerbil 216 Industrious Poster

"So there is nothing built in to the windows for that..?" - If they actually opened the file then that will show in the profile they used under My Recent Documents, but if they merely opened the folder and dragged/copied the file then all you will see there is the folder reference. If they ran some program to do it, yes, you can see that, but not what they did with that program unless the program records its history.
"But is there a software for that?" - there always is....

gerbil 216 Industrious Poster

I am not sure that XP will die easily, and I'm pretty sure that this thread won't, either.

gerbil 216 Industrious Poster

To check when last copied or viewed.... without accessing the file yourself you check its Date Accessed attribute (just go to its parent folder, or the root and check from there).
Of course, all these attributes are metadata, and being such can be manipulated at will... so a canny file copier would do that when he had finished his sneak preview.
Oops.... a secret, given away.

gerbil 216 Industrious Poster

I could make this a continuing series...

gerbil 216 Industrious Poster

I loathe on W7 where you mouse pause over a target, say Control Panel, and an icon appears... it's just such a special thing to have that.... how else would one know it was the Control Panel one was interfering with?

gerbil 216 Industrious Poster

I loathe on W7 when you go to drag an item and a flaming great icon appears and almost obliterates the target. I need an icon to identify what I'm dragging? Oh, yes, so much. I dunno why I bother with filenames at all.

gerbil 216 Industrious Poster

That's the scenario I'm waiting for.. sleepers loaded into tens of millions of defenceless XP systems, pumping attack scripts directed at 7 and 8 OSes, mounting distributed attacks on targets everywhere, and generally gluing the net to the floor.

gerbil 216 Industrious Poster

... No, ad, cos it's distributed, and there's a copy on my desktop, too. Which begs the question... why would I offload my data and download yours? Security, yeah, but who bothers about that?

gerbil 216 Industrious Poster

Couple of things... you either have a redirector malware which is just not good at its job, or, more likely, a failure of some of your system softwares involved in rendering pages. Me, I'd grab my installation dvd/cd and run in a command window:
sfc /scannow
That will replace any damaged system files.
Next, I would check my Winsock entries, and repair my TCP/IP configuration; this command will do both:
netsh int ip reset C:\resetlog.txt ...and place a log into your C: root.
Or maybe the other way about.... the netsh cmd is fast.
Restart, and try a webpage again.

gerbil 216 Industrious Poster

Hello, Lynn, and welcome. From what you say it appears that you have been infected by malware which has read your email address book and then proceeded to use those addresses to spread itself via infected emails. But you knew that... Anyway, that makes it a trojan (just an industry definition so that we know what we are dealing with). And no, I don't know why it should be called a trojan... they were the ones who got attacked by the Greeks inside the horse. Maybe call it a Greek with Gift. Malwarebytes.org is a reputable group with a formidable anti-malware tool, which you used, but it only fights some groups of infections, and of course, only those it knows about. RogueKiller is generally run to stop malware processes that interfere with the running of anti-malware softwares; it has some killing capabilities, too. Neither software would have introduced problems into your system, nor did they remove anything.
There.
OTL, which you did not use, is a software which gives via its log a detailed look into your system, the processes which are running, or can be set to run, the add-ons to your browsers and so on. It is totally safe to run, but has removal capabilities if separately and specially instructed.

gerbil 216 Industrious Poster

My CFP is for xp & Vista only, not W7. But folks seem to clamour for this version because of the interface... 5.10.228257. And it's here: http://www.filehorse.com/download-comodo-32/9997/ for 32 bit types.
There are pages of old versions to choose from, 5.12 for example.
This is the lead-in page to 64 bit versions: http://www.filehorse.com/download-comodo-64/old-versions/

gerbil 216 Industrious Poster

diskpart? Set it back to type 07

gerbil 216 Industrious Poster

I have used Comodo's firewall for years, still do, on XP which I use 99% of the time. W7 just aggravates me... it's the other 1%.
Comodo's firewall is just great, runs alongside Avast's AV only. But I got CF when it was purely that, not a firewall packaged with a deactivated AV service, which is how the new version is presented. Doubt if the old one is still available... I have the installer yet, 19 MB.
Opera is my main browser, the workhorse, but I find that I must use FF for banking, cos most like institutions won't set up their pages for Opera.
Now Jorge thinks (knows...) that I'm a dinosaur.

Something else, something that may be important to Opera users who love Version 12.... Disable the auto-update feature under Security, because inside 3 months you will otherwise be forced onto Opera 18.

gerbil 216 Industrious Poster

Sorry, James, the weekend got in the way.
I note that you had trouble creating a new partition by creating space in your D: drive. For future use, you should consider Minitools Partition Wizard... there is a free home version, plus an offline version, also free, which likely you could have used. I find them much more capable than the W7 management tool. They are capable of manipulating GUID partitions.
I didn't really get around to putting in much effort.... :(
By the way, the UEFI system reserved partition really shouldn't be unhidden and given a drive letter.....

gerbil 216 Industrious Poster

No, it's not an intrusion.... we would not be here helping if we thought it such.
So.... W7U 64 bit; UEFI boot; so a GPT disk with UEFI system partition [100MB, so 512 byte sectors] as active boot, plus a data partition as D:.
I am confused as to how your UEFI system partition got a drive letter? C:?
I guess that the MSR partition is hidden from your disk viewer? It would be revealed by LBA addressing of the visible partitions.
I think that I had better see that screenshot of your disk, with all partition information.
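To make the partition layout described in that reply concrete, here is an added example (not code from the thread) that decodes a constructed GPT entry array and shows how the LBA ranges of the partitions a disk viewer does show expose the MSR it hides. The 20 GiB disk, partition sizes and names are assumptions; the partition type GUIDs are the standard ones.

```python
import struct
import uuid

SECTOR = 512                 # the post infers 512-byte sectors from the 100 MB ESP
ENTRY_FMT = "<16s16sQQQ72s"  # type GUID, unique GUID, first LBA, last LBA, attrs, name
FIRST_USABLE = 34            # LBA 0 protective MBR, 1 header, 2..33 the 128-entry array
BACKUP_SECTORS = 33          # mirror of header and entry array at the end of the disk

# Well-known GPT partition type GUIDs (real values, not assumptions).
TYPE_NAMES = {
    uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B"): "EFI System",
    uuid.UUID("E3C9E316-0B5C-4DB8-817D-F92DF00215AE"): "Microsoft Reserved (MSR)",
    uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7"): "Basic data",
}


def build_entry(type_guid, first_lba, last_lba, name):
    """Pack one 128-byte GPT entry; used here only to construct the sample table."""
    return struct.pack(ENTRY_FMT, uuid.UUID(type_guid).bytes_le,
                       uuid.uuid5(uuid.NAMESPACE_DNS, name).bytes_le,
                       first_lba, last_lba, 0, name.encode("utf-16-le"))


# Constructed sample (an assumption): a 20 GiB disk laid out the way W7 x64 does it.
DISK_SECTORS = 20 * 2**30 // SECTOR
SAMPLE_TABLE = b"".join([
    build_entry("C12A7328-F81F-11D2-BA4B-00A0C93EC93B", 2048, 206847, "EFI system partition"),
    build_entry("E3C9E316-0B5C-4DB8-817D-F92DF00215AE", 206848, 468991, "Microsoft reserved partition"),
    build_entry("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7", 468992, DISK_SECTORS - BACKUP_SECTORS - 1,
                "Basic data partition"),
    bytes(128),  # unused slot
])


def parse_entries(blob):
    """Decode every used entry (unused slots have an all-zero type GUID)."""
    out = []
    for off in range(0, len(blob) - len(blob) % 128, 128):
        t, _u, first, last, _attrs, name = struct.unpack_from(ENTRY_FMT, blob, off)
        type_guid = uuid.UUID(bytes_le=t)
        if type_guid.int == 0:
            continue
        out.append({
            "type": TYPE_NAMES.get(type_guid, str(type_guid)),
            "first_lba": first, "last_lba": last,
            "size_mib": (last - first + 1) * SECTOR // 2**20,
            "name": name.decode("utf-16-le").rstrip("\x00"),
        })
    return out


def lba_gaps(entries, disk_sectors):
    """Unallocated LBA ranges between the given partitions. Feed it only what the
    disk viewer shows: a 128 MiB hole right after the ESP is where W7/W8 put the MSR."""
    gaps, cursor = [], FIRST_USABLE
    for e in sorted(entries, key=lambda e: e["first_lba"]):
        if e["first_lba"] > cursor:
            gaps.append((cursor, e["first_lba"] - 1))
        cursor = max(cursor, e["last_lba"] + 1)
    last_usable = disk_sectors - BACKUP_SECTORS - 1
    if cursor <= last_usable:
        gaps.append((cursor, last_usable))
    return gaps


if __name__ == "__main__":
    parts = parse_entries(SAMPLE_TABLE)
    for p in parts:
        print(f'{p["type"]:26} LBA {p["first_lba"]:>9}-{p["last_lba"]:>9}  {p["size_mib"]} MiB')
    visible = [p for p in parts if "MSR" not in p["type"]]
    print("gaps between visible partitions:", lba_gaps(visible, DISK_SECTORS))
```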

gerbil 216 Industrious Poster

9) But I haven't a clue how to recover the drivers for my keyboard and mouse, which work so flawlessly in POST operations.
10) It seems what I need is a bootable short program that will install my keyboard and mouse USB drivers, and have wininit accept that installation, restoring my ability to use my keyboard and mouse in Windows 7, Ultimate, 64 bit.
-it's BIOS which controls the keyboard in POST, using a simple map. But your kb and mouse both work in BIOS? Then you have a UEFI? BIOS, which can pick up the drivers from a special partition.
So your BIOS is not handing over correctly to your OS during boot - the W7 drivers should load, and then depending upon your setup any proprietary drivers would be loaded from the Run key or wherever.
Use your W7 dvd and Setup, boot from that; it will use the W7 keyboard and mouse drivers. If it works then create a new partition, load a fresh W7 into that and see how your gear works.
Or haul the drive out, slave into another machine and go from there.
Check the drivers/replace them in your orig sys partition.
kbdclass.sys kbdhid.sys mouclass.sys mouhid.sys WdfCoInstaller01005.dll are the MS ones.
But it is rather strange that both those sets would die; they are loaded independently from the Service key; kb, mouse are unrelated. Do you have any software installed that might modify those drivers, some …

gerbil 216 Industrious Poster

And some trojans are capable of self repair - they already download portions of themselves to complete the infection, so repair is quite straightforward.
Viruses? Nope, that's not how they work.

gerbil 216 Industrious Poster

Big Oops!.. Combofix is not written for XP 64 bit machines. Which this one is....

gerbil 216 Industrious Poster

Combofix is NOT written for 64 bit machines.

gerbil 216 Industrious Poster

Keygen music... ha ha... yeah, there's some interesting loops out there. You find a good cracking group or two, their stuff is safe cos they want to protect their reputations. :) They badge their stuff. It's a weird world, still.
Okay, clear your Restore points, make a new one, consider ERUNT, and off you go.
Cheers.

gerbil 216 Industrious Poster

Lord, no, don't run a Repair, that would blast your sys back to the stone ages... it takes the registry from \Windows\repair and if you have not done a System State Backup lately, well, that folder dates from installation. Check the dates on the reg files in there.
By all means run sfc, but note that both TDSSKiller and ASWMBR check important system file signatures.
Likewise, your Backup files may be compromised.... when you are sure your system is clean and functioning well you should remove them all and make a fresh one. May I recommend ERUNT?
Anyway, as to the fix, it should continue because something dropped that bootkit in there, and likely it's still lurking. If a trojan, it could be a downloader (of the rootkit files etc). So...
- RogueKiller, again, then
- run MBAM again.
- run JRT again
- eSet Free Online Scanner

gerbil 216 Industrious Poster

Have you got the tail of that TDSSKiller log? It's missing all the good stuff.
If that screenshot is from your latest TDSSKiller run, then rerun it, but...
- still skip cmuda3
- delete the TDLFS, and
- default action (cure or delete) for the rootkit.

From your ASWMBR log:

9.   23:36:44.671    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi
and..
17.  23:36:48.796    Disk 0 MBR read successfully
18.  23:36:48.796    Disk 0 MBR scan
19.  23:36:48.843    Disk 0 unknown MBR code
20.  23:36:48.843    Disk 0 MBR hidden

That would be the worry. Any reason your bootdisk MBR is non-standard, and hidden? Anyway, the TDSSKiller run should repair it; in any event ASWMbr can write a new one.
Rerun ASWMBR after the TDSSKiller fix is complete.
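As an added example that is not part of the thread, the following parses aswMBR log lines in the format quoted above and flags, per disk, the two lines gerbil calls the worry. The sample log is constructed: its line numbers and timestamps are made up and disk 1 is an added clean disk.

```python
import re

# Constructed sample in the aswMBR log format quoted in the post; line numbers
# and timestamps are made up, and disk 1 is an added clean disk for contrast.
SAMPLE_LOG = r"""
9.   23:36:44.671    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi
17.  23:36:48.796    Disk 0 MBR read successfully
18.  23:36:48.796    Disk 0 MBR scan
19.  23:36:48.843    Disk 0 unknown MBR code
20.  23:36:48.843    Disk 0 MBR hidden
22.  23:36:49.100    Disk 1 MBR read successfully
23.  23:36:49.100    Disk 1 MBR scan
"""

# "<seq>.  <hh:mm:ss.mmm>  <message>" is the shape of every aswMBR log line.
LINE_RE = re.compile(r"^\s*(?P<seq>\d+)\.\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<msg>.*?)\s*$")
DISK_RE = re.compile(r"^Disk (?P<disk>\d+)\b(?P<rest>.*)$")

# Message fragments worth tracking per disk, as they appear in the log.
INDICATORS = {
    "MBR read successfully": "mbr_read",
    "unknown MBR code": "unknown_mbr_code",   # boot code is not a known Windows MBR
    "MBR hidden": "mbr_hidden",               # the real MBR is being concealed from reads
}


def parse_lines(log_text):
    """Yield (seq, timestamp, message) for each well-formed line; skip the rest."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield int(m["seq"]), m["ts"], m["msg"]


def triage(log_text):
    """Map each disk number to {indicator: seq of the first line reporting it}."""
    per_disk = {}
    for seq, _ts, msg in parse_lines(log_text):
        d = DISK_RE.match(msg)
        if not d:
            continue
        flags = per_disk.setdefault(int(d["disk"]), {})
        for fragment, key in INDICATORS.items():
            if fragment in d["rest"] and key not in flags:
                flags[key] = seq
    return per_disk


def worrying_disks(log_text):
    """Disks whose MBR is hidden or non-standard: the bootkit signs the post points at."""
    return sorted(disk for disk, flags in triage(log_text).items()
                  if "mbr_hidden" in flags or "unknown_mbr_code" in flags)


if __name__ == "__main__":
    for disk, flags in triage(SAMPLE_LOG).items():
        print(f"Disk {disk}: {flags}")
    print("rerun TDSSKiller, then recheck with aswMBR, for disks:", worrying_disks(SAMPLE_LOG))
```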

gerbil 216 Industrious Poster

Ah... let's go after the pest. Some exploration:
==Download TDSSkiller from this link, save it to your desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe
=Start TDSSKiller,(((( click Change Parameters. Under Additional options check both boxes, Verify Driver Digital Signature and Detect TDLFS file system; click OK. ))))
-click Start scan;
-choose Skip for unsigned files;
-leave or set at Cure if TDSSKiller finds a rootkit and prompts a Cure or Delete [a reboot may be required];
-do not Delete or Quarantine any files.
Post the log from C:.

==Download aswMBR from http://www.bleepingcomputer.com/download/aswmbr/
Start it, press Scan [it will download virus definitions from Avast], wait the 3 or 4 minutes until it says Scan completed then press Save Log. Post that, please. Do NOT fix anything at this stage.
An MBR.dat file will appear on your desktop, it is a copy of your MBR. Do not delete it.

gerbil 216 Industrious Poster

Hmm. okay. With your Opera torrent client disabled and the explorer instances multiplying, do they use the network at all? Check in Resource Monitor.

gerbil 216 Industrious Poster

And... if you have the latest M$ C++ 2010 distribution you will have to uninstall that to get the debugger installed, and then you may reinstall it. The SDK installer won't work with the latest version... so much for compatibility... of their own products. But M$ never did promise that, anyway.
Honestly, getting the debugger installed may not help much. It will list the functions called, and I will struggle with more than a few of those, but may be able to identify what is the purpose of them. Honestly, we are motoring out to a place where I will be over my head.
I hope someone else can help?

gerbil 216 Industrious Poster

Urg. That is not an interesting stack list you have there - your system has no debug capability, so no functions called are shown, just locations. The stack shows that ntdll.dll is calling ntoskrnl.dll at various memory locations, but it does not say what functions are being run.
ntoskrnl.dll deals with process and memory management and scheduling amongst other functions.
To go further along this path you need Windbg and the SDK symbols ... go here for instructions http://blogs.msdn.com/b/vijaysk/archive/2009/04/02/getting-better-stack-traces-in-process-monitor-process-explorer.aspx?Redirected=true
and here for the debugging tool http://msdn.microsoft.com/en-us/windows/hardware/hh852365 (halfway down, Windows 7 Standalone Debugging Tools) - follow those instructions and install the debugger. Then in Process Explorer, go to Options tab, Configure Symbols and fill the details as in the web page. The symbol pathname C:\symcache in the Symbol Path you can replace with one of your choice.
Else... did you check how explorer performed in safe mode, or with no third party services loaded?
Go back a bit... run the JRT in Safe Mode while you're in there.

gerbil 216 Industrious Poster

Urk. Something is really working kernel32.dll. I cannot tell what, but all threads start from the same memory address. Dclick a few of those threads, and compare the stacks that pop. Post a couple. Note that with Process Explorer you only get snapshots of activity.
Something else... you could try a Safe Mode check on explorer.exe, or use msconfig to do a clean start ( go to the Services tab, check to hide all Microsoft services, then Disable all remaining Apply and restart).

gerbil 216 Industrious Poster

Do a hard reset while it is powered up. Wait for the lamps to flick off, then release the button.

gerbil 216 Industrious Poster

Hey, you're welcome.
This forum is where I learnt a lot of stuff; you look at people's problems and find solutions. I find that the most interesting way to learn. It imprints it, like hands-on does.

gerbil 216 Industrious Poster

In the Windows startup options screen ( http://windows.microsoft.com/en-au/windows/advanced-startup-options-including-safe-mode#1TC=windows-7 ) set the system so that it does not automatically restart upon errors such as BSOD. Then next time, give the error code so displayed. Likely there will be a faulting process listed also.
If you often get "a black screen that says "a disk read error occurred"" then it could be a cabling issue, or still a hdd fault, or a driver problem. Are you using AHCI or Raid?

gerbil 216 Industrious Poster

Naw... JRT runs on 64 bit machines.
And yes, that's how torrents work. You get credit for seeding.
If you glance at your screenshot above, you can see that Opera is running as your torrent client, and the explorer processes are spawned by it.

gerbil 216 Industrious Poster

For a start, HijackThis is pretty much out of its depth with W7. And malware is generally too smart now to appear in a simple scanner like HT, which has not been maintained/updated for years. A waste of time.
Your multiple explorer.exes... I see that you are running BitTorrent - that will do it if you have it set to open a folder for each torrent instance. Closing BT won't end those processes, but they will throttle back the amount of memory that they are using.
Bit of a worry that JRT won't run... try running RogueKiller first, then without rebooting, JRT. If that works for JRT, then you have malware. Well-hidden malware.

gerbil 216 Industrious Poster

Actually, because you appear to have some sort of redirector trying to work, it would be advisable to run this tool as well... download it from http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.zip
Unzip to your desktop, start it [right click and select Run As Administrator], accept both statements. Before you start the scan, click Change Parameters - in that window check the Detect TDLFS file system box, and the Check file signatures box.
Skip all files that are shown to fail signature check; leave any objects to be cured as Cure; if any objects show Delete, please change that to Cure.
Click Continue, reboot if requested.
Finally, a log file will appear on your C: drive - TDSSKILLER date.txt.
Please post that log.

gerbil 216 Industrious Poster

Hello, 2rti,
as you might have worked out, HijackThis is incapable of working with W7, and it is no longer being maintained. In my view, as a malware revealer, it was at the end of its rope years ago, even with XP. Malware moved on, HT did not.
Anyway, with a multifaceted problem such as you seem to have picked up, the first step is the easiest: run Malwarebytes. Get it from here... https://www.malwarebytes.org/
The free version will do; run the installer, and at the end allow it to start and update. When that is over, do the Quick Scan. Delete all it finds, reboot if it suggests it. Post the log.

gerbil 216 Industrious Poster

Hi, cat.
If you are able to log into windows now without the Windows Accel Pro screen, then running malwarebytes will clean it from your system completely.
http://www.malwarebytes.org/ -the free version will do it. At completion of installation, let it start and update, then do the quick scan. Set it to delete what it finds.
An antivirus may not have protected you from this threat... it's classed as a ransomware/spyware - a trojan. A good firewall would have.... anyway, a good, free AV service is Panda's Cloud AV Free. Rated the best free AV atm. The paid version includes a firewall.
I should add Comodo Free and Avast Free. It's difficult to choose between the three, really. Maybe Panda wins.

gerbil 216 Industrious Poster

A few things on this page are of some note:
http://www.prolific.com.tw/US/ShowProduct.aspx?p_id=225&pcid=41
Correct version of software driver, correct hardware chip for W8/8.1, not counterfeit chipset... if none of those apply then the installer should work. Note that you can download and install directly from Windows Update.

gerbil 216 Industrious Poster

vino, the field separator in libre office is a semicolon " ; ".
So... IF(C2;"";"";TODAY())
Openoffice is absolutely strict about formula formats, I do not know about Libre. OO would throw an error message into the cell [all cells]. Perhaps you could show a screenshot of the formula in an empty date cell, say A18?

gerbil 216 Industrious Poster

Of course it did not work. The whole idea of acls is that low permissioned users cannot allow greater access to files and folders. That's called security at work. Get an administrator to make the change for you.
cacls does not care that it may have been YOU that removed the permission, it just is not going to allow a Guest or User grant full access to everyone. It's pretty much like the bank manager might let you slam the vault door, but he aint gunna let you have the key to open it.

gerbil 216 Industrious Poster

Here is something else to learn. Users with lower permissions can use cacls to restrict permissions, as you have so done, but that user cannot grant more relaxed permissions. As you have seen. To reverse what you have done, you will need to have an administration-rights account. And then it is as simple as entering the cmd that you tried.

gerbil 216 Industrious Poster

That's just how I use them, rubberman.
Boris, you picked up a lot of English language skills in the last day (:wink)...
My point about Java is that you don't have to know how to program with it, but merely have it (the Java Runtime Environment, or JRE) loaded on your system; a lot of websites use Java to enhance their pages' presentation and offerings, so as part of downloading their page you may download a Java applet which runs automatically if your system has the JRE installed, and running website applets is permitted. And that is how you send a Trojan, by infecting the website to do just that. All the agent needs to do is instruct your browser to download a file from some site, and run it. So if you don't need the JRE, do not install it. It ranks as the biggest security flaw in the Windows world.