gerbil 216 Industrious Poster

Around about this time you start to suspect interference from poorly written software launching with/hooking IE.
Folks disable add-ons, run the system file checker, roll back SP1, uninstall a few security updates, change IE versions, run registry cleaners, look narrow-eyed at their RAM... Maybe a rootkit? Tried TDSSKiller, or another rootkit scanner? eg GMER, RootkitRevealer, IceSword, MBAM's AR Beta...? Tricky that it sometimes disappears upon a restart. What does the event log say is causing it [the process...dclick the error line]?

gerbil 216 Industrious Poster

Does your sys have KB2859537? If so, you could try uninstalling it; it came out on 15 Aug 2013. Find it in the Windows folder with hidden files showing, and tunnel down to its spuninst.exe file, dclick that, or via CP/Programs. If no change then just reinstall it via dl.

gerbil 216 Industrious Poster

Oh, true... I remember reading of one or two that disturbed the system itself. Now they don't have much excuse for that.

gerbil 216 Industrious Poster

So where did that silly aphorism come from..?

gerbil 216 Industrious Poster

I think some of M$'s problems with updates could stem from their effects on 3rd party and M$ software not being able to be tested fully with updated system files. It's a scarily complex computing world out there... in over a billion different systems and configurations something ain't gonna be accounted for.
Me? I've never had a problem with an XP security or system update.... reaching out to touch desk.. [wood].

gerbil 216 Industrious Poster

If you're adjusting your volume with a keyboard button, then very likely the graph comes from the keyboard driver software.
I have Realtek; if I adjust the sound using their icon I get a window with various sliders. If I use the keyboard buttons I get a bargraph [courtesy Logitech].

gerbil 216 Industrious Poster

I wouldn't be without ERUNT....
SysRestore is capable of some file restoration, though...
This is interesting.... apply to you?..
http://bertk.mvps.org/html/missingrpv.html

gerbil 216 Industrious Poster

You could try reinstalling it with the inf file. In a cmd window, or just Run...:
%Windir%\Inf\sr.inf
That procedure will totally reset it, removing all current points.

gerbil 216 Industrious Poster

It seems as if you need a proper firewall, one that learns, one to which you can identify your safe and usual software, one that you can finally set into safe mode whereby it understands that it should only query new software actions, and risky ones. I use Comodo, there are others. With a good firewall you don't need UAC. My opinion.
Comodo is a complex tool, it queries all the time, but nothing gets by it. My experience.

gerbil 216 Industrious Poster

The code detector thinks your white space is indicating code line indents. So just post as code, which means that your lines will be numbered. Not a big deal.
However.... the code detector also picks up excess spaces throughout lines, and at the end of lines (I think 3 consecutive spaces will trigger it). A simple solution to find those concatenated spaces is to put your post in a notepad, and hit CtrlA; the spaces will be highlighted.

gerbil 216 Industrious Poster

I'm afraid you've caught me at a bad time... I'm getting pretty much over computers and their foibles, and investigating them. But anyway.... I will need to see what your system is running; without that information I'm staring at a blank wall, or a maze with many paths... something. This pgm is non-disruptive in the mode you shall run it:
Download OTL from http://oldtimer.geekstogo.com/OTL.exe to your Desktop.

  • Double click on the icon to start the application.
  • Press Scan All Users, Minimal Output, Standard Registry ALL, leave other sections as they are.
  • Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%*.exe
CREATERESTOREPOINT

  • Press Run Scan.
    The scan will take maybe 5 minutes; 2 notepads will present [saved to the place from where you ran OTL.exe] - please post both.

Tiny point - no way would two processes share the same PID... a typing error:
WINWORD.EXE (PID: 8012) Thread: 7604
splwow64.exe(PID: 8012) Thread: 3628

Stupid, dumb code detector.

gerbil 216 Industrious Poster

What are you trying to say? Are these processes of programs that you are trying to run, and which are hanging, or processes that just run non-stop in TM, and won't quit even if you are not using their programs?

gerbil 216 Industrious Poster

rundll32 should only appear in TM when it is actually handling a dll, and should only use CPU time as it handles; most of the time it should show zero CPU time while there. As an example, to get rundll32 to appear, rclick your taskbar clock and choose Adjust.
You could check its properties; the valid rundll32.exe is in system32. Further, if you delete it, it should be replaced by Windows File Protection from cache immediately.

gerbil 216 Industrious Poster

DON'T DO IT!!
Find a cave, and live in it.

<M/> commented: lol +0
nitin1 commented: rofl!! +0
almostbob commented: funny as hell +0
gerbil 216 Industrious Poster

"I am having trouble transferring the program from a DVD to the flash drive"...
For Windows, I use Novicorp's WinToFlash. Dead simple to use, and free.

gerbil 216 Industrious Poster

Sounds like the installation did not complete. Can you run a disk check? Get hold of a W7 computer and build a system restore disk [via Backup and Restore centre], or download the W7 installation file and burn to dvd. Run Repair; if it recognises your installation you will have the opportunity to run a disk check.
Here's a link which gives you the links to the GENUINE W7 download site... http://best-windows.vlaurie.com/boot-disks.html#full
Or.. http://forums.mydigitallife.info/threads/14709-Windows-7-Digital-River-direct-links-Multiple-Languages-X86-amp-X64/page60

gerbil 216 Industrious Poster

It happens with OSK, it happens with your kbd, but never with Ubuntu. Only Windows. Any hardware kbd controller is built into the kbd, or in the case of a laptop at the end of a ribbon cable. But that hardware controller has nothing to do with OSK. What inputs it takes from the OS I have no clue about.
So, to basics. Test it in Safe Mode. There you have no third-party filter drivers, just kbdclass and kbdhid, both M$ drivers. If it does not happen there, then likely you have some malware. Scanned?

gerbil 216 Industrious Poster

Check this value in your registry. At key HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage, check that...
OEMCP=437.
And that it does not change between startups.
It is possible for applications to change the codepage via several functions. If it is fixed at the same value each time then somehow your codepage is getting altered internally.
And that is all I know about keyboards and the characters that they produce.

gerbil 216 Industrious Poster

"and i think it really MAKES the cpu go to 85+ "...."Maybe speccy isnt compatible "
Around about this time, you rip it out and go with what works; there are plenty of good options. For sys info, I use either msinfo32 [RUN that one], or siw.exe [gurgle for that].
Msinfo32 is okay for the basics, siw.exe is comparable to or even better than speccy. My judgement. More info than you'll ever need.

gerbil 216 Industrious Poster

Shouldn't do any damage. The quality pastes are non-conductive electrically, non-corrosive. The worst it could do is harden a wee bit and make it ever so slightly more difficult to lift the CPU out one day.
Interesting about the monitors. I use Core Temp on an Intel CPU... it's just fine, and believable.
I don't know where your other monitors get their info from... some query the system monitor chip's outputs eg a Winbond chip; some can read the CPU's temperatures directly from their sensors eg CPUID. I have that one, too, and if I check now, it agrees with Core Temp. I set Core Temp to output to the systray.
85 is not going to cook a CPU [if it is the real temp], but under 60 is nice for hard work, and 35 or less for idle [a bit dependent on ambient].
Are the softwares giving strange readings suited to your mb and CPU?

gerbil 216 Industrious Poster

And this... " In "Administrator" I tried loading updates again because I don't know how to get it back to that scan and it does the same old thing with not wanting to load updates. So I forced it to run the update with /wuforce. It acts like it's working and then in the end it says "Install failed with error number 0x8007043c."
Windows update cannot function in Safe Mode [this is quite normal] because some services are not loaded in Safe Mode, hence that error message. Your update service is quite likely ok still in Normal mode.
Looking around, it seems that a simple system restore to a date previous to your infection will stop the threat locking your PC, and allow you to run Malwarebytes, which program is up to date with this particular threat.
Good luck.

gerbil 216 Industrious Poster

:)... it is a bogus threat, and your files are safe. Let's see, because you can boot into safe mode you have a couple of simple choices to start with. First off, see if it launches from your startup folder...
In safe mode, go to C:\Docs n Setts\your account\Start menu\Programs\Startup. Look there, and see if there is a link [shortcut] to a program that you do not recognise; if you see one then rename it with an X in front and try to restart in Normal mode. Post the links here if you wish me to look at them.
In Safe Mode, if you do not see any such link, then Run...
msconfig
Go to Startup tab, and check there for unknown entries, uncheck them, Apply n OK, and restart.
Once you can restart OK, update and run Malwarebytes.
As far as how you actually newly got the trojan [it obviously only just came in], by any chance do you have a torrent program installed and running?

gerbil 216 Industrious Poster

Posted in your other thread, Crystal.

gerbil 216 Industrious Poster

Cool, you're clear of adwares.
"install is not need since Windows update agent is already installed"
If you used the /wuforce parameter it should have over-ridden that "already installed" condition. Did you use that in the command line, like...
C:\some download folder\WindowsUpdateAgent30-x86.exe /wuforce <=that /wuforce is necessary!
...and that should have forced it to reinstall. Don't run it from the website, rather download and save it, then run from that folder.
Okay, if trying that again does not work, then try this...
Paste this into the Run box:
%systemdrive%\Windows\inf ..and press OK
Scroll down to au.inf and upon rclick choose Install.
Browse to your \ServicePackFiles\i386 folder below the inf folder, and OK.
After it finishes restart your system and try the updates site again.

gerbil 216 Industrious Poster

Interesting. I had to experiment to be sure, because account information on the web is conflicting and some of it is quite wrong, and my experience with them was moderate... so on my W7 machine I enabled the Guest account; I also created a new User account, Justonce, logged in as him and had him build and save some files in his Documents folder and elsewhere... the desktop, other drives. Then I added Justonce to the Guests Localgroup, and deleted him from the Users Localgroup. Logged him out, logged the new guest Justonce in.... all his files stood, desktop, his Documents and saves to other drives. Restarted, and logged him in... all files remained. He could not rename himself or move himself from Localgroup Guest.
Hmmm. So then I logged in as the Guest [not Justonce] and discovered that the Guest can only save to his Documents and not to any other drive. He can read on other drives.
So an account in the Localgroup Guest is not the same as the Guest account: the Guest can only save to his Documents, whereas a Localgroup Guest [Justonce in this case] can save to other drives also. And the Guest account Documents is NOT deleted when he logs out, or when the sys is restarted - the Guest account persists until it is removed.
So all I can think is, it is as BigPaw said: your IT deleted the User account and all its folders, and created a …

gerbil 216 Industrious Poster

If not, you could just download the installer for your x86 SP3 system:
http://download.windowsupdate.com/WindowsUpdate/redist/standalone/7.4.7600.226/WindowsUpdateAgent30-x86.exe
Open the download folder; open a cmd window, and drag the file into the cmd window. Add the parameter /wuforce, so: [below is a copy of my cmd window]; it will self extract, and run the installer. Finally, reattempt to update your system.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Don>D:\Downloads\WindowsUpdateAgent30-x86.exe /wuforce

gerbil 216 Industrious Poster

Hi again.
I think you can safely delete all those adware related issues that ADWCleaner found - run it again, and press Delete button.
The bat command - net stop wuauserv && regsvr32 %windir%\system32\wups2.dll && net start wuauserv - it looks like wuauserv is not installed [the .bat failed on the first part]. M$ have an automated troubleshooter/Fixit at http://go.microsoft.com/?linkid=9830262
You could first check in Services that Automatic Updates [common name wuauserv] exists.
If you paste this URL into IE, does it not offer to repair or install the update service?
http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

gerbil 216 Industrious Poster

No, I won't have that, caper... I blew the Vista uninstall updates bit. I do have a W7 machine to learn from... I just prefer my ol XP.
So I bumble through... :). And I shouldn't push in...
Hey, Techno, what service was the problem, if any?

gerbil 216 Industrious Poster

Could you post those logs from ADWCleaner and MWB? Those should give me a clue as to where next.
Being blocked from Google may be as simple as a malware entry in your Hosts file; you can clear it manually by deleting the Google entry and saving the file. Your hosts file is in system32\drivers\etc; drag it into a notepad to edit. To save you may first need to uncheck the Read Only box in hosts' properties.
As a blind first try to enable autoupdates, you might try this: open a cmd window, and paste in...
net stop wuauserv && regsvr32 %windir%\system32\wups2.dll && net start wuauserv
... and hit Enter. Please post a copy of the screen [rclick, select all, copy with Ctrl-C].
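As an added example (my code, not part of gerbil's post), here is a small Python script that parses a hosts file and flags the kind of entry described above: a well-known name pinned to loopback or 0.0.0.0 (blackholed) or sent to some other address (redirected). The sample hosts text is constructed for the example; on a real machine the file is %SystemRoot%\system32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample hosts file for this example (not taken from the poster's machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries of the kind malware drops to block or redirect a site:
127.0.0.1       www.google.com
192.0.2.44      google.com      # 192.0.2.0/24 is TEST-NET, a stand-in address here
0.0.0.0         update.microsoft.com
"""

# The only names a stock Windows hosts file maps (if it maps anything at all).
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (line_no, ip, hostname) tuples, one per hostname, comments stripped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        entries.extend((line_no, ip, name.lower()) for name in names)
    return entries


def suspicious_entries(text):
    """Flag every mapping except localhost -> loopback.

    'blackholed': name pinned to a loopback or unspecified (0.0.0.0) address,
                  which silently breaks access to that site.
    'redirected': name sent to some other address (phishing / MITM style).
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "unparseable address"))
            continue
        if name in LOOPBACK_NAMES and addr.is_loopback:
            continue
        kind = "blackholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append((line_no, ip, name, kind))
    return findings


def remove_flagged(text):
    """Return the hosts text with every flagged line dropped (comments and localhost kept)."""
    bad_lines = {line_no for line_no, *_ in suspicious_entries(text)}
    kept = [raw for line_no, raw in enumerate(text.splitlines(), 1) if line_no not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, ip, name, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({kind})")
```

To run it against the live file, read it as text (open(r"C:\Windows\System32\drivers\etc\hosts").read()) and pass that in. Treat "blackholed" hits as triage rather than verdict: ad-blocking hosts files deliberately pin thousands of names to 0.0.0.0. Before writing remove_flagged() output back, clear the Read Only attribute as the post says, and note that some AV products lock the hosts file against changes.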

gerbil 216 Industrious Poster

ULead... find its launch point and disable it to see if that improves startup performance. It's likely in DocsnSetts\some user\start menu\pgms\startup; if not in one of those folders, then use Technet's Autoruns to locate it.
If you use it regularly, try installing over the top again.
Great that you got the sys running again. Did you use msconfig to isolate the problem service [fastest way is to choose half, then half again, then ha...]?

gerbil 216 Industrious Poster

Lessee, I click the red download button, a box pops with the options, I check one, and hit that Next button, and the dl starts. Down the BR corner.... :)

gerbil 216 Industrious Poster

This one...?
Update for Microsoft .NET Framework 4 on XP, Server 2003, Vista, Windows 7, Server 2008 x86 (KB2836939)
Date last published: 6/11/2013
Download size: 5.5 MB
That bit about AU not working was a bit surplus to the post. I meant for you to grab the KB number and download the installer itself, and to try re-applying it.
http://www.microsoft.com/en-us/download/details.aspx?id=39257

gerbil 216 Industrious Poster

Whoops, my mistake. That was for XP; they changed the system for Vista, and thus Caperjack's post details the correct and only way to remove updates. You could try repeating the updates from Safe Mode with Networking, but you would need the KB number so as to download it. AU won't work if the system thinks it has it already.
Sorry for the confusion.

gerbil 216 Industrious Poster

You might try downloading RKill and ADWCleaner from bleepingcomputer; run RKill first, then without restarting run ADWCleaner and Malwarebytes again.
http://www.bleepingcomputer.com/download/rkill/
http://www.bleepingcomputer.com/download/adwcleaner/

gerbil 216 Industrious Poster

So from Safe Mode, if you look in \Windows, are there $NtUninstallKB.... folders dated yesterday? Open them, open spuninst folder and dclick spuninst.exe.

gerbil 216 Industrious Poster

Ancient, I'm using IE6 [rarely], but I'm going to guess nothing much has changed... :)
What if you physically edit this key [or sim, for IE10] to reflect your homepage URL?

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

So: "Start Page"="http://www.rottentomatoes.com/m/dogville/"

Or check that it at least reflects the home page that you tried to set?

Ancient Dragon commented: thanks +14
gerbil 216 Industrious Poster

"the highest users are "system" and "Service Host:local Service (Network Restricted)(7)" is what you see in TM. That's a restricted view. Download Process Explorer from http://technet.microsoft.com/en-us/sysinternals/bb795533, check in properties of that svchost which service is being run by it.

gerbil 216 Industrious Poster

Phew. Numbers.

gerbil 216 Industrious Poster

To enlarge...
The ATA-6 /Ultra DMA100 standard provides for a 48 bit LBA address space for sectors [Ultra DMA133 is just faster], so that is the current hardware limit, I believe. 2^48 * 512B sector size = 144 * 10^15, or 128 * 2^50. That is 128PB. 2^50 is a PiB.
NTFS itself uses 32 bit addressing internally, although it is capable of 64 bits; NTFS uses 4KB clusters as address blocks by default, so theoretically you have a partition size maximum of 16TB. 2^32 * 4096 = 17.6 * 10^12, or 16 * 2^40. 2^40 is a TiB.
But if you forgo file compression capability you can set a cluster size up to 64KB with the format command.... and the limit for NTFS is then 256TB. Who needs file compression on a volume like that?

gerbil 216 Industrious Poster

Hospital reading for you... :)
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
Value Name: NoFileMru - prevents common dialogue boxes from showing recently used entries.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value Name: NoRecentDocsMenu - this will remove My Recent Docs from Start Menu [there is a checkbox for it in Start, Properties, Customise, Advanced ...]
Value Name: ClearRecentDocsOnExit - empties the record of these objects upon logoff.
Value Name: NoRecentDocsHistory - this prevents complying applications from recording used objects, ie. it removes the Recent folder.
HKCU hive is for you; placing the above in HKLM hive instead would block for all users.
And so it goes. XP records a multitude of recent documents operations in registry [another is the Run box in Start: NoRunMRU], as well as searches. As far as I know, there is no blanket reg key which when used would control all of those records. You can prevent them/block them individually. Some applications do it also, and they too must be blocked individually. Windows also records in registry all programs, shortcuts and links that are used by users, and also certain system executables, when and how often. All, since installation.
Clearing tracks is a laborious job. You can find, I'm sure, web software that will do some or much of what you want.
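The four policy values listed above, collected into one .reg file as an added example (mine, not gerbil's). It assumes you want the per-user scope the post recommends, so everything sits under HKCU; merging it with regedit creates the Policies\Comdlg32 and Policies\Explorer subkeys if they do not yet exist.

```reg
Windows Registry Editor Version 5.00

; Added example: per-user "no recent documents" policies in one file.
; Each value is REG_DWORD 1 = enabled. To apply the same to every account,
; put identical values under HKEY_LOCAL_MACHINE\...\Policies\... instead.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32]
"NoFileMru"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRecentDocsMenu"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsHistory"=dword:00000001
```

Log off and back on so Explorer picks the policies up. These only stop Windows and applications that honour the policy from recording new entries; anything already in the Recent folder or in an application's own MRU list stays until you clear it.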

gerbil 216 Industrious Poster

MRU. Yeah. He's all about track hiding, like for when you use your mum's computer and she opens up Photoshop and sees in Open Recent an item "HotChickSex.jpg"....
Lots of apps record this info, pdf readers etc...., not just browsers. As an example, Foxit records in reg the last 50 documents opened - this is not for snoop value, but simply to enable restoring the document with the view settings you used with that particular item. Handy.
For many applications that adhere to M$ policy you can stop the practice by using a selection of the key values from the above OP post. You would put them in HKCU, not HKLM, else your savvy mum might sus interference. Why would you do it? Track hiding. Who wants to give up convenience?
As he posts, there is software that reads Registry to list all MRU entries... :)

gerbil 216 Industrious Poster

My key shows an entry from my AV at AppInit_DLLS.. otherwise it's the same as M$'s default key.
Nothing showed in the Modify Binary data action? Then do as Jim suggested and get Autoruns, see what shows there.

gerbil 216 Industrious Poster

Mods, I have decided that if your code detection monster finds code in my innocuous posts then it is simplest to just code the whole damn thing. Looks bad, doesn't it?

gerbil 216 Industrious Poster

Couple of ways to do this...
Rclick the AppInit_DLLS Value name, choose Modify or Modify Binary Data, sweep your cursor across the data field to highlight and choose Delete.
Better still is to create this batch file and run it - it will expose hidden values in AppInit_DLLS data, and expose any hidden value names:
Save these two lines in a notepad as query.bat to your desktop, dclicking it will pop rq.txt.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" >rq.txt
start rq.txt

You should see this [default \Windows subkey]:

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout    REG_SZ  15
    GDIProcessHandleQuota   REG_DWORD   0x2710
    Spooler REG_SZ  yes
    swapdisk    REG_SZ  
    TransmissionRetryTimeout    REG_SZ  90
    USERProcessHandleQuota  REG_DWORD   0x2710
    AppInit_DLLs    REG_SZ

Then you could delete that \Windows subkey and add it back with this reg file [attached] of the default Currentversion\Windows subkey. Save all the content via Notepad as Windowsdefault.reg [no .txt extension], then dclick the file to merge it; a msg about success should pop. If it does not, then rclick the file, choose Merge.
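As an added example (my code, not gerbil's batch file), the Python below parses the rq.txt that query.bat writes and audits it: it lists whatever AppInit_DLLs would inject into every process that loads user32.dll, and reports any value name that is not in the default set shown above. The sample output is constructed from that default listing with two planted entries; brwmngr.dll is used only because that name appears elsewhere on this page, and the "Load" value and its path are invented for the example.

```python
import re

# Constructed rq.txt content for this example: the XP default listing from the post.
CLEAN_OUTPUT = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout    REG_SZ  15
    GDIProcessHandleQuota   REG_DWORD   0x2710
    Spooler REG_SZ  yes
    swapdisk    REG_SZ
    TransmissionRetryTimeout    REG_SZ  90
    USERProcessHandleQuota  REG_DWORD   0x2710
    AppInit_DLLs    REG_SZ
"""

# The same listing with two planted entries: a populated AppInit_DLLs and an
# extra "Load" value (both constructed; the paths are not real findings).
INFECTED_OUTPUT = (
    CLEAN_OUTPUT.replace("    AppInit_DLLs    REG_SZ",
                         r"    AppInit_DLLs    REG_SZ  C:\WINDOWS\system32\brwmngr.dll")
    + "    Load    REG_SZ  C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\svc.exe\n"
)

# Value names in a default XP key (from the post). Vista and later also carry
# LoadAppInit_DLLs and RequireSignedAppInit_DLLs legitimately; extend for your OS.
EXPECTED_NAMES = {
    "DeviceNotSelectedTimeout", "GDIProcessHandleQuota", "Spooler", "swapdisk",
    "TransmissionRetryTimeout", "USERProcessHandleQuota", "AppInit_DLLs",
    "LoadAppInit_DLLs", "RequireSignedAppInit_DLLs",
}

# One value line: indent, name, REG_* type, optional data. Names containing
# spaces are not handled (none of the defaults have them).
VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text):
    """Map value name -> (type, data) from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m["name"]] = (m["type"], m["data"].strip())
    return values


def audit_windows_key(text, expected=EXPECTED_NAMES):
    """Return human-readable findings; an empty list means the key looks like the default."""
    values = parse_reg_query(text)
    known = {n.lower() for n in expected}
    findings = []
    appinit = values.get("AppInit_DLLs")
    if appinit is None:
        findings.append("AppInit_DLLs value is missing (it exists, empty, on a default XP)")
    else:
        # Data is a space- or comma-separated list of DLL paths.
        for dll in filter(None, re.split(r"[ ,]+", appinit[1])):
            findings.append(f"AppInit_DLLs injects {dll}")
    for name, (typ, data) in values.items():
        if name.lower() not in known:
            findings.append(f"unexpected value {name} ({typ}) = {data!r}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else INFECTED_OUTPUT
    for finding in audit_windows_key(text) or ["key matches the default listing"]:
        print(finding)
```

Run it as "python audit.py rq.txt" after query.bat has produced the file. Anything reported under AppInit_DLLs is a DLL the loader pulls into nearly every GUI process, so that path is the first thing to submit to a scanner. Newer Windows versions list more values in this key by default, so expect to extend EXPECTED_NAMES rather than treat every extra name there as hostile.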

gerbil 216 Industrious Poster

Or I guess that doesn't matter. reset.log is just a file to write to.
I hate networking.. too complex.

gerbil 216 Industrious Poster

"netsh int ip reset reset.log"
should be... netsh int ip reset resetlog.txt

gerbil 216 Industrious Poster

And that is not a gaming laptop. Which are strange beasts, anyway... sure, they are portable, but unless you can plug into the AC with the adapter the graphics card falls over. Power saving.
The graphics on this one are not great... but the rest is overkill for home use... docs, editing pics, net stuff. At least you can plug up to a proper screen with the HDMI if you want to watch a movie you've downloaded.
When the McAfee runs out, get something real. An eSata port might have been nice.
Get your hands onto the keyboard before you buy, too.

gerbil 216 Industrious Poster

Foxit.com. Free. Better.

gerbil 216 Industrious Poster

I see. Try Safe Mode. While in there use Disk Management to see that all partitions are healthy. Hijackthis will run from there. Because we are pretty much in the dark with the problem, it would not hurt to schedule a chkdsk run also. From a cmd console [go Start, and Run: cmd] enter: chkdsk C: /f - it will run upon reboot.
And if you have the installation cd then running from that cmd window..
sfc /scannow - would not hurt, either. Just to check your windows files are up to scratch; errors do creep in in any system.

gerbil 216 Industrious Poster

Joan, I put in a Whoops! post, or at least I thought I did... it aint showing.
The folder of interest is Docs n Setts\You\Start Menu\Programs\Startup. Any entry in there will start with the system, same for any in the corresponding All Users sub-folder.
All moot now, though. Information only, if you have deleted IE8 it's hardly likely to start.
Spybot: "Now I'm worried Spybot will harm this machine win7." It won't harm it, that's up to how you use it.
Your machine is now an MSI machine, ACER has been demoted to a tag on the case and probably an OEM product key for your installation. That is important...likely being OEM, your licence is restricted to that machine, but after a year limited numbers of parts can be exchanged at any one time without interfering with activation.
MSI's AMI/Award BIOS: the Quickboot option on Advanced BIOS Features page will only bypass some memory testing functions, and perhaps reduce information display times. If you select Full Screen Logo display the same procedures run but are hidden. F10 for Save option.
As I wrote before, your Browser Manager is starting from a fraught and unsafe place, the AppInit_DLLS reg key. It could well be the cause of your startup problems [the black screen is a Windows loading failure]. Putting it probably too simply, that loading point ensures that brwmngr.dll's code is injected into Microsoft's user32.dll, and hence into many of the processes that use user32.dll …