rjhfandclf

Just wondering if anyone has any ideas about this - if not I will close my end of the thread ... new system due to arrive tomorrow :D with Win 7 Pro and Office 2010. Something new to get used to! Thanks

Hello, Thanks - and noted! I have decided to grasp the nettle and have ordered a new system. In the meantime, I have found a route to get the old PC running, albeit intermittently, in reasonably operable 'normal' mode, but with occasional BS crashes that refer to hardware probs. It entails three boots ... last good (which fails) > safe+net (fine but no nets!) > last good again ... which presently 'works'. This route has worked a couple of times now - despite appearing illogical! At least I can get some work done. I will leave the repair install until it becomes absolutely necessary in hope that I can transfer my backed up data from Retrospect into Win7 Pro XP mode OK. Retrospect have given me some help with this. One query that still bugs me is why I still get dozens/hundreds of ipconfig entries in task manager during a partially failed boot. Hopefully it's academic now ... just curious. Thanks again to all for all your help. Best wishes.

I am afraid I am going to have to try something basic to see if I can get Windows working again. Things have deteriorated to the extent that I cannot now boot into any working mode other than safe. In any other mode, I cannot open any mainstay programs other than Firefox. In safe mode I cannot access the internet, so I am stumped - and have an enormous amount of work backing up. I thought I might try another repair install - but with very little confidence. If this will affect anything you might be working on or wish to suggest, please kindly let me know, but I must try something soon. NB what I don't understand is why, if there is some malware affecting the amchine, has Kaspersky not recognised it! Many thanks.

I should have added that, as from my first post in this thread, Kaspersky recommended the link to MS's kb on resetting hosts to default. That seemed to solve the cpu hogging 'conflict' with Kaspersky's avp and svhosts - but also seemed to coincide with the influx of dozens of ipconfig entries in task manager (currently there are about 130 in task manager). Also, re starting up, I always try in normal mode first, but if this fails, I try last good mode, then safe mode as a fall-back. Last night's post was written while in a rare normal mode. This morning is last good mode.

Hello, Thanks very much for all your help. Delighted to get rid of Advanced Windows Care as this caused all the original crash problems following a slow PC (I also got my money back from them!) Listed Java bits now all gone too, as well as TweakNow and also Glary Utilities, which I found as well. I do still have ERUNT and NTREGOPT, which are slightly different, and which were highly recommended to me by a tech professional some years ago. I hope you agree! OTL log: Files\Folders moved on Reboot... C:\WINDOWS\System32\drivers\etc\Hosts moved successfully. Registry entries deleted on Reboot... OTL ran OK, but didn’t want to close down after displaying a message box that said “Cannot create file C\windows\systen32\drivers\etc\hosts”. I left it running for quite a while, but it did nothing, so I closed OTL manually and rebooted. The OTL log opened on reboot. NB when I open OTL, I notice that ‘Extra Registry’ has ‘None’ checked, not ‘Use safe list’ as shown in your previous screen shot. This was how it was set when I posted the last results – I don’t know if it is relevant or not. Equally, I have not altered it to ‘Use safe list’ this time – nor made any of the other changes you previously asked for. If this is incorrect and I need to run it again, pls let me know. Thanks.

Hello and thank you. I take the reprimand – although currently not entirely correct! When I bought this PC 8 years ago it was used as a ‘family/student’ PC and all sorts of things got imported onto it – including downloads from an older PC. I don’t use P2P myself as I simply don’t trust such things. I thought I had cleared it out pretty well, particularly as these problems are quite new. Obviously I didn’t, but can try harder - if we get that far. Anyway, that is all pretty irrelevant, so I have run OTL as instructed. The files are hundreds of lines long, so I attach tham as files as follows. As you will see I had trouble attaching OTL.txt as it was too big for the forum rules. I have therefore had to convert it to a Word doc. If this is no good and you want me to try to copy/paste the contents, I will certainly try. PS please note that I have just been called away on urgent family business for a couple of days, so will shortly be unable to reply further till around Friday. Thanks again. Extras.Txt OTL.doc

In the end, I had to run the int HDDs' (C & E) MBAM via Safe Mode. The ext HDD (G) I had to run separately after rebooting in 'Last good...' mode again, as this drive was not available in safe mode. I attach the two txt files produced. I cannot see anything operationally damaging in the C & E report showing 4 threats (two each identical in each of the mirror drives) as these seem to lie dormant in an old inherited download folder. I am not entirely sure where they came from. Perhaps you will see something I cannot, though. PS I have now heard from Retrospect that I woud be able to either restore Windows XP system files from a older 'good' back-up session (although that would now be from about a month ago), or if I decided to replace my machine with Win 7 Pro, I will be able to restore my XP based files into their own directory OK - so at leat that gives me some other options to play with, as I am rapidly losing confidence that I will economically be able to resurrect this machine. Thanks for all your support. Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.06.18.04 Windows XP Service Pack 3 x86 NTFS (Safe Mode) Internet Explorer 8.0.6001.18702 Robin :: R-PC [administrator] 18/06/2012 19:23:16 mbam-log-2012-06-18 (19-23-16).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 764424 Time elapsed: 1 hour(s), 33 minute(s), Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 4 C:\Documents and Settings\Robin\My Documents\My Downloads\New\New Items in place\Adobe\Photoshop CS\photoshop\key gen\keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully. C:\Documents and Settings\Robin\My Documents\My Downloads\New\New Items in place\Not yet installed\spyware remover (CHGE).exe (Rogue.PALSpywareRemover) -> Quarantined and deleted successfully. E:\Documents and Settings\Robin\My Documents\My Downloads\New\New Items in place\Adobe\Photoshop CS\photoshop\key gen\keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully. E:\Documents and Settings\Robin\My Documents\My Downloads\New\New Items in place\Not yet installed\spyware remover (CHGE).exe (Rogue.PALSpywareRemover) -> Quarantined and deleted successfully. (end) ============= Malwarebytes Anti-Malware 1.61.0.1400 http://www.malwarebytes.org Database version: v2012.06.18.04 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 Robin :: R-PC [administrator] 18/06/2012 22:05:12 mbam-log-2012-06-18 (22-05-12).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 297331 Time elapsed: 4 minute(s), 28 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) ======================= I have posted the logs they are easier to read this way - KenB mbam-log-2012-06-18 (22-05-12).txt mbam-log-2012-06-18 (19-23-16).txt

KenB: Thanks - it is well underway again, so will try safe mode if it goes again. RandyL: Should have added that the response message was sent on your online form that opened on ‘click here’, and was acknowledged as received!

KenB: I don’t understand ipconfig in task manager either. I can only regularly start Windows now in ‘last good ...’ mode. This gives me a just about operable machine with task manager running at about 65 processes. I was wondering about running a malware check, as I have been watching for ipconfig and it flashes on briefly with ca 10-15% CPU usage then disappears. Looks suspicious. I am running Malwarebytes and will attach the results i.d.c. It will take a few hours for the three disks (int and ext). I hope it doesn't find much as Kaspersky is supposed to look after this! RandyL: Re being banned – I promise I didn’t imagine it and this is the only forum I am keeping open. The message appeared in a banner box a bit like the quote box shown in messages, as I recall it. NB PC just BSODed on me in mid flight - hope the malware checker doesn't have to start again!

Perhaps there is something else wrong at this end ... I just wrote you a response to this, but when I posted it, the site told me that it had failed as the ticket (or something?) had expired - please reload the page. I reloaded and so lost everything I wrote!!! Incidentally, it usually shows a regular 'autosave flash in the botton RH corner of the message box - but I cannot find anywhere where the message is saved - or is it not you but Firefox perhaps? Anyway, the previous banned message appeared in the middle of a blank page when I reopened Firefox. It said something like "Your IP address has been banned. Please click here to contact the administrator" Clicking here opened your contact form, which I responded to with a simple: "Banned???"! I am still having the same problems. It took two reloads via F8 to get going this am, but pm I had no problem first time without F8! Currently I have just 65 processes (one ipconfig - where I have sometimes had up to 200!) in task manager. I does seem that this relates somehow to the number of processes/applications that are trying to load, with a new ipconfig added at each failure. I know how well it might work by the number of task bar icons that appear at startup. I have a load of urgent work to catch up with so will not risk the raid array yet. I will keep you informed i.d.c. I'll try to send this again (copied to clipboard just in case!!)

For some reason you/administrator has banned my IP addresses on both PC and laptop - so I have had to reset my router to make this update! No reply needed at this stage. I have been working on the problem, and after numerous false starts, decided to try an F8 OS start via last good configuration - something that had failed previously. After a couple of attempts, it worked. I therefore went through the sfc process again, and it seems that this is party to the problem as the system immediately froze and failed again. Perhaps the bad sectors prevail. It took a couple more F8 resets to get it going again and I currently have reasonable (if not total) control. I shall leave well alone while I think about the future of this system. - Presently, it doesn't bode well for it! I have copied the I386 directory to both C: and E: as well as a mem stick, so that there are alternatives to the CD if I do have to make a repair install (previously this has failed to copy important files due to not recognising the extentions on the CD - no idea why. I shall now rebuld the mirror raid so that I can link directly to Retrospect again, so hopefully that will work OK ... Again, thanks for your help.

I have now tried several ways to check/fix the disks, but nothing works. I tried via Explorer > properties: check disk and even that said it couldn't complete. cmd > chkdsk (no parameters) runs but says it finds errors, but can't complete in read only mode. Everything seems to point at the disks. The problem is the age of the system (8years). It has a very early SATA array and the m/b will only take 3.5" 150 drives. Replacement HDDs are very scarce and consequently seem very expensive in relation to an entirely new system. It seems daft to replace redundant equipment, so I need to think through a possible total replacement - and quickly. I have all my user files backed up via Retrospect on an external drive but these are in progs under XP - so there will be the problem of intrgrating into Win7 (I understand they can go into their own 'window' within Win 7 Pro). Meanwhile one query: With all the now available backup.recovery media, do you think there is any great value in mirror raid systems? I could possibly then replace just one disk - although a full (like for like) restore from Retrospect would not be possible. Thanks again.

I've now tried chkdsk /f but it freezes and won't close in exactly the same way as chkdsk /r as above. By freeze, I mean that the curser does a carriage return after the line 'cannot lock ...', and continues to flash, but will not accept any entries nor close commands. I still cannot open any useful programmes, including Control panel or 'Your uninstaller', so cannot uninstall IE 8 before doing a repair install. I will try one more reboot, but will then have to leave everythign else, I guess, until after that. One thing I have now managed to do by deleting the raid is run the Kaspersky recommended programme CrystalDiskInfo. This tells me that the two disks are in 'caution' state concerning 'reallocated sector counts'. I have no idea what this means, but if I can fire up Firefox on the PC (I cannot open email at all), I may be able to attach a file of the test run results - if it is of any value/interest.

Hello again, PC jammed up again, so I re-booted again a couple of times; however, I now find that it will not complete the boot. Windows starts OK to desktop, but then jams before task bar icons. So I have now re-booted again, having first deleted the raid array, but Windows still won't complete, so I am writing this on the laptop. Having just written this, the PC has just rebooted into Windows OK, although I can't open programmes, I can open My Computer, so can see the two drives identified OK. I have tried to run chkdsk, but for C: it says 'The type of file system is NTFS. Cannot lock current drive'. Cmd now seems to be locked up and won't close. I have tried to run a 2nd chkdsk on the 2nd drive 'E', but this says the same re NTFS, but not the locking bit, and also won't close. Task manager won't open so I will have to reboot with them open. Just tried that but the whole thing is now jammed open and will not close down via any route, so I will have to unplug it and try again tomorrow.

Hello, The problem with the raid is that it combines the two disks into the one drive 'C' - so My Computer only sees 'C' ... in fact it now sees nothing at all as that won't populate either now!. (I'll try yet another reboot.) I could then disolve the raid array at boot and then the two drives may become visible. Onwards and (hopefully!) upwards!