Andy Spragg

Honorary Members
  • Posts

    166

Everything posted by Andy Spragg

  1. Hi Ron, Wow, that should keep me entertained for a while! Thank you for such a comprehensive list of resources - there is plenty of stuff out there about robocopy, but it's the usual problem of knowing what's wheat and what's chaff. I agree, robocopy being part of the OS was a huge attraction for me. What kicked this all off was Windows 7 being helpful and reminding me that I hadn't set up backup on my machine - but when I tried (and still when I try now), to get backup going, on the same network drive this post relates to, it tells me "the specified location cannot be used" with either "Access denied" (0x80070005) or "The parameter is incorrect" (0x80070057) or "The network drive cannot be found" (0x80070043) as a more detailed explanation. And there is lots of stuff out there about that, let me tell you! (and none of it helped me. Most of it is to do with backups failing partway through, and that is not my situation. I wasn't going to bore you with details, but I can't resist mentioning that one of the official suggested fixes, for folks that use , rather than . as a decimal separator, is to change to using . instead! Read something like that and you have to conclude Windows backup is at best flakey, and flakey software is never desirable but particularly when it is backup software). Anyway, I came to the conclusion, not for the first time in my life, that most users don't backup because something that should a) be very simple and b) just work, isn't and doesn't. So I figured robocopy would be a near-ideal workaround. Little did I know ... As a postscript, with my new knowledge, I went back to robocopy yesterday and discovered the /sl option which I figured added to my option list (consisting originally only of /mir) would enable it to do the same as FreeFileSync. But it didn't - for some reason it made no difference - and the reason it made no difference is that it was ignored (i.e. 
I specified it as an option in my batch file, but the log file showed the options that were actually used and /sl wasn't one of them). As a second postscript, after more messing around with /mir, /sl and /xj singly and in combination, I have finally managed to get robocopy to produce output that matches that of FreeFileSync - but definitely by luck and not judgement. The relationship between the options I specify and the ones actually used is not at all clear to me, and in particular I have never yet managed to get /sl listed in the log file. So my best guess is that some of these options are either mutually incompatible or equivalent in combination, but nothing in the documentation indicates that. Maybe I will find the reason somewhere in your list of homework Andy
  2. Stop press - I figured it out (with the help of more reading around the subject)! And it is to do with "symbolic links". I don't understand it completely, but well enough to be happy. So in the hope that it will save others from wasting investing as much time as I have, here is my explanation. I said in the previous post that I had been set up with FreeFileSync and it didn't have the same problem. Well, I dug around in FreeFileSync, and came across an option for how to handle symbolic links: Exclude, Direct, or Follow (default is Exclude). Basically, a symbolic link is a special type of file, which is a pointer to an actual file or folder. Something like a shortcut except it isn't visible in Windows Explorer. "My Documents" contains three of them: to "My Music", "My Videos" and "My Pictures". Under the hood, "My Documents" is a folder \Documents, and it includes subfolders \Music, \Pictures and \Videos. The symbolic links make it appear to the user as though they are folders on the same level as "My Documents". So:
     - With the Exclude option, these three symbolic links are ignored
     - With the Direct option, they are treated as files, so relative to the Exclude option, the backup contains three more files
     - With the Follow option, they are treated as their targets, so again relative to the Exclude option, the backup contains three more folders, and 57 more files and 0.2 more GB (the contents of those folders). Because I was treating My Pictures as a separate folder, this option gives two copies of the contents of "My Pictures": one as a subfolder of "My Documents", and the other as a separate folder.
     So something like the Follow option is what robocopy is doing. It is resolving symbolic links, with one critical difference: the resolved links are not visible in Windows Explorer! 
I know this because I tried using FreeFileSync with the Follow option, and the folder, file and byte count for My Documents came out the same as the robocopy result, but the FreeFileSync version of My Documents contained visible copies of the three symbolically linked folders. I can now sleep again :-) Andy
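The three link-handling modes described in the post above, as an added example that is not part of the original post and is not code from FreeFileSync or robocopy. It tallies files, folders and bytes for a parent folder and for its one real child under each mode. The names `tally` and `build_sample`, the file names and the sizes are constructed for illustration, and it uses ordinary symbolic links in a temporary directory (creating them on Windows may need elevated rights).

```python
import os
import tempfile

POLICIES = ("exclude", "direct", "follow")


def build_sample(base):
    """Create a constructed profile tree and return (documents, work) paths."""
    docs = os.path.join(base, "Documents")
    work = os.path.join(docs, "Work")
    pics = os.path.join(base, "Pictures")
    os.makedirs(work)
    os.makedirs(pics)
    for path, size in ((os.path.join(work, "report.txt"), 100),
                       (os.path.join(pics, "a.jpg"), 1000),
                       (os.path.join(pics, "b.jpg"), 2000)):
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
    # The link lives inside Documents but points at a folder outside it.
    os.symlink(pics, os.path.join(docs, "My Pictures"), target_is_directory=True)
    return docs, work


def tally(root, policy):
    """Return (files, folders, bytes) found under root for one link policy.

    exclude: links are skipped entirely
    direct:  each link counts as one file, its target is not entered
    follow:  each link is treated as its target and descended into
    """
    if policy not in POLICIES:
        raise ValueError("unknown policy: %r" % (policy,))
    files = folders = size = 0
    seen = set()      # resolved paths already walked; stops link loops
    stack = [root]
    while stack:
        current = stack.pop()
        real = os.path.realpath(current)
        if real in seen:
            continue
        seen.add(real)
        with os.scandir(current) as entries:
            for entry in entries:
                if entry.is_symlink():
                    if policy == "exclude":
                        continue
                    if policy == "direct":
                        files += 1
                        continue
                    # follow: classify by what the link points at
                    if entry.is_dir():
                        folders += 1
                        stack.append(entry.path)
                    elif entry.is_file():
                        files += 1
                        size += entry.stat().st_size
                    continue  # a dangling link falls through uncounted
                if entry.is_dir(follow_symlinks=False):
                    folders += 1
                    stack.append(entry.path)
                else:
                    files += 1
                    size += entry.stat(follow_symlinks=False).st_size
    return files, folders, size


def demo():
    """Tally the parent and its real child under every policy."""
    with tempfile.TemporaryDirectory() as base:
        docs, work = build_sample(base)
        return {p: {"parent": tally(docs, p), "child": tally(work, p)}
                for p in POLICIES}


if __name__ == "__main__":
    for policy, result in demo().items():
        print(policy, result)
```

The child totals are identical under all three modes while the parent totals differ, which is the "children match, parent doesn't" symptom from the earlier posts.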
  3. Hi Ron, I don't have the competence to access both resources from another remote system, or to robocopy to another Windows computer :-) I am only a user in this context. I have attached twelve screenshots, to validate my experience. (Edit: just now, I forgot the first time ). Two of reported properties for the parent folder on C and on the network drive (showing biig discrepancies), and five lots of two of reported properties for each of the five child folders on C and on the network drive (showing exact correspondence). It's academic now, though, because I have now been set up with FreeFileSync and I don't see the same issue with the backup it creates. I would like to understand this though! I was reading about "symbolic links" and "junction points" yesterday when I was looking through discussion prompted by others who have reported similar experiences. Both seem to be features of modern Windows file handling that might account for apparently anomalous file copying results (and get in the way of a user who knows enough to be dangerous and just wants to backup a load of files and verify it has been done correctly). Thanks as ever for your assistance, Ron. Andy
  4. Hi Ron, Many thanks for a prompt reply. The network resource is a Novell drive, using NcFsd file system; more than that I don't know. The issue does not seem to be one of files failing to transfer. Maybe I am not describing the issue clearly enough. Let me try again. I have a parent folder on my C drive, containing five child folders. I (robo)copy that parent folder to the network drive. The reported properties of each copied child folder precisely match those of the original child folders. But the reported properties of the two parent folders are very different. Sounds bonkers, doesn't it? Andy
  5. Hi folks, Briefly, I have searched the Net for symptoms like this, and found other people asking similar questions, but without getting any good answers ... The machine in question is a workplace Windows 7 Pro SP1 Dell laptop, running ESET Smart Security. Yesterday I set up a little robocopy script to mirror specific folders (Desktop, Favourites, My Documents and My Pictures) from my C drive to a network drive. Once I got a version that worked and did what it was supposed to, and made sure that the contents of both locations were the same (by e.g. deleting any hidden content from previous versions that did not work), I checked the aggregate properties of those four folders in each location. The total file, folder and byte counts were all different between locations. I have several times deleted everything, including hidden files, and started over. The properties on C are always the same (provided I haven't changed any files in the meantime, obviously), but the properties on the network drive are never the same twice. Even though Robocopy always reports 100% success. Here's the killer. I have looked more closely where the supposed discrepancies are occurring. The main culprit is My Documents, which contains precisely five folders and no files. If I examine the properties of each of those five folders, all five match exactly between locations in terms of file, folder and byte count. If however, I examine the properties of the My Documents folder (which is just a folder that contains those five folders), there are discrepancies of 57 files, 3 folders, and roughly 200 MB. Every time I delete the mirror and try again I get different discrepancies, but always all three are non-zero. Has anyone ever encountered anything like this? How can Windows count the contents of five folders correctly and yet get the result completely wrong for the folder that contains them (and nothing else)? Hoping as always for enlightenment, Andy
  6. Hi noknojon, Thank you for replying. I should have been less lazy and included details about what I meant by "misbehaving badly". I read the content of your step 1 and thought OMG. Then I read up about KB268509 (thanks for that heads-up). However, the symptoms that are being reported are not mine. I get NO error messages and NO endless failure-to-install loops. As far as I can tell, all the updates installed "successfully". What happened halfway through installing the upgrades (and happens again very quickly if I reinstall my wireless keyboard and mouse) is the following. The Start menu begins to flash on and off, roughly once or twice a second, just as if the Start button were being pressed and released by the mouse cursor. That makes it quite hard to give focus to anything else, but if I do manage to do that, and open (say) Notepad for demo purposes, some character keys on the keyboard produce the correct character, while others produce actions e.g. minimize the Notepad window. Other keys, notably Ctrl, do not function at all. Note this only happens with wireless keyboard and mouse. The wired keyboard and mouse work just fine - fortunately, or I'd be completely shafted. So I am loath to embark on the major program of step one when the symptoms I am reading about do not correspond with mine - although I agree the timing and keyboard related nature of the problems others are having are very suggestive of a link to my problem. Andy
  7. Hi folks, It's been a while since I posted (long story). I'm posting now so that the information is findable by others - it's better than joining loads of new forums I'll never use again just to answer individual questions. So, short version (I composed this for www.justanswers.com then found it was going to cost me $43 for the privilege of an answer): I installed the last 10 Windows (XP Home SP3) updates yesterday (been away for three weeks) and my Microsoft wireless desktop started badly misbehaving halfway through the process. To cut a long story short, after a lot of uninstalling and cleaning up and reinstalling good old wired devices, I was able to use the computer again. Today I downloaded the latest drivers (v8.2, I had only been on v7) and reinstalled and got the same symptoms. So I am back to wired again. It would take a long time to describe the presenting symptoms in writing, and I'm not going to do that, but I'm happy to relate my experience to you over the phone if you want. I think Microsoft messed up badly here and the only reason there is not a lot more outcry so far is because it's hard to write an angry email when the keyboard isn't working, and lots of folks don't have a wired keyboard any more. What would lengthen the post considerably is a description of what I mean by "badly misbehaving", and at the moment all I want to do is alert savvy folks to the issue. But I'm happy to expand if interest warrants. There are other folks out there with the same problem - I have established that - the difficulty is finding the right set of words to feed into Google to narrow tens of millions of hits down to a manageable number ... Andy
  8. Hi Chris, Well, I didn't want to mention it too soon, because it looked like things were all sorted after I got the Internet connection working again, and that only lasted a couple of days, so after I did the registry surgery and it looked like I had fixed things, I thought I'd better give it two or three times as long as that before deciding that I had finally got things sorted. Like I said, thanks for sticking with me. You are a gentleman, and Malwarebytes rocks. Andy
  9. Hi Chris, OK, first things first. I uninstalled the network adapter, which took care of the non-hidden entry and one of the hidden ones. The other hidden one, Windows said it couldn't uninstall it, and that it might be needed to boot the computer. Ha, I think not. So I searched the registry for all instances of "Belkin Wireless G USB Network Adapter #2 - Packet Scheduler Miniport" - there were three - and to my surprise successfully deleted the associated registry content (I thought I might have been told "Access denied"). But I now think that was a red herring. Here's some more information that I didn't tell you at the time. When I was trying to get the router working, before I realised that I needed some ISP account information, in desperation I tried using the Internet Connection wizard. After a couple of preliminary steps it created a Shared Internet Connection, complete with icon, which I knew was not what I wanted, and I figured when I cancelled it would go away again - but it didn't. And straight away it started to register a lot of traffic apparently between my computer and the internet, but I still wasn't able to browse or connect to my email server. So I got a bit freaked at this point, and tried to delete it, but delete was not an option anywhere that I could see, so I just disabled it. I did change its name to something to indicate it was bogus but that was all I could do. When I got the Internet working again, that shared Internet connection changed its name and device name to values associated with the ISP, and since I was able to connect normally again at that point I figured it was now necessary, and stopped fretting about it. But within a day I had the same connection problems as before. At this point I decided to see if I could find this Shared Internet Connection in the registry and get rid of it - which turned out to be very easy. 
A couple of "folders" called "Shared Internet Connection" with a small amount of data and no "subfolders", and I was able to delete them no problem. Since then (about five days ago), my connection has been fine. So currently I believe I'm sorted. However, I am left wondering what this weird Shared Internet Connection was that I managed to create, and amend when I got the router working again, that seemed to come and go at random, and which indicated massive amounts of traffic to and from the router. Maybe you can shed some light on that? Thank you very much for sticking with me in a topic that is almost certainly in the wrong forum. Andy
  10. Hi, I don't have Network Devices, I have Network Adapters, under which is just one entry: Belkin Wireless G USB Network Adapter. If I Show Hidden Devices, a little more interesting. I have as well:
      - Belkin Wireless G USB Network Adapter - Packet Scheduler Miniport
      - Belkin Wireless G USB Network Adapter #2 - Packet Scheduler Miniport
      - Direct Parallel
      - Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
      - WAN Miniport (IP)
      - WAN Miniport (IP) - Packet Scheduler Miniport
      - WAN Miniport (L2TP)
      - WAN Miniport (PPPOE)
      - WAN Miniport (PPTP)
      No yellow exclamation marks, but I know enough to know that the first two hidden devices jointly indicate something not right. Should I uninstall the second one? Andy
  11. Hi Chris, I haven't replied sooner because until landlady re-appeared there was nothing more I could do. As I suspected, the router was missing ISP account details after I reset it. Once I established that information and restored it, I was able to connect to the Internet just fine again. It only lasted for about a day, though, then I started to have the same problems as before. Currently it's fine, yesterday it wasn't. The only new information I have to offer, and I don't know what to make of it, is this. Before the problems started, I only had a single network connection icon in Control Panel, Network Connections - for the wireless network. Once I got Internet connectivity again, I acquired a second one, for an Internet gateway connection, which also appeared in the system tray. At first it seemed as though I could only get a good connection while this second connection was visible in the system tray, but currently I can't see it and I'm connected just fine. It seems to come and go at random. One thing that does worry me is that when it's there, it often indicates a colossal amount of traffic between the Internet and the router. Still don't know whether to suspect something malevolent or not. Hope you can advise. Andy
  12. Hi Chris, I am posting this from work because I am now not able to get online on my machine at home at all - please read on. I did as directed:
      - disabled the wireless connection and physically disconnected the wireless adapter
      - reset the router
      - checked TCP/IP settings (no changes needed)
      - flushed the DNS cache
      - re-connected the wireless adapter and re-enabled the wireless connection
      The automatic wireless network connection did not remake itself. I viewed the available wireless networks and the network I have been using was not there (although there were several listed so the adapter is working OK). One of the networks was called NETGEAR, which is the make of the house router, and the start of the name of the missing wireless network. By switching the router off and on again, and observing that the NETGEAR network disappeared and reappeared again, I demonstrated that the NETGEAR network corresponded to the router. So resetting the router reset its name and removed its security key. I could connect to the newly-unsecured network but I could not load any web pages, or connect to my mail server, or log on to Skype. There were two other unsecured wireless networks visible but I could not connect to either of them - Windows never returned from acquiring a network address. I know the name and security key and login details that the router was using, and I guessed (correctly) that the factory preset login password was "password", so I was able to log in to the router and set all that stuff back how it was. And I can now connect to the wireless network automatically like before, but I still don't have an internet connection. What I have tried since is two things:
      - I noticed in the router config that the firewall was set up with two default rules: "Let everything out" and "let nothing in" (I paraphrase). I figured this was the problem, and to test that, I set up a new rule "let everything in" and put it above the default rule, but it didn't help. So that isn't the problem (though I guess there is still some fine-tuning to do there once the real problem is fixed).
      - This morning I tried a couple of TCP/IP repair utilities, without success.
      My landlady is the only other person who uses this router, and she is away for a week, so I can't tell if the problem is with the router or my computer (though I do know that she has not been having problems while I have been). So I believe the problem is still confined to my computer. What I know is that if she comes back to a router that is not working, she is not going to be happy, and the best way for me to know that the router is working is for me to be able to use it successfully again. And I have just over a week to make it so. Please help!
  13. Hi Chris, Many thanks for getting back to me. First suggestion is not an option ... I'm using the house router and it's a long way away on a different floor. The only other computer that uses this router did not have the same issue last time I checked (owner has been away for a few days at the moment). The only new pieces of information I have since I first posted are: i) that since I uninstalled Avast and changed to Avira, I can not now send emails from my client Thunderbird. I get the warning/error attached as a screenshot, which I never saw before. I thought it might be Avira getting tangled up with Thunderbird, but I checked and Avira doesn't scan outgoing emails. If I click on Get Certificate, nothing happens. I don't know the first thing about certificates and how they work but I don't like the look of this. ii) I noticed that the wireless connection is being reported at various speeds below 54 Mbps (eg 24 Mbps, 36 Mbps) whereas it has always been 54 Mbps since I moved here four months ago. Andy
  14. Hi folks, This has been going on for around three weeks now. Basically, my ability to connect to webpages and my email server has suddenly become very unpredictable. The PC says I have a good wireless connection but a lot of the time, lots of web pages won't load (usually saying the site couldn't be found). The ones that don't, often do so if I hit Reload a couple of times. The ones that do, often don't load completely (missing graphics, lots of vanilla HTML, that sort of thing). I get the same problems with all of Chrome, Firefox and IE8 so it's not a browser-specific problem. Also I can't connect reliably to my email server. I posted about it in the MBAM PC Help forum: http://forums.malwarebytes.org/index.php?showtopic=75582 because I wasn't convinced it was malware, but didn't get any replies. I suspected my AV software Avast, and posted on the Avast forum too: http://forum.avast.com/index.php?topic=71456.0 At first it seemed I was right to be suspicious - once I uninstalled its behaviour shield, everything seemed to return to normal for a couple of days. The only residual question mark was that I couldn't ping a lot of the websites that I could load, but I now gather a lot of web sites won't respond to ping anymore anyway. Anyway, today the problem returned. I completely uninstalled Avast and removed all traces from the registry, but it made no difference. The considered opinion there is that it is probably a hardware problem. The reason I am now posting here is because I noticed something today that made me a little bit more convinced that the explanation is malware rather than hardware. I noticed that there were 10 new top-level subfolders of my C drive, copies of the folders in my bookmarks toolbar. They had all been created between 00:18 and 00:19 on 19 February. I had a look in event manager and at 00:19:15 I found the following TCPIP warning recorded: "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts." 
Which all sounds more than a bit fishy to me (given that accessing websites from my favourites toolbar is the main difficulty I'm having). And I struggle to see how a hardware problem could explain it. So I have done the necessary groundwork: - MBAM came up clean - rather than reinstall Avast (because I'm still suspicious that it was implicated somehow), I installed Avira instead. It found 1 hidden object and gave 4 warnings - I ran DeFogger, DDS and GMER in that order. DDS.txt is reproduced below. MBAM, Avira, DDS (attach) and GMER (ark) logs are attached as a zip. Grateful as usual for any assistance. Andy
  15. For the last few days, I have been having big problems accessing mail (with Thunderbird) and a lot of web sites (with Firefox and Chrome). Thunderbird usually tells me that it "failed to connect", and both browsers often tell me that they "failed to find" website this or that - for example, Google, Gmail, and Facebook. If Facebook does load, it often comes up displayed as basic text-only HTML with little or no graphics. On the other hand, some sites load reliably. No pressing reason to suspect malware at the moment - full scans with Avast and MBAM came up with nothing, also scans with GMER, DDS, HijackThis produced nothing obviously untoward. The only question mark I have about possible malware is that when Thunderbird started acting up, I had a look at the SSL-related Mail Shield settings, and I found that as well as the two entries I expected to find, there were two others with only IP addresses for names. I wondered at first if these were related to a new gmail account that I set up recently, but I only access it via browser so (as I understand it) Avast should not be involved with those mails. I kept a close eye on these Mail Shield settings for a day or two, and two more similar entries got added (all IP addresses ending in .78). I have now deleted them all. The only other thing that might be relevant is that three or four weeks ago, the PC started randomly shutting down (which I believe was due to overheating, because it stopped when I replaced a noisy fan and declagged the mobo fan). Then after a couple of days it refused to boot, which I fixed by plugging the hard disk into a different slot on the mobo (I noticed in the BIOS that the name of the slot it was plugged into had become corrupted). Today I had a look in event viewer and found a lot of disk controller-related errors up to 30 Jan, and none since. So I'm presuming that overheating was causing the disk errors, and that problem is now fixed. 
But I'm wondering if maybe some settings got corrupted in Avast? To be on the safe side, I have disabled the wireless network connection until I figure out what the problem is and fix it (I'm posting this from a different machine). Trouble is, I don't really know where to start. Does anyone have any suggestions, please? I'm going to post this in the Avast support forum too since I have a suspicion that it is implicated somehow.
  16. Ron, As it happens, I have just with heavy heart disabled MBAM for an experimental period. I find the mbamservice.exe almost always takes up at least 100 MB regardless of whether or not it is actually doing anything or just being. When it is doing something, its CPU usage and effect on machine usability is often extreme. And it's not always obvious what it's doing at those times, seems to be background stuff, the scheduled scan is not usually a problem. CPU utilization is around 80%, frequently if not unbroken, and I might as well stop trying to use the PC until it has finished because monitor display freezes and keyboard input gets buffered with no effect often for loooong seconds at a time anyway. I have also noticed things taking ages to load, and when they do the corresponding task bar entries appear so slowly that they grow before my eyes and stutter into place. So I'm doing without it for a while to see if things improve. I have Avast so I'm not defenceless but I don't like being MBAMless. Andy
  17. Hello folks. Delighted to say the collective wisdom re battery was quite correct. Managed to extract the old one - not as easy as I thought - and find a replacement at 2 for
  18. Hi folks, thank you for all three replies. I been busy unpacking and sorting stuffs out for the last couple of days ... Computer was unplugged for two days. Never normally switched off for more than 24 hours. Seems most likely to be the battery then - either it got temporarily dislodged, or is running low (seems implausible that it should coincide with moving house though). Had a feeling it might be battery-related, ISTR I have been here or somewhere like it before. I don't understand what basis the machine has for asserting that the settings have changed. I see in the BIOS there is an option to reset to defaults, either failsafe or optimized. Is it comparing to one of those default value sets? I have no idea what the settings were before, so if they have changed, I have no idea which ones or what from, so I can't set them back again. But machine is obviously OK if I just change nothing at boot time. It will just keep prompting me that the CMOS settings have changed. Can I ask two specific questions please: - If I go into CMOS settings, change nothing, and Save and Exit, will that make the boot-time message go away even though I haven't changed anything? - if I change the battery, will machine lose all CMOS settings so I will have to reset to a default state?
  19. I have just moved house and transplanted my PC. When I hooked it all back together again, at first there was no signal to the monitor. I fiddled with some cableage, rebooted and tried again. Second time, all seemed briefly to be OK again, but machine had only just started to boot when up popped the following message: Warning! CPU has been changed. Please re-enter CPU settings in the CMOS setup and remember to save before quit! with choices to continue or go into setup. So obviously I ignored the message and continued. Machine booted normally except that it had lost time and date. I put that right and on the three or four boots since, I have always still had the boot time message but the correct time and date have been retained. Second time, I went into the CMOS setup to see if I could spot what setting it was that had somehow been changed, but I couldn't see anything amiss. In the sense that the PC appears to be booting normally, if I ignore the message ... no worries. But obviously I'd like to know what went wrong and how to put it right. I'd appreciate any advice from wiser folk than me. TIA, Andy
  20. Whoops, sorry, forgot about the rules of engagement, been so long since I stuck my head in this particular subforum. I uploaded the zipped file, and here's the log:

      Malwarebytes' Anti-Malware 1.46
      www.malwarebytes.org

      Database version: 4584
      Windows 5.1.2600 Service Pack 3
      Internet Explorer 8.0.6001.18702

      09/09/2010 23:18:39
      mbam-log-2010-09-09 (23-18-39).txt

      Scan type: Quick scan
      Objects scanned: 170159
      Time elapsed: 27 minute(s), 7 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 1
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 1

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\memman.vxd (Rogue.sysCleaner) -> No action taken. [189A7E0494DACBB3486AC6D04F329665]

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\WINDOWS\system32\memman.vxd (Rogue.sysCleaner) -> No action taken. [189A7E0494DACBB3486AC6D04F329665]

      memman.zip
  21. Evening folks, It's been so long since MBAM reported finding anything that when it does my instinctive response is "Oh, it must be a false positive" ... tonight it reported two finds, both labelled Rogue.sysCleaner. One is a virtual device driver, memman.vxd in c:\windows\system32, the other is an associated registry key. Avast! finds no cause for concern with memman.vxd, nor does http://virusscan.jotti.org - so it does look like it's a false positive. I have Ignored them, pending definitive guidance from here. Andy
  22. Wrong, as it happens. I have decided I am too prone to give hardware the benefit of the doubt, forgetting that it is prone to developing faults. I finally got around to buying and installing a replacement graphics card, and the display is brand new again. Really quite a reasonable price too. I'd like to say it absolutely points to the old graphics card as the problem, but I can't - quite - because the new card that I bought fitted into a different slot on the mobo (although that was not my intention when I bought it; I thought I was buying one to go in the same slot). So I can't entirely rule out a fault with the slot rather than the card, but I know where I'd place my money if I were a betting man. So lesson for the day is ... hardware is not above suspicion. Rule it out first if it's not prohibitively expensive to do so.
  23. Hi guys, Well, top line summary - it's working again. For optional detail, read on ... All a bit unsatisfactory, as like last time, I neither know what went wrong nor quite how I fixed it:
      - Powering the router down and back up didn't help
      - Updating the driver didn't help
      So then I uninstalled the newly-installed driver and unplugged the adapter and went through the registry removing all references to wireless network connections and to the manufacturer (Belkin). That required a reboot because quite a lot of these were "access denied"s, but after reboot everything was gone (except for no-matter stuff like install path names). So with a clean sheet I reinstalled the latest driver. Previously I had a driver-only download, using WZC, but the latest version is an exe that gives no option but to install the Belkin wireless utility as well, and the installer defaults to using it - you have to explicitly opt for WZC instead if that's what you want to do. Since the Belkin utility was reporting "Limited or no connectivity" that was a no-brainer, so I switched to WZC. PC sat there for fully a minute, I reckon, just saying "Connecting ..." and I fully expected it eventually to come back and say "Unable to connect", but I left it alone because at least it wasn't alternating between looking for a network address and being disconnected. Much to my surprise, eventually it did connect! There were a lot of hiccups subsequent to that, when I thought it had all gone wrong again, which I won't bore you with, but I think they were mostly associated with my having to reinstall Trend Micro. I had uninstalled it to rule it out as the source of the problem. Once I set up the MBAM exclusions again, it was all good. The Belkin adapter, with hindsight, was not a good choice. It comes in five hardware versions (not that this became apparent until about a year after I bought it), it has a long history of driver revision, and the site FAQs invariably still feature it in the top 5.
Maybe I should just get a different one. Any recommendations?
  24. Hi Ron, It's worth a try - quick and costs nothing, as it were. I'm not optimistic since the other two PCs in the house are still connecting as usual. Can you conceive of a scenario where only one machine out of three is failing to connect as the result of a router issue? I'll try it tonight anyway, before I try updating the driver.