Honorary Members
  1. I'm sorry I haven't updated the thread - I've not had much time to work on the PCs the last couple of days (and will still be busy for the next few days). Reading around, I think Google Photos on the Sony tablet is causing the sudden crashes - maybe due to a corrupt photo - I'm still investigating. Cheers, Ken
  2. Yes, their photo backup/sharing service has gone through several incarnations (and that may be the cause of some of the issues) - I know other users have had issues. Yes, I'd updated the GPU driver in May. Last night my wife's Win10 machine threw up a 'redirect' in Firefox - I'd used Google to search for washing machines (ours has just broken down and that's going to take me away from the PC problems for a while) and it wouldn't respond to a left-click on a link. I used a right-click to open the link in a new tab and got a black screen with small text saying that the previous page was trying to redirect to the page I wanted. Seems odd, as that is what I wanted it to do, but I also had a 'Cannot make a secure connection' error last week - after checking that out it seems Firefox have introduced some new SSL (1.3?) security protocol that Avast may not be ready to handle but this black screen worried me - I've never seen it before. In fact I didn't quite follow the reference to 'redirections' in your last message. I had thought that that PC was 'clean-ish' but now I'm wondering. Cheers, Ken
  3. Hi Ron, thanks for that. I recently had a graphic card driver (IIRC) update on the 32 Win7 PC but will check it again. I will try browser reset later in the week and see if that makes any difference. Is the Google Sync thingy the same as their backup & sync service that links with the Android App Google Photos? It was that, that was playing up in the first place. Cheers, Ken
  4. I think you have the patience of Job - thank you Ron. The Win10 update went ok this time and the machine seems 'normal' at this time. I still have the laptop to sort out - see if that's the same KRD10 problem - but that will wait until tomorrow. I'm using the 32bit Win7 PC at the moment, letting it soak in the Internet for a little while, it's ok-ish but I'll be keeping my eye on it - what I don't like is the screen flash when I open new windows (it makes me think they're being grabbed) and long white pauses when I first open Chrome or Firefox - but that may just be the slowness of this PC and updated browser operation. As you say, maybe it's time to refresh or replace. Thank you again for all your time, I'll keep you informed of any developments. Ken
  5. KRD10 folder in SRP now removed - on advice from Kaspersky, I used the File Manager in KRD2018 to delete it. Plenty of space now - will try Windows Update again later. Ken.
  6. Ron, a quick question: I have investigated the System Reserved Partition on the Win10 desktop PC - I assigned a drive letter and explored it. I find there is a Kaspersky Rescue Disk 10 folder in there with over 400Mb of files. Clearly, this would seem to be the cause of the problem of low drive space. Can I simply delete the KRD10 folder from the SRP - or is there a specific method I need to follow? Cheers, Ken
  7. Thanks Ron, I agree, the tools we have used do not seem to have revealed anything but my Windows Update issues (weird downloading pattern on the 32bit Win7 and now the latest WU failure on the Win10 PC) make me very uneasy. I shall look at the Win10 update again today. One thing that struck me as odd yesterday, is that I burned the KRD CD on a Win10 laptop, not long after booting it (not connected to the 'net) I was notified that Drive E: was running out of space (42Mb left out of 450Mb, yet it reports as being empty). Now Drive E: seems to be a small NTFS OEM partition which along with a 100Mb system partition and the rest of the 128Gb SSD is Drive C. I didn't set-up this machine but I'm wondering what is using up the space. I mention this because from what I gather about the WU failure 0x800f0922 on Win10, it can be caused by the (hidden) system partition being short on space (also firewalls can get in the way, so I'll have to deal with that too). As you know, I have been worried that my machines are being virtualized - AV scanners find no infections because in the VM everything is running normally. I wonder if when shutting down a machine, the filesystem is returned to some sort of 'normal' state and so the likes of KRD don't see a problem either. Are there any other tools that might detect this sort of activity? Cheers, Ken.
  8. Shall I skip all then? I will use KRD2018 on the other machines tomorrow. I was just trying to install KB4284848 June cumulative update on the Win10 machine and it couldn't complete after about 95% (0x800f0922) - ho hum. Will try again tomorrow. Goodnight, Ken
  9. Update: I copied the winmm.dll file onto a flash drive and uploaded it to VirusTotal using a machine on the 'net. The report is below. Note MD5 and SHA-256 are the same as given by KRD. Btw. The app it belongs to is old (2014) and no longer used. Do you think KRD/Tencent are reporting a false positive? Cheers, Ken. One engine detected this file. File name winmm.dll, file size 76.5 KB, last analysis 2018-07-01 23:14:26 UTC. ALL AV SCANNERS (inc Kaspersky) report 'CLEAN' except for this one (after a re-analysis): Tencent Win32.Rootkit.Hijrms.Wtxy
  10. Hi Ron, Finally got round to downloading the 2018 version of KRD (didn't realize that KRD10 is no longer supported) and burning a CD. I had to run the tool without Internet access (and got the cloud/base update warning but the database being used was dated yesterday (the same as on a machine with Internet access - so I guess it's the latest)). Attached are photos of the report for the 32bit Win 7 machine, the second one shows the bottom three entries that are not on the first photo. As you can see, the entry to worry about is: Rootkit.Win32.HijRMS.ac in the file ProgramFiles/SecondLifeViewer/winmm.dll. As yet, I have not selected an action and moved on - I thought I'd wait for your advice. I did wonder about submitting it to Virus Total but I can't do that if I accept the recommended action of 'Delete'. Cheers, Ken
  11. Rotten window frames take priority - no progress to report. Sony tablet behaved itself yesterday - 20 app update, no crashes. Ken
  12. Sorry, I didn't get chance to sit down at the PC yesterday - and will be busy a lot of today too. The last thing I did was to run the old KRD10 disk through the 64bit Win7 PC (the one whose clock was playing up - I've now bought a new CMOS battery and will fit it later but when I powered-up after over 24hrs of being off, the clock was still correct - hmm). The scan threw-up nothing except some 'processing error' / 'password protected' DataStoreAndWULogfiles.zip files in local/ElevatedDiagnostics folder (which was created April 19, 2015 but modified June 8, 2018). I did try to upgrade the Win 7 to Win 10 a couple of years ago but it failed on that drive (a SSD), some remnants may still be lurking around. I did get the upgrade running on a HD but I need the speed of a SSD for uncompressed video capture on that PC - so I never did get round to making a permanent switchover to Win10, now might be the time to do it. Yesterday my Sony tablet (Xperia Z) was the center of my concerns. Since all these unusual problems began back in April/May - it has had a tendency to suddenly reboot itself (no warning) maybe two or three times in succession, not long after powering-up (which is not often these days - which leads to a lot of updating of apps). Neither Malwarebytes nor AVG pick-up anything on scans. I'm not sure what to make of it. I would have thought legitimate app updates would give warning of an impending reboot. I might have to start a thread in the Android section. I will keep you in touch. Ken.
  13. Quick update: house maintenance is taking a lot longer than expected - won't be able to run KRD10 until Friday. It looks as though the CMOS battery needs replacing in the 64bit Win7 PC - from one boot to the next (dropping into BIOS settings), the clock doesn't seem to be running - the system time hasn't changed from the last time I set it. Unless malware can actually stop the clock, I doubt that that's the issue. Of course, once into the OS, Windows keeps track of the time. Ho hum. Edit: Hmm, may have spoken too soon - after leaving the PC alone & running for two hours, the Windows time is still roughly at the time I set it two hours ago.
