
Installing programs say I'm not running Windows 7


Two weeks ago I updated Firefox to the latest and got some Malwarebytes warnings. I'm sure I downloaded from a safe location. I uninstalled and tried to install again and got warned I was not running Win 7. Tried to install the previous version that I had been running - same warning - had to copy a backup version of Firefox. Several attempts to reinstall - all failed. However, it seems to have updated by itself. Yesterday tried to install an update for SyncBack Pro - it worked but warned I was running Win XP.

I'm running Win 7 Professional 64 bit - that's what shows under computer properties

Otherwise everything works

 


  • 2 weeks later...

The condition still exists - though it's not causing any major problems.

Trying to install Firefox 57 says I'm not running Win7 - and refuses to install. [Though if I copy - not install - an old version it runs and eventually updates to the latest]

Installing SyncBack Pro works but warns me I'm running Win XP

I'm suspicious that something got corrupted by malware when I did the Firefox update a month ago.

 

 


  • Root Admin

Let me get some logs. Maybe a path or environment variable has been messed up.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 

Ron

 


This afternoon FireFox became unresponsive, high CPU, then crashed

Shortly after, HitmanPro detected a suspicious USB keyboard - I have no USB keyboard attached --- it's PS/2

Mitigation   BadUSB
Platform     6.1.7601/x64 v723 06_3c
Keyboard name        HID Keyboard Device
Hardware ID        HID\VID_046D&PID_C232


  • Root Admin

Well you have a ton of hardware there and one of them looks to be having an issue.

Drive c: (C 1593) (Fixed) (Total:322.73 GB) (Free:102.93 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (D 1593) (Fixed) (Total:2.01 GB) (Free:0.99 GB) NTFS
Drive e: (E 1593) (Fixed) (Total:22.94 GB) (Free:22.85 GB) NTFS
Drive f: (F 1593) (Fixed) (Total:20 GB) (Free:12.95 GB) NTFS
Drive g: (G 1593) (Fixed) (Total:215.58 GB) (Free:140.29 GB) NTFS
Drive h: (H 1490) (Fixed) (Total:200.01 GB) (Free:104.91 GB) NTFS
Drive i: (I 1490) (Fixed) (Total:319.89 GB) (Free:225.08 GB) NTFS
Drive j: (J 1490) (Fixed) (Total:91.68 GB) (Free:87.18 GB) NTFS
Drive k: (K 1490) (Fixed) (Total:62.96 GB) (Free:60.59 GB) NTFS
Drive l: (H1621 LaCie) (Fixed) (Total:931.51 GB) (Free:243.11 GB) NTFS
Drive n: (My Book) (Fixed) (Total:4657.49 GB) (Free:2397.49 GB) NTFS
Drive p: (Drobo) (Fixed) (Total:16383.87 GB) (Free:12694.61 GB) NTFS
Drive z: (Z 1490) (Fixed) (Total:198.37 GB) (Free:69.5 GB) NTFS

 

System errors:
=============
Error: (12/19/2017 10:34:33 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (12/19/2017 10:34:32 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (12/19/2017 10:34:32 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (12/19/2017 10:34:31 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (12/19/2017 10:34:31 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (12/19/2017 09:37:32 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (12/19/2017 09:37:30 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (12/18/2017 01:54:45 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MSI Live Update Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (12/17/2017 01:37:34 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 70. The internal error state is 105.

Error: (12/16/2017 07:01:12 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.

 

 

I would track down that drive and verify all the cables and connections are good to it and run a full disk check on it.

 

 


I have 2 internal drives with multiple partitions - C: to K: and Z:

Third device is a DROBO RAID on a USB, always plugged in and powered on, as P:

L: and N: are USB externals plugged in as required for backups

I'm assuming \Device\Harddisk2\DR2 is the DROBO [but \DR2 makes no sense] - the only diagnostic available is CHKDSK, which found some unused sectors marked as used

 


  • Root Admin

You can reboot the computer and then check your Event Logs and see if there was a new entry for any disk issue.

You can also run DISKPART to check the drive.

C:\>DISKPART

Microsoft DiskPart version 10.0.16299.15

Copyright (C) Microsoft Corporation.
On computer: PC

DISKPART> LIST DISK

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          476 GB  1024 KB        *
  Disk 1    Online         2794 GB      0 B        *
  Disk 2    Online         3726 GB      0 B        *
  Disk 3    Online         1863 GB      0 B        *
  Disk 4    Online           14 TB      0 B        *
  Disk 5    Online         7452 GB      0 B        *
  Disk 6    Online         3726 GB      0 B        *

DISKPART> LIST VOLUME

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     Z                       DVD-ROM         0 B  No Media
  Volume 1     C   SAM-NVM-500  NTFS   Partition    475 GB  Healthy    Boot
  Volume 2         Recovery     NTFS   Partition    450 MB  Healthy    Hidden
  Volume 3                      FAT32  Partition     99 MB  Healthy    System
  Volume 4                      NTFS   Partition    881 MB  Healthy    Hidden
  Volume 5     F   SEA-ATA-3.0  NTFS   Partition   2794 GB  Healthy
  Volume 6     E   SEA-SSH-4.0  NTFS   Partition   3725 GB  Healthy
  Volume 7     D   INT-SSD-2TB  NTFS   Partition   1862 GB  Healthy
  Volume 8     G   WDG-USB-16.  NTFS   Partition     14 TB  Healthy
  Volume 9     H   SEA-USB-8.0  NTFS   Partition   7451 GB  Healthy
  Volume 10        EFI          FAT32  Partition    200 MB  Healthy    Hidden
  Volume 11    R   SEA-USB-4.0  NTFS   Partition   3725 GB  Healthy

Assuming the DROBO was the device and CHKDSK found and either repaired or marked as unusable then that should correct the issue and it should stop showing in the Event Logs.

I would be suspicious though of any disk that is having enough issues to report it to the Event Logs as it may be susceptible to a failure. Make sure any data on that unit that is important is backed up somewhere else as well.

Backup Software


From a command prompt type in SET and then copy/paste that back here in CODE TAGs please.

 

 

 


The DROBO is only used for backups - and I have multiple other backups -- cloud and drive each day

 

In the last two days MBAM has warned about this twice - reboot does not help  -- Malwarebytes is unable to load the Anti-Rootkit DDA Driver.

Reinstalled rootkit and MBAM - now MBAM keeps doing --- Real Time Protection turned off and I can't fix that

SET list attached

 

27dec-set.txt


  • Root Admin

Please download the installer at the bottom of this post.

Currently it points to this link:  https://malwarebytes.box.com/s/8ubyzv23i2xdocd2zuvwyfqc48ytq6zu

Install that version and reboot and then check for updates in the program and let me know if you're still having issues with it loading.

Ron

 


Followed the above last night - still had problems

Did it again today

no anti-rootkit warnings

still getting Real Time Protection turned off

cannot turn on - -- real time web protection - goes on for a second then off again

Ransomware Protection - unavailable - cannot turn on

 


  • Root Admin

Our check log and our installer log also show the computer to be Windows XP with SP3

2017-12-28 12:40:08.554   Windows version: 5.1.2600 SP3  (NT platform: Yes)
2017-12-28 12:40:08.554   64-bit Windows: Yes
2017-12-28 12:40:08.554   Processor architecture: x64
2017-12-28 12:40:08.554   User privileges: Administrative
2017-12-28 12:40:08.556   64-bit install mode: Yes

Can you please show me a screen shot of your desktop and Start Menu.

Can you also click on START and type in WINVER and press the Enter key and show me a screen shot of that.

Here is an example from my computer.

winver_windows7.jpg

 


  • Root Admin

Are you dual booting with Windows XP and Windows 7 ?

Why do you have a C: and a G: with basically the same path?

2013-11-14 02:29 - 1996-10-01 01:02 - 000098816 _____ () C:\Program Files (x86)\Norton Commander\nc_res.dll
2013-11-17 01:28 - 2010-04-04 21:48 - 001352704 _____ () G:\Program Files (x86)\CurioStudio\GreatNews\GreatNews.exe

Can you start a DOS Command Prompt and type in SET and then copy/paste that back here.

Something very odd going on. Some programs are seeing XP and some are seeing Windows 7. It's obvious that XP is there as either a Virtual System or dual boot system as there is account info there.

 


  • Root Admin

It almost has to be from one or more of your compatibility settings. If you look at your logs for the MB-Check it shows you have a few of them set. I didn't notice any that specifically stood out as an issue, but maybe one of them is causing this.

You might want to remove all of the compatibility settings that are set for RUNASADMIN - nothing should be set like that. There is an option to run as Admin if you want, without setting it in compatibility mode.

 

Compatibility Flag Settings:
=================================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
    F:\Program Files\Oracle\VirtualBox\VirtualBox.exeREG_SZ        DISABLEUSERCALLBACKEXCEPTION
    C:\Program Files (x86)\InstallShield Installation Information\{59679381-3F22-4A40-A7AD-890242D74DF4}\setup.exeREG_SZ        VISTARTM
    G:\Program Files\Family Tree Maker 2014\FTM.exeREG_SZ        DISABLEUSERCALLBACKEXCEPTION

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
    C:\Users\Avrad\Downloads\Firefox Setup Stub 25.0.exeREG_SZ        WINXPSP3 RUNASADMIN
    C:\Users\Avrad\Downloads\Firefox Setup 25.0.exeREG_SZ        WINXPSP3 RUNASADMIN
    C:\Program Files (x86)\Norton Commander\NC.EXEREG_SZ        WINXPSP3
    G:\clarion6\BIN\C60PE.EXE     REG_SZ        WINXPSP3 RUNASADMIN
    D:\NV\NV.EXE                  REG_SZ        WINXPSP3 640X480 RUNASADMIN
    G:\Program Files\TurboTax 2012\tt2012.exeREG_SZ        WINXPSP3
    G:\Program Files\FeedReader30\feedreader.exeREG_SZ        WINXPSP3
    D:\Timeslip\TWREPORT.EXE      REG_SZ        WINXPSP3 RUNASADMIN
    D:\Timeslip\TWTIMER.EXE       REG_SZ        WINXPSP3 RUNASADMIN
    G:\Program Files\palmOne\Palm.exeREG_SZ        WINXPSP3 RUNASADMIN
    G:\Program Files (x86)\palmOne\RestartPalm.exeREG_SZ        ELEVATECREATEPROCESS
    G:\LIFEFORM\LIFEFORM.EXE      REG_SZ        WINXPSP3
    G:\Program Files\WinZip\WINZIP32.EXEREG_SZ        WINXPSP3 RUNASADMIN
    D:\Timeslip\TSTIMER.EXE       REG_SZ        WINXPSP3 RUNASADMIN
    G:\Program Files\palmOne\Hotsync.exeREG_SZ        WINXPSP3
    D:\PALM\Palm Desktop 62 and HotSync Manager\palmhotsyncsetup.exeREG_SZ        WINXPSP3
    C:\Users\Avrad\Desktop\NV.EXE.pifREG_SZ        WINXPSP3 256COLOR 640X480 HIGHDPIAWARE RUNASADMIN
    G:\Program Files\CurioStudio\GreatNews\GreatNews.exeREG_SZ        WINXPSP3
    G:\Program Files (x86)\Breevy\Breevy.exeREG_SZ        RUNASADMIN
    C:\Windows\winsxs\amd64_microsoft-windows-fsutil_31bf3856ad364e35_6.1.7601.17577_none_2a4c3b3e06ba1a1d\fsutil.exeREG_SZ        RUNASADMIN
    C:\Windows\winsxs\amd64_microsoft-windows-fsutil_31bf3856ad364e35_6.1.7601.21680_none_2ac406171fe62477\fsutil.exeREG_SZ        RUNASADMIN
    C:\Windows\winsxs\amd64_microsoft-windows-fsutil_31bf3856ad364e35_6.1.7600.16385_none_28590620099da2d8\fsutil.exeREG_SZ        RUNASADMIN
    C:\Windows\winsxs\x86_microsoft-windows-fsutil_31bf3856ad364e35_6.1.7600.16385_none_cc3a6a9c514031a2\fsutil.exeREG_SZ        RUNASADMIN
    C:\Windows\winsxs\x86_microsoft-windows-fsutil_31bf3856ad364e35_6.1.7601.21680_none_cea56a936788b341\fsutil.exeREG_SZ        RUNASADMIN
    C:\Windows\winsxs\x86_microsoft-windows-fsutil_31bf3856ad364e35_6.1.7601.17577_none_ce2d9fba4e5ca8e7\fsutil.exeREG_SZ        RUNASADMIN

 

 

https://www.howtogeek.com/howto/10436/using-program-compatibility-mode-in-windows-7/

 

Link to post
Share on other sites
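An added example, not part of the original post or of any Malwarebytes tool: a small Python parser for a Layers listing in the format pasted above, separating entries that make a program see an older Windows version from entries that force elevation. The layer-name sets are a partial list chosen for this example, and the sample lines are copied from the listing above.

```python
import re

# Layers that make a program see an older Windows version. Partial list chosen
# for this example; WINXPSP3 and VISTARTM are the two in the listing above.
VERSION_LAYERS = {"WINXPSP2", "WINXPSP3", "VISTARTM", "VISTASP1", "VISTASP2"}
ELEVATION_LAYERS = {"RUNASADMIN"}

HIVE_RE = re.compile(r"^(HKEY_[A-Z_]+)\\.*\\Layers$", re.IGNORECASE)
# Long paths run straight into the type column ("...setup.exeREG_SZ"), so
# REG_SZ is matched with or without whitespace in front of it.
ENTRY_RE = re.compile(r"^\s+(?P<path>.+?)\s*REG_SZ\s+(?P<layers>\S.*)$")

def parse_layers(text):
    """Return [(hive, exe_path, [layer, ...]), ...] for a Layers listing."""
    entries, hive = [], None
    for line in text.splitlines():
        m = HIVE_RE.match(line.strip())
        if m:
            hive = m.group(1).upper()
            continue
        m = ENTRY_RE.match(line)
        if m and hive:
            entries.append((hive, m.group("path"), m.group("layers").split()))
    return entries

def audit(text):
    """Group entries by effect: OS-version shim vs. forced elevation."""
    report = {"version": [], "elevation": []}
    for hive, path, layers in parse_layers(text):
        shims = sorted(VERSION_LAYERS.intersection(layers))
        if shims:
            report["version"].append((hive, path, shims))
        if ELEVATION_LAYERS.intersection(layers):
            report["elevation"].append((hive, path))
    return report

# Lines copied from the listing in the post above.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
    C:\Program Files (x86)\InstallShield Installation Information\{59679381-3F22-4A40-A7AD-890242D74DF4}\setup.exeREG_SZ        VISTARTM
    G:\Program Files\Family Tree Maker 2014\FTM.exeREG_SZ        DISABLEUSERCALLBACKEXCEPTION

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
    C:\Users\Avrad\Downloads\Firefox Setup 25.0.exeREG_SZ        WINXPSP3 RUNASADMIN
    D:\NV\NV.EXE                  REG_SZ        WINXPSP3 640X480 RUNASADMIN
    G:\Program Files (x86)\Breevy\Breevy.exeREG_SZ        RUNASADMIN
"""

if __name__ == "__main__":
    for kind, rows in audit(SAMPLE).items():
        for row in rows:
            print(kind, *row)
```
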

My brain can't deal with all these new concepts LOL

A few notes

D:\NV\NV.EXE - is a DOS app that runs on the VM - under WinXP

D:\Timeslip is a Win app on the VM - under WinXP - it stopped working correctly a few weeks ago - and I have no energy to try and fix

I really have no idea where to go next - but from the docs you sent I had an idea - the two apps I was trying to install and would not since they refused - think I'm running Win XP

if I run them - as Administrator - they now work !!!!! - so maybe I no longer have that issue to deal with

still would like to fix - the Real Time Protection turned off issue


  • Root Admin

None of these compatibility settings should be set for your Windows 7 box. If your VM host does not like a program then it needs to have compatibility set on it. But more than likely it does not. Also, normally one would not share the drive with a VM host except in rare cases. Normally users use VM to isolate on purpose in a home environment. That way if you're playing or testing something possibly dangerous you can't affect the main computer. Best to copy the files or folders into the VM client's own hard drive.

 


  • Root Admin

Yes, looks to be an FP to me. Please create a new topic in the forum below and post that log along with a zipped copy of the files in question and upload. They will review and remove from detection.

https://forums.malwarebytes.com/forum/42-file-detections/

Cheers

Ron

 
