W7/64 freeze after few seconds; strange items in WMI


  1. Posts : 9,746
    Windows 7 Home Premium 64 bit sp1
       #21

    Fenichel said:
    I have a question for the clone-experienced contributors. When I first thought about cloning, quite a few years ago, I thought that it couldn't work. My thought was that most disk drives have a few unusable sectors here and there, identified to prevent their being allocated, but straight copying of one HDD onto another would not take proper account of the receiving HDD's bad sectors. Now, obviously my thinking was wrong, but what did I miss?
    These websites might help you with how cloning works.

    When to image a hard drive, and when to clone it | PCWorld

    Disk cloning - Wikipedia

    As I understand it cloning copies the hard drive into one big file. That file then is written to the new disc in much the same way as any software program is. In other words it's not the same as copy & paste. It's not actually copying sector by sector, thereby removing the bad sector problem being transferred.


  2. Posts : 21
    Windows 7/64 Pro SP1
    Thread Starter
       #22

    cloning


    As I understand it cloning copies the hard drive into one big file. That file then is written to the new disc in much the same way as any software program is. In other words it's not the same as copy & paste. It's not actually copying sector by sector, thereby removing the bad sector problem being transferred.
    I wasn't worried about the donor sites; it's easy enough to copy everything (all sectors) into one big file but then follow the file-system links and read out only the good stuff. What I was concerned about is the recipient sites. The OS works with offset-within-file much of the time, but at other times it talks directly to disk addresses, I think. If it thinks it knows that Thing is at sector AAA, but AAA is now (on the new, recipient disk) not usable, how does the clone system know what part of the OS should be told that Thing is now at BBB?

    We don't need to belabor this; obviously cloning has been made to work, and I'm foolish not to have been using it.


  3. Posts : 21
    Windows 7/64 Pro SP1
    Thread Starter
       #23

    results of suspending Kaspersky AV


    Thanks to ICIT2LOL. I suspended Kaspersky AV and moved back in the direction of Normal mode.

    • Windows accepted my password as usual
    • On a background I don't recall (black or the Welcome screen), I got an Application Error message from mbamtray.exe: The instruction at (somewhere) could not be read.
    • The cream, featureless, illegal-Windows desktop appeared behind the diagnostic box, and now I got an Application Error exception from ksdeuii.exe: Unknown software exception 0x40000015.
    • Within a few seconds, with no input from me, my normal desktop appeared. It lasted a few more seconds before the now-familiar freeze, and I had to go back in Safe Mode. But then, I tried Normal Mode again, hoping that the immediately-past experience in Normal Mode had been a one-off.
    • On that attempt at Normal Mode, with Kaspersky still disabled, I got no Application-Error messages, no nasty cream screen, just my normal desktop. I puttered for about a minute, at which time there appeared a Kaspersky popup, inviting me to reactivate it.
    • I did, and got another Kaspersky popup inviting me to update my virus definitions. I clicked on that, but a few seconds later the machine was frozen again.

    Possibly I can run in Normal mode indefinitely, as long as I don't try to reactivate Kaspersky AV (I don't know this; the latest freeze might just have been some other clock running out). If the Kaspersky theory is true, then there are at least two possible ways ahead (I want advice):

    • With help from this forum and, possibly, from Kaspersky Labs, I can get Kaspersky AV going again. While that is going on, I will need some sort of coverage, possibly from MalwareBytes.
    • Or, I could give up on Kaspersky altogether, and just start protecting myself with MWB or Eset or something else. Would I be losing something in not having Kaspersky?

    And yes, I'm off tomorrow to buy a new external HDD to be my clone holder.
    Last edited by Fenichel; 10 Apr 2017 at 00:53. Reason: new experimental results


  4. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #24

    Well if you want then what I would do is to uninstall Kaspersky because you might have a very buggy download. Is the version 2017?? by the way because if not then you can use the same activation code for each subsequent version that comes out - that is what I do.
    If you uninstall then it will give you the option of saving the code so a fresh install is ready to go. Now I would seriously think about not uninstalling it but if you want good free one then I would have a read of this
    If you want a good free AV then there are plenty in this
    Free Windows Desktop Software Security List - Realtime Protection | Gizmo's Freeware
    However I would advise you against using AVG, McAfee, Baidu, Ad-Adaware, and Comodo (only because it is a terrible nagger)
    I have tested out Bitdefender, Avast, Avira, MSE, Sophos, and Panda and out of those I would if I were not using a paid for version of Kaspersky run Bitdefender, Avast, and Avira in that order and then the others. I mentioned the Kaspersky only because I have used it for a very long time now and as well as being an excellent AV is also very cheap to run at approx $0.035 a day (currently) and that is just about free and one gets the extra benefits.
    The choice is yours as always.
    (pretyped to save time)

    NB That disabling depends on how long you set it for too so be aware of it enabling itself again. Plus if you do uninstall it it doesn't mean you cannot reinstall it and you need to use the removal tool which does sometimes leave remnants in the registry entries mainly because it is saving that code.


  5. Posts : 21
    Windows 7/64 Pro SP1
    Thread Starter
       #25

    Kaspersky or not


    @ICIT2LOL:
    I don't think I understand your last message. On the one hand you say
    what I would do is to uninstall Kaspersky
    , but then you say
    I have used Kaspersky for a very long time now and as well as being an excellent AV is also very cheap to run at approx $0.035 a day (currently) and that is just about free and one gets the extra benefits.
    You note that perhaps I should uninstall Kaspersky because I might have a bad download. I've been running it for 2 years or so now, with updates as they are available, so it might be corrupt, but a bad download doesn't seem as likely. I'm paid up until next year, I think.

    What do you think about uninstalling it and then immediately reinstalling it, speculating that the new download will be OK? Of course, all of this is contingent on the theory that my problems have all been routed out by the other AV programs, and that the only lingering issue is with a malfunctioning Kaspersky program. That is not yet proven, to say the least.


  6. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #26

    Before worrying about backups and cloning your system, I would suggest taking care of the infections first.

    Have you tried RKill and then run needed scans?

    RKill Download


    I would also suggest removing all cookies found by SAS.

    There is a good chance you will need to do a Clean Install; it all depends on the infections found.

    Jack


  7. Posts : 21
    Windows 7/64 Pro SP1
    Thread Starter
       #27

    Thanks for the link to RKill. RKill seemed to be reasonably comfortable (see attached output), and I had already deleted all of the cookies found by SAS.

    I recognize that I still may need to do a clean install, but I'm not sure how to decide whether that will be necessary. I've now scanned my whole system with MalWareBytes, eSet, SuperAntiSpyWare, and now RKill, and removed the various tagged items.

    What other disinfection would you recommend? One possibility that occurs to me is that I should now run some or all of the above scans again, in case the malware had a hiding place and has now re-established itself.

    Remember that the trouble seems to have started just after midnight at the beginning of April 1st; the computer had then been running continuously for over a week, and receiving no input from me during that time (I was away until 0400 on April 1st). That says to me that the malware was lying in wait, set to start at or after a specific time (2017-04-01 00:00). It had not, in its dormant form, ever been detected by Kaspersky, and I may (or may not) have successfully deleted the dormant version as described in message #7. In the depths of my paranoia, it occurs to me that there might be another dormant version still on my system somewhere, ready to rise again on April 1st of next year or, indeed, at any other time.

    In this vein, I remember that the file that I suspect was the dormant carrier was recognized by Windows Explorer as being encrypted (that is, its name was displayed in green). I've never noticed any other files on my system with that property. I could search my system for files whose FILE_ATTRIBUTE_ENCRYPTED bit is set; I don't know of a tool that does that, but I could write my own without much delay. Do you recommend that I bother with this?


  8. Posts : 21
    Windows 7/64 Pro SP1
    Thread Starter
       #28

    finding encrypted files


    I could search my system for files whose FILE_ATTRIBUTE_ENCRYPTED bit is set; I don't know of a tool that does that, but I could write my own without much delay.
    This turned out to be a trivial piece of coding, so it's coded and run. There were a few copies of the encrypted file hanging around in the Recycle Bin, but now they're definitely gone.
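The search described in posts #27 and #28, as an added example; it is not the poster's own tool, which the thread does not show. It walks a directory tree and reports every entry whose FILE_ATTRIBUTE_ENCRYPTED bit (0x4000) is set, without descending through reparse points; `find_encrypted`, `win_attrs` and the `get_attrs` parameter are names chosen for this illustration.

```python
import os
import stat
import sys

FILE_ATTRIBUTE_ENCRYPTED = 0x4000      # same value as stat.FILE_ATTRIBUTE_ENCRYPTED
FILE_ATTRIBUTE_REPARSE_POINT = 0x400   # junctions and symlinks: report, do not descend


def win_attrs(path):
    """Windows attribute bits for path (0 on platforms that have none)."""
    return getattr(os.lstat(path), "st_file_attributes", 0)


def find_encrypted(root, get_attrs=win_attrs):
    """Return (hits, errors): paths with the EFS bit set, and paths that could not be read."""
    hits, errors = [], []
    pending = [root]
    while pending:
        folder = pending.pop()
        try:
            names = sorted(os.listdir(folder))   # includes hidden and system entries
        except OSError as exc:                   # e.g. access denied on a protected folder
            errors.append((folder, exc.strerror))
            continue
        for name in names:
            path = os.path.join(folder, name)
            try:
                attrs = get_attrs(path)
                is_dir = stat.S_ISDIR(os.lstat(path).st_mode)
            except OSError as exc:
                errors.append((path, exc.strerror))
                continue
            if attrs & FILE_ATTRIBUTE_ENCRYPTED:
                hits.append(path)
            if is_dir and not attrs & FILE_ATTRIBUTE_REPARSE_POINT:
                pending.append(path)
    return sorted(hits), errors


if __name__ == "__main__":
    # Assumption: run from an elevated prompt so $Recycle.Bin and other
    # users' folders are readable; unreadable paths are listed, not hidden.
    found, skipped = find_encrypted(sys.argv[1] if len(sys.argv) > 1 else "C:\\")
    for p in found:
        print("ENCRYPTED", p)
    for p, why in skipped:
        print("SKIPPED  ", p, why, file=sys.stderr)
```

The skipped list matters as much as the hits: a folder the scan could not read is a folder it has not cleared.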


  9. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #29

    We need a status report.
    Are you having any problems with your system?

    The purpose of RKill is to stop programs (infections) from running so a better security scan can be done.
    Some infection will try to shut down security programs so your security programs can't find the infections.

    No security program is a fix all.

    If at the end you have doubts about your computer security, that is when I would do a clean install.
    In cases like this I would do a format and a wipe of the disk and then install Windows 7 again.
    It's a pain I know.

    P/S:
    Remember that anything that was hooked up to or in communications with the infected system could also be infected. An April Fools' Day infection could have been in the system for a long time just waiting for the clock on your computer to activate the infection. There are just so many possibilities.

    Jack


  10. Posts : 21
    Windows 7/64 Pro SP1
    Thread Starter
       #30

    status report


    I haven't been back into Normal Mode since the time yesterday, described a few messages ago.

    I am not altogether comfortable with the current situation, but I am heartened by the facts that

    • the presumed malware file came in a Github file that was unlikely to be downloaded by many people, let alone high-value targets, and
    • it was left around in a non-stealthy form (distinguished explorer appearance, immediate detection upon attempted copying), and
    • the trigger date was the too-obvious April 1st, and
    • I haven't heard from any ransomers or gloaters, and
    • other victims don't seem to be complaining publicly

    To me, these facts suggest that the perpetrators were only moderately skilled dabblers, and so I may (with the help of this forum) have got rid of the infection. I am inclined

    • to run MalWareBytes again, to see if the malware somehow ran a flanking maneuver around it,
    • to run eSet again
    • to run SuperAntiSpyware again
    • to unload Kaspersky AV
    • to reload Kaspersky AV

    and then to reattempt Normal Mode. Formatting and reinstalling would take about a week, considering all of the Windows annoyances that would need to be cleaned up again, and considering the wide range of apps that I use. I respect your more conservative approach, of course. I hope you don't believe that I am being wild-ass foolhardy.

    What I may do in parallel is just to buy another machine and, without any time pressure, configure it into usable form. Then I could move my data over and use the new machine while, again under no time pressure, I scrubbed this machine down to bare silicon & iron oxide and did the clean install. I used to maintain 2 machines to ease a strategy like this, but it became too much trouble to keep them both up to date.


 