Virus or what ?

From: Roberta@Roberta.com (Roberta)
Newsgroups: alt.windows7.general
Subject: Virus or what ?
Date: Fri, 7 Oct 2022 11:51:23 -0700
Organization: Aioe.org NNTP Server
Message-ID: <thpsff$dfc$1@gioia.aioe.org>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.5

Home network.
3 Win XP Pro laptops.
2 Win 7 Pro laptops.
2 Win 7 Pro Desktops.

All on the LAN and Internet.

The problem seems to be only with the Win XP Pro PCs.

Started with one Win XP Pro PC (on Cat5)
Then weeks later the next XP PC started the same problems (on Cat5).
Finally the third one on WiFi started problems.

Boot up any and all seems fine.
After leaving each on for days eventually this starts happening.
Power off boot gets it back to operating OK (so it seems) for a while,
then problems.

Problems.
Cannot start some apps. Others start.
Cannot update apps like Malwarebytes database etc at any time even after
boot.
Cannot run apps once started.
Cannot copy / paste.
Cannot use Explorer.

Suggestion please for cleaning or ...

It will be a real pain to try to re-image these.
I did re-image the original problem one and so far it seems OK.
Way too much work to bring it back now all the way.

Are others having this problem ?

Re: Virus or what ?

From: nobody@notme.invalid (David E. Ross)
Newsgroups: alt.windows7.general
Subject: Re: Virus or what ?
Date: Fri, 7 Oct 2022 12:39:40 -0700
Organization: I am @ David at rossde dot com.
Message-ID: <thpv9u$1r7q$1@gioia.aioe.org>
References: <thpsff$dfc$1@gioia.aioe.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

On 10/7/2022 11:51 AM, Roberta wrote:
>
> Home network.
> 3 Win XP Pro laptops.
> 2 Win 7 Pro laptops.
> 2 Win 7 Pro Desktops.
>
> All on the LAN and Internet.
>
> The problem seems to be only with the Win XP Pro PCs.
>
> Started with one Win XP Pro PC (on Cat5)
> Then weeks later the next XP PC started the same problems (on Cat5).
> Finally the third one on WiFi started problems.
>
> Boot up any and all seems fine.
> After leaving each on for days eventually this starts happening.
> Power off boot gets it back to operating OK (so it seems) for a while,
> then problems.
>
> Problems.
> Cannot start some apps. Others start.
> Cannot update apps like Malwarebytes database etc at any time even after
> boot.
> Cannot run apps once started.
> Cannot copy / paste.
> Cannot use Explorer.
>
> Suggestion please for cleaning or ...
>
> It will be a real pain to try to re-image these.
> I did re-image the original problem one and so far it seems OK.
> Way too much work to bring it back now all the way.
>
> Are others having this problem ?
>

Can you do a virus scan with a current virus database from one of the
Windows 7 desktops? In my LAN, I can scan my wife's Windows XP PC from
my Windows 7 PC.

--
David E. Ross
<http://www.rossde.com/>

Donald Trump demands that he be declared the winner of
the 2020 presidential election. Otherwise, he demands
that the election be rerun immediately.

What has he been smoking?

Re: Virus or what ?

From: the_stan_brown@fastmail.fm (Stan Brown)
Newsgroups: alt.windows7.general
Subject: Re: Virus or what ?
Date: Fri, 7 Oct 2022 17:38:36 -0700
Organization: Oak Road Systems
Message-ID: <MPG.3daa6667fc0a5a4298ffd0@news.individual.net>
References: <thpsff$dfc$1@gioia.aioe.org>
User-Agent: MicroPlanet-Gravity/3.0.11 (GRC)

On Fri, 7 Oct 2022 11:51:23 -0700, Roberta wrote:
>
> Home network.
> 3 Win XP Pro laptops.
> 2 Win 7 Pro laptops.
> 2 Win 7 Pro Desktops.
>
> All on the LAN and Internet.
>
> The problem seems to be only with the Win XP Pro PCs.
>
> Started with one Win XP Pro PC (on Cat5)
> Then weeks later the next XP PC started the same problems (on Cat5).
> Finally the third one on WiFi started problems.
>
> Boot up any and all seems fine.
> After leaving each on for days eventually this starts happening.
> Power off boot gets it back to operating OK (so it seems) for a while,
> then problems.
>
> Problems.
> Cannot start some apps. Others start.
> Cannot update apps like Malwarebytes database etc at any time even after
> boot.

Sounds to me like a virus, though I could be wrong. Can you put
Malwarebytes latest version on a USB stick or CD-ROM with a known
good computer, then take all the bad ones off network and clean them
with Malwarebytes?

--
Stan Brown, Tehachapi, California, USA https://BrownMath.com/
Shikata ga nai...

Re: Virus or what ?

From: mayayana@invalid.nospam (Mayayana)
Newsgroups: alt.windows7.general
Subject: Re: Virus or what ?
Date: Sat, 8 Oct 2022 08:12:21 -0400
Organization: A noiseless patient Spider
Message-ID: <thrph7$6cc9$1@dont-email.me>
References: <thpsff$dfc$1@gioia.aioe.org>
X-Newsreader: Microsoft Outlook Express 6.00.2900.5512

"Roberta" <Roberta@Roberta.com> wrote

| Problems.
| Cannot start some apps. Others start.
| Cannot update apps like Malwarebytes database etc at any time even after
| boot.
| Cannot run apps once started.
| Cannot copy / paste.
| Cannot use Explorer.
|

Sounds to me like it might just be funky with age.
One or more things acting up. I'd start by using ProcExplorer
to see what's running. Then check autoruns and the services
list to see what else runs. Make sure there are no extra
complications, like a printer hooked up. Then check specifics.
If a program doesn't start... Can you start the EXE directly?
Where is the shortcut pointing?

Maybe also check RAM and hard disks. But if a disk image
restore works then those are probably not a problem --
unless the new installs start acting up. This is also the time
to back up personal files in case you restore a disk image.
There's no sense having disk image backup if restoring the
backup is too much trouble to do.

Re: Virus or what ?

From: nospam@needed.invalid (Paul)
Newsgroups: alt.windows7.general
Subject: Re: Virus or what ?
Date: Sat, 8 Oct 2022 13:22:08 -0400
Organization: A noiseless patient Spider
Message-ID: <thsbjv$7qes$1@dont-email.me>
References: <thpsff$dfc$1@gioia.aioe.org>
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)

On 10/7/2022 2:51 PM, Roberta wrote:
>
> Home network.
> 3 Win XP Pro laptops.
> 2 Win 7 Pro laptops.
> 2 Win 7 Pro Desktops.
>
> All on the LAN and Internet.
>
> The problem seems to be only with the Win XP Pro PCs.
>
> Started with one Win XP Pro PC  (on Cat5)
> Then weeks later the next XP PC started the same problems (on Cat5).
> Finally the third one on WiFi started problems.
>
> Boot up any and all seems fine.
> After leaving each on for days eventually this starts happening.
> Power off boot gets it back to operating OK (so it seems) for a while, then problems.
>
> Problems.
> Cannot start some apps.  Others start.
> Cannot update apps like Malwarebytes database etc at any time even after boot.
> Cannot run apps once started.
> Cannot copy / paste.
> Cannot use Explorer.
>
> Suggestion please for cleaning or ...
>
> It will be a real pain to try to re-image these.
> I did re-image the original problem one and so far it seems OK.
> Way too much work to bring it back now all the way.
>
> Are others having this problem ?

I tried to find an offline scanner.

Some options:

1) Kaspersky Rescue CD. This has a good record of being able to do scans.
However, it has politically inspired reputation problems now.
Which is a shame, when you consider that technically
competent people built this scanning CD. The same
cannot be said for the others.

2) Bitdefender (rescue CD). The scanner actually works, but the display
to the screen does not work. (linux modesetting failure)
Can be made to work, using an Xorg on a second computer.
Considered "not to work, out of the box".

3) Microsoft Safety Scanner. May have worked at one time, seems to have a problem
today with MPAM-FE or with acquiring yet another MPAM-FE
from the Internet. I would consider this broken.

For those who like to tinker, there is some background info available.
This at least explains how it launches.

https://www.verboon.info/2012/01/how-the-windows-defender-offline-beta-tool-works/
https://www.verboon.info/2012/03/how-to-add-drivers-to-the-windows-defender-offline-tool/

4) This is today's find - the ESET rescue disc. A large CD-sized download with
Ubuntu LXTerminal (could be LXDE).

https://www.eset.com/ca/download/tools-and-utilities/sysrescue/

The only problem with this one, is the interface on the scanner
does not follow any useful convention. For example, if you see
square boxes with tick marks, those are tabs with the scan results
in them, and are not "scanning kickoff" buttons.

So the main barrier on this tool, is not being able to tell if
you actually ran a scan. And not being able to tell even, whether
C: got scanned or not.

It was all as much fun as I expected it to be.

*******

For online tools (you run these while the sick OS is booted), we have:

https://support.norton.com/sp/static/external/tools/npe.html

Norton Power Eraser

# The WinXP/Vista one.

https://buy-download.norton.com/downloads/premium_services/NPE/5.3/en/NPE.exe

Name: NPE.exe
Size: 9,639,912 bytes (9413 KiB)
SHA256: E9AA615D100B14D6A85D3DAD8BCE832B9DBE84568EB5BF975365C3467E3E652B

I did not test this.

MBAR (MalwareBytes Rootkit scanner) is one tool for rootkits.
(The MBAM is the AV scanner.)

TDSSKiller is another. TDSS is a rootkit that infects atapi.sys amongst others.

https://www.bleepingcomputer.com/download/tdsskiller/

# Or, from the site that made it.

https://support.kaspersky.com/5350

The nice thing about a rootkit, is there is nothing to see in Task Manager.
That's the power of the thing. A rootkit can cloak just about anything
it is doing, with the exception of the "weird symptoms" and "I can't
run this or that, mainly AV products" symptoms.

If malware attempts to protect itself against removal, that's
when you start seeing the weird side effects of that.

I guarantee there will be hair loss, before you get the tools
to do what they're supposed to do. I wasn't shocked by what I found,
as it's been like this for some number of years.

Paul

Re: Virus or what ?

From: ken1943@invalid.net (KenW)
Newsgroups: alt.windows7.general
Subject: Re: Virus or what ?
Date: Sat, 08 Oct 2022 11:43:06 -0600
Organization: Home
Message-ID: <ahd3kh5cbojip6ceh4kompttsddah0eoal@4ax.com>
References: <thpsff$dfc$1@gioia.aioe.org>
User-Agent: ForteAgent/8.00.32.1272

On Fri, 7 Oct 2022 11:51:23 -0700, Roberta <Roberta@Roberta.com>
wrote:

>
>Home network.
>3 Win XP Pro laptops.
>2 Win 7 Pro laptops.
>2 Win 7 Pro Desktops.
>
>All on the LAN and Internet.
>
>The problem seems to be only with the Win XP Pro PCs.
>
>Started with one Win XP Pro PC (on Cat5)
>Then weeks later the next XP PC started the same problems (on Cat5).
>Finally the third one on WiFi started problems.
>
>Boot up any and all seems fine.
>After leaving each on for days eventually this starts happening.
>Power off boot gets it back to operating OK (so it seems) for a while,
>then problems.
>
>Problems.
>Cannot start some apps. Others start.
>Cannot update apps like Malwarebytes database etc at any time even after
>boot.
>Cannot run apps once started.
>Cannot copy / paste.
>Cannot use Explorer.
>
>Suggestion please for cleaning or ...
>
>It will be a real pain to try to re-image these.
>I did re-image the original problem one and so far it seems OK.
>Way too much work to bring it back now all the way.
>
>Are others having this problem ?
I have used Sophos free scanner for about 3 years. It found things
others have not. They have a new version out.

KenW

Re: Virus or what ?

From: nospam@needed.invalid (Paul)
Newsgroups: alt.windows7.general
Subject: Re: Virus or what ?
Date: Mon, 10 Oct 2022 09:36:36 -0400
Organization: A noiseless patient Spider
Message-ID: <ti1752$qq07$1@dont-email.me>
References: <thpsff$dfc$1@gioia.aioe.org> <thsbjv$7qes$1@dont-email.me>
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)

On 10/8/2022 1:22 PM, Paul wrote:

>
> 3) Microsoft Safety Scanner. May have worked at one time, seems to have a problem
>                              today with MPAM-FE or with acquiring yet another MPAM-FE
>                              from the Internet. I would consider this broken.
>
>    For those who like to tinker, there is some background info available.
>    This at least explains how it launches.
>
>    https://www.verboon.info/2012/01/how-the-windows-defender-offline-beta-tool-works/
>    https://www.verboon.info/2012/03/how-to-add-drivers-to-the-windows-defender-offline-tool/

I got this working.

The verboon.info articles really helped a lot.
Couldn't have done it, without them.

I made a USB stick first, using the mssstool stub.

Then, I replaced the crusty old boot.wim on the USB stick,
with a boot.wim from another WinPE CD.

Admin Terminal on Windows 11 (what was in front of me).
I simply assumed there was only one index on the boot.wim,
as there was no XML file for me to check.

dism.exe /mount-wim /wimfile:d:\tempwdo\boot.wim /index:1 /MountDir:d:\tempwdo\mount

Deployment Image Servicing and Management tool
Version: 10.0.22621.1

Mounting image
[==========================100.0%==========================]
The operation completed successfully.

Using 7ZIP, I opened the USB stick boot.wim and copied out
the safety scanner Program Files entry and moved it into the d:\tempwdo\mount tree.
The winpeshl.ini file needs to be moved into d:\tempwdo\mount\windows\system32
in place of whatever winpeshl.ini was already there. I also moved over an
Internet Explorer chunk that was next to the safety scanner folder in
Program Files. ( Since my WinPE was a 32-bit one, there is only a Program
Files and no Program Files (x86) thing. )

This command, then generates an updated boot.wim using the
contents of d:\tempwdo\mount .

dism.exe /Unmount-Wim /Mountdir:d:\tempwdo\mount /commit

Then, I copied the new boot.wim, into the "source" directory
on the USB stick.

The USB stick booted up fine; it read the mpam-fe.exe I put on
the top level of the USB stick, using the download from here.
This is the 32-bit mpam-fe.exe.

http://go.microsoft.com/fwlink/?LinkID=209593&clcid=0x409

While I've been writing this, the scanner has scanned 337,000
files. And isn't quite finished yet.

Paul
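A scripted version of the boot.wim rebuild Paul walks through above, added here as an example rather than Paul's own commands. It uses the DISM PowerShell module instead of dism.exe, lists the WIM indexes first instead of assuming index 1, and discards the mount if any step fails so the WIM is not left half-edited. Every path is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not Paul's own commands: rebuild boot.wim with the Dism module.
# Every path below is an assumption; change them to match your layout.
param(
    [string]$WimFile      = 'D:\tempwdo\boot.wim',   # boot.wim taken from the WinPE CD
    [string]$MountDir     = 'D:\tempwdo\mount',
    # Scanner payload and winpeshl.ini, extracted with 7-Zip from the mssstool boot.wim
    [string]$ScannerFiles = 'D:\tempwdo\extracted\Program Files',
    [string]$WinpeshlIni  = 'D:\tempwdo\extracted\Windows\System32\winpeshl.ini',
    [string]$UsbSources   = 'E:\sources'             # "sources" directory on the USB stick
)
$ErrorActionPreference = 'Stop'
Import-Module Dism

# 1. A boot.wim may carry several images; list them instead of assuming index 1.
$images = @(Get-WindowsImage -ImagePath $WimFile)
$images | Format-Table ImageIndex, ImageName, ImageDescription -AutoSize | Out-Host
if ($images.Count -ne 1) {
    throw "boot.wim holds $($images.Count) images; pass the index you want explicitly."
}
$index = $images[0].ImageIndex

# 2. Mount read/write; any failure after this point discards the mount so the WIM stays clean.
New-Item -ItemType Directory -Force -Path $MountDir | Out-Null
Mount-WindowsImage -ImagePath $WimFile -Index $index -Path $MountDir | Out-Null
try {
    # 3. Copy the scanner's Program Files tree into the image (32-bit PE: no "Program Files (x86)").
    $dest = Join-Path $MountDir 'Program Files'
    New-Item -ItemType Directory -Force -Path $dest | Out-Null
    Copy-Item -Path (Join-Path $ScannerFiles '*') -Destination $dest -Recurse -Force

    # 4. winpeshl.ini is what WinPE launches at boot; replace the stock one with the scanner's.
    $ini = Join-Path $MountDir 'Windows\System32\winpeshl.ini'
    Copy-Item -Path $WinpeshlIni -Destination $ini -Force
    Write-Host "winpeshl.ini now contains:"
    Get-Content $ini | Out-Host

    # 5. Commit the changes back into boot.wim.
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}

# 6. Put the rebuilt boot.wim where the stick's boot loader expects it.
Copy-Item -Path $WimFile -Destination (Join-Path $UsbSources 'boot.wim') -Force
Write-Host "Rebuilt boot.wim (index $index) copied to $UsbSources"
```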

Re: Virus or what ?

From: Roberta@Roberta.com (Roberta)
Newsgroups: alt.windows7.general
Subject: Re: Virus or what ?
Date: Mon, 10 Oct 2022 10:55:13 -0700
Organization: Aioe.org NNTP Server
Message-ID: <ti1ma9$15e7$1@gioia.aioe.org>
References: <thpsff$dfc$1@gioia.aioe.org> <thsbjv$7qes$1@dont-email.me> <ti1752$qq07$1@dont-email.me>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.5

My issue is on the Win XP Pro 32 bit laptops.

mpam-fe.exe is a 64bit program. I downloaded and started and it failed.
---------------------------
D:\ThisPC\Scanner\mpam-fe.exe
---------------------------
D:\ThisPC\Scanner\mpam-fe.exe is not a valid Win32 application.

Just ignorant here.

Paul wrote:
> On 10/8/2022 1:22 PM, Paul wrote:
>
>>
>> 3) Microsoft Safety Scanner. May have worked at one time, seems to
>> have a problem
>>                               today with MPAM-FE or with acquiring yet
>> another MPAM-FE
>>                               from the Internet. I would consider this
>> broken.
>>
>>     For those who like to tinker, there is some background info
>> available.
>>     This at least explains how it launches.
>>
>>
>> https://www.verboon.info/2012/01/how-the-windows-defender-offline-beta-tool-works/
>>
>>
>> https://www.verboon.info/2012/03/how-to-add-drivers-to-the-windows-defender-offline-tool/
>>
>
> I got this working.
>
> The verboon.info articles really helped a lot.
> Couldn't have done it, without them.
>
> I made a USB stick first, using the mssstool stub.
>
> Then, I replaced the crusty old boot.wim on the USB stick,
> with a boot.wim from another WinPE CD.
>
> Admin Terminal on Windows 11 (what was in front of me).
> I simply assumed there was only one index on the boot.wim,
> as there was no XML file for me to check.
>
>    dism.exe /mount-wim /wimfile:d:\tempwdo\boot.wim /index:1
> /MountDir:d:\tempwdo\mount
>
> Deployment Image Servicing and Management tool
> Version: 10.0.22621.1
>
> Mounting image
> [==========================100.0%==========================]
> The operation completed successfully.
>
> Using 7ZIP, I opened the USB stick boot.wim and copied out
> the safety scanner Program Files entry and moved it into the
> d:\tempwdo\mount tree.
> The winpeshl.ini file needs to be moved into
> d:\tempwdo\mount\windows\system32
> in place of whatever winpeshl.ini was already there. I also moved over an
> Internet Explorer chunk that was next to the safety scanner folder in
> Program Files. ( Since my WinPE was a 32-bit one, there is only a Program
> Files and no Program Files (x86) thing. )
>
> This command, then generates an updated boot.wim using the
> contents of d:\tempwdo\mount .
>
>    dism.exe /Unmount-Wim /Mountdir:d:\tempwdo\mount /commit
>
> Then, I copied the new boot.wim, into the "source" directory
> on the USB stick.
>
> The USB stick booted up fine; it read the mpam-fe.exe I put on
> the top level of the USB stick, using the download from here.
> This is the 32-bit mpam-fe.exe.
>
>    http://go.microsoft.com/fwlink/?LinkID=209593&clcid=0x409
>
> While I've been writing this, the scanner has scanned 337,000
> files. And isn't quite finished yet.
>
>    Paul

Re: Virus or what ?

From: java@evij.com.invalid (Java Jive)
Newsgroups: alt.windows7.general
Subject: Re: Virus or what ?
Date: Mon, 10 Oct 2022 19:40:49 +0100
Organization: A noiseless patient Spider
Message-ID: <ti1ovl$sb2i$1@dont-email.me>
References: <thpsff$dfc$1@gioia.aioe.org> <thsbjv$7qes$1@dont-email.me> <ti1752$qq07$1@dont-email.me> <ti1ma9$15e7$1@gioia.aioe.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2

On 10/10/2022 18:55, Roberta wrote:
>
> My issue is on the Win XP Pro 32 bit laptops.
>
> mpam-fe.exe is a 64bit program.  I downloaded and started and it failed.
> ---------------------------
> D:\ThisPC\Scanner\mpam-fe.exe
> ---------------------------
> D:\ThisPC\Scanner\mpam-fe.exe is not a valid Win32 application.

Sounds like you downloaded the wrong version for your OS - you
downloaded a 64-bit version of the file whereas you need a 32-bit version.

> Paul wrote:
>
>> On 10/8/2022 1:22 PM, Paul wrote:
>>
>>> 3) Microsoft Safety Scanner. May have worked at one time, seems to
>>> have a problem
>>>                               today with MPAM-FE or with acquiring
>>> yet another MPAM-FE
>>>                               from the Internet. I would consider
>>> this broken.
>>>
>>>     For those who like to tinker, there is some background info
>>> available.
>>>     This at least explains how it launches.
>>>
>>> https://www.verboon.info/2012/01/how-the-windows-defender-offline-beta-tool-works/
>>>
>>> https://www.verboon.info/2012/03/how-to-add-drivers-to-the-windows-defender-offline-tool/
>>
>> I got this working.
>>
>> The verboon.info articles really helped a lot.
>> Couldn't have done it, without them.
>>
>> I made a USB stick first, using the mssstool stub.
>>
>> Then, I replaced the crusty old boot.wim on the USB stick,
>> with a boot.wim from another WinPE CD.
>>
>> Admin Terminal on Windows 11 (what was in front of me).
>> I simply assumed there was only one index on the boot.wim,
>> as there was no XML file for me to check.
>>
>>     dism.exe /mount-wim /wimfile:d:\tempwdo\boot.wim /index:1
>> /MountDir:d:\tempwdo\mount
>>
>> Deployment Image Servicing and Management tool
>> Version: 10.0.22621.1
>>
>> Mounting image
>> [==========================100.0%==========================]
>> The operation completed successfully.
>>
>> Using 7ZIP, I opened the USB stick boot.wim and copied out
>> the safety scanner Program Files entry and moved it into the
>> d:\tempwdo\mount tree.
>> The winpeshl.ini file needs to be moved into
>> d:\tempwdo\mount\windows\system32
>> in place of whatever winpeshl.ini was already there. I also moved over an
>> Internet Explorer chunk that was next to the safety scanner folder in
>> Program Files. ( Since my WinPE was a 32-bit one, there is only a Program
>> Files and no Program Files (x86) thing. )
>>
>> This command, then generates an updated boot.wim using the
>> contents of d:\tempwdo\mount .
>>
>>     dism.exe /Unmount-Wim /Mountdir:d:\tempwdo\mount /commit
>>
>> Then, I copied the new boot.wim, into the "source" directory
>> on the USB stick.
>>
>> The USB stick booted up fine; it read the mpam-fe.exe I put on
>> the top level of the USB stick, using the download from here.
>> This is the 32-bit mpam-fe.exe.
>>
>>     http://go.microsoft.com/fwlink/?LinkID=209593&clcid=0x409
>>
>> While I've been writing this, the scanner has scanned 337,000
>> files. And isn't quite finished yet.

--

Fake news kills!

I may be contacted via the contact address given on my website:
www.macfh.co.uk

Re: Virus or what ?

From: nospam@needed.invalid (Paul)
Newsgroups: alt.windows7.general
Subject: Re: Virus or what ?
Date: Mon, 10 Oct 2022 15:57:57 -0400
Organization: A noiseless patient Spider
Message-ID: <ti1tg7$snf2$1@dont-email.me>
References: <thpsff$dfc$1@gioia.aioe.org> <thsbjv$7qes$1@dont-email.me> <ti1752$qq07$1@dont-email.me> <ti1ma9$15e7$1@gioia.aioe.org>
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)

On 10/10/2022 1:55 PM, Roberta wrote:
>
> My issue is on the Win XP Pro 32 bit laptops.
>
> mpam-fe.exe is a 64bit program.  I downloaded and started and it failed.
> ---------------------------
> D:\ThisPC\Scanner\mpam-fe.exe
> ---------------------------
> D:\ThisPC\Scanner\mpam-fe.exe is not a valid Win32 application.
>
> Just ignorant here.

When you do online scans (like Windows 7, Windows 7 running some
version of Windows Defender), the OS has a bitness in that case.
You could receive a PC with a 32bit OS (x86) or a 64bit OS (x64).

In such a case, mpam-fe.exe would be for the 32bit OS.
Whereas mpam-fex64.exe would be for the 64bit OS.

On the offline scanner I was trying to get running, the scanning
CD or USB stick has its own OS. The version of mpam-fe would then
need to match the OS on the scanning CD.

The mpam-fe.exe is a signature definition delivery vehicle. The
executable in that case, does not open a graphical window. The offline
scanner has another file that is being executed, to do the actual scanning.

With online scanning, if for some reason the Microsoft software
was not able to pull in its own mpam-fe.exe , that is when you would
download one and use it.

When making offline scanners, if there's a choice, I would probably
stick with a 32-bit version of mssstool (that prepares the scanning
CD or USB stick) plus the 32-bit version of mpam-fe.exe to put at the
top level of the CD or USB stick.

I used a Macrium 32-bit boot CD, to gain a source of a boot.wim
prepared with winpe10. And used that, to build a repaired scanning
boot material for scanning my WinXP C: drive sample (I have one
sitting in the junk room for this). The theory being, the Macrium
boot.wim in that case, supports SHA2 signing and can compute the
signature of mpam-fe.exe and prove the file is legit. It's
the protection on that file which is failing (the offline scanner
then has no signatures it can use to do the scanning), and preventing
the offline scanner from working.

[Picture]

https://i.postimg.cc/bY6HtQ9j/mssstool-scan-finished.gif

But I can't prove that directly, because I have no Command Prompt
while that scan is running, so there's no opportunity to run other
tools.

The offline scan, offers options like quarantine, but I did not
see any of the detections from my sample disk offering "repair"
as an option. The disk drive in that case, probably did not have
a live infection present. I had one sample malware onboard, to verify
the scanner actually worked (signature detection), and a copy of ProduKey,
which sets off the "we don't like this" Microsoft response :-)
it's not a PUP, it's considered "hackerware" or some such.

For the average person though, rejigging a boot.wim like this,
is too much aggravation when you want a scanner that "just works".
Who knows, maybe KenW's suggestion of Sophos is better. I haven't
got there yet, for a look.

Paul
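An added example (not code from the thread) for the two points raised by Roberta's "is not a valid Win32 application" error and Paul's reply: before a definition package goes onto the scanning stick, read the Machine field of its PE header to confirm it is an x86 build for a 32-bit WinPE or WinXP, and check that its Authenticode signature verifies. The file path at the bottom is an assumption.

```powershell
# Added example, not code from the thread. Checks a definition package (e.g. mpam-fe.exe)
# before it goes onto the scanning stick: PE machine type must match the scanner OS,
# and the Authenticode signature must verify. The path at the bottom is an assumption.

function Get-PeMachine {
    # Reads IMAGE_FILE_HEADER.Machine straight from the file: no loader, no execution.
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) {
        throw "$Path does not start with an MZ header"
    }
    $peOff = [BitConverter]::ToInt32($b, 0x3C)                 # e_lfanew
    if ($peOff -lt 0 -or $peOff + 6 -gt $b.Length -or
        [BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) {  # "PE\0\0"
        throw "$Path has no PE signature at offset $peOff"
    }
    $machine = [BitConverter]::ToUInt16($b, $peOff + 4)
    switch ($machine) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        0xAA64  { 'arm64' }
        default { 'unknown (0x{0:X4})' -f $machine }
    }
}

function Test-DefinitionPackage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('x86','x64','arm64')][string]$Expected = 'x86'   # 32-bit WinPE / WinXP
    )
    $machine = Get-PeMachine -Path $Path
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $signer  = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $report  = [pscustomobject]@{
        Path            = $Path
        Machine         = $machine
        Expected        = $Expected
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        Sha256          = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Ok              = ($machine -eq $Expected) -and ($sig.Status -eq 'Valid')
    }
    if ($machine -ne $Expected) {
        # This is the mismatch behind "is not a valid Win32 application" on a 32-bit OS.
        Write-Warning "$Path is a $machine build; the scanner OS needs $Expected."
    }
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature check on $Path returned '$($sig.Status)'; do not use it."
    }
    $report
}

# Assumed location of the downloaded package on the stick.
Test-DefinitionPackage -Path 'E:\mpam-fe.exe' -Expected 'x86' | Format-List
```

A 64-bit package on a 32-bit target reports Machine x64, Expected x86 and Ok False, which is the situation Roberta hit; a tampered or unsigned file shows up as a SignatureStatus other than Valid.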
