# Windows Defender Offline Removed Rootkit, now Windows won't load



## Kevier (May 7, 2014)

I was running Windows Security Defender. It said I had a rootkit virus and needed to download Windows Defender Offline, so I did. I ran it and it found 2, so I removed them and it restarted. Now, while loading Windows, it flashes a blue screen and restarts. I don't have a boot disk and I really need help.


----------



## Kevier (May 7, 2014)

I'm running Windows 7 and can't access Safe Mode.

Don't know if this will help, but I ran FRST64.

Results

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-05-2014
Ran by SYSTEM on MININT-KRNF8R6 on 07-05-2014 01:27:15
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
*ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.*

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-10-13] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)
HKLM\...\Run: [Acer ePower Management] => C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe [823840 2009-09-30] (Acer Incorporated)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)
HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [1157128 2009-08-18] (Dritek System Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [NapsterShell] => C:\Program Files (x86)\Napster\napster.exe [323280 2010-01-19] (Napster)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [1675160 2011-11-22] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [ApnUpdater] => C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1557160 2012-04-09] (Ask)
HKLM-x32\...\Run: [SSDMonitor] => C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe [103896 2011-12-12] (PC Tools)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2009-07-13] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\cherylandshannon\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-11-05] (Google Inc.)
HKU\cherylandshannon\...\Run: [lime pro] => "C:\Program Files (x86)\Lime PRO\LimePro.exe" -h
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe [162336 2009-07-21] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe [162336 2009-07-21] ()
Startup: C:\Users\cherylandshannon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FrostWire On Startup.lnk
ShortcutTarget: FrostWire On Startup.lnk -> C:\Program Files (x86)\FrostWire 5\FrostWire.exe (FrostWire)

==================== Services (Whitelisted) =================

S2 ePowerSvc; C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe [844320 2009-09-30] (Acer Incorporated)
S3 GameConsoleService; C:\Program Files (x86)\eMachines Games\eMachines Game Console\GameConsoleService.exe [250616 2009-05-22] (WildTangent, Inc.)
S2 Greg_Service; C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [1150496 2009-08-28] (Acer Incorporated)
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [502032 2011-10-18] (McAfee, Inc.)
S4 McOobeSv; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [199272 2011-12-06] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [208536 2011-12-06] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [161168 2011-12-06] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [249936 2011-01-27] (McAfee, Inc.)
S2 PCToolsSSDMonitorSvc; C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [793048 2011-12-12] (PC Tools)
S2 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [240160 2009-07-03] (Acer)

==================== Drivers (Whitelisted) ====================

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [65264 2011-10-15] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [160280 2011-10-15] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [229528 2011-10-15] (McAfee, Inc.)
S3 mfeavfk01; No ImagePath
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [481768 2011-10-15] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [647080 2011-10-15] (McAfee, Inc.)
S1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [75808 2011-10-15] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [100912 2011-10-15] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [284648 2011-10-15] (McAfee, Inc.)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [28416 2008-04-16] (Research In Motion Limited)
S3 RSUSBSTOR; C:\Windows\SysWOW64\Drivers\RtsUStor.sys [225280 2009-09-01] (Realtek Semiconductor Corp.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-05-07 01:26 - 2014-05-07 01:27 - 00000000 ____D () C:\FRST
2014-05-04 23:11 - 2014-05-04 23:11 - 55574528 _____ () C:\Windows\System32\config\SOFTWARE4b533101
2014-05-04 23:00 - 2014-05-04 23:58 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-05-04 13:48 - 2014-05-04 13:50 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Local\Mozilla
2014-05-04 13:47 - 2014-05-04 13:50 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Roaming\Mozilla
2014-05-04 13:46 - 2014-05-04 23:48 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-05-04 13:46 - 2014-05-04 23:48 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-05-04 13:46 - 2014-05-04 13:46 - 00000000 ____D () C:\ProgramData\Mozilla
2014-05-04 13:42 - 2014-05-04 13:42 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Local\SearchProtect
2014-05-04 13:41 - 2014-05-04 13:42 - 00000000 ____D () C:\Program Files (x86)\SearchProtect
2014-05-04 13:14 - 2014-05-04 23:53 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-05-04 13:14 - 2014-05-04 23:53 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-05-04 13:03 - 2014-05-04 13:03 - 00000000 ____D () C:\Windows\System32\Tasks\Games
2014-05-04 13:00 - 2014-05-04 12:53 - 13829304 _____ (Microsoft Corporation) C:\Users\cherylandshannon\Desktop\MSEInstall.exe

==================== One Month Modified Files and Folders =======

2014-05-07 01:27 - 2014-05-07 01:26 - 00000000 ____D () C:\FRST
2014-05-04 23:58 - 2014-05-04 23:00 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-05-04 23:53 - 2014-05-04 13:14 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-05-04 23:53 - 2014-05-04 13:14 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-05-04 23:53 - 2014-05-04 13:03 - 00000000 ____D () C:\Windows\System32\Tasks\Games
2014-05-04 23:53 - 2012-05-07 16:32 - 00000000 ____D () C:\Program Files (x86)\Ask.com
2014-05-04 23:53 - 2012-05-07 16:29 - 00000000 ____D () C:\Program Files (x86)\FrostWire 5
2014-05-04 23:53 - 2012-01-06 15:49 - 00000000 ____D () C:\Program Files (x86)\McAfee.com
2014-05-04 23:53 - 2011-12-26 04:27 - 00000000 ____D () C:\Program Files (x86)\Rhapsody
2014-05-04 23:53 - 2011-10-09 10:57 - 00000000 ____D () C:\Program Files\McAfee
2014-05-04 23:53 - 2011-10-09 10:57 - 00000000 ____D () C:\Program Files\Common Files\McAfee
2014-05-04 23:53 - 2011-09-27 16:23 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-05-04 23:53 - 2011-07-08 14:25 - 00000000 ____D () C:\Program Files (x86)\McAfee
2014-05-04 23:53 - 2011-07-08 13:30 - 00000000 ____D () C:\ProgramData\McAfee
2014-05-04 23:53 - 2011-06-28 19:32 - 00000000 ____D () C:\users\cherylandshannon
2014-05-04 23:53 - 2011-06-28 19:32 - 00000000 ____D () C:\Program Files (x86)\OEM
2014-05-04 23:53 - 2009-11-05 10:10 - 00000000 ____D () C:\Program Files\Google
2014-05-04 23:53 - 2009-11-05 10:10 - 00000000 ____D () C:\Program Files (x86)\Google
2014-05-04 23:53 - 2009-07-13 23:45 - 00000000 ____D () C:\Program Files\Windows Journal
2014-05-04 23:53 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\System32\NDF
2014-05-04 23:53 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\servicing
2014-05-04 23:53 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-05-04 23:52 - 2011-10-09 10:57 - 00000000 ____D () C:\Program Files\McAfee.com
2014-05-04 23:52 - 2011-09-27 16:23 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-05-04 23:52 - 2009-11-05 10:10 - 00000000 ____D () C:\ProgramData\Google
2014-05-04 23:48 - 2014-05-04 13:46 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-05-04 23:48 - 2014-05-04 13:46 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-05-04 23:11 - 2014-05-04 23:11 - 55574528 _____ () C:\Windows\System32\config\SOFTWARE4b533101
2014-05-04 14:40 - 2009-11-05 09:58 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-05-04 13:50 - 2014-05-04 13:48 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Local\Mozilla
2014-05-04 13:50 - 2014-05-04 13:47 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Roaming\Mozilla
2014-05-04 13:46 - 2014-05-04 13:46 - 00000000 ____D () C:\ProgramData\Mozilla
2014-05-04 13:42 - 2014-05-04 13:42 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Local\SearchProtect
2014-05-04 13:42 - 2014-05-04 13:41 - 00000000 ____D () C:\Program Files (x86)\SearchProtect
2014-05-04 13:05 - 2011-06-28 19:43 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Local\Google
2014-05-04 12:53 - 2014-05-04 13:00 - 13829304 _____ (Microsoft Corporation) C:\Users\cherylandshannon\Desktop\MSEInstall.exe
2014-05-04 12:00 - 2009-07-13 20:45 - 00009920 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-04 12:00 - 2009-07-13 20:45 - 00009920 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-04 11:58 - 2011-09-28 09:07 - 01720159 _____ () C:\Windows\WindowsUpdate.log
2014-05-04 11:53 - 2011-09-28 15:55 - 00021215 _____ () C:\Windows\setupact.log
2014-05-04 11:53 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-04 11:44 - 2011-07-04 10:35 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-05-04 11:32 - 2009-07-13 21:13 - 00005152 _____ () C:\Windows\System32\PerfStringBackup.INI

Some content of TEMP:
====================
C:\Users\cherylandshannon\AppData\Local\Temp\0114831325893763mcinst.exe
C:\Users\cherylandshannon\AppData\Local\Temp\0304161318173103mcinst.exe
C:\Users\cherylandshannon\AppData\Local\Temp\installhelper.dll
C:\Users\cherylandshannon\AppData\Local\Temp\SRAssetsHelper.dll
C:\Users\cherylandshannon\AppData\Local\Temp\WiseUpdX.exe
C:\Users\cherylandshannon\AppData\Local\Temp\_is2273.exe
C:\Users\cherylandshannon\AppData\Local\Temp\_is58AA.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== Restore Points =========================

Restore point made on: 2012-05-24 02:44:57
Restore point made on: 2012-05-26 11:40:10
Restore point made on: 2012-05-26 23:27:48
Restore point made on: 2012-05-31 13:11:20
Restore point made on: 2012-06-01 12:50:41
Restore point made on: 2012-06-01 12:53:20
Restore point made on: 2012-06-04 14:17:22
Restore point made on: 2012-06-06 13:41:47
Restore point made on: 2014-05-04 12:19:05
Restore point made on: 2014-05-04 13:06:13
Restore point made on: 2014-05-04 13:11:17
Restore point made on: 2014-05-04 13:41:38

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 3001.98 MB
Available physical RAM: 2368.32 MB
Total Pagefile: 3000.13 MB
Available Pagefile: 2363.32 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Drives ================================

Drive c: (eMachines) (Fixed) (Total:220.78 GB) (Free:166.1 GB) NTFS
Drive e: (PQSERVICE) (Fixed) (Total:12 GB) (Free:1.86 GB) NTFS
Drive g: (WDO_MEDIA64) (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.04 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected.

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 233 GB) (Disk ID: F85E7820)
Partition 1: (Not Active) - (Size=12 GB) - (Type=27)
Partition 2: (Active) - (Size=102 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=221 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 2 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=2 GB) - (Type=0B)

LastRegBack: 2014-05-04 12:11

==================== End Of Log ============================


----------



## Mark1956 (May 7, 2011)

Hi Kevier and welcome to TSG. As this is a Malware problem I have requested it is moved to the Malware forum where I will assist you in cleaning up the machine.

You still have a Rootkit infection on the PC and I suspect removing it with an Anti Virus program has caused some damage to the MBR which is why it won't boot normally.

We first need to remove the infection which FRST found.

On your functioning PC: Open Notepad and *Copy & Paste* the contents of the code box below into it. To do this highlight the entire contents of the box, right click on the highlighted area and select *Copy* then right click in the Notepad window and select *Paste*. Save it to the flashdrive as *fixlist.txt* _*<--- it is very important to spell this name exactly as written here.*_


```
TDL4: custom:26000022 <===== ATTENTION!
```
*NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.*

Plug the Flash Drive back into the infected PC and enter the *System Recovery Options* and select the *Command Prompt* using the same instructions you followed to run the first scan.


In the command window type *e:\frst.exe* (or for x64 bit version type *e:\frst64*) and press *Enter* 
*Note:* Replace letter e with the drive letter of your flash drive. 
*NOTE:* if you receive an error message "the system cannot find the drive specified" go back into Notepad and check the drive letter for the Flash Drive.
When the *FRST* window opens click on the *Fix* button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please *Copy & Paste* it into your next reply.

When this is complete try to boot the defective PC and let me know what happens.

Please also tell me what OS is on your functional PC, including the bit rate.


----------
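A triage sketch for the log-reading step in this thread, added here as an example and not part of the thread or of FRST itself: it pulls the lines FRST marks with ATTENTION out of a log, grouped by section, and compares two scans to see which findings were resolved. The log excerpts are constructed from lines quoted in this thread; the "after" excerpt and all function names are assumptions.

```python
import re

# FRST section banners look like:
#   ==================== Drives ================================
# A line made only of "=" (used inside the MBR section) is not a banner.
SECTION_RE = re.compile(r"^={4,}\s*([^=].*?)\s*={4,}$")


def parse_sections(log_text):
    """Split an FRST log into {section name: [non-empty lines]}."""
    sections = {"(header)": []}
    current = "(header)"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def flagged_findings(log_text):
    """Return (section, line) for every line FRST flags for attention."""
    findings = []
    for section, lines in parse_sections(log_text).items():
        for line in lines:
            # The "*ATTENTION!:=====> If the system is bootable ..." banner
            # is advice about how to run the tool, not a finding.
            if line.lstrip("*").startswith("ATTENTION!:"):
                continue
            if "<===== ATTENTION" in line or line.startswith("ATTENTION:"):
                findings.append((section, line))
    return findings


def compare_scans(before, after):
    """Classify flagged lines as resolved, persisting or new between scans."""
    b, a = flagged_findings(before), flagged_findings(after)
    b_lines = {line for _, line in b}
    a_lines = {line for _, line in a}
    return {
        "resolved": [f for f in b if f[1] not in a_lines],
        "persisting": [f for f in b if f[1] in a_lines],
        "new": [f for f in a if f[1] not in b_lines],
    }


# Constructed excerpt built from lines quoted in the first log of the thread.
BEFORE = r"""
Boot Mode: Recovery
*ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.*

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== Drives ================================

Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.04 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected.

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 233 GB) (Disk ID: F85E7820)
"""

# Constructed "after" excerpt (an assumption for illustration): the same
# sections with the two flagged lines gone.
AFTER = r"""
Boot Mode: Recovery

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Drives ================================

Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.04 GB) NTFS ==>[System with boot components (obtained from reading drive)]
"""

if __name__ == "__main__":
    for section, line in flagged_findings(BEFORE):
        print(f"[{section}] {line}")
    for status, items in compare_scans(BEFORE, AFTER).items():
        print(status, len(items))
```
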



## Kevier (May 7, 2014)

Sorry for the delay.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-05-2014
Ran by SYSTEM at 2014-05-07 10:52:50 Run:1
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************


TDL4: custom:26000022 <===== ATTENTION!
*****************


The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

Both computers are Windows 7 64bit


----------



## Kevier (May 7, 2014)

Sorry, forgot to say: the infected PC started fine. I have to fix a few things because I tried System Restore to try to fix the problem earlier.


----------



## Mark1956 (May 7, 2011)

Good news, but don't go away as we should run some more checks to make sure there are no more remnants and none of the system services are damaged. Now the PC is booting up it will make things a little easier.

I only asked about the other PC in case we needed to make a boot disc, but that won't be required now.

Don't use system restore again as it will most likely re-infect the system. Once we have made sure the system is clean you can create a fresh restore point and delete all the old ones.

Please don't make any changes to the system or run any other scans apart from those I am asking you to do as this can cause great confusion in the logs.

The next check is to run FRST on the system while it is booted up, you won't need a Flash Drive again as long as you can connect to the internet. The second scan is just to check your system is clear of any Adware. Please download a fresh copy of FRST onto the system as the one on the Flash Drive may need updating.

Please run these scans in the order listed:

The first scan is to remove all your temp files as some infections are saved in temporary files.

*SCAN 1*
NOTE: This will empty your recycle bin, if you have anything you need in there please save it before you run this scan.
Download Temporary file cleaner and save it to the desktop. Make sure you do not use the Download button in the advert at the top of the page, use the button right next to the name *TFC - Temp File Cleaner by Old Timer*.
Double click on the icon to run it (it appears as a dark grey dustbin). For Windows 7 and Vista right click the icon and select *Run as Administrator*.
When the window opens click on *Start*. It will close all running programs and clear the desktop icons.
When complete you may be asked to reboot, if so accept the request and your PC will reboot automatically.

NOTE: There is no need to post the log, just confirm in your next post that it ran without a problem. At times it may appear to freeze, which is perfectly normal, it may take a while to complete the clean up depending on the amount of temporary files there are on the system.

*SCAN 2*
Click on this link to download: ADWCleaner. Click on the Download Now button and save it to your desktop.

*NOTE:* If using Internet Explorer and you get an alert that stops the program downloading click on *Tools > Smartscreen Filter > Turn off Smartscreen Filter* then click on *OK* in the box that opens. Then click on the link again.

Close your browser and double click on this icon on your desktop: 

You will then see the screen below, click on the *Scan* button (as indicated), accept any prompts that appear and allow it to run, it may take several minutes to complete, when it is done click on the *Clean* button, accept any prompts that appear and allow the system to reboot. You will then be presented with the report, Copy & Paste it into your next post.



*SCAN 3*
Please download Farbar Recovery Scan Tool (FRST) and save it to your desktop. Do not get tempted to download Regclean Pro.

*Note:* If you get a warning that the download could harm your system, please ignore it and allow the download to go ahead. FRST is perfectly safe and we would never ask you to download anything that isn't.

*Note*: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Double-click on FRST to run it. When the tool opens click *Yes* to the disclaimer.
Press the *Scan* button.
It will make a log (*FRST.txt*) in the same directory the tool is run from. Please copy and paste it into your next reply.
The first time the tool is run, it makes another log (*Addition.txt*). Please also copy and paste that into your reply.


----------



## Mark1956 (May 7, 2011)

You should have run TFC first then Adwcleaner then FRST so it only showed anything that was left over.

Maybe you got to my instructions while I was still editing them.

Complete the run with TFC, then do Adwcleaner and post the log. Then run FRST again, this time you will need to put a check mark next to Addition.txt in the opening window or it will only produce one log.

To keep the thread organized for easy reference please go back, click on the Edit button at the bottom of your last post and select Delete to remove it.


----------



## Kevier (May 7, 2014)

Just wanna make sure this is normal, but during restart it went straight to Startup Repair and it's attempting repairs.


----------



## Mark1956 (May 7, 2011)

The system has obviously found something wrong in the boot sector which is where the infection was, let me know what happens next. Don't forget to delete the log above as suggested.


----------



## Kevier (May 7, 2014)

It said Startup Repair cannot repair this computer automatically. What do you want me to do from here?


----------



## Mark1956 (May 7, 2011)

Sounds like it may have re-infected. Do another scan with FRST using your Flash Drive just as you did to produce the first log and post it back here.


----------



## Kevier (May 7, 2014)

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-05-2014
Ran by SYSTEM on MININT-5KNO2VA on 07-05-2014 12:49:52
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
*ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.*

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ 
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ 
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-10-13] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)
HKLM\...\Run: [Acer ePower Management] => C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe [823840 2009-09-30] (Acer Incorporated)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)
HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [1157128 2009-08-18] (Dritek System Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [NapsterShell] => C:\Program Files (x86)\Napster\napster.exe [323280 2010-01-19] (Napster)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [SSDMonitor] => C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe [103896 2011-12-12] (PC Tools)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\cherylandshannon\...\Run: [lime pro] => "C:\Program Files (x86)\Lime PRO\LimePro.exe" -h
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe [162336 2009-07-21] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe [162336 2009-07-21] ()

==================== Services (Whitelisted) =================

S2 0100941399475305mcinstcleanup; C:\Users\cherylandshannon\AppData\Local\Temp\0100941399475305mcinst.exe [827456 2012-01-26] (McAfee, Inc.)
S2 ePowerSvc; C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe [844320 2009-09-30] (Acer Incorporated)
S3 GameConsoleService; C:\Program Files (x86)\eMachines Games\eMachines Game Console\GameConsoleService.exe [250616 2009-05-22] (WildTangent, Inc.)
S2 Greg_Service; C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [1150496 2009-08-28] (Acer Incorporated)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [199272 2011-12-06] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [208536 2011-12-06] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [161168 2011-12-06] (McAfee, Inc.)
S2 PCToolsSSDMonitorSvc; C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [793048 2011-12-12] (PC Tools)
S2 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [240160 2009-07-03] (Acer)

==================== Drivers (Whitelisted) ====================

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [65264 2011-10-15] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [160280 2011-10-15] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [229528 2011-10-15] (McAfee, Inc.)
S3 mfeavfk01; No ImagePath
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [481768 2011-10-15] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [647080 2011-10-15] (McAfee, Inc.)
S1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [75808 2011-10-15] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [100912 2011-10-15] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [284648 2011-10-15] (McAfee, Inc.)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [28416 2008-04-16] (Research In Motion Limited)
S3 RSUSBSTOR; C:\Windows\SysWOW64\Drivers\RtsUStor.sys [225280 2009-09-01] (Realtek Semiconductor Corp.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-05-07 07:59 - 2014-05-07 08:00 - 00024618 _____ () C:\Users\cherylandshannon\Downloads\Addition.txt
2014-05-07 07:58 - 2014-05-07 08:00 - 00022523 _____ () C:\Users\cherylandshannon\Downloads\FRST.txt
2014-05-07 07:26 - 2014-05-07 12:32 - 00000000 ____D () C:\eff74ccb47279cbec46d9985a8d40624
2014-05-07 07:26 - 2014-05-07 07:26 - 00000000 ____D () C:\Windows\System32\EventProviders
2014-05-07 07:23 - 2014-05-07 07:23 - 00001160 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-05-07 07:21 - 2014-05-07 07:21 - 00282960 _____ (Mozilla) C:\Users\cherylandshannon\Downloads\Firefox Setup Stub 29.0.exe
2014-05-07 07:20 - 2014-05-07 07:22 - 00000000 ____D () C:\Windows\System32\MRT
2014-05-07 07:18 - 2014-05-07 07:18 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-05-07 07:13 - 2014-05-07 07:13 - 00000351 _____ () C:\Users\cherylandshannon\Desktop\Network - Shortcut.lnk
2014-05-07 07:12 - 2014-05-07 07:12 - 00000355 _____ () C:\Users\cherylandshannon\Desktop\Computer - Shortcut.lnk
2014-05-07 01:26 - 2014-05-07 12:49 - 00000000 ____D () C:\FRST
2014-05-04 23:11 - 2014-05-04 23:11 - 55574528 _____ () C:\Windows\System32\config\SOFTWARE4b533101
2014-05-04 23:00 - 2014-05-04 23:58 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-05-04 13:48 - 2014-05-04 13:50 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Local\Mozilla
2014-05-04 13:47 - 2014-05-04 13:50 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Roaming\Mozilla
2014-05-04 13:46 - 2014-05-07 07:23 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-05-04 13:46 - 2014-05-07 07:23 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-05-04 13:46 - 2014-05-04 13:46 - 00000000 ____D () C:\ProgramData\Mozilla
2014-05-04 13:42 - 2014-05-04 13:42 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Local\SearchProtect
2014-05-04 13:41 - 2014-05-04 13:42 - 00000000 ____D () C:\Program Files (x86)\SearchProtect
2014-05-04 13:14 - 2014-05-04 23:53 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-05-04 13:14 - 2014-05-04 23:53 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-05-04 13:03 - 2014-05-04 23:53 - 00000000 ____D () C:\Windows\System32\Tasks\Games
2014-05-04 13:00 - 2014-05-04 12:53 - 13829304 _____ (Microsoft Corporation) C:\Users\cherylandshannon\Desktop\MSEInstall.exe

==================== One Month Modified Files and Folders =======

2014-05-07 12:49 - 2014-05-07 01:26 - 00000000 ____D () C:\FRST
2014-05-07 12:33 - 2011-06-28 19:32 - 00000000 ____D () C:\users\cherylandshannon
2014-05-07 12:32 - 2014-05-07 07:26 - 00000000 ____D () C:\eff74ccb47279cbec46d9985a8d40624
2014-05-07 12:32 - 2011-11-29 15:18 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-05-07 12:32 - 2011-09-27 16:23 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-05-07 12:32 - 2009-11-05 09:58 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-05-07 12:32 - 2009-07-13 19:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-05-07 12:31 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-05-07 12:27 - 2011-09-27 16:23 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-05-07 08:00 - 2014-05-07 07:59 - 00024618 _____ () C:\Users\cherylandshannon\Downloads\Addition.txt
2014-05-07 08:00 - 2014-05-07 07:58 - 00022523 _____ () C:\Users\cherylandshannon\Downloads\FRST.txt
2014-05-07 07:26 - 2014-05-07 07:26 - 00000000 ____D () C:\Windows\System32\EventProviders
2014-05-07 07:26 - 2011-09-28 09:07 - 01858999 _____ () C:\Windows\WindowsUpdate.log
2014-05-07 07:23 - 2014-05-07 07:23 - 00001160 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-05-07 07:23 - 2014-05-04 13:46 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-05-07 07:23 - 2014-05-04 13:46 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-05-07 07:22 - 2014-05-07 07:20 - 00000000 ____D () C:\Windows\System32\MRT
2014-05-07 07:21 - 2014-05-07 07:21 - 00282960 _____ (Mozilla) C:\Users\cherylandshannon\Downloads\Firefox Setup Stub 29.0.exe
2014-05-07 07:18 - 2014-05-07 07:18 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-05-07 07:18 - 2009-11-05 10:05 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-05-07 07:13 - 2014-05-07 07:13 - 00000351 _____ () C:\Users\cherylandshannon\Desktop\Network - Shortcut.lnk
2014-05-07 07:12 - 2014-05-07 07:12 - 00000355 _____ () C:\Users\cherylandshannon\Desktop\Computer - Shortcut.lnk
2014-05-07 07:07 - 2009-07-13 20:45 - 00009920 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-07 07:07 - 2009-07-13 20:45 - 00009920 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-07 07:06 - 2011-06-28 19:43 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Local\Google
2014-05-07 07:06 - 2009-11-05 10:10 - 00000000 ____D () C:\Program Files (x86)\Google
2014-05-07 07:02 - 2011-07-08 13:30 - 00000000 ____D () C:\ProgramData\McAfee
2014-05-07 06:59 - 2011-07-04 10:34 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-05-07 06:59 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-04 23:58 - 2014-05-04 23:00 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-05-04 23:53 - 2014-05-04 13:14 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-05-04 23:53 - 2014-05-04 13:14 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-05-04 23:53 - 2014-05-04 13:03 - 00000000 ____D () C:\Windows\System32\Tasks\Games
2014-05-04 23:53 - 2012-01-06 15:49 - 00000000 ____D () C:\Program Files (x86)\McAfee.com
2014-05-04 23:53 - 2011-12-26 04:27 - 00000000 ____D () C:\Program Files (x86)\Rhapsody
2014-05-04 23:53 - 2011-10-09 10:57 - 00000000 ____D () C:\Program Files\McAfee
2014-05-04 23:53 - 2011-10-09 10:57 - 00000000 ____D () C:\Program Files\Common Files\McAfee
2014-05-04 23:53 - 2011-07-08 14:25 - 00000000 ____D () C:\Program Files (x86)\McAfee
2014-05-04 23:53 - 2009-11-05 10:10 - 00000000 ____D () C:\Program Files\Google
2014-05-04 23:53 - 2009-07-13 23:45 - 00000000 ____D () C:\Program Files\Windows Journal
2014-05-04 23:53 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\System32\NDF
2014-05-04 23:53 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\servicing
2014-05-04 23:52 - 2011-10-09 10:57 - 00000000 ____D () C:\Program Files\McAfee.com
2014-05-04 23:52 - 2009-11-05 10:10 - 00000000 ____D () C:\ProgramData\Google
2014-05-04 23:11 - 2014-05-04 23:11 - 55574528 _____ () C:\Windows\System32\config\SOFTWARE4b533101
2014-05-04 13:50 - 2014-05-04 13:48 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Local\Mozilla
2014-05-04 13:50 - 2014-05-04 13:47 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Roaming\Mozilla
2014-05-04 13:46 - 2014-05-04 13:46 - 00000000 ____D () C:\ProgramData\Mozilla
2014-05-04 13:42 - 2014-05-04 13:42 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Local\SearchProtect
2014-05-04 13:42 - 2014-05-04 13:41 - 00000000 ____D () C:\Program Files (x86)\SearchProtect
2014-05-04 12:53 - 2014-05-04 13:00 - 13829304 _____ (Microsoft Corporation) C:\Users\cherylandshannon\Desktop\MSEInstall.exe
2014-05-04 11:44 - 2011-07-04 10:35 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-05-04 11:32 - 2009-07-13 21:13 - 00005152 _____ () C:\Windows\System32\PerfStringBackup.INI

Some content of TEMP:
====================
C:\Users\cherylandshannon\AppData\Local\Temp\0100941399475305mcinst.exe
C:\Users\cherylandshannon\AppData\Local\Temp\_is58AA.exe
C:\Users\cherylandshannon\AppData\Local\Temp\_isECAE.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================

Restore point made on: 2014-05-07 07:27:41

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 3001.98 MB
Available physical RAM: 2364.25 MB
Total Pagefile: 3000.13 MB
Available Pagefile: 2359.69 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Drives ================================

Drive c: (eMachines) (Fixed) (Total:220.78 GB) (Free:176.16 GB) NTFS
Drive e: (PQSERVICE) (Fixed) (Total:12 GB) (Free:1.86 GB) NTFS
Drive g: (WDO_MEDIA64) (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.04 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 233 GB) (Disk ID: F85E7820)
Partition 1: (Not Active) - (Size=12 GB) - (Type=27)
Partition 2: (Active) - (Size=102 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=221 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 2 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=2 GB) - (Type=0B)

LastRegBack: 2014-05-04 12:11

==================== End Of Log ============================


----------



## Mark1956 (May 7, 2011)

No sign of the infection so not too sure what may have gone wrong.

Please repeat the instructions used in post 3 using the script in the code box below, let me know if that fixes it.

I will be out for the rest of the evening, I am on GMT +2. I shall have a look back later. If this does not work you can try running the Startup Repair several times in a row to see if it fixes the problem. Please don't run anything else until I get back.


```
CMD: bootrec /FixMbr
```


----------



## Kevier (May 7, 2014)

It's acting like it's updating, saying "preparing to configure windows do not turn off your computer",
gets to 30% then shuts down and then goes into startup repair

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-05-2014
Ran by SYSTEM at 2014-05-07 13:13:06 Run:2
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
CMD: bootrec /FixMbr
*****************


========= bootrec /FixMbr =========

The operation completed successfully.

========= End of CMD: =========


----------



## Kevier (May 7, 2014)

i was reading the Diagnosis and Repair details

The Root Cause Found 
Boot Critical File d:\windows\system32\kdcom.dll is corrupt.
Repair Action: File Repair
Result: Failed. Error Code = 0xa
time Taken = 5757 ms

Repair action: system Restore
Result: Failed. Error code = 0x1f
time Taken = 485163 ms

Repair action: System Files Integrity Check and Repair
Result: Failed. Error Code = 0xa
time Taken = 6084 ms


----------



## Mark1956 (May 7, 2011)

I'm back but won't be around for long. Can you try booting into Safe Mode and see if you can get there.

Looks like there is a corrupt system file which we need to replace, it will be easier if the system can boot up.


----------



## Kevier (May 7, 2014)

sorry didn't see it switch to second page 

tried to boot in safe mode goes straight to startup repair


----------



## Mark1956 (May 7, 2011)

OK, let's try restoring the system back and see if it will start to boot again. As soon as this is done run FRST from the desktop (if it boots), post the log and then wait for further instructions. Chances are this will put the infection back so I will have to issue further instructions to remove it again.

If it won't boot after running the fix below, run another scan with FRST from the Flash Drive and post the log.

Use the same instructions for FRST as in post 3 and use this script:


```
LastRegBack: 2014-05-04 12:11
```


----------



## Kevier (May 7, 2014)

sorry for the delay work 3rd shift 

system restore did not complete successfully. your computer's system files and settings were not changed 

Details:
An unspecified error occurred during system Restore. (0x8000fff)


----------



## Kevier (May 7, 2014)

do you still want me to run FRST


----------



## Mark1956 (May 7, 2011)

No need to run FRST again at the moment.

Let's give this a try:

Use the same procedure you went through to run FRST from the Flash Drive to get to the list of the Recovery Options and select Command Prompt. Just before you get there it will show you a list of the installed operating systems, make a note of the drive letter it shows for Windows 7.

When you get to the Command Prompt window, very carefully type this command in.

NOTE: You must replace the drive letter d: with the drive letter you found for Windows 7 if it is different. Be careful to leave spaces to match those in the command or you will get an error message, forward and back slashes must also be the same.

```
sfc /scanfile=d:\windows\system32\kdcom.dll /offbootdir=d:\ /offwindir=d:\windows
```

This should replace the corrupt file shown in the report you posted earlier. Please post back any error messages that may appear. After it has completed, reboot the system and let me know what happens.

If it still won't boot up in Safe or Normal Mode then repeat the above operation and use the command below, this will check all the system files and should either confirm all is well or will state there are files it cannot repair.

```
sfc /scannow /offbootdir=d:\ /offwindir=d:\windows
```

As before you must replace the letter d: if it is wrong.


----------



## Kevier (May 7, 2014)

there is a system repair pending which requires reboot to complete. restart windows and run sfc again


----------



## Kevier (May 7, 2014)

I googled it and one of the posts said to run

```
dism.exe /image:C:\ /cleanup-image /revertpendingactions
```

What do you think?
Again tonight I work 3rd shift and won't be home till about 12 pm EST


----------



## Mark1956 (May 7, 2011)

Not too clear on what has happened, when you got the message saying a repair was pending, did you reboot and try again?

The dism.exe command is not something I have come across before, a quick search suggests it is for dealing with image files, so I'm none too sure what it will do for you.


----------



## Kevier (May 7, 2014)

yep tried rebooting and same thing every time


----------



## Mark1956 (May 7, 2011)

I had time to investigate the problem a bit more and several searches gave the command to use as the one you posted above, that's another fix added to my already huge library.

Go ahead and run it and then try following the instructions again in post 21.


----------



## Kevier (May 7, 2014)

we have safe mode


----------



## Kevier (May 7, 2014)

and it was a corrupted Windows Update because it prompted me letting me know that windows update failed bla bla bla


----------



## Mark1956 (May 7, 2011)

At what point did Safe Mode start to work again, so that I know what fixed it. Which command did you run from post 21, either one or both?

What happens if you try to boot into Normal Mode?

If Normal Mode is still not working boot back to the Recovery Options and run the Startup Repair option up to three times in a row and see if that gets Normal Mode working again.


----------



## Kevier (May 7, 2014)

i ran this like you said dism.exe /image:C:\ /cleanup-image /revertpendingactions

and then ran sfc /scanfile=d:\windows\system32\kdcom.dll /offbootdir=d:\ /offwindir=d:\windows
rebooted and tried safe mode

Normal Mode works as well


----------



## Mark1956 (May 7, 2011)

Great, we have some functionality back.

Let's first make sure there are no more corrupt files and run TFC to clean out the temp files.

Go back to post 6 and follow the SCAN 1 instructions to run the tool, there is no need to post any log from it.

Then run the System File Checker as follows.

*System File Checker*


Click on *Start* and type *cmd* in the search box. Right click on *cmd* in the popup menu and select *Run as Administrator*.
Another box will open, at the Command Prompt, type *sfc /scannow* and press Enter. (Note the gap between the c and the /)
Let the check run to completion. *DO NOT* reboot the PC or close the *cmd* window.
Copy & Paste the following command at the Command Prompt and press Enter:

```
findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >%userprofile%\Desktop\sfcdetails.txt
```


This will place a file on your desktop called *sfcdetails.txt* which contains the results of the scan.
Copy and Paste the contents of the file into your next post.

If the scan ends by saying it found corrupt files but could not repair them, post the log and wait for further instructions. If it says all repairs were completed or there is no message at the end post the log anyway and carry on with SCANs 2 & 3 in post 6 in the order listed and post the logs.

I'm just finishing work and will be out for the rest of the evening, I'll look back in later tonight.


----------
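The `findstr` step in the post above keeps only the `[SR]` lines of CBS.log. The following Python script is an added example, not part of the original posts: it triages a saved sfcdetails.txt into the outcomes the post distinguishes, including an empty file. The sample log lines are constructed (modelled on the usual `[SR]` layout, with a made-up `example.dll`), and the function and verdict names are hypothetical.

```python
import re
import sys

# Constructed sample, modelled on the usual layout of [SR] lines in CBS.log.
# Not taken from the thread: "example.dll" and "Example-Component" are made up.
SAMPLE = "\n".join([
    r'2014-05-09 22:01:10, Info                  CSI    00000009 [SR] Verifying 100 (0x0000000000000064) components',
    r'2014-05-09 22:01:10, Info                  CSI    0000000a [SR] Beginning Verify and Repair transaction',
    r'2014-05-09 22:01:14, Info                  CSI    0000000c [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"kdcom.dll" from store',
    r'2014-05-09 22:01:15, Info                  CSI    0000000e [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), hash mismatch',
    r'2014-05-09 22:01:15, Info                  CSI    0000000f [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), hash mismatch',
    r'2014-05-09 22:01:16, Info                  CSI    00000011 [SR] Verify complete',
])

# "<timestamp>, <level>   CSI   <sequence> [SR] <message>"
SR_LINE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), \w+\s+CSI\s+[0-9a-fA-F]+ \[SR\] (?P<msg>.*)$'
)
# File SFC found damaged and could not replace.
CANNOT_REPAIR = re.compile(
    r'^Cannot repair member file \[[^\]]*\]"(?P<file>[^"]+)" of (?P<component>[^,]+),'
)
# File SFC replaced from the component store.
REPAIRED = re.compile(
    r'^Repairing corrupted file \[[^\]]*\]"(?P<dir>[^"]+)"\\\[[^\]]*\]"(?P<file>[^"]+)" from store'
)

# What each verdict means for the next step (wording follows the post above,
# except "no-sr-lines", which the post does not cover).
NEXT_STEP = {
    "unrepaired": "Corrupt files could not be repaired: post the log and wait.",
    "repaired": "Repairs were made: post the log and carry on with the next scans.",
    "clean": "No repair activity logged: post the log and carry on.",
    "no-sr-lines": "File has no [SR] lines: go by the message sfc printed in the console.",
}


def read_sfc_details(path):
    """Read sfcdetails.txt, tolerating stray bytes from the console code page."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def triage_sfc_details(text):
    """Classify the [SR] lines of an SFC run and list the affected files."""
    messages = []
    for line in text.splitlines():
        match = SR_LINE.match(line.strip())
        if match:
            messages.append(match.group("msg"))

    unrepaired, repaired = [], []
    for msg in messages:
        match = CANNOT_REPAIR.match(msg)
        if match:
            item = (match.group("file"), match.group("component"))
            if item not in unrepaired:  # the same failure can be logged more than once
                unrepaired.append(item)
            continue
        match = REPAIRED.match(msg)
        if match:
            directory = match.group("dir")
            if directory.startswith("\\??\\"):  # drop the NT object-path prefix
                directory = directory[4:]
            path = directory + "\\" + match.group("file")
            if path not in repaired:
                repaired.append(path)

    # Conservative ordering: any unrepaired file outranks successful repairs.
    if not messages:
        verdict = "no-sr-lines"
    elif unrepaired:
        verdict = "unrepaired"
    elif repaired:
        verdict = "repaired"
    else:
        verdict = "clean"
    return {
        "sr_lines": len(messages),
        "unrepaired": unrepaired,
        "repaired": repaired,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Pass the path to sfcdetails.txt, or run without arguments to use the sample.
    text = read_sfc_details(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    result = triage_sfc_details(text)
    print("[SR] lines:", result["sr_lines"])
    for name, component in result["unrepaired"]:
        print("could not repair:", name, "in", component)
    for path in result["repaired"]:
        print("repaired from store:", path)
    print(NEXT_STEP[result["verdict"]])
```
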



## Kevier (May 7, 2014)

TFC Ran fine didn't need to reboot


----------



## Mark1956 (May 7, 2011)

That's good, now run the System File Checker. I've finished work now but won't be about for long.


----------



## Kevier (May 7, 2014)

after running the scan 
windows Resource Protection did not find any integrity violations 

when i type in the Command you gave for the sfcdetails file 
it pops up on my desktop but it is blank absolutely nothing in it just a blank notepad


----------



## Kevier (May 7, 2014)

running the Adw Cleaner


----------



## Kevier (May 7, 2014)

# AdwCleaner v3.207 - Report created 09/05/2014 at 22:12:57
# Updated 05/05/2014 by Xplode
# Operating System : Windows 7 Home Premium (64 bits)
# Username : cherylandshannon - COMPUTER
# Running from : C:\Users\cherylandshannon\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\Program Files (x86)\SearchProtect
Folder Deleted : C:\Users\cherylandshannon\AppData\Local\Conduit
Folder Deleted : C:\Users\cherylandshannon\AppData\Local\SearchProtect
Folder Deleted : C:\Users\cherylandshannon\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\cherylandshannon\AppData\LocalLow\DataMngr
Folder Deleted : C:\Users\cherylandshannon\AppData\Roaming\PerformerSoft
File Deleted : C:\Windows\System32\roboot64.exe

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AF175732-0D59-716D-F757-9F1492D808D9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AF6AC4F2-9825-4FB6-A600-92BC5361F209}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF6AC4F2-9825-4FB6-A600-92BC5361F209}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AF6AC4F2-9825-4FB6-A600-92BC5361F209}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AF6AC4F2-9825-4FB6-A600-92BC5361F209}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2426}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2426}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AF6AC4F2-9825-4FB6-A600-92BC5361F209}]
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2426}
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\PIP
Key Deleted : [x64] HKLM\SOFTWARE\DataMngr

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16421

-\\ Mozilla Firefox v29.0 (en-US)

[ File : C:\Users\cherylandshannon\AppData\Roaming\Mozilla\Firefox\Profiles\98odsgox.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [3363 octets] - [09/05/2014 22:11:05]
AdwCleaner[S0].txt - [3134 octets] - [09/05/2014 22:12:57]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3194 octets] ##########


----------



## Kevier (May 7, 2014)

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-05-2014 01
Ran by cherylandshannon (administrator) on COMPUTER on 09-05-2014 22:18:31
Running from C:\Users\cherylandshannon\Desktop
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ 
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ 
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Acer Incorporated) C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
(Acer Incorporated) C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Acer Incorporated) C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(PC Tools) C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
(Acer) C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Acer Incorporated) C:\Program Files\eMachines\eMachines Power Management\ePowerEvent.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
(Napster) C:\Program Files (x86)\Napster\napster.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(PC Tools) C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-10-13] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7982112 2009-07-28] (Realtek Semiconductor)
HKLM\...\Run: [Acer ePower Management] => C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe [823840 2009-09-30] (Acer Incorporated)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1808168 2009-06-18] (Synaptics Incorporated)
HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [1157128 2009-08-18] (Dritek System Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [NapsterShell] => C:\Program Files (x86)\Napster\napster.exe [323280 2010-01-19] (Napster)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [SSDMonitor] => C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe [103896 2011-12-12] (PC Tools)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-1677003303-2019734653-4176814065-1000\...\Run: [lime pro] => "C:\Program Files (x86)\Lime PRO\LimePro.exe" -h

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273606118725l04g4z1i5r44620263
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273606118725l04g4z1i5r44620263
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273606118725l04g4z1i5r44620263
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273606118725l04g4z1i5r44620263
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2426} URL = 
SearchScopes: HKLM-x32 - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW
SearchScopes: HKCU - {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW_enUS438US438
SearchScopes: HKCU - {D6D7979A-7A2A-4BC9-BDF5-DAD3180787C8} URL = http://websearch.ask.com/redirect?client=ie&tb=FWV5&o=14193&src=kw&q={searchTerms}&locale=en_US&apn_ptnrs=FM&apn_dtid=TES002U0US&apn_uid=a8ffc819-b91f-45ee-870f-3121b751f3f7&apn_sauid=8C19C4B8-FB23-45F1-80CB-33910253703E
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120411210513.dll (McAfee, Inc.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120411210513.dll (McAfee, Inc.)
BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKCU - No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - No File
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\syswow64\urlmon.dll (Microsoft Corporation)
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF ProfilePath: C:\Users\cherylandshannon\AppData\Roaming\Mozilla\Firefox\Profiles\98odsgox.default
FF Homepage: Yahoo.com
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_32 - C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @java.com/JavaPlugin - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore
FF Extension: No Name - C:\Program Files (x86)\Common Files\McAfee\SystemCore [2011-10-09]

==================== Services (Whitelisted) =================

R2 ePowerSvc; C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe [844320 2009-09-30] (Acer Incorporated)
S3 GameConsoleService; C:\Program Files (x86)\eMachines Games\eMachines Game Console\GameConsoleService.exe [250616 2009-05-22] (WildTangent, Inc.)
R2 Greg_Service; C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [1150496 2009-08-28] (Acer Incorporated)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [199272 2011-12-06] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [208536 2011-12-06] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [161168 2011-12-06] (McAfee, Inc.)
R2 PCToolsSSDMonitorSvc; C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [793048 2011-12-12] (PC Tools)
R2 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [240160 2009-07-03] (Acer)

==================== Drivers (Whitelisted) ====================

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [65264 2011-10-15] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [160280 2011-10-15] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [229528 2011-10-15] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [481768 2011-10-15] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [647080 2011-10-15] (McAfee, Inc.)
R1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [75808 2011-10-15] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [100912 2011-10-15] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [284648 2011-10-15] (McAfee, Inc.)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [28416 2008-04-16] (Research In Motion Limited)
S3 RSUSBSTOR; C:\Windows\SysWOW64\Drivers\RtsUStor.sys [225280 2009-09-01] (Realtek Semiconductor Corp.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-05-09 22:18 - 2014-05-09 22:18 - 00011531 _____ () C:\Users\cherylandshannon\Desktop\FRST.txt
2014-05-09 22:18 - 2014-05-09 22:18 - 00000000 ____D () C:\Users\cherylandshannon\Desktop\FRST-OlderVersion
2014-05-09 22:11 - 2014-05-09 22:12 - 00000000 ____D () C:\AdwCleaner
2014-05-09 22:05 - 2014-05-09 22:05 - 00000000 _____ () C:\Users\cherylandshannon\Desktop\sfcdetails.txt
2014-05-09 21:55 - 2014-05-09 22:18 - 02064384 _____ (Farbar) C:\Users\cherylandshannon\Desktop\FRST64.exe
2014-05-09 21:55 - 2014-05-07 12:16 - 01316991 _____ () C:\Users\cherylandshannon\Desktop\AdwCleaner.exe
2014-05-09 13:35 - 2014-05-09 17:01 - 00000084 _____ () C:\Users\cherylandshannon\Desktop\cmd.txt
2014-05-09 13:19 - 2014-05-09 13:17 - 00448512 _____ (OldTimer Tools) C:\Users\cherylandshannon\Desktop\TFC.exe
2014-05-09 11:23 - 2014-05-09 11:23 - 00000000 _____ () C:\Windows\setuperr.log
2014-05-07 13:27 - 2014-05-09 22:14 - 00000336 _____ () C:\Windows\setupact.log
2014-05-07 11:59 - 2014-05-07 12:00 - 00024618 _____ () C:\Users\cherylandshannon\Downloads\Addition.txt
2014-05-07 11:58 - 2014-05-07 12:00 - 00022523 _____ () C:\Users\cherylandshannon\Downloads\FRST.txt
2014-05-07 11:26 - 2014-05-08 23:27 - 00000000 ____D () C:\eff74ccb47279cbec46d9985a8d40624
2014-05-07 11:26 - 2014-05-07 11:26 - 00000000 ____D () C:\Windows\system32\EventProviders
2014-05-07 11:23 - 2014-05-07 11:23 - 00001172 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-05-07 11:23 - 2014-05-07 11:23 - 00001160 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-05-07 11:21 - 2014-05-07 11:21 - 00282960 _____ (Mozilla) C:\Users\cherylandshannon\Downloads\Firefox Setup Stub 29.0.exe
2014-05-07 11:20 - 2014-05-07 11:22 - 00000000 ____D () C:\Windows\system32\MRT
2014-05-07 11:19 - 2014-05-07 11:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2014-05-07 11:18 - 2014-05-07 11:18 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-05-07 11:15 - 2012-06-02 18:19 - 02428952 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2014-05-07 11:15 - 2012-06-02 18:19 - 00057880 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2014-05-07 11:15 - 2012-06-02 18:19 - 00044056 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2014-05-07 11:15 - 2012-06-02 18:15 - 02622464 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2014-05-07 11:15 - 2012-06-02 15:19 - 00186752 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2014-05-07 11:15 - 2012-06-02 15:15 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2014-05-07 11:13 - 2014-05-07 11:13 - 00000351 _____ () C:\Users\cherylandshannon\Desktop\Network - Shortcut.lnk
2014-05-07 11:12 - 2014-05-07 11:12 - 00000355 _____ () C:\Users\cherylandshannon\Desktop\Computer - Shortcut.lnk
2014-05-07 05:26 - 2014-05-09 22:18 - 00000000 ____D () C:\FRST
2014-05-05 03:11 - 2014-05-05 03:11 - 55574528 _____ () C:\Windows\system32\config\SOFTWARE4b533101
2014-05-05 03:00 - 2014-05-05 03:58 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-05-04 17:48 - 2014-05-04 17:50 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Local\Mozilla
2014-05-04 17:47 - 2014-05-04 17:50 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Roaming\Mozilla
2014-05-04 17:46 - 2014-05-07 11:23 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-05-04 17:46 - 2014-05-07 11:23 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-05-04 17:46 - 2014-05-04 17:46 - 00000000 ____D () C:\ProgramData\Mozilla
2014-05-04 17:14 - 2014-05-05 03:53 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-05-04 17:14 - 2014-05-05 03:53 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-05-04 17:03 - 2014-05-05 03:53 - 00000000 ____D () C:\Windows\System32\Tasks\Games
2014-05-04 17:00 - 2014-05-04 16:53 - 13829304 _____ (Microsoft Corporation) C:\Users\cherylandshannon\Desktop\MSEInstall.exe

==================== One Month Modified Files and Folders =======

2014-05-09 22:19 - 2014-05-09 22:18 - 00011531 _____ () C:\Users\cherylandshannon\Desktop\FRST.txt
2014-05-09 22:18 - 2014-05-09 22:18 - 00000000 ____D () C:\Users\cherylandshannon\Desktop\FRST-OlderVersion
2014-05-09 22:18 - 2014-05-09 21:55 - 02064384 _____ (Farbar) C:\Users\cherylandshannon\Desktop\FRST64.exe
2014-05-09 22:18 - 2014-05-07 05:26 - 00000000 ____D () C:\FRST
2014-05-09 22:14 - 2014-05-07 13:27 - 00000336 _____ () C:\Windows\setupact.log
2014-05-09 22:14 - 2011-10-02 16:11 - 00045164 _____ () C:\Windows\PFRO.log
2014-05-09 22:14 - 2011-07-04 14:34 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-05-09 22:14 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-09 22:13 - 2011-09-28 13:07 - 01380517 _____ () C:\Windows\WindowsUpdate.log
2014-05-09 22:12 - 2014-05-09 22:11 - 00000000 ____D () C:\AdwCleaner
2014-05-09 22:05 - 2014-05-09 22:05 - 00000000 _____ () C:\Users\cherylandshannon\Desktop\sfcdetails.txt
2014-05-09 21:53 - 2009-07-14 00:45 - 00009920 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-09 21:53 - 2009-07-14 00:45 - 00009920 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-09 21:43 - 2009-07-14 03:45 - 00000000 ____D () C:\Program Files\Windows Journal
2014-05-09 21:31 - 2011-07-04 14:35 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-05-09 17:01 - 2014-05-09 13:35 - 00000084 _____ () C:\Users\cherylandshannon\Desktop\cmd.txt
2014-05-09 13:17 - 2014-05-09 13:19 - 00448512 _____ (OldTimer Tools) C:\Users\cherylandshannon\Desktop\TFC.exe
2014-05-09 11:26 - 2011-07-04 14:35 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-05-09 11:26 - 2011-07-04 14:35 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-05-09 11:23 - 2014-05-09 11:23 - 00000000 _____ () C:\Windows\setuperr.log
2014-05-09 11:23 - 2011-10-09 14:57 - 00000000 ____D () C:\Program Files\Common Files\McAfee
2014-05-09 11:23 - 2011-07-08 18:25 - 00000000 ____D () C:\Program Files (x86)\McAfee
2014-05-09 11:23 - 2011-07-08 17:30 - 00000000 ____D () C:\ProgramData\McAfee
2014-05-09 10:55 - 2011-06-28 23:32 - 00000000 ____D () C:\Users\cherylandshannon
2014-05-08 23:27 - 2014-05-07 11:26 - 00000000 ____D () C:\eff74ccb47279cbec46d9985a8d40624
2014-05-08 23:27 - 2011-11-29 19:18 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-05-08 23:27 - 2011-09-27 20:23 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-05-08 23:27 - 2009-11-05 13:58 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-05-08 23:27 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\registration
2014-05-08 23:27 - 2009-07-13 23:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-05-08 23:23 - 2011-09-27 20:23 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-05-07 12:16 - 2014-05-09 21:55 - 01316991 _____ () C:\Users\cherylandshannon\Desktop\AdwCleaner.exe
2014-05-07 12:00 - 2014-05-07 11:59 - 00024618 _____ () C:\Users\cherylandshannon\Downloads\Addition.txt
2014-05-07 12:00 - 2014-05-07 11:58 - 00022523 _____ () C:\Users\cherylandshannon\Downloads\FRST.txt
2014-05-07 11:26 - 2014-05-07 11:26 - 00000000 ____D () C:\Windows\system32\EventProviders
2014-05-07 11:23 - 2014-05-07 11:23 - 00001172 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-05-07 11:23 - 2014-05-07 11:23 - 00001160 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-05-07 11:23 - 2014-05-04 17:46 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-05-07 11:23 - 2014-05-04 17:46 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-05-07 11:22 - 2014-05-07 11:20 - 00000000 ____D () C:\Windows\system32\MRT
2014-05-07 11:21 - 2014-05-07 11:21 - 00282960 _____ (Mozilla) C:\Users\cherylandshannon\Downloads\Firefox Setup Stub 29.0.exe
2014-05-07 11:19 - 2014-05-07 11:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2014-05-07 11:18 - 2014-05-07 11:18 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-05-07 11:18 - 2009-11-05 14:05 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-05-07 11:13 - 2014-05-07 11:13 - 00000351 _____ () C:\Users\cherylandshannon\Desktop\Network - Shortcut.lnk
2014-05-07 11:12 - 2014-05-07 11:12 - 00000355 _____ () C:\Users\cherylandshannon\Desktop\Computer - Shortcut.lnk
2014-05-07 11:06 - 2011-06-28 23:43 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Local\Google
2014-05-07 11:06 - 2009-11-05 14:10 - 00000000 ____D () C:\Program Files (x86)\Google
2014-05-07 11:05 - 2011-06-28 23:34 - 00000000 ___RD () C:\Users\cherylandshannon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-05-05 03:58 - 2014-05-05 03:00 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-05-05 03:53 - 2014-05-04 17:14 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-05-05 03:53 - 2014-05-04 17:14 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-05-05 03:53 - 2014-05-04 17:03 - 00000000 ____D () C:\Windows\System32\Tasks\Games
2014-05-05 03:53 - 2012-01-09 18:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
2014-05-05 03:53 - 2012-01-07 00:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rhapsody
2014-05-05 03:53 - 2011-12-26 08:27 - 00000000 ____D () C:\Program Files (x86)\Rhapsody
2014-05-05 03:53 - 2009-11-05 14:10 - 00000000 ____D () C:\Program Files\Google
2014-05-05 03:53 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-05-05 03:53 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\servicing
2014-05-05 03:52 - 2009-11-05 14:10 - 00000000 ____D () C:\ProgramData\Google
2014-05-05 03:11 - 2014-05-05 03:11 - 55574528 _____ () C:\Windows\system32\config\SOFTWARE4b533101
2014-05-04 17:50 - 2014-05-04 17:48 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Local\Mozilla
2014-05-04 17:50 - 2014-05-04 17:47 - 00000000 ____D () C:\Users\cherylandshannon\AppData\Roaming\Mozilla
2014-05-04 17:46 - 2014-05-04 17:46 - 00000000 ____D () C:\ProgramData\Mozilla
2014-05-04 16:53 - 2014-05-04 17:00 - 13829304 _____ (Microsoft Corporation) C:\Users\cherylandshannon\Desktop\MSEInstall.exe
2014-05-04 15:32 - 2009-07-14 01:13 - 00005152 _____ () C:\Windows\system32\PerfStringBackup.INI

Some content of TEMP:
====================
C:\Users\cherylandshannon\AppData\Local\Temp\Quarantine.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-05-09 12:54

==================== End Of Log ============================


----------



## Kevier (May 7, 2014)

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-05-2014
Ran by cherylandshannon at 2014-05-07 11:59:44
Running from C:\Users\cherylandshannon\Downloads
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

Update for Microsoft Office 2007 (KB2508958) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0C5823AA-7B6F-44E1-8D5B-8FD1FF0E6438}) (Version: - Microsoft)
Acrobat.com (HKLM-x32\...\{287ECFA4-719A-2143-A09B-D6A12DE54E40}) (Version: 1.6.65 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.0.7220 - Adobe Systems Inc.)
Adobe AIR (x32 Version: 1.5.0.7220 - Adobe Systems Inc.) Hidden
Adobe Flash Player 10 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 10.3.183.5 - Adobe Systems Incorporated)
Adobe Reader 9.1 MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-A91000000001}) (Version: 9.1.0 - Adobe Systems Incorporated)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.10 - Atheros Communications Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
eMachines Games (HKLM-x32\...\WildTangent emachines Master Uninstall) (Version: 1.0.0.71 - WildTangent)
eMachines Power Management (HKLM-x32\...\{3DB0448D-AD82-4923-B305-D001E521A964}) (Version: 4.05.3004 - Acer Incorporated)
eMachines Recovery Management (HKLM-x32\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 4.05.3005 - Acer Incorporated)
eMachines Registration (HKLM-x32\...\eMachines Registration) (Version: 1.02.3006 - Acer Incorporated)
eMachines ScreenSaver (HKLM-x32\...\eMachines Screensaver) (Version: 1.1.0805 - eMachines Incorporated)
eMachines Updater (HKLM-x32\...\{EE171732-BEB4-4576-887D-CB62727F01CA}) (Version: 1.01.3017 - Acer Incorporated)
Google Update Helper (x32 Version: 1.3.21.111 - Google Inc.) Hidden
Identity Card (HKLM-x32\...\Identity Card) (Version: 1.00.3003 - Acer Incorporated)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.2202 - Intel Corporation)
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version: - Intel Corporation)
Java Auto Updater (x32 Version: 2.0.7.1 - Sun Microsystems, Inc.) Hidden
Java(TM) 6 Update 32 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216032FF}) (Version: 6.0.320 - Oracle)
Junk Mail filter update (x32 Version: 14.0.8089.726 - Microsoft Corporation) Hidden
Launch Manager (HKLM-x32\...\LManager) (Version: 3.0.02 - eMachines)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Choice Guard (x32 Version: 2.0.48.0 - Microsoft Corporation) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (x32 Version: - Microsoft) Hidden
Microsoft Office Excel MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Home and Student 2007 (HKLM-x32\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint Viewer 2007 (English) (HKLM-x32\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Proof (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2007 (x32 Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) (x32 Version: - Microsoft) Hidden
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Suite Activation Assistant (HKLM-x32\...\{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}) (Version: 2.9 - Microsoft Corporation)
Microsoft Office Word MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Works (HKLM-x32\...\{67E03279-F703-408F-B4BF-46B5FC8D70CD}) (Version: 9.7.0621 - Microsoft Corporation)
Mozilla Firefox 29.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 29.0 (x86 en-US)) (Version: 29.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0 - Mozilla)
MSVCRT (x32 Version: 14.0.1468.721 - Microsoft) Hidden
Napster (HKLM-x32\...\{BBBCAE4B-B416-4182-A6F2-438180894A81}) (Version: 4.6.3.4 - Napster)
Napster Burn Engine (x32 Version: 3.5.0000 - Roxio) Hidden
NTI Backup Now 5 (HKLM-x32\...\InstallShield_{12EFA1A4-AC3B-443C-8143-237EDE760403}) (Version: 5.1.2.627 - NewTech Infosystems)
NTI Backup Now Standard (x32 Version: 5.1.2.627 - NewTech Infosystems) Hidden
NTI Media Maker 8 (HKLM-x32\...\InstallShield_{2413930C-8309-47A6-BC61-5EF27A4222BC}) (Version: 8.0.12.6623 - NewTech Infosystems)
NTI Media Maker 8 (x32 Version: 8.0.12.6623 - NewTech Infosystems) Hidden
PC Tools Registry Mechanic 11.0 (HKLM-x32\...\Registry Mechanic_is1) (Version: 11.0 - PC Tools)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5904 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30104 - Realtek Semiconductor Corp.)
Rhapsody (HKLM-x32\...\Rhapsody) (Version: - )
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 13.2.2.0 - Synaptics Incorporated)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2468871) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2533523) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2600217) (Version: 1 - Microsoft Corporation)
Update for Microsoft Office 2007 Help for Common Features (KB963673) (HKLM-x32\...\{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AB365889-0395-4FAD-B702-CA5985D53D42}) (Version: - Microsoft)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{A024FC7B-77DE-45DE-A058-1C049A17BFB3}) (Version: - Microsoft)
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6FAA03BD-2B51-4029-9AD9-64A3B8E3C84C}) (Version: - Microsoft)
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (HKLM-x32\...\{90120000-002A-0000-1000-0000000FF1CE}_HOMESTUDENTR_{CB68A5B0-3508-4193-AEB9-AF636DAECE0F}) (Version: - Microsoft)
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{CB68A5B0-3508-4193-AEB9-AF636DAECE0F}) (Version: - Microsoft)
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{E9A82945-BA29-4EE8-8F2A-2F49545E9CF2}) (Version: - Microsoft)
Update for Microsoft Office Excel 2007 Help (KB963678) (HKLM-x32\...\{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{199DF7B6-169C-448C-B511-1054101BE9C9}) (Version: - Microsoft)
Update for Microsoft Office OneNote 2007 Help (KB963670) (HKLM-x32\...\{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2744EF05-38E1-4D5D-B333-E021EDAEA245}) (Version: - Microsoft)
Update for Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM-x32\...\{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{397B1D4F-ED7B-4ACA-A637-43B670843876}) (Version: - Microsoft)
Update for Microsoft Office Script Editor Help (KB963671) (HKLM-x32\...\{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{CD11C6A2-FFC6-4271-8EAB-79C3582F505C}) (Version: - Microsoft)
Update for Microsoft Office Word 2007 Help (KB963665) (HKLM-x32\...\{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{80E762AA-C921-4839-9D7D-DB62A72C0726}) (Version: - Microsoft)
Welcome Center (HKLM-x32\...\eMachines Welcome Center) (Version: 1.00.3009 - Acer Incorporated)
Windows Live Call (x32 Version: 14.0.8064.0206 - Microsoft Corporation) Hidden
Windows Live Communications Platform (x32 Version: 14.0.8064.206 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite_Wave3) (Version: 14.0.8089.0726 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 14.0.8089.726 - Microsoft Corporation) Hidden
Windows Live Mail (x32 Version: 14.0.8089.0726 - Microsoft Corporation) Hidden
Windows Live Messenger (x32 Version: 14.0.8089.0726 - Microsoft Corporation) Hidden
Windows Live Movie Maker (x32 Version: 14.0.8091.0730 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 14.0.8081.709 - Microsoft Corporation) Hidden
Windows Live Sign-in Assistant (HKLM-x32\...\{45338B07-A236-4270-9A77-EBB4115517B5}) (Version: 5.000.818.5 - Microsoft Corporation)
Windows Live Sync (HKLM-x32\...\{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}) (Version: 14.0.8089.726 - Microsoft Corporation)
Windows Live Upload Tool (HKLM-x32\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
Windows Live Writer (x32 Version: 14.0.8089.0726 - Microsoft Corporation) Hidden

==================== Restore Points =========================

07-05-2014 15:27:24 Windows 7 Service Pack 1

==================== Hosts content: ==========================

2009-07-13 22:34 - 2009-06-10 17:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {09477279-A7C4-4497-8DB1-538C4CC870EE} - System32\Tasks\RMSmartUpdate => C:\Program Files (x86)\PC Tools Registry Mechanic\update.exe [2011-12-12] (PC Tools)
Task: {1489A5F2-BB49-4717-AAE4-16667A88087C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-07-04] (Google Inc.)
Task: {6D605302-CEC4-4C12-B433-2295309CF583} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-07-04] (Google Inc.)
Task: {8CF46A0E-E701-4A86-B61B-7BDE622C6808} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2014-05-07 11:23 - 2014-04-22 05:25 - 03845232 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\ProgramData\TEMP:430C6D84
AlternateDataStreams: C:\ProgramData\TEMP1B5B4F1
AlternateDataStreams: C:\ProgramData\TEMPFC5A2B2

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"

==================== EXE Association (whitelisted) =============

==================== Disabled items from MSCONFIG ==============

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (05/07/2014 11:53:28 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY) (EventID: 3011)
Description: Unloading the performance counter strings for service MSDTC Bridge 4.0.0.0 (MSDTC Bridge 4.0.0.0) failed. The first DWORD in the Data section contains the error code.

Error: (05/07/2014 11:53:28 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY) (EventID: 3012)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (05/07/2014 11:53:28 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY) (EventID: 3011)
Description: Unloading the performance counter strings for service MSDTC Bridge 4.0.0.0 (MSDTC Bridge 4.0.0.0) failed. The first DWORD in the Data section contains the error code.

Error: (05/07/2014 11:53:28 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY) (EventID: 3012)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (05/07/2014 11:53:28 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY) (EventID: 3011)
Description: Unloading the performance counter strings for service SMSvcHost 4.0.0.0 (SMSvcHost 4.0.0.0) failed. The first DWORD in the Data section contains the error code.

Error: (05/07/2014 11:53:28 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY) (EventID: 3012)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (05/07/2014 11:53:28 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY) (EventID: 3011)
Description: Unloading the performance counter strings for service SMSvcHost 4.0.0.0 (SMSvcHost 4.0.0.0) failed. The first DWORD in the Data section contains the error code.

Error: (05/07/2014 11:53:28 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY) (EventID: 3012)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (05/07/2014 11:48:57 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY) (EventID: 3011)
Description: Unloading the performance counter strings for service MSDTC Bridge 4.0.0.0 (MSDTC Bridge 4.0.0.0) failed. The first DWORD in the Data section contains the error code.

Error: (05/07/2014 11:48:57 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY) (EventID: 3012)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

System errors:
=============
Error: (05/07/2014 11:59:36 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY) (EventID: 20)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Windows 7 for x64-based Systems (KB2813347).

Error: (05/07/2014 11:58:52 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY) (EventID: 20)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200d: Update for Windows 7 for x64-based Systems (KB2779562).

Error: (05/07/2014 11:57:28 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY) (EventID: 20)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Windows 7 for x64-based Systems (KB2808735).

Error: (05/07/2014 11:57:05 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY) (EventID: 20)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2789644).

Error: (05/07/2014 11:56:53 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY) (EventID: 20)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2729451).

Error: (05/07/2014 11:56:46 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY) (EventID: 20)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Windows 7 for x64-based Systems (KB2840149).

Error: (05/07/2014 11:54:07 AM) (Source: Disk) (User: ) (EventID: 11)
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (05/07/2014 11:54:07 AM) (Source: Disk) (User: ) (EventID: 11)
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (05/07/2014 11:54:06 AM) (Source: Disk) (User: ) (EventID: 11)
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (05/07/2014 11:54:06 AM) (Source: Disk) (User: ) (EventID: 11)
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
Date: 2014-05-04 22:57:03.894
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-05-04 22:55:15.015
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-05-04 22:39:39.187
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-05-04 22:15:07.711
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-05-04 22:06:24.626
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-05-04 21:32:50.540
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-05-04 20:56:26.122
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-05-04 20:35:04.268
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-05-04 20:26:16.846
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-05-04 17:55:11.272
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\wininet.dll because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Percentage of memory in use: 62%
Total physical RAM: 3001.98 MB
Available physical RAM: 1113.84 MB
Total Pagefile: 6002.1 MB
Available Pagefile: 4210.52 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (eMachines) (Fixed) (Total:220.78 GB) (Free:173.96 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 233 GB) (Disk ID: F85E7820)
Partition 1: (Not Active) - (Size=12 GB) - (Type=27)
Partition 2: (Active) - (Size=102 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=221 GB) - (Type=07 NTFS)

==================== End Of Log ============================


----------



## Kevier (May 7, 2014)

it just rebooted on its own and started the startup repair again so going back and redoing the steps to fix


----------



## Kevier (May 7, 2014)

alright back in normal mode again


----------



## Mark1956 (May 7, 2011)

Seems that the system is still a little unstable. The SFC scan result is fine, but not sure why the log came out blank.

Adwcleaner found several items of Adware, please run it again to check they have all gone.

I can see you have 'PC Tools Registry Mechanic 11'; this is an optimizer program that makes changes to your system's registry. These kinds of programs are a waste of time and money; the registry does not need to be cleaned, and mistakes can be made by this type of software that can damage your system. I would recommend you uninstall it.

Java is out of date, uninstall the existing version and then go here to get the latest version: Java Download

There is a sign your hard drive might have an issue, please run the scan below and post the log.

There is clearly a problem with Windows Updates, run the program below and then go into Windows Update via the Control Panel and click the option to check for updates, install all important updates made available. Let me know if it displays any errors.

Please also run the scan with Rkill and Malwarebytes and post the logs.

Run these in the order listed:

*SCAN 1*
*Disk Check*


Click on *Start* then type *cmd* in the search box. A menu will pop up with *cmd* at the top, *right click* on it and select *Run as Administrator*. Another box will open, at the prompt type *chkdsk /r* and hit *Enter*. _*Note:* you must include a space between the *k* and the */*_
You will then see the following message:
*chkdsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts? (Y/N)*
Type *Y* for yes, and hit *Enter*. Then reboot the computer.
*chkdsk* will start when Windows begins loading again. Let all 5 phases run and don't use or turn off the computer. (_The *chkdsk* process may take an hour or more to finish, if it appears to freeze this is normal so *do not* interrupt it. On drives above 500GB it can take several hours._)
When the Disk Check is done, it will finish loading Windows.

When back at the desktop, follow this to find the log.


Press the *Windows + R* keys to open the *Run* box, type *eventvwr.msc*, and hit the Enter key on your keyboard.
If prompted by the *User Account Control*, click on *Yes* (Windows 7/8) or *Continue* (Vista).
In the left pane of *Event Viewer*, double click on *Windows Logs* to expand it, then left click once on *Application* then right click on *Application* and select *Find*.
Type *wininit* into the *Find* box and click on *Find Next*.
When the search completes you should see the log displayed in the central pane, close the *Find* window.
In the right hand pane click on *Copy* and select *Copy details as text*.
Come back to this thread and right click in the message box and select *Paste*, the log should appear.
Add any other information asked for and submit the post.

*SCAN 2*
Download this and save it to the desktop: Windows Repair Use the coloured button next to *Direct Download* just below *Installer (5.32MB)* to start the download. NOTE: DO NOT use the green buttons at the top of the page as this is dubious software that could infect your system with Adware.

Close your browser and any running programs, double click on the Tweaking icon on your desktop to run the tool. When the program opens click on the *Step 5* tab. Under System Restore click on *Create* and wait for the confirmation to appear just below the button.

When complete click on the tab *Start Repairs*, click on the *Start* button. Then click on *Unselect All* and tick the boxes next to the items in the list below.

When done click on the *Start* button and leave it undisturbed until complete.


Reset Registry Permissions
Reset File Permissions
Register System Files
Remove Policies Set By Infections
Repair Winsock & DNS Cache
Remove Temp Files
Unhide Non System Files
Repair Windows Updates
Set Windows Services To Default Startup
Repair File Associations
Restore Important Windows Services

*SCAN 3*
Please download RKill 
There are three buttons to choose from with different names on, select the first one and save it to your desktop.


Double-click on the *Rkill* desktop icon to run the tool.
If using Vista or Windows 7, right-click on it and select *Run As Administrator*.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
A log pops up at the end of the run. This log file is located at *C:\rkill.log*. *Please Copy & Paste the entire log in your next reply.*
If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
If the tool does not run from any of the links provided, please let me know.

*SCAN 4*
DO NOT reboot the PC. Download Malwarebytes from here: Malwarebytes if you do not already have it and save the download to your desktop and install it. Once installed, open the program by double clicking on the icon and click on Update Now in the line where Database Version: is shown.


Before you run the scan click on Settings and then Detection and Protection in the left pane.
At the next window make sure there are check marks next to all three of the items below Detection Options.
When done click on the Scan button and then make sure Threat Scan is selected, then click on the Scan Now button.
Shut down all browsers and any running programs and leave the system undisturbed while the scan is running, it may take several hours to complete depending on the amount of data that is on your system.
When the scan completes it will tell you and show a window with a list of the detected items. They should all show Quarantine under the Action column, check to make sure. Then click on the Apply Actions button, accept any prompts that appear and allow it to reboot if requested.
When the system has finished booting back up open Malwarebytes again by double clicking on the icon. Then click on the History button at the top of the window.
Click on Application Logs in the left pane. It will show a list of logs, you must find the Scan log, not the Protection Log, with today's date on it, it should be the one at the top of the list, click on the box at the beginning of the line so a check mark appears then click on View just above the list. When the next window opens click on Copy to Clipboard.
Immediately come back here, right click inside the message box and select Paste, the log should appear. Add any other information asked for and submit the post.


----------



## Kevier (May 7, 2014)

little update i tried scan and after reboot it went straight to desktop gonna try again


----------



## Kevier (May 7, 2014)

sorry scan 1


----------



## Kevier (May 7, 2014)

worked second time


----------



## Mark1956 (May 7, 2011)

Ok, post the results when done.

I've just been going over the FRST logs above. Have you had Microsoft Security Essentials on this system as there appears to be some files belonging to it, was it uninstalled or is it still there?


----------



## Kevier (May 7, 2014)

I had it installed before everything went to crap. It was what suggested that I download Windows Defender Offline, and now it seems to be gone. I still have the install on the desktop.


----------



## Kevier (May 7, 2014)

See, this laptop was given to me. It has all kinds of programs that I have tried to uninstall, like Napster, Frostwire, Malwarebytes, but can't seem to get rid of them.


----------



## Mark1956 (May 7, 2011)

I can help with that once we have made sure the system is clean and stable. We should also clean out all the remnants of MSE, but one step at a time. You will see I have asked you to run a scan with Malwarebytes, it is a program well worth keeping and will run alongside your Anti Virus without causing any conflicts. Malwarebytes does not show in your list of installed programs so if it won't run install a fresh copy from the link in the instructions, this will give you the latest version.

Please continue with the scans above and post the results when done.


----------



## Kevier (May 7, 2014)

Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 5/10/2014 8:01:00 AM
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: computer
Description:

Checking file system on C:
The type of the file system is NTFS.
Volume label is eMachines.

A disk check has been scheduled.
Windows will now check the disk.

CHKDSK is verifying files (stage 1 of 5)...
323072 file records processed.

File verification completed.
1623 large file records processed.

0 bad file records processed.

0 EA records processed.

44 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 5)...
383928 index entries processed.

Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered.

CHKDSK is verifying security descriptors (stage 3 of 5)...
323072 file SDs/SIDs processed.

Cleaning up 469 unused index entries from index $SII of file 0x9.
Cleaning up 469 unused index entries from index $SDH of file 0x9.
Cleaning up 469 unused security descriptors.
Security descriptor verification completed.
30429 data files processed.

CHKDSK is verifying Usn Journal...
33673576 USN bytes processed.

Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
323056 files processed.

File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
47513863 free clusters processed.

Free space verification is complete.
Windows has checked the file system and found no problems.

231506209 KB total disk space.
40903248 KB in 152223 files.
114828 KB in 30430 indexes.
0 KB in bad sectors.
432677 KB in use by the system.
65536 KB occupied by the log file.
190055456 KB available on disk.

4096 bytes in each allocation unit.
57876552 total allocation units on disk.
47513864 allocation units available on disk.

Internal Info:
00 ee 04 00 88 c9 02 00 cf 55 05 00 00 00 00 00 .........U......
da 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 ....,...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.



----------



## Kevier (May 7, 2014)

when i click on Windows Repair go to step 4 it says System File Check 
Before working on the system it is very good idea to have windows check the file system files for corruptions or mis matched versions having the system files checked by the system file checker can even repair some known problems. problems that are caused by wrong versions of the system files.

then it asks me to click do it to run the scan


----------



## Kevier (May 7, 2014)

Do you mean Step 5:Backup 
this one talks about registry backup & System restore


----------



## Mark1956 (May 7, 2011)

Thanks for bringing that to my attention, the program has had a recent update so what was tab 4 is now tab 5. I have edited the instructions, all the rest are the same.


----------



## Kevier (May 7, 2014)

ok did everything you said but under step 5 instead of 4 and seems to go well
about to run RKILL


----------



## Kevier (May 7, 2014)

quick question the DOS box appeared and stayed on screen and isn't moving from 
checking for processes to terminate:
is this normal??


----------



## Mark1956 (May 7, 2011)

Just leave it and it should complete.


----------



## Kevier (May 7, 2014)

ok RKill Created a Rkill.txt file on my desktop is that the same as the *C:\rkill.log*


----------



## Kevier (May 7, 2014)

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/10/2014 09:05:05 AM in x64 mode.
Windows Version: Windows 7 Home Premium

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.


----------



## Kevier (May 7, 2014)

ok while trying to install: Malwarebytes' Anti-Malware 1.x is currently installed and could not be uninstalled properly. Please Uninstall Malwarebytes' Anti-Malware 1.x manually, Reboot, and then try the installation again


----------



## Mark1956 (May 7, 2011)

Please see if the old version will uninstall from Programs and Features via the Control Panel.


----------



## Kevier (May 7, 2014)

Messages file "C:\Program Files (x86)\Malwarebytes' Anti-Malware\unins000.msg" is missing. Please Correct the Problem or obtain a new Copy of the program.


----------



## Mark1956 (May 7, 2011)

Please go here: https://forums.malwarebytes.org/index.php?showtopic=96102

Follow the instructions given in the second post, that should correct the issue.


----------



## Kevier (May 7, 2014)

yep fixed the problem now running Malwarebytes


----------



## Mark1956 (May 7, 2011)

Great, post the log when done.


----------



## Kevier (May 7, 2014)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/10/2014
Scan Time: 10:15:54 AM
Logfile: 
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.05.10.05
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 7
CPU: x64
File System: NTFS
User: cherylandshannon

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 259247
Time Elapsed: 20 min, 6 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)


----------



## Mark1956 (May 7, 2011)

All the results are good. Please confirm removal of Registry Mechanic, the Java update and tell me what happens with the check on Windows Update.


----------



## Kevier (May 7, 2014)

I removed Registry Mechanic updated Java and checking for windows Updates will let you know what happens


----------



## Kevier (May 7, 2014)

Some updates were not installed 
Succeeded 72 updates
failed 5 updates
not needed 1 update
errors found
code 80072EE2 Windows Update encountered an unknown error.
code 80073712 Windows Update encountered an unknown error.
Windows Can't Update important files and services while the system is using them. Save any open files and then restart the computer.


----------



## Kevier (May 7, 2014)

after restart it booted straight into Startup Repair again letting it run through will keep you informed


----------



## Kevier (May 7, 2014)

after updating again 

stage 1 of 4 
configuring service pack
%
Do not turn off your computer


----------



## Kevier (May 7, 2014)

now it's doing the windows update to shutdown to startup repair loop again


----------



## Kevier (May 7, 2014)

ran the dism.exe /image:C:\ /cleanup-image /revertpendingactions again to get back to desktop it worked


----------



## Kevier (May 7, 2014)

another weird thing Malwarebytes is gone ??


----------



## Kevier (May 7, 2014)

ok something weird is going on the computer rebooted again by itself and same problem configuring windows updates 
then reboot to startup repair 
so i tried the dism.exe /image:C:\ /cleanup-image /revertpendingactions and got an error:87
the recertpendingactions option is not recognized in this context. for more information refer to the help
the dism log file can be found at x:\windows\logs\dism\dism.log


----------
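
Win32 error 87 is ERROR_INVALID_PARAMETER, and dism.log records the exact command line each session received, so the log shows what DISM was actually asked to do. The following is an added example, not part of the original thread: it splits a dism.log into sessions, pulls out each command line and its Error-level lines, and checks the options against a small subset of real DISM options; the sample log lines are constructed in dism.log's format and the function names are assumptions of this example.

```python
import difflib
import re

# Subset of real DISM options relevant to this repair (names are case-insensitive).
KNOWN_OPTIONS = {"/online", "/image", "/cleanup-image", "/revertpendingactions",
                 "/scratchdir", "/logpath", "/windir", "/sysdrivedir"}

# "<date> <time>, <Level> DISM <message>"; \s+ tolerates the log's column padding.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\s+(\w+)\s+DISM\s+(.*)$")
CMD_MARK = "Executing command line:"

# Constructed sample in dism.log's line format (not taken from a real machine).
SAMPLE_LOG = r"""
2014-01-02 10:00:00, Info DISM DISM Provider Store: PID=100 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
2014-01-02 10:00:00, Info DISM DISM.EXE: <----- Starting Dism.exe session ----->
2014-01-02 10:00:00, Info DISM DISM.EXE: Executing command line: dism.exe /image:d\ /cleanup-image /revertpendingactions
2014-01-02 10:00:00, Error DISM DISM.EXE: Failed to access the image folder or image's windows folder.
2014-01-02 10:00:00, Info DISM DISM.EXE: <----- Ending Dism.exe session ----->
2014-01-02 10:01:00, Info DISM DISM.EXE: <----- Starting Dism.exe session ----->
2014-01-02 10:01:00, Info DISM DISM.EXE: Executing command line: dism.exe /image:d:\ /cleanup-image /recertpendingactions
2014-01-02 10:01:01, Info DISM DISM.EXE: <----- Ending Dism.exe session ----->
2014-01-02 10:02:00, Info DISM DISM.EXE: <----- Starting Dism.exe session ----->
2014-01-02 10:02:00, Info DISM DISM.EXE: Executing command line: dism.exe /image:d:\ /cleanup-image /revertpendingactions
2014-01-02 10:02:05, Info DISM DISM.EXE: <----- Ending Dism.exe session ----->
"""


def parse_sessions(text):
    """Split a dism.log into sessions: start time, command line, Error lines."""
    sessions, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        timestamp, level, message = m.groups()
        if "Starting Dism.exe session" in message:
            current = {"started": timestamp, "command": None, "errors": []}
            sessions.append(current)
        elif current is None:
            continue  # provider-store chatter outside any session banner
        elif CMD_MARK in message:
            current["command"] = message.split(CMD_MARK, 1)[1].strip()
        elif level == "Error":
            current["errors"].append(message)
        elif "Ending Dism.exe session" in message:
            current = None
    return sessions


def lint_command(command):
    """Return findings for one DISM command line (paths with spaces not handled)."""
    findings = []
    for token in command.split()[1:]:  # skip dism.exe itself
        if not token.startswith("/"):
            findings.append(f"unexpected token {token!r}")
            continue
        name, _, value = token.partition(":")
        if name.lower() not in KNOWN_OPTIONS:
            guess = difflib.get_close_matches(name.lower(), KNOWN_OPTIONS, n=1)
            hint = f", did you mean {guess[0]}?" if guess else ""
            findings.append(f"unknown option {name}{hint}")
        elif name.lower() == "/image" and not re.match(r"^[A-Za-z]:\\", value):
            findings.append(f"/image path {value!r} is not a drive root like D:\\")
    return findings


def triage(text):
    """Pair each session's command line with lint findings and logged errors."""
    return [(s["command"], lint_command(s["command"] or ""), s["errors"])
            for s in parse_sessions(text)]


if __name__ == "__main__":
    for command, findings, errors in triage(SAMPLE_LOG):
        print(command)
        for item in findings + errors:
            print("   ", item)
```
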



## Kevier (May 7, 2014)

2014-05-11 05:32:08, Info DISM PID=884 Scratch directory set to 'X:\windows\TEMP\'. - CDISMManager:ut_ScratchDir
2014-05-11 05:32:08, Info DISM PID=884 Successfully loaded the ImageSession at "X:\windows\System32\Dism" - CDISMManager::LoadImageSession
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Found and Initialized the DISM Logger. - CDISMProviderStore::Internal_InitializeLogger
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Failed to get and initialize the PE Provider. Continuing by assuming that it is not a WinPE image. - CDISMProviderStore::Final_OnConnect
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Finished initializing the Provider Map. - CDISMProviderStore::Final_OnConnect
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Provider has previously been initialized. Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Provider has previously been initialized. Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
2014-05-11 05:32:08, Info DISM DISM Manager: PID=884 Successfully created the local image session and provider store. - CDISMManager::CreateLocalImageSession
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Provider has previously been initialized. Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
2014-05-11 05:32:08, Info DISM DISM.EXE: 
2014-05-11 05:32:08, Info DISM DISM.EXE: <----- Starting Dism.exe session ----->
2014-05-11 05:32:08, Info DISM DISM.EXE: 
2014-05-11 05:32:08, Info DISM DISM.EXE: Host machine information: OS Version=6.1.7600, Running architecture=amd64, Number of processors=2
2014-05-11 05:32:08, Info DISM DISM.EXE: Executing command line: dism.exe /image:d\ /cleanup-image /revertpendingactions
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Getting the collection of providers from a local provider store type. - CDISMProviderStore::GetProviderCollection
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Loading Provider from location X:\windows\System32\Dism\WimProvider.dll - CDISMProviderStore::Internal_GetProvider
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Connecting to the provider located at X:\windows\System32\Dism\WimProvider.dll. - CDISMProviderStore::Internal_LoadProvider
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Loading Provider from location X:\windows\System32\Dism\FolderProvider.dll - CDISMProviderStore::Internal_GetProvider
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Connecting to the provider located at X:\windows\System32\Dism\FolderProvider.dll. - CDISMProviderStore::Internal_LoadProvider
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Loading Provider from location X:\windows\System32\Dism\CompatProvider.dll - CDISMProviderStore::Internal_GetProvider
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Connecting to the provider located at X:\windows\System32\Dism\CompatProvider.dll. - CDISMProviderStore::Internal_LoadProvider
2014-05-11 05:32:08, Info DISM DISM.EXE: Got the collection of providers. Now enumerating them to build the command table.
2014-05-11 05:32:08, Info DISM DISM.EXE: Attempting to add the commands from provider: WimManager
2014-05-11 05:32:08, Info DISM DISM.EXE: Succesfully registered commands for the provider: WimManager.
2014-05-11 05:32:08, Info DISM DISM.EXE: Attempting to add the commands from provider: FolderManager
2014-05-11 05:32:08, Info DISM DISM.EXE: Attempting to add the commands from provider: DISM Log Provider
2014-05-11 05:32:08, Info DISM DISM.EXE: Attempting to add the commands from provider: Compatibility Manager
2014-05-11 05:32:08, Info DISM DISM.EXE: Succesfully registered commands for the provider: Compatibility Manager.
2014-05-11 05:32:08, Error DISM DISM.EXE: Failed to access the image folder or image's windows folder.
2014-05-11 05:32:08, Info DISM DISM.EXE: Image session has been closed. Reboot required=no.
2014-05-11 05:32:08, Info DISM DISM.EXE: 
2014-05-11 05:32:08, Info DISM DISM.EXE: <----- Ending Dism.exe session ----->
2014-05-11 05:32:08, Info DISM DISM.EXE: 
2014-05-11 05:32:08, Info DISM DISM Image Session: PID=884 Disconnecting the provider store - CDISMImageSession::Final_OnDisconnect
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Disconnecting Provider: WimManager - CDISMProviderStore::Internal_DisconnectProvider
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Disconnecting Provider: FolderManager - CDISMProviderStore::Internal_DisconnectProvider
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Found the OSServices. Waiting to finalize it until all other providers are unloaded. - CDISMProviderStore::Final_OnDisconnect
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Disconnecting Provider: Compatibility Manager - CDISMProviderStore::Internal_DisconnectProvider
2014-05-11 05:32:08, Info DISM DISM Provider Store: PID=884 Releasing the local reference to DISMLogger. Stop logging. - CDISMProviderStore::Internal_DisconnectProvider
2014-05-11 05:32:59, Info DISM PID=932 Scratch directory set to 'X:\windows\TEMP\'. - CDISMManager:ut_ScratchDir
2014-05-11 05:32:59, Info DISM PID=932 Successfully loaded the ImageSession at "X:\windows\System32\Dism" - CDISMManager::LoadImageSession
2014-05-11 05:32:59, Info DISM DISM Provider Store: PID=932 Found and Initialized the DISM Logger. - CDISMProviderStore::Internal_InitializeLogger
2014-05-11 05:32:59, Info DISM DISM Provider Store: PID=932 Failed to get and initialize the PE Provider. Continuing by assuming that it is not a WinPE image. - CDISMProviderStore::Final_OnConnect
2014-05-11 05:32:59, Info DISM DISM Provider Store: PID=932 Finished initializing the Provider Map. - CDISMProviderStore::Final_OnConnect
2014-05-11 05:32:59, Info DISM DISM Provider Store: PID=932 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
2014-05-11 05:32:59, Info DISM DISM Provider Store: PID=932 Provider has previously been initialized. Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
2014-05-11 05:32:59, Info DISM DISM Provider Store: PID=932 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
2014-05-11 05:32:59, Info DISM DISM Provider Store: PID=932 Provider has previously been initialized. Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
2014-05-11 05:32:59, Info DISM DISM Manager: PID=932 Successfully created the local image session and provider store. - CDISMManager::CreateLocalImageSession
2014-05-11 05:32:59, Info DISM DISM Provider Store: PID=932 Getting Provider DISMLogger - CDISMProviderStore::GetProvider
2014-05-11 05:32:59, Info DISM DISM Provider Store: PID=932 Provider has previously been initialized. Returning the existing instance. - CDISMProviderStore::Internal_GetProvider
2014-05-11 05:32:59, Info DISM DISM.EXE: 
2014-05-11 05:32:59, Info DISM DISM.EXE: <----- Starting Dism.exe session ----->
2014-05-11 05:32:59, Info DISM DISM.EXE: 
2014-05-11 05:32:59, Info DISM DISM.EXE: Host machine information: OS Version=6.1.7600, Running architecture=amd64, Number of processors=2
2014-05-11 05:32:59, Info DISM DISM.EXE: Executing command line: dism.exe /image:d:\ /cleanup-image /recertpendingactions
2014-05-11 05:32:59, Info DISM DISM Provider Store: PID=932 Getting the collection of providers from a local provider store type. - CDISMProviderStore::GetProviderCollection
2014-05-11 05:32:59, Info DISM DISM Provider Store: PID=932 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
2014-05-11 05:32:59, Info DISM DISM Provider Store: PID=932 Loading Provider from location X:\windows\System32\Dism\WimProvider.dll - CDISMProviderStore::Internal_GetProvider
2014-05-11 05:32:59, Info DISM DISM Provider Store: PID=932 Connecting to the provider located at X:\windows\System32\Dism\WimProvider.dll. - CDISMProviderStore::Internal_LoadProvider


----------



## Kevier (May 7, 2014)

OK, startup repair worked and now back on desktop. Man, this computer is really screwed up.


----------



## Kevier (May 7, 2014)

Sorry for the bombardment of posts.


----------



## Mark1956 (May 7, 2011)

No problem. The log you posted is not something I am familiar with so don't really know what to look for there. After the Startup Repair, how well is it running now?

Just want to check if your system has now updated to Service Pack 1. Please run this below:

Download Security Check by screen317 from Here or Here.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please Copy & Paste the contents of that document into your next reply.


----------



## Kevier (May 7, 2014)

It seems to be OK for now, but it runs fine until I update or leave it sitting for a bit. I'm still not sure if it has actually updated.
Here is the log:

Results of screen317's Security Check version 0.99.83 
Windows 7 x64 (UAC is enabled) 
*Out of date service pack!!* 
Internet Explorer 11 
*``````````````Antivirus/Firewall Check:``````````````* 
Windows Firewall Enabled! 
WMI entry may not exist for antivirus; attempting automatic update. 
*`````````Anti-malware/Other Utilities Check:`````````* 
Adobe Flash Player 10 *Flash Player out of Date!* 
Adobe Reader 9 *Adobe Reader out of Date!* 
Mozilla Firefox (29.0.1) 
*````````Process Check: objlist.exe by Laurent````````* 
*`````````````````System Health check`````````````````* 
Total Fragmentation on Drive C: 3% 
*````````````````````End of Log``````````````````````*


----------



## Mark1956 (May 7, 2011)

The Service Pack has not installed, and with all the other failed updates something is clearly not correct. Before you go any further I would suggest you make sure you have all your important data backed up to an external drive or CD/DVDs just in case the situation gets worse again and you have no option left but to do a re-install of Windows. Hopefully we can avoid that, we will see.

Please run this scan, it may give us some clues and might find some other infected files.

Please download *ComboFix* from one of the locations below and *save it to your Desktop. <-Important!!!*


Download Mirror #1
Download Mirror #2

Be sure to print out and follow these instructions: *A guide and tutorial on using ComboFix*

*Vista*/*Windows 7* users can skip the Recovery Console instructions and use the Windows DVD to boot into the Vista Recovery Environment or Windows 7 System Recovery Options if something goes awry. If you do not have a Windows 7 DVD then please create a Windows 7 Repair Disc. *XP* users need to install the Recovery Console first, just follow the prompts when you run it.


Temporarily *disable* your *anti-virus*, script blocking and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_. Click this link to see a list of such programs and how to disable them.
If ComboFix detects an older version of itself, you will be asked to update the program.
ComboFix will begin by showing a Disclaimer. Read it and click *I Agree* if you want to continue.
Follow the prompts and click on *Yes* to continue scanning for malware.
If using Windows 7 or Vista and you receive a UAC prompt asking if you want to continue running the program, you should press the *Continue* button.
When finished, please copy and paste the contents of C:\*ComboFix.txt* (_which will open after reboot_) in your next reply.
Be sure to *re-enable* your anti-virus and other security programs.

_-- Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.
-- ComboFix will temporarily disable your desktop, and if interrupted may leave it disabled. If this occurs, please reboot to restore it.
-- ComboFix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security._

If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "_How to Guide_" you printed out earlier. Those instructions only apply to XP, for Vista and Windows 7 go here: Internet connection repair

*NOTE:* if you see a message like this when you attempt to open anything after the reboot *"Illegal Operation attempted on a registry key that has been marked for deletion"* please reboot the system again and the warning should not return.



> *Do NOT use ComboFix* unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, *NOT for general public or personal use*. *Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again.* This site, sUBs and myself *will not* be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read *ComboFix's Disclaimer*.


----------



## Kevier (May 7, 2014)

Like I said, this computer was given to me and I was just trying to fix it to give to my wife.
But hopefully I won't have to re-install because I don't have any of the disks.


----------



## Mark1956 (May 7, 2011)

I can give you a link to download a legitimate copy of Windows 7 if required.

Let's see if Combofix gives us any clues. Not knowing what the previous owner did to this system doesn't help; if they ran Registry Cleaner/Optimizer tools they may have messed it up even before it got infected.


----------



## Kevier (May 7, 2014)

ComboFix 14-05-10.01 - cherylandshannon 05/11/2014 8:55.1.2 - x64
Running from: c:\users\cherylandshannon\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Blinkx
c:\program files (x86)\Blinkx\templates\index.html
c:\program files (x86)\Blinkx\templates\noflash.html
c:\program files (x86)\Blinkx\templates\offline.html
c:\program files (x86)\Blinkx\templates\offline.swf
.
.
((((((((((((((((((((((((( Files Created from 2014-04-11 to 2014-05-11 )))))))))))))))))))))))))))))))
.
.
2014-05-11 13:05 . 2014-05-11 13:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-05-11 02:49 . 2014-05-11 02:49 -------- d-----w- c:\users\cherylandshannon\AppData\Roaming\Malwarebytes
2014-05-11 01:51 . 2014-05-11 06:03 -------- d-----w- C:\1bd66a67443b745efaca0cd9
2014-05-10 17:50 . 2014-05-11 13:46 -------- d-----w- c:\windows\system32\SPReview
2014-05-10 17:49 . 2014-05-11 13:45 -------- d-----w- C:\21e2e72f8883674f5e2b
2014-05-10 14:27 . 2014-05-10 14:27 -------- d-----w- c:\users\cherylandshannon\AppData\Roaming\Oracle
2014-05-10 14:27 . 2014-05-10 14:27 -------- d-----w- c:\windows\Sun
2014-05-10 14:26 . 2014-05-10 14:26 -------- d-----w- c:\programdata\Oracle
2014-05-10 14:26 . 2014-05-10 14:26 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-05-10 14:26 . 2014-05-10 14:26 -------- d-----w- c:\program files (x86)\Java
2014-05-10 13:49 . 2014-05-10 20:40 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-05-10 13:21 . 2014-05-10 13:21 -------- d-----w- c:\users\cherylandshannon\AppData\Local\Programs
2014-05-10 12:07 . 2014-05-10 20:15 -------- d-----w- c:\program files (x86)\Tweaking.com
2014-05-10 08:05 . 2012-04-26 05:34 76288 ----a-w- c:\windows\system32\rdpwsx.dll
2014-05-10 08:05 . 2012-04-26 05:34 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2014-05-10 08:05 . 2012-04-26 05:28 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2014-05-10 07:04 . 2014-05-10 20:41 -------- d-----w- C:\7344151a188fec7779690644
2014-05-10 03:07 . 2014-05-11 12:19 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{13544CC7-72E5-47F5-B49A-3E95D627767B}\offreg.dll
2014-05-10 02:11 . 2014-05-10 20:41 -------- d-----w- C:\AdwCleaner
2014-05-09 16:27 . 2014-04-17 09:31 10651704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{13544CC7-72E5-47F5-B49A-3E95D627767B}\mpengine.dll
2014-05-09 15:34 . 2012-12-07 03:45 40960 ----a-w- c:\windows\system32\cob-au.rs
2014-05-07 15:26 . 2014-05-10 20:43 -------- d-----w- c:\windows\system32\EventProviders
2014-05-07 15:26 . 2014-05-10 20:41 -------- d-----w- C:\eff74ccb47279cbec46d9985a8d40624
2014-05-07 15:20 . 2014-05-07 15:22 -------- d-----w- c:\windows\system32\MRT
2014-05-07 15:18 . 2014-05-10 20:41 -------- d-----w- c:\program files\Microsoft Silverlight
2014-05-07 15:15 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2014-05-07 15:15 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2014-05-07 15:15 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2014-05-07 15:15 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2014-05-07 15:15 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2014-05-07 15:15 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2014-05-07 09:26 . 2014-05-10 02:20 -------- d-----w- C:\FRST
2014-05-05 07:00 . 2014-05-10 20:42 -------- d-----w- c:\windows\Microsoft Antimalware
2014-05-04 21:48 . 2014-05-04 21:50 -------- d-----w- c:\users\cherylandshannon\AppData\Local\Mozilla
2014-05-04 21:46 . 2014-05-11 12:08 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2014-05-04 21:14 . 2014-05-05 07:53 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2014-05-04 21:14 . 2014-05-10 20:16 -------- d-----w- c:\program files\Microsoft Security Client
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-31 13:35 . 2011-06-29 03:58 270496 ----a-w- c:\windows\system32\MpSigStub.exe
2014-03-31 07:51 . 2011-09-01 20:29 90655440 ----a-w- c:\windows\system32\MRT.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-08-18 1157128]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"NapsterShell"="c:\program files (x86)\Napster\napster.exe" [2010-01-19 323280]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS;c:\windows\SYSNATIVE\drivers\BVRPMPR5a64.SYS [x]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys;c:\windows\SYSNATIVE\drivers\cfwids.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys;c:\windows\SYSNATIVE\drivers\mferkdet.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys;c:\windows\SYSNATIVE\drivers\mfewfpk.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys;c:\windows\SYSNATIVE\DRIVERS\mfenlfk.sys [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [x]
S2 Greg_Service;GRegService;c:\program files (x86)\eMachines\Registration\GregHSRW.exe;c:\program files (x86)\eMachines\Registration\GregHSRW.exe [x]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
S2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [x]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys;c:\windows\SYSNATIVE\drivers\mfefirek.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-04 18:34]
.
2014-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-04 18:34]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-28 7982112]
"Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2009-09-30 823840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 415256]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uLocal Page = c:\windows\system32\blank.htm
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273606118725l04g4z1i5r44620263
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273606118725l04g4z1i5r44620263
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: rhapsody.com\rhap-app-4-0
Trusted Zone: rhapsody.com\rhapreg
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\cherylandshannon\AppData\Roaming\Mozilla\Firefox\Profiles\98odsgox.default\
FF - prefs.js: browser.startup.homepage - Yahoo.com
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-10 - (no file)
Wow6432Node-HKCU-Run-lime pro - c:\program files (x86)\Lime PRO\LimePro.exe
Toolbar-Locked - (no file)
Toolbar-10 - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-05-11 09:08:57
ComboFix-quarantined-files.txt 2014-05-11 13:08
.
Pre-Run: 191,400,554,496 bytes free
Post-Run: 191,683,649,536 bytes free
.
- - End Of File - - F4DDA7D998C4F4F8E7EA9966B004399F
A36C5E4F47E84449FF07ED3517B43A31


----------



## Kevier (May 7, 2014)

Just a little FYI: my computer didn't reboot, it opened right away.


----------



## Kevier (May 7, 2014)

So how am I lookin?


----------



## Mark1956 (May 7, 2011)

Not looking too bad. Combofix found some more Adware and no sign of any other problems.

One thing I meant to ask about earlier: what Anti Virus is on this system? I can see a lot of entries for McAfee but neither FRST nor the Security Check seems to recognize it as being installed. There are also a few files on the system that relate to Microsoft Security Essentials. Have a look in Programs & Features in the Control Panel and see if either of them is listed. We may have to do a bit of a clean up there.


----------



## Kevier (May 7, 2014)

McAfee was installed but I uninstalled it when I first got the computer. I had MSE installed but it disappeared. Malwarebytes looks like it's still installed but the desktop icon is gone now, and FRST and Security are both not there.


----------



## Kevier (May 7, 2014)

Something I noticed a little bit ago: I went into My Computer and opened the hard drive and noticed a lot of folders with a bunch of numbers and letters for names. I've never seen this type of folder before. I looked inside them and some have REQ files: $shtdwn$.req


----------



## Kevier (May 7, 2014)

And another has checkurlauncher Application.


----------



## Kevier (May 7, 2014)

There are 55 of these folders, and while counting I found the FRST File Folder.


----------



## Mark1956 (May 7, 2011)

Ok, at the moment it would seem your PC is completely unprotected with no active Anti Virus.

.req files are probably leftovers from a previously installed item of software, this page explains what they are: http://file.org/extension/req#

The disappearing programs/icons are a worry. The unknown files with numbers and letters as names are not actually that uncommon and in general they are harmless and created by the system.

The remnants of the Anti Virus programs need to be removed and there are a couple of tools we can use. I would then recommend you install MSE.

Run this tool to clean out McAfee: McAfee Removal Tool
Then run this one to clean out MSE: Microsoft Security Essentials Removal Tool

Then go here to download and install MSE: Microsoft Security Essentials

Once that is done, run a full system scan with MSE and allow it to remove anything it finds. Make a note of any detections and post them back here.

After that try running Windows Update again and let me know what happens. It may have been causing a problem with Windows Update having the remnants of two Anti Virus programs running on the system.


----------



## Kevier (May 7, 2014)

The scan was clean, trying updates.


----------



## Kevier (May 7, 2014)

Windows Update error
Error 80073712
Can't install important update


----------



## Kevier (May 7, 2014)

After update, same problem.
During the first restart it shows step 1 of 4, gets to 30%,
restarts, startup repair goes through, fixes a problem and restarts, then
preparing to configure Windows gets to 30%, shuts down and goes to startup repair again and loops.


----------



## Kevier (May 7, 2014)

I think I'm just gonna try to install the service pack alone, no other updates.


----------



## Mark1956 (May 7, 2011)

You can try that, but as the system is clearly having problems applying updates I think it is likely to fail.

I suspect this system is damaged and the running of a Repair Install would be my next suggestion. This will reinstall Windows without losing any data or the installed software. If that doesn't get everything working smoothly again the next step would have to be a full re-install from scratch.

Follow these instructions to run the Repair Install.

Please go here: Windows 7 ISO downloads and download the version of Windows 7 that matches what you have on your PC.

If you have downloaded the ISO on a Windows 7 PC right click the ISO file, select *Open With*, then select *Windows Disc Image Burning Tool* then follow the prompts.

For PCs using other versions of Windows you must burn the ISO image to a DVD using an ISO image burner; copying the ISO to a DVD will not work. If you do not have an ISO burner, download this free software and follow the instructions below to burn the disc: ImgBurn. When you install ImgBurn make sure you uncheck any boxes offering bundled software.

Install the program and start the application. Select the top left hand option to burn image file to disk and then on the next window click on the small yellow folder icon and browse to the ISO file you wish to burn. Then click on the two grey discs with the arrow in between (bottom left) and leave it to complete the operation.

Once done, please go here Windows 7 Repair Install and follow the instructions from 5.

When complete, test the system to see if the original problems have been resolved.


----------



## Kevier (May 7, 2014)

OK, we have a problem. I had to run dism.exe /image:C:\ /cleanup-image /revertpendingactions
to get back to desktop, but now after "failure configuring windows updates reverting changes do not turn off computer" I keep getting a blue screen. Trying in safe mode.


----------



## Kevier (May 7, 2014)

OK, I have safe mode.


----------



## Kevier (May 7, 2014)

Gonna try normal again.


----------



## Kevier (May 7, 2014)

Nope, I get to the welcome screen and then blue screen.


----------



## Kevier (May 7, 2014)

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7600.2.0.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 50
BCP1: FFFFFFFFFFFFFFD2
BCP2: 0000000000000000
BCP3: FFFFF88002101869
BCP4: 0000000000000000
OS Version: 6_1_7600
Service Pack: 0_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\051214-37081-01.dmp
C:\Users\cherylandshannon\AppData\Local\Temp\WER-87516-0.sysdata.xml

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt


----------



## Kevier (May 7, 2014)

I'm downloading this on my working PC:
*Windows 7 Home Premium x64 SP1 (bootable)*
http://msft.digitalrivercontent.net/win/X17-24209.iso


----------



## Mark1956 (May 7, 2011)

This PC isn't looking good. Do you have the Product key for this system? It should be on a sticker on the case; it will show a 25 digit code.

If the system will not boot back into Normal Mode a Repair Install is going to be impossible so a clean install will be needed, but without the Product key you won't be able to validate the Windows license.

The error code for the BSOD of 50 could indicate a number of different problems but the most likely is defective hardware and at the top of the list is defective RAM. That could actually fit in with many of the errors you are having.

I would suggest you run this diagnostic to check the memory.

Download Memtest86+ from here
If you wish to run the test from a USB flash drive use this link Auto installer for USB key
When the download is complete right click the file and select Extract Here and burn the image to a CD.

In Windows 7 right click the extracted file, select *Open With*, then select *Windows Disc Image Burning Tool* then follow the prompts.
For all other versions of Windows (if you do not have an ISO burner) download this free software: ImgBurn
Install the program (make sure you uncheck any boxes to stop any bundled software from installing) and start the application. Select the top left hand option to *Write image file to disk* and then on the next window click on the small yellow folder icon and browse to the ISO file you have downloaded. Then click on the two grey discs with the arrow in between (bottom left) and leave it to complete the operation.

Testing


Boot the PC into the Bios setup and set the CD/DVD drive to 1st in the boot sequence.
Insert the disk in the drive then reboot and the disc will load into dos.
Leave the test to run through *at least 8 passes* or until it is showing some errors.
If errors show in the test, stop the test and remove all but one of your RAM sticks then start the test again. Repeat the test on each stick until you find the one that is faulty.

*NOTE:* This is a long slow test and for convenience should ideally be run overnight.

The memtest will not be 100% accurate but should easily detect any major faults.


----------



## Kevier (May 7, 2014)

As for the product key, it is really worn. I can make out all but 2 numbers/letters.
I can barely see them but I think the 2 could be 3 and 7. Is there a way to check if that is right?
And do you want me to go ahead and download Memtest86+?


----------



## Mark1956 (May 7, 2011)

Run this: http://www.magicaljellybean.com/keyfinder/ to get the Product key and make a careful note of it, one digit incorrect and it will not work.

I would run the memtest to check the RAM. If it is defective it will need to be replaced before you stand any chance of getting this system back to full health.


----------



## Kevier (May 7, 2014)

I'll run keyfinder first, then memtest.


----------



## Kevier (May 7, 2014)

Memtest is at pass 10%.
Something weird: rebooted and forgot to put the flash drive in, and it made it to the desktop for a min or so before I got the blue screen.


----------



## Kevier (May 7, 2014)

3 passes and no errors


----------



## Mark1956 (May 7, 2011)

Make sure you let memtest run for at least 8 passes, you can see it listed to the right, across the middle of the screen, it will take many hours to complete. Anything less than 8 passes will be inconclusive.

The PC's behavior is certainly in line with a hardware error.


----------



## Kevier (May 7, 2014)

good news 10 passes and no errors


----------



## Mark1956 (May 7, 2011)

That is fairly conclusive, although I should add, even though Memtest is fairly good at what it does it can sometimes miss things. Let's see how things go with the re-install.


----------



## Kevier (May 7, 2014)

Alright, how exactly do I do this re-install?
Do I extract the files and then burn all to a DVD?
... Can I get a step by step please?


----------



## Mark1956 (May 7, 2011)

I posted the instructions to burn the DVD in post 95. DO NOT extract the files as that will not work.

When the disc is made just put it in the CD drive and reboot the system and follow the prompts.

There are some good instructions here: Windows 7 clean install


----------



## Kevier (May 7, 2014)

OK, having problems. After I downloaded the Windows file I burned the zipped file to a DVD using image burn. I put the disk into the computer, restarted, nothing happened.


----------



## Kevier (May 7, 2014)

Also it looks like I have normal mode back for now.


----------



## Kevier (May 7, 2014)

But I can't seem to open my disk drive again.


----------



## Mark1956 (May 7, 2011)

Kevier said:


> OK, having problems. After I downloaded the Windows file I burned the zipped file to a DVD using image burn. I put the disk into the computer, restarted, nothing happened.


It isn't a zip file, it should be an ISO file.

Put the DVD into any other PC and see if it boots up, it may take 30 seconds or more and you should see something appear on screen.

If that works the disc is ok and you will need to boot the system into the bios and set the boot order so the CD drive is in first position.

Although you now have Normal Mode back again, considering how unstable the system is I think a clean install is the best way to go, up to you if you want to try the Repair Install first.


----------



## Kevier (May 7, 2014)

It's a WinRAR archive file and it's in the drive.


----------



## Mark1956 (May 7, 2011)

WinRar does tend to give the impression it is a .zip file, but it is an .iso.

Can you open Windows Explorer? If so, you should see the drive in the left pane; right click on it and select Eject. If that doesn't work shut the system down, then use a bent out paper clip to push into the CD drive through a tiny hole you should find on the front of it. This should open the drive tray.


----------



## Kevier (May 7, 2014)

I think I'm having trouble with my disk drive because I can't see it.


----------



## Mark1956 (May 7, 2011)

Check my post above.


----------



## Kevier (May 7, 2014)

OK, what do you want me to try again after that?


----------



## Mark1956 (May 7, 2011)

Try what I suggested in post 116.

Getting late here now and an early start so I won't be about for more than a few minutes then I'll be off line.


----------



## Kevier (May 7, 2014)

I apologize for being such a headache.


----------



## Kevier (May 7, 2014)

OK, I'm having trouble (again).
I go to the clean install link you gave and I click the link here:

If you do not have a Windows 7 with SP1 installation DVD/USB, then you can download the latest official Windows 7 with SP1 *ISO* file here: *Microsoft: Windows 7 Direct Download Links*, and use *Windows 7 USB-DVD Download Tool* to create a bootable DVD or USB flash drive with the ISO to do the clean install with.

It takes me here:
http://www.heidoc.net/joomla/technology-science/microsoft/14-windows-7-direct-download-links

I download this:

Windows 7 Home Premium x64 SP1 (old) X17-24209.iso

and it looks like a WinRAR file, doesn't say iso, but I tried burning with

*Windows 7 USB-DVD Download Tool*

and it says it's not an iso file.


----------



## Mark1956 (May 7, 2011)

> I apologize for being such a headache.


Not a problem, we are here to help with headaches.

The original download link I gave you is a Bootable .iso file, so there should be no need to do anything else with it, just to burn it with ImgBurn, or if on a Windows 7 PC right click the ISO file, select *Open With*, then select *Windows Disc Image Burning Tool* then follow the prompts.

I'm wondering if there is a problem with the CD drive. Try the disc in another PC with the PC turned on and see if it recognizes the disc and starts to run. If it does not do that then you may have a problem with your DVD burner. Try burning the disc in another PC.


----------
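The recurring question in the posts above, whether the downloaded file is really an ISO or an archive, can be settled from the file's own bytes rather than from the icon Windows shows. The following is an added example, not part of the original thread: it looks for ISO 9660 volume descriptors and an El Torito boot record, and computes a SHA-256 to compare with a hash from the publisher (the thread gives none). The function names and the in-memory sample image are constructed for illustration.

```python
import hashlib
import io
import sys

SECTOR = 2048            # ISO 9660 logical sector size
FIRST_VD_SECTOR = 16     # volume descriptors follow the 32 KiB system area
MAX_DESCRIPTORS = 64     # safety bound when walking a damaged image

# Leading signatures of common archive formats.
ARCHIVE_MAGICS = {
    b"Rar!\x1a\x07": "rar",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def classify_image(stream):
    """Identify a file by content: archive, ISO 9660 image, or unknown."""
    result = {"kind": "unknown", "bootable": False, "volume_id": None}
    stream.seek(0)
    head = stream.read(8)
    for magic, name in ARCHIVE_MAGICS.items():
        if head.startswith(magic):
            result["kind"] = name
            return result
    for sector in range(FIRST_VD_SECTOR, FIRST_VD_SECTOR + MAX_DESCRIPTORS):
        stream.seek(sector * SECTOR)
        vd = stream.read(SECTOR)
        # Every volume descriptor carries the standard identifier "CD001".
        if len(vd) < SECTOR or vd[1:6] != b"CD001":
            break
        result["kind"] = "iso9660"
        vd_type = vd[0]
        if vd_type == 0:
            # Boot record: an El Torito identifier marks a bootable disc.
            ident = vd[7:39].rstrip(b"\x00 ")
            if ident == b"EL TORITO SPECIFICATION":
                result["bootable"] = True
        elif vd_type == 1:
            # Primary volume descriptor: volume identifier at bytes 40..71.
            result["volume_id"] = vd[40:72].decode("ascii", "replace").strip()
        elif vd_type == 255:
            break  # volume descriptor set terminator
    return result


def sha256_of(stream, chunk=1 << 20):
    """Hash the whole file for comparison with a publisher-supplied value."""
    stream.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()


def build_sample_iso(bootable=True):
    """Constructed minimal image: descriptors only, no file system content."""
    def descriptor(vd_type):
        vd = bytearray(SECTOR)
        vd[0] = vd_type
        vd[1:6] = b"CD001"
        vd[6] = 1
        return vd

    pvd = descriptor(1)
    pvd[40:72] = b"SAMPLE_VOLUME".ljust(32)
    descriptors = [pvd]
    if bootable:
        boot = descriptor(0)
        boot[7:39] = b"EL TORITO SPECIFICATION".ljust(32, b"\x00")
        descriptors.append(boot)
    descriptors.append(descriptor(255))
    system_area = bytes(FIRST_VD_SECTOR * SECTOR)
    return system_area + b"".join(bytes(d) for d in descriptors)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_image.py path\to\download.iso
        with open(sys.argv[1], "rb") as fh:
            print(classify_image(fh))
            print("sha256:", sha256_of(fh))
    else:
        print(classify_image(io.BytesIO(build_sample_iso())))
```

A result of `iso9660` with `bootable: True` means the file is a disc image regardless of which program Windows associates with the `.iso` extension; a result of `rar` or `zip` means the download itself is an archive and burning it as an image will not produce a bootable disc.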



## Kevier (May 7, 2014)

It's not picking up my flash drive in normal mode either.


----------



## Kevier (May 7, 2014)

Yes, it recognized it.


----------



## Kevier (May 7, 2014)

When I put it in the bad PC it just boots normal.


----------



## Mark1956 (May 7, 2011)

Have you checked the Bios boot order to make sure the CD is in 1st position?


----------



## Kevier (May 7, 2014)

How do I do that again?


----------



## Kevier (May 7, 2014)

I think I figured it out but seemed to not work.
I pressed F2, went over to boot and moved CD DVD up to 1, right?


----------



## Mark1956 (May 7, 2011)

This is sounding like a defective CD drive. Go back into the Bios and make sure the setting has been saved, if you left the Bios without saving the setting it may have reverted.

I must get off to work now, be back in a couple of hours.


----------



## Kevier (May 7, 2014)

Shouldn't be a defective drive, I burned photos off of it when I first got it.


----------



## Mark1956 (May 7, 2011)

Even though the drive can burn something that doesn't necessarily mean it can read the new disc you made. You said the disc was recognized in another PC, but did it actually boot up and start to launch the Windows installation?

It could be that defects in the OS are stopping it from reading the disk when it is booted into Normal or Safe mode, but a defective OS cannot stop it from booting from the DVD when starting the system, only a defective CD drive or a defective DVD can cause that.


----------



## Kevier (May 7, 2014)

Once the disk is in I can't even open it. I have to shut it down and take it out manually, and if I boot with the disk inside I can't even see the drive, but if I boot without it I can see the drive.


----------



## Kevier (May 7, 2014)

By "open it" I mean the disk drive won't open when I push the button.


----------



## Kevier (May 7, 2014)

It won't even read that I have a flash drive if I put that in.


----------



## Kevier (May 7, 2014)

And I've been using a flash drive for most of the work we have been doing.


----------



## Mark1956 (May 7, 2011)

Ok, just to bring me up to date with the full picture of what is going on.

Did you check the boot order has remained as you set it?

When you put the DVD of Windows 7 in the working PC (already booted to the desktop) does it launch the disk and show the Windows installation opening screen? You should hear the disc spinning up just after you insert it and the installation screen should appear soon after.

The fact that the CD drive will not open once you have inserted the DVD suggests to me it is having trouble reading it.


----------



## Kevier (May 7, 2014)

No, if I put the disk in booted it does not recognize it, and if I click on the disk drive in My Computer it says Windows Explorer is not responding and everything on my desktop disappears and I have to reboot. If I boot with the disk in, the disk drive isn't even present. It doesn't recognize my flash drive anymore. Let me try to put a blank disk in to see what happens.


----------



## Kevier (May 7, 2014)

OK, it can read CDs, it can read blank DVDs, but it can't read burnt DVDs, so I think I'm gonna try to download it to the other laptop and burn it unless I can send the file by USB.


----------



## Mark1956 (May 7, 2011)

> No, if I put the disk in booted it does not recognize it, and if I click on the disk drive in My Computer it says Windows Explorer is not responding and everything on my desktop disappears and I have to reboot. If I boot with the disk in, the disk drive isn't even present. It doesn't recognize my flash drive anymore. Let me try to put a blank disk in to see what happens.


My question related to what happened when using the working PC, not the faulty one.



> *When you put the DVD of Windows 7 in the working PC* (already booted to the desktop) does it launch the disk and show the Windows installation opening screen? You should hear the disc spinning up just after you insert it and the installation screen should appear soon after.


You need to test the DVD in the working PC to see if it functions as it should.

If it fails then you should be able to transfer the .ISO of Windows 7 to your laptop on a USB stick. I hadn't realized up to this point that you downloaded and burned the DVD on the faulty PC, that may be why it isn't working.


----------



## Kevier (May 7, 2014)

Sorry.

When I put the disk into the working PC the AutoPlay boots up and I can open the file and run the setup.exe, but the Windows install screen doesn't boot.

And I had to download it to the functioning PC because at the time I couldn't access the normal mode on the other.

My flash drive is only 2 gig and it doesn't register on the non-functioning PC now.


----------



## Kevier (May 7, 2014)

Sorry, misread your post. I downloaded and burned it on the working PC first and haven't got it on the faulty PC yet.


----------



## Kevier (May 7, 2014)

Like I said, the faulty PC can read CDs and blank DVDs, but any burnt DVD it can't read. I even tried one that had pictures on it from forever ago.


----------



## Mark1956 (May 7, 2011)

Ok, after some confusion I'm grasping what is going on.

When you put the DVD you burned into the working PC you should see the first screen appear in the attachment, then when you click on setup.exe it should show the second screen, is that what is happening? If so then the DVD you burned would appear to be fine.

What you have just posted seems to confirm the faulty PC has a defective CD drive and as it can't function with a Flash Drive we are now at a dead end unless you can purchase a new CD drive or borrow one from another system.


----------



## Kevier (May 7, 2014)

I do not get the run setup.exe, mine shows
import pictures options
and
general options
which is open folder.


----------



## Kevier (May 7, 2014)

I just downloaded the file to the faulty PC and it's an ISO file, but when I download it to the working PC it's a WinRAR file.


----------



## Kevier (May 7, 2014)

OK, I have burnt it on the faulty PC and it can read it in normal mode. Can I just run the .exe file in normal mode or do I have to boot it?


----------



## Mark1956 (May 7, 2011)

Ok, we might get somewhere now. Sounds like you just had an incompatibility between the CD burner on one system and the CD drive in the other, i.e. the drive the disk was burnt on isn't a good match with the drive you were using to read it. The difference between how the two PCs see the file is simply due to file associations.

Now to go ahead with a clean install you need to have the new DVD in the drive and then reboot the PC, hopefully it will boot from the DVD and not the hard drive and will get you going with a clean installation. Fingers crossed it all comes good when the installation is complete.


----------



## Kevier (May 7, 2014)

After I burn it I can see everything on the disk. After restart it doesn't boot and I can't access it.


----------



## Kevier (May 7, 2014)

Is there a scan I can do to check and see if my drive is bad, or maybe it needs a driver update or something?


----------



## Mark1956 (May 7, 2011)

Please check the Bios settings are still set with the CD in 1st position.

If that is set correctly, put the disk in when the PC is booted and try to run the .exe file, let me know if it then starts the installation showing the screen that I attached to an earlier post.

There aren't any drivers for CD drives and I don't know any way of testing one. As it is now able to read the new DVD it should be ok.


----------



## Kevier (May 7, 2014)

After I restarted it I can't see the files anymore. Gonna see if I can get a bigger flash drive. Could you please post the flash drive link for the Windows 7 clean install?


----------



## Mark1956 (May 7, 2011)

Here you go: http://pcsupport.about.com/od/windows7/a/install-windows-7-usb.htm


----------



## Kevier (May 7, 2014)

Until I get my flash drive I'm gonna try to do a repair install, so I'm gonna run the setup.exe.


----------



## Kevier (May 7, 2014)

Windows installation encountered an unexpected error. Verify that the installation sources are accessible, and restart the installation. Error code:0xE0000100

I googled it and it said I could have something wrong with my hard drive. Is that a possibility?


----------



## Kevier (May 7, 2014)

Could the ISO file be corrupt?


----------



## Mark1956 (May 7, 2011)

I'm seeing quite a few different causes for that error, but most seem to relate to Vista which obviously doesn't apply here, but it seems it has something to do with the partitions on the hard drive. I think it may be better to wait until you get the larger Flash Drive and see if that works any better.

You could try this solution in post 10 http://www.sevenforums.com/installation-setup/10565-windows-7-setup-error-0xe0000100.html Once you do this though it will not be able to perform a repair install as it will wipe the partition, so a full install will be the only option.

It looks like Drive E: is a Recovery Partition so you could try a System Recovery, you may have to google a bit to find out how to access it, usually this would be from the Advanced Boot menu after clicking on F8 at boot up or using a specific key during boot up. If successful this will put the system back to how it was when it left the factory.


----------



## Kevier (May 7, 2014)

I got my flash drive this morning.


----------



## Mark1956 (May 7, 2011)

:up:


----------



## Kevier (May 7, 2014)

When I open the Windows 7 USB/DVD Download Tool and add the source file it says it is not a valid ISO file. Any ideas?


----------



## Mark1956 (May 7, 2011)

Not sure why that would happen as we know 'it is' an ISO file. Try uninstalling WinRar so it is no longer associated with it.


----------



## Kevier (May 7, 2014)

Tried that, didn't work.


----------



## Kevier (May 7, 2014)

Fixed the problem. Here is a little something to add to your many bags of tricks:

*Step 1:* Download ImgBurn software from here and install the same on your PC. As some of you know, ImgBurn is a free software and is compatible with all recent versions of Windows, both 32-bit and 64-bit systems.
*Step 2:* Launch ImgBurn, click *Create image file from files/folder*. Drag and drop the ISO file to ImgBurn window to add it to the source list.

*Step 3:* Select a location to save the new ISO file by clicking the Browse button next to Destination box.
*Step 4:* Click on the Options tab on the right-side pane of ImgBurn and select the file system as ISO9660 + Joliet + UDF from the drop-down menu.

*Step 5:* Finally, click the Build button (see picture) to begin saving the edited ISO file with new file system. Click Yes button when you see the confirmation dialog and click Yes button again if you see confirm Volume Label dialog box, and finally, click OK button to begin saving the ISO file.

Once the job is done, you can run Windows 7 USB/DVD Download Tool again and browse to the newly created ISO file to prepare the bootable USB/DVD without any issues.


----------
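
Step 4 in the post above rebuilds the image as ISO9660 + Joliet + UDF. As an added example (not part of the thread, and not code from ImgBurn or Microsoft), this Python script reads an image's volume descriptors and reports which of those three file systems it declares, so the downloaded and the rebuilt ISO can be compared. The names `iso_filesystems` and `build_sample` are hypothetical, and the sample image is constructed.

```python
import io

SECTOR = 2048
FIRST_DESCRIPTOR = 16                      # sectors 0-15 are the system area
JOLIET_ESCAPES = (b"%/@", b"%/C", b"%/E")  # UCS-2 levels 1-3 in a type 2 descriptor
UDF_IDS = (b"NSR02", b"NSR03")
OTHER_VRS_IDS = (b"BEA01", b"TEA01", b"BOOT2", b"CDW02")


def iso_filesystems(stream, max_sectors=64):
    """Return the file systems declared by an image's volume descriptors."""
    found = set()
    stream.seek(FIRST_DESCRIPTOR * SECTOR)
    for _ in range(max_sectors):
        sector = stream.read(SECTOR)
        if len(sector) < SECTOR:
            break                          # truncated image or end of file
        vtype, ident = sector[0], sector[1:6]
        if ident == b"CD001":
            if vtype == 1:
                found.add("ISO9660")       # primary volume descriptor
            elif vtype == 2 and sector[88:91] in JOLIET_ESCAPES:
                found.add("Joliet")        # supplementary descriptor, Unicode names
            # other CD001 types (boot record, terminator): keep scanning,
            # a UDF recognition sequence may follow the terminator
        elif ident in UDF_IDS:
            found.add("UDF")
        elif ident not in OTHER_VRS_IDS:
            break                          # past the descriptor area
    return found


def build_sample(joliet=False, udf=False):
    """Constructed test image: descriptor sectors only, no file data."""
    def desc(vtype, ident, escape=b""):
        s = bytearray(SECTOR)
        s[0], s[1:6], s[6] = vtype, ident, 1
        s[88:88 + len(escape)] = escape
        return bytes(s)
    parts = [bytes(FIRST_DESCRIPTOR * SECTOR), desc(1, b"CD001")]
    if joliet:
        parts.append(desc(2, b"CD001", b"%/E"))
    parts.append(desc(255, b"CD001"))
    if udf:
        parts += [desc(0, b"BEA01"), desc(0, b"NSR02"), desc(0, b"TEA01")]
    return io.BytesIO(b"".join(parts))
```

To inspect a real image, open it in binary mode and pass the file object to `iso_filesystems`.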



## Mark1956 (May 7, 2011)

Thanks for posting that info, but I still don't quite understand what was wrong with the downloaded ISO, I have had many people burn a DVD with it without any issues, both with the Win 7 built-in image burner and using ImgBurn. Don't think I have come across anyone who had to put it on a Flash Drive so maybe this is the way to go. Looking at the above guide it seems to recreate the ISO, but in a slightly different format, we live and learn.

Let us know how it goes using the Flash Drive. Fingers crossed there are no more hitches.


----------



## Kevier (May 7, 2014)

Well, now I'm trying to figure out why it won't copy to the USB. It gets to 99% and then says it failed to copy to the USB, to check the USB or the ISO file. I'm so confused.


----------



## Mark1956 (May 7, 2011)

The bad luck continues.

Are you doing this on the faulty or working PC?


----------



## Kevier (May 7, 2014)

Tried both.


----------



## Kevier (May 7, 2014)

New problem: ran fixwu and it seemed to fix things, but after reboot Windows starts up but before I can get to the logon screen I get this error:
C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.17601.17825_none_2b253c8271ec7765\gdiplus.dll is either not designed to run on windows or it contains an error. try installing the program again using the original installation media or contact your system administrator or the software vendor for support


----------



## Mark1956 (May 7, 2011)

You need to bring me up to date, have you managed to do the clean install from the Flash Drive?

Or, have you just run the Windows Update repair on the existing installation?

gdiplus.dll is an important Windows system file which contains libraries for the GDI graphics interface.


----------



## Kevier (May 7, 2014)

It was the existing installation.


----------



## Mark1956 (May 7, 2011)

Ok, you never did respond to this suggestion in post 159:



> It looks like Drive E: is a Recovery Partition so you could try a System Recovery, you may have to google a bit to find out how to access it, usually this would be from the Advanced Boot menu after clicking on F8 at boot up or using a specific key during boot up. If successful this will put the system back to how it was when it left the factory.


This could be a viable option if you can get it to run.


----------



## Kevier (May 7, 2014)

OK, will try to do a system recovery.


----------



## Mark1956 (May 7, 2011)

Ok, let's hope this sees a change of luck.


----------



## Kevier (May 7, 2014)

That worked. I now have normal mode back and am trying updates.


----------



## Kevier (May 7, 2014)

I must thank you, sir. After the System Recovery the laptop works great. Thanks again.


----------



## Kevier (May 7, 2014)

I just want to thank you again for all your time and effort (THANK YOU)

I wanted to do this

but instead you made me do this

Thanks Again!


----------



## Mark1956 (May 7, 2011)

We always get there in the end and you're most welcome.


----------

