# Sudden failure of utilities



## xelahart (Apr 29, 2009)

Last night I had a strange sudden failure on my computer. I don't know what search terms to use to get help from Google, so I am hoping a friendly human on this forum will be able to diagnose and point me to a solution.

*OS*
Windows Vista
*The Event*
Last night I had turned on the computer and logged on using a dedicated logon I use for synching my iPod. I was adding folders to my library from an external hard drive when everything suddenly froze. I only had Windows Explorer and iTunes open, both froze. I could not close them. I opened Task Manager, this could not close them. I Switched User, used a different logon, opened Task Manager, clicked All Users, and tried to kill iTunes and Windows Explorer from there, still no effect. I tried to Log Off, Restart and Shut Down, all ignored. I eventually held the power button down until it died and then started it up again.
*Symptoms Since*
After restarting the computer Windows Explorer could see the external hard drive, but could not see anything inside it; it just looked for ages, then hung, then would not close, then the computer would not shut down, power down again.

When I started it up the next time it hung before loading Windows, it appeared to be trying to read one of the external hard disks. I powered down again, turned off all the external hard disks and started up again.
Now whenever I turn it on it seems fine, but freezes as soon as I try to do anything. Opening Internet Explorer to research the issue, opening up Control Panel, Task Manager, or sometimes just Windows Explorer, all freeze, which is making diagnostics difficult. Whenever it freezes it also refuses to shut down so I have to manually power it down. Sometimes I try to shut it down before it has frozen and it hangs half way through the shut down, I just have a mouse pointer on a black screen indefinitely.

It seems to run OK in Safe Mode. I tried doing a System Restore from within Safe Mode. It suggested going back to before the last Windows update a few days ago so I did this. I don't know if it worked, I think not, it was taking ages so I went to bed, in the morning it was frozen on the black screen with the mouse pointer. When I started it again it was no better.

I will try to do a TSG SysInfo run tonight if it will let me (I am writing this from another computer).

Any suggestions?


----------



## xelahart (Apr 29, 2009)

TSG Info said:

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft® Windows Vista Home Premium, Service Pack 2, 32 bit
Processor: Intel(R) Core(TM)2 Quad CPU Q8200 @ 2.33GHz, x64 Family 6 Model 23 Stepping 7
Processor Count: 4
RAM: 3070 Mb
Graphics Card: NVIDIA GeForce 7100 / NVIDIA nForce 630i, 256 Mb
Hard Drives: C: Total - 600238 MB, Free - 303221 MB;
Motherboard: Packard Bell BV, MCP73PVT-PM
Antivirus: McAfee Anti-Virus and Anti-Spyware, Updated and Enabled


----------



## xelahart (Apr 29, 2009)

That TSG Info didn't seem to give a lot of info that would help with diagnosis. If there is anything else I can do to provide more useful data I am happy to try.
A little help, somebody, please ...


----------



## xelahart (Apr 29, 2009)

Er...

How about some advice on how to get a question responded to?
Have I posted in the wrong place?
Or failed to use some key words that the technical wizards on this forum search for?
Or committed some newbie forum faux pas I am not aware of?

Hello, Earth to Tech Support Guy Forum, are you reading me? OVER


----------



## xelahart (Apr 29, 2009)

Would a Hijack This log help with diagnosis?
Happy to try anything that helps.


----------



## xelahart (Apr 29, 2009)

OK this is what HJT said:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:16:18, on 16/05/2013
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16476)
Boot mode: Safe mode with network support
Running processes:
C:\Windows\Explorer.EXE
C:\Windows\helppane.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\mcafee.com\agent\McUpdate.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=1008&m=imedia_x2416
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=1008&m=imedia_x2416
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120706041929.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O13 - Gopher Prefix: 
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~1\mcafee\msc\mcsniepl.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
--
End of file - 8685 bytes
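The log above is the raw material a malware-forum helper reads by eye: which O2/O3 entries point at files that no longer exist, which O23 services have no publisher, which O4 autoruns are given as a bare file name. As an added example (not from the thread or any of its posters), the PowerShell script below does that first triage pass over HijackThis 2.0.2 output. The `$sampleHjtLog` here-string is constructed from a handful of lines copied from the posted log so the script runs without a real file; `Get-HjtFinding` and the flag names are this example's own. It assumes Windows PowerShell 2.0 or later.

```powershell
# Added example, not the project's or the poster's code: flag HijackThis
# entries that deserve a second look. Sample input constructed from lines
# in the posted log; replace with: Get-Content .\hijackthis.log
$sampleHjtLog = @'
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Safe mode with network support
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
--
End of file - 8685 bytes
'@

function Get-HjtFinding {
    # Hypothetical helper for this example: returns one object per HJT line
    # that trips at least one heuristic. Lines that match nothing are skipped.
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    foreach ($line in $Lines) {
        # Every HJT entry starts with a section tag such as R1, O2, O23.
        if ($line -match '^(?<section>[RO]\d+) - (?<body>.+)$') {
            $section = $Matches['section']
            $body    = $Matches['body']
            $flags   = @()

            # Target DLL/EXE no longer exists: an uninstall leftover, or a
            # component that was removed while its registration stayed behind.
            if ($body -match '\((no file|file missing)\)\s*$') { $flags += 'target-missing' }

            # Service without a publisher string. Not bad in itself (several
            # OEM helpers are unsigned) but it is the first thing to verify.
            if ($section -eq 'O23' -and $body -match ' - Unknown owner - ') { $flags += 'unknown-owner' }

            # Toolbar registered with no display name.
            if ($body -match '^Toolbar: \(no name\)') { $flags += 'unnamed-toolbar' }

            # Autorun given as a bare file name: it is resolved through PATH
            # at logon, so confirm which copy on disk actually runs.
            if ($section -eq 'O4' -and $body -match '\] (?<target>[^"\\%]+\.exe)\s*$') { $flags += 'bare-filename' }

            if ($flags.Count -gt 0) {
                New-Object PSObject -Property @{
                    Section = $section
                    Flags   = ($flags -join ',')
                    Entry   = $body
                }
            }
        }
    }
}

# Run over the constructed sample. Splitting on CR?LF handles both
# Windows and Unix line endings in a saved log.
Get-HjtFinding -Lines ($sampleHjtLog -split "`r?`n") |
    Format-Table Section, Flags, Entry -AutoSize -Wrap
```

On the sample this reports five entries: the two orphaned O2 BHOs, the unnamed O3 toolbar (which trips both `target-missing` and `unnamed-toolbar`), the bare `RtHDVCpl.exe` autorun, and the Adobe file-monitor service with no owner. Flags are prompts to verify, not verdicts: everything it marks in this log is a plausible leftover from legitimate software, which is exactly why a human reviewer still reads the entries rather than deleting on sight.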


----------



## Couriant (Mar 26, 2002)

Please bear in mind, this is a 100% volunteering site and we are not on here 24/7. We may not see your thread until later.

As to the issue at hand, if you completely leave the external drives disconnected for 48 hours does your computer work as normal?


----------



## AtlBo (Jun 2, 2010)

Just a tip xelahart...

When the computer starts to slow, (if at all possible) let your first response be to open Task Manager. Sort by the CPU column so that the processes using the most processor can be seen at the top. Leave it open while you troubleshoot and make note of which processes seem to be bogging down the computer. This can help lead to diagnosis more quickly...


----------



## xelahart (Apr 29, 2009)

Couriant
Sorry for getting impatient. I can see now that it has not been that long since my first post, and you all have your own lives.
The external hard drive has not been connected since the event (which is now more than 48hrs).

AtlBo
Task Manager is usually my first response. However since this fault developed I often find that once a programme has frozen on me Task Manager refuses to open. I get the tiny green grid icon in the bottom right of my Task Bar saying Task Manager is open but no main window I can do anything with. If I do manage to get TM open, it tells me the CPU is 99% idle, i.e. nothing is bogging the computer down even though I can see the hard drive light is on almost constantly (and hear it chugging about) and the computer is ignoring most of my instructions.
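AtlBo's tip and the reply above together describe the gap in the Task Manager view: CPU sorted to the top shows nothing, yet windows stop responding and the disk never goes quiet. As an added example (not from the thread or any poster), the PowerShell function below captures the same snapshot from a prompt, which often still works when the Task Manager window will not paint, and adds the two things Task Manager does not show: per-process disk I/O and the drive's own health signals. It assumes Windows PowerShell 2.0 or later on Vista (`Get-Counter` and `Get-WinEvent` are absent from 1.0) and an elevated prompt so that other users' processes are visible; `Get-FreezeSnapshot` is this example's own name.

```powershell
# Added example, not the poster's code: one-shot snapshot of what is busy or
# hung, for a machine whose CPU reads idle while the disk light stays on.
function Get-FreezeSnapshot {
    param([int]$Top = 8)

    $procs = Get-Process

    # Windowed processes that have stopped answering window messages. This is
    # what Task Manager labels "Not Responding"; it says nothing about CPU.
    $hung = $procs |
        Where-Object { $_.MainWindowHandle -ne 0 -and -not $_.Responding } |
        Select-Object Id, ProcessName, MainWindowTitle

    # Processor seconds consumed since each process started (the CPU column).
    $cpu = $procs | Sort-Object CPU -Descending |
        Select-Object -First $Top Id, ProcessName, CPU

    # One 1-second sample of per-process disk I/O. This is the counter to read
    # when CPU is ~99% idle but the drive is chugging constantly.
    $sample = Get-Counter '\Process(*)\IO Data Bytes/sec' -SampleInterval 1 -MaxSamples 1 -ErrorAction SilentlyContinue
    $io = $null
    if ($sample) {
        $io = $sample.CounterSamples |
            Where-Object { @('_total', 'idle') -notcontains $_.InstanceName } |
            Sort-Object CookedValue -Descending |
            Select-Object -First $Top InstanceName, CookedValue
    }

    # SMART failure-prediction bit, where the disk driver exposes it through WMI.
    $smart = Get-WmiObject -Namespace 'root\wmi' -Class MSStorageDriver_FailurePredictStatus -ErrorAction SilentlyContinue |
        Select-Object InstanceName, PredictFailure

    # Recent critical/error/warning events from the disk and NTFS sources in
    # the System log (Level 1-3). These often precede the freezes described.
    $diskEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'disk', 'Ntfs'; Level = 1, 2, 3 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, Message

    New-Object PSObject -Property @{
        Hung       = $hung
        TopCpu     = $cpu
        TopDiskIo  = $io
        Smart      = $smart
        DiskEvents = $diskEvents
    }
}

# Usage: take the snapshot while the machine is misbehaving and keep it
# around (Export-Clixml) so the thread can be updated with facts, not guesses.
$snap = Get-FreezeSnapshot
$snap.Hung       | Format-Table -AutoSize
$snap.TopCpu     | Format-Table -AutoSize
$snap.TopDiskIo  | Format-Table -AutoSize
$snap.Smart      | Format-Table -AutoSize
$snap.DiskEvents | Format-Table TimeCreated, ProviderName, Id -AutoSize
$snap | Export-Clixml -Path "$env:USERPROFILE\freeze-snapshot.xml"
```

Read the sections together rather than one at a time: a process at the top of `TopDiskIo` with nothing in `TopCpu`, a `PredictFailure` of True, or repeated disk/Ntfs events in `DiskEvents` all point away from "something eating the CPU" and toward storage, which is the distinction the reply above could not make from Task Manager alone.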


----------



## xelahart (Apr 29, 2009)

A few more symptoms to report. All the below are if I don't start in Safe Mode.

If I open IE it normally runs OK initially unless I go to a site with an embedded video in which case it crashes.
When I tried to download HijackThis and TSG Info, the Save As window refused to pop up when I tried to save them (had to do it from within safe mode)
Similarly I opened a Word doc and tried to print, when I clicked print the window that normally pops up with print options didn't.
If I try to open any of the utilities from within Control Panel, they either refuse to open, or freeze when trying to populate the initial list of things (e.g. when Programmes populates the list of installed programmes)
If I have Task Manager open when a programme crashes, TM does not report any unusual CPU or RAM usage, just says that the programme is not responding. It is also usually not able to close the programme or end the associated process.


----------



## xelahart (Apr 29, 2009)

And a specific question:

Is there a way to get the computer to start in Safe Mode without having to start the computer normally and then kill it by holding down the power button. (When I start it up again Safe Mode is offered before Windows loads)

The only way I can get the computer to do anything, (including diagnostics) is in safe mode and the only way I know to access safe mode is the process above. I assume that doing this repeatedly must be battering some of the components?


----------



## Couriant (Mar 26, 2002)

Hold down F8 while computer is booting up (but HAS to be before the Windows logo screen)

I will move this to the Malware forum as it seems that you may have something running in the background that is causing these issues. Again, please be patient while they are working with you and others


----------



## xelahart (Apr 29, 2009)

Thanks for the help.
If you think it is malware presumably there would be no harm in me trying to run something that looks for that sort of stuff?
Any you can suggest that would run from within safe mode?


----------



## Couriant (Mar 26, 2002)

The Malware team will be the ones to answer that. I don't deal with malware... yet


----------



## xelahart (Apr 29, 2009)

Not sure if it is relevant but when I start in safe mode I notice that the last thing to load is crcdisk.sys and that it hangs for a long time at this point before starting.

Also the advice I was given (above) for starting in safe mode without having to start up normally then kill the power doesn't work for me. I was told to hold F8 but this just takes me to a screen where I can choose to boot from alternative disks, it does not give me an option to start in safe mode. Is there some other route I can try to get it to start in safe mode?

Also please could someone recommend a malware tool I could run from safe mode to see if that is my problem?
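On the Safe Mode question in the post above: when F8 lands on the firmware boot-device menu instead of the Windows Advanced Boot Options, the boot entry itself can be told to start in Safe Mode, so no further hard power-offs are needed. As an added example (not from the thread or any poster), the PowerShell function below sets or clears the `safeboot` value on the running OS entry with `bcdedit`, the same setting that the msconfig Boot tab's "Safe boot" checkbox writes. It assumes an elevated prompt (it can be run from Safe Mode with Networking itself) and the standard single-OS Vista boot configuration, where `{current}` is the entry that is booted now; `Set-NextBootSafeMode` is this example's own name.

```powershell
# Added example, not the poster's code: switch the current OS boot entry
# into or out of Safe Mode through the BCD store instead of the F8 window.
function Set-NextBootSafeMode {
    param(
        # 'network' keeps networking up so scan tools can update; 'minimal' does not.
        [ValidateSet('minimal', 'network')] [string]$Mode = 'network',
        # -Clear removes the setting so the next boot is a normal one again.
        [switch]$Clear
    )

    # bcdedit refuses to open the store without administrative rights, so fail
    # early with a clear message rather than a cryptic "access is denied".
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Run as administrator) PowerShell prompt.'
    }

    # {current} must be quoted: unquoted braces are a script block in PowerShell.
    if ($Clear) {
        & bcdedit /deletevalue '{current}' safeboot
    } else {
        & bcdedit /set '{current}' safeboot $Mode
    }
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }

    # Show the entry so the change can be confirmed before restarting.
    & bcdedit /enum '{current}'
}

# Usage: set it, reboot into Safe Mode with Networking, do the diagnostics,
# then clear it from inside Safe Mode before the final reboot.
Set-NextBootSafeMode -Mode network
# Set-NextBootSafeMode -Clear
```

The setting is persistent: every boot will be Safe Mode until `-Clear` is run, so it belongs in the same session notes as the scans. If the machine will not even reach Safe Mode through this route, the hang at `crcdisk.sys` mentioned above is worth raising in the thread, since the boot entry is no longer the thing in the way.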


----------



## xelahart (Apr 29, 2009)

Doh! Just read the sticky and seen the scans I need to do. Here they come.

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 9.0.8112.16476 BrowserJavaVersion: 10.17.2
Run by Hart at 14:56:58 on 2013-05-19
Microsoft® Windows Vista Home Premium 6.0.6002.2.1252.44.1033.18.3070.2353 [GMT 1:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\mcafee.com\agent\McUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=1008&m=imedia_x2416
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=1008&m=imedia_x2416
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.0.318\McAfeeMSS_IE.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - <orphaned>
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - 
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120706041929.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_6_602_180_ActiveX.exe -update activex
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eRecoveryService] <no file>
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.318\SSScheduler.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{27FA60FB-5855-47ED-90FC-73C7DFD953D2} : DHCPNameServer = 192.168.1.254 192.168.1.254
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-26 565888]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-8-26 210608]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-26 167784]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-26 169320]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-26 172416]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-26 60920]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-26 363080]
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-7-29 102008]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-28 390528]
S1 RapportCerberus_51755;RapportCerberus_51755;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_51755.sys [2013-4-1 317112]
S1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2013-4-2 102680]
S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2013-4-2 173880]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ETService;Empowering Technology Service;c:\program files\packardbell\packard bell recovery management\service\ETService.exe [2008-10-13 24576]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-14 95232]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-26 167784]
S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-26 167784]
S2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-26 203840]
S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2013-4-2 1124184]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-10-23 146872]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.318\McCHSvc.exe [2013-2-5 235216]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-26 235264]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-26 65928]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-26 92632]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-05-01 19:15:45 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
.
==================== Find3M ====================
.
2013-03-23 16:45:28 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-23 16:45:28 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-11 13:25:50 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-11 13:25:50 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-09 03:45:04 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-09 01:28:08 64000 ----a-w- c:\windows\system32\smss.exe
2013-03-08 03:53:50 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 03:52:22 2067968 ----a-w- c:\windows\system32\mstscax.dll
2013-03-06 20:48:02 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-06 20:48:01 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-06 20:48:01 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-05 01:40:56 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-02-22 03:46:00 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-02-22 03:38:00 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-02-22 03:37:50 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-22 03:34:17 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-02-22 03:34:03 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-02-22 03:31:46 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-02-19 20:32:56 6162704 ----a-w- c:\windows\system32\nvopencl.dll
2013-02-19 20:32:54 10919200 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-02-19 20:32:52 2446416 ----a-w- c:\windows\system32\nvapi.dll
2013-02-19 20:32:52 17560352 ----a-w- c:\windows\system32\nvcompiler.dll
2013-02-19 20:32:30 2577184 ----a-w- c:\windows\system32\nvcuvid.dll
2013-02-19 20:32:30 1869088 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-02-19 20:32:22 15413704 ----a-w- c:\windows\system32\nvd3dum.dll
2013-02-19 20:32:20 892704 ----a-w- c:\windows\system32\nvdispgenco32.dll
2013-02-19 20:32:18 1010464 ----a-w- c:\windows\system32\nvdispco32.dll
2013-02-19 20:32:12 7754560 ----a-w- c:\windows\system32\nvcuda.dll
2013-02-19 20:32:10 19915552 ----a-w- c:\windows\system32\nvoglv32.dll
2013-02-19 14:15:04 60920 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-02-19 14:12:24 210608 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2013-02-19 14:11:02 10088 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2013-02-19 14:10:52 92632 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2013-02-19 14:09:52 565888 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-02-19 14:09:02 363080 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2013-02-19 14:08:40 65928 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2013-02-19 14:08:20 235264 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-02-19 14:07:50 133416 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
.
============= FINISH: 14:59:10.43 ===============


----------



## xelahart (Apr 29, 2009)

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista Home Premium 
Boot Device: \Device\HarddiskVolume2
Install Date: 13/10/2008 10:07:55
System Uptime: 19/05/2013 14:34:52 (0 hours ago)
.
Motherboard: Packard Bell BV | | MCP73PVT-PM
Processor: Intel(R) Core(TM)2 Quad CPU Q8200 @ 2.33GHz | CPU 1 | 2333/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 586 GiB total, 298.964 GiB free.
D: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is CDROM ()
J: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&130421A5&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&130421A5&0
Service: i8042prt
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
[email protected] DVD Eraser v 1.1
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop Elements 6.0
Adobe Reader 8.3.1
Adobe Shockwave Player 11.5
Amazon MP3 Downloader 1.0.9
Apple Application Support
Apple Mobile Device Support
Apple Software Update
µTorrent
AviSynth 2.5
Bonjour
BT NetProtect Plus
Canon Camera Access Library
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities ZoomBrowser EX
Citrix XenApp Web Plugin
Cole2k Media - Codec Pack (Advanced) 7.9.5
Compatibility Pack for the 2007 Office system
DVD Flick 1.3.0.7
Garmin City Navigator Europe NT 2008
Garmin Communicator Plugin
Garmin USB Drivers
GrabIt 1.7.2 Beta 4 (build 997)
HDReg
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iCloud
Image Writer
Internet From BT
iTunes
Java 7 Update 17
Java Auto Updater
JavaFX 2.1.1
LCD test
LeapFrog Connect
LeapFrog MyOwnLeaptop Plugin
MagicDisc 2.7.106
McAfee Security Scan Plus
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access 2003 Developer Extensions
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Professional 2003
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8 Essentials
neroxml
NVIDIA Control Panel 307.83
NVIDIA Drivers
NVIDIA Graphics Driver 307.83
NVIDIA Install Application
NVIDIA Update 1.10.8
NVIDIA Update Components
OGA Notifier 2.0.0048.0
Packard Bell Recovery Management
Photodex Presenter
PS3 Video 9 6
QuickTime
Rapport
Realtek High Definition Audio Driver
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition 
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition 
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition 
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition 
Shared C Run-time for x86
Spelling Dictionaries Support For Adobe Reader 8
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2768021) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Updator
Use the entry named LeapFrog Connect to uninstall (LeapFrog MyOwnLeaptop Plugin)
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
WinRAR archiver
.
==== End Of File ===========================


----------



## xelahart (Apr 29, 2009)

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-05-19 15:47:04
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\0000005f WDC_WD64 rev.01.0 596.17GB
Running: m7dk7jcy.exe; Driver: C:\Users\Hart\AppData\Local\Temp\pxldipow.sys

---- System - GMER 2.1 ----
INT 0x51 ? 8C206BF8
INT 0x52 ? 8CD07BF8
INT 0x82 ? 8C205BF8
INT 0x92 ? 8C206BF8
---- Kernel code sections - GMER 2.1 ----
? System32\Drivers\spal.sys The system cannot find the path specified. !
? C:\Users\Hart\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
---- User code sections - GMER 2.1 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[260] kernel32.dll!CreateThread 7662CB0E 5 Bytes JMP 714475E3 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!SetWindowsHookExW 764B87AD 5 Bytes JMP 714825B4 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!CallNextHookEx 764B8E3B 5 Bytes JMP 714A7FDF C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!UnhookWindowsHookEx 764B98DB 5 Bytes JMP 714CED00 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!EnableWindow 764BCD8B 5 Bytes JMP 71489EBC C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DefWindowProcA 764BDB88 3 Bytes JMP 7144980D C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DefWindowProcA + 4 764BDB8C 3 Bytes [FA, CC, CC] {CLI ; INT 3 ; INT 3 }
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!CreateWindowExA 764BDC2A 5 Bytes JMP 71453643 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!CreateWindowExW 764C1305 5 Bytes JMP 714B03CF C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DefWindowProcW 764D03B4 7 Bytes JMP 714A8042 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DialogBoxParamW 764E10B0 5 Bytes JMP 713E1893 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DialogBoxIndirectParamW 764E2EF5 5 Bytes JMP 715D913E C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DialogBoxParamA 764F8152 5 Bytes JMP 715D90D9 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DialogBoxIndirectParamA 764F847D 5 Bytes JMP 715D91A3 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!MessageBoxIndirectA 7650D4D9 5 Bytes JMP 715D9060 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!MessageBoxIndirectW 7650D5D3 5 Bytes JMP 715D8FE7 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!MessageBoxExA 7650D639 5 Bytes JMP 715D8F83 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!MessageBoxExW 7650D65D 5 Bytes JMP 715D8F1F C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] ole32.dll!OleLoadFromStream 766E1E80 5 Bytes JMP 715D990C C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] kernel32.dll!CreateThread 7662CB0E 5 Bytes JMP 714475E3 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!SetWindowsHookExW 764B87AD 5 Bytes JMP 714825B4 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!CallNextHookEx 764B8E3B 5 Bytes JMP 714A7FDF C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!UnhookWindowsHookEx 764B98DB 5 Bytes JMP 714CED00 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!EnableWindow 764BCD8B 5 Bytes JMP 71489EBC C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!DefWindowProcA 764BDB88 3 Bytes JMP 7144980D C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!DefWindowProcA + 4 764BDB8C 3 Bytes [FA, CC, CC] {CLI ; INT 3 ; INT 3 }
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!CreateWindowExA 764BDC2A 5 Bytes JMP 71453643 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!CreateWindowExW 764C1305 5 Bytes JMP 714B03CF C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!DefWindowProcW 764D03B4 7 Bytes JMP 714A8042 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!DialogBoxParamW 764E10B0 5 Bytes JMP 713E1893 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!DialogBoxIndirectParamW 764E2EF5 5 Bytes JMP 715D913E C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!DialogBoxParamA 764F8152 5 Bytes JMP 715D90D9 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!DialogBoxIndirectParamA 764F847D 5 Bytes JMP 715D91A3 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!MessageBoxIndirectA 7650D4D9 5 Bytes JMP 715D9060 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!MessageBoxIndirectW 7650D5D3 5 Bytes JMP 715D8FE7 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!MessageBoxExA 7650D639 5 Bytes JMP 715D8F83 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!MessageBoxExW 7650D65D 5 Bytes JMP 715D8F1F C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] ole32.dll!OleLoadFromStream 766E1E80 5 Bytes JMP 715D990C C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!EnableWindow 764BCD8B 5 Bytes JMP 71489EBC C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DialogBoxParamW 764E10B0 5 Bytes JMP 713E1893 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DialogBoxIndirectParamW 764E2EF5 5 Bytes JMP 715D913E C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DialogBoxParamA 764F8152 5 Bytes JMP 715D90D9 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DialogBoxIndirectParamA 764F847D 5 Bytes JMP 715D91A3 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!MessageBoxIndirectA 7650D4D9 5 Bytes JMP 715D9060 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!MessageBoxIndirectW 7650D5D3 5 Bytes JMP 715D8FE7 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!MessageBoxExA 7650D639 5 Bytes JMP 715D8F83 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!MessageBoxExW 7650D65D 5 Bytes JMP 715D8F1F C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!CreateThread 7662CB0E 5 Bytes JMP 714475E3 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!SetWindowsHookExW 764B87AD 5 Bytes JMP 714825B4 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!CallNextHookEx 764B8E3B 5 Bytes JMP 714A7FDF C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!UnhookWindowsHookEx 764B98DB 5 Bytes JMP 714CED00 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!EnableWindow 764BCD8B 5 Bytes JMP 71489EBC C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!DefWindowProcA 764BDB88 3 Bytes JMP 7144980D C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!DefWindowProcA + 4 764BDB8C 3 Bytes [FA, CC, CC] {CLI ; INT 3 ; INT 3 }
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!CreateWindowExA 764BDC2A 5 Bytes JMP 71453643 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!CreateWindowExW 764C1305 5 Bytes JMP 714B03CF C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!DefWindowProcW 764D03B4 7 Bytes JMP 714A8042 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!DialogBoxParamW 764E10B0 5 Bytes JMP 713E1893 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!DialogBoxIndirectParamW 764E2EF5 5 Bytes JMP 715D913E C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!DialogBoxParamA 764F8152 5 Bytes JMP 715D90D9 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!DialogBoxIndirectParamA 764F847D 5 Bytes JMP 715D91A3 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!MessageBoxIndirectA 7650D4D9 5 Bytes JMP 715D9060 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!MessageBoxIndirectW 7650D5D3 5 Bytes JMP 715D8FE7 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!MessageBoxExA 7650D639 5 Bytes JMP 715D8F83 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!MessageBoxExW 7650D65D 5 Bytes JMP 715D8F1F C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] ole32.dll!OleLoadFromStream 766E1E80 5 Bytes JMP 715D990C C:\Windows\system32\IEFRAME.dll
******************************************************************************
I'll continue with the devices bit in the next post.


----------
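The user code section above is easier to judge once the hooks are grouped by where the JMP lands. The following Python is an added example for this thread, not GMER's code and not something the poster ran: it parses the `.text` lines, groups them by target module, and flags any target that is not under the Windows system directories. The first four sample lines are copied from the log above; the fifth, an explorer.exe hook into a DLL under C:\Users\Public, is hypothetical and included only to show what a flagged entry looks like. The trusted-directory list is an assumption of the example.

```python
import re
from collections import Counter

# Constructed sample in the exact shape of the GMER 2.1 "User code sections"
# lines posted above (the first four are copied from the thread); the final
# explorer.exe line is a hypothetical hook added only to show how an entry
# whose JMP target lies outside the Windows directory would be reported.
SAMPLE_GMER = r"""
---- User code sections - GMER 2.1 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[260] kernel32.dll!CreateThread 7662CB0E 5 Bytes JMP 714475E3 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DefWindowProcA 764BDB88 3 Bytes JMP 7144980D C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DefWindowProcA + 4 764BDB8C 3 Bytes [FA, CC, CC] {CLI ; INT 3 ; INT 3 }
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] ole32.dll!OleLoadFromStream 766E1E80 5 Bytes JMP 715D990C C:\Windows\system32\IEFRAME.dll
.text C:\Windows\explorer.exe[1500] ntdll.dll!NtQueryDirectoryFile 77A1B3F0 5 Bytes JMP 10001A20 C:\Users\Public\hypothetical.dll
"""

# One ".text" line: <image>[<pid>] <module>!<export>[ + off] <addr> <n> Bytes <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<export>[\w.]+!\w+(?: \+ \d+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+) Bytes\s+(?P<patch>.*)$"
)
# A patch that is a relative JMP is reported with its target address and the
# module that owns that address; anything else is shown as raw bytes.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]+)\s+(?P<module>\S.*?)\s*$")

# Hooks that jump into the Windows system directory are the usual benign case
# (IEFRAME.dll hooking USER32 inside iexplore.exe, as in the thread). This list
# is an assumption of the example, not something GMER defines.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_hooks(text):
    """Return one dict per inline hook found in a GMER user code section."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hook = m.groupdict()
        hook["pid"] = int(hook["pid"])
        hook["size"] = int(hook["size"])
        jmp = JMP_RE.match(hook["patch"])
        # None means GMER printed raw patch bytes rather than a resolved JMP target
        hook["module"] = jmp["module"] if jmp else None
        hooks.append(hook)
    return hooks


def is_trusted_module(path):
    return path is not None and path.lower().startswith(TRUSTED_DIRS)


def triage_gmer_hooks(text):
    """Group hooks by target module and process; flag targets outside trusted dirs."""
    hooks = parse_hooks(text)
    by_module = Counter(h["module"] for h in hooks if h["module"])
    by_process = Counter(f'{h["image"]}[{h["pid"]}]' for h in hooks)
    suspicious = [h for h in hooks if h["module"] and not is_trusted_module(h["module"])]
    return {"hooks": hooks, "by_module": by_module,
            "by_process": by_process, "suspicious": suspicious}


if __name__ == "__main__":
    report = triage_gmer_hooks(SAMPLE_GMER)
    for module, n in report["by_module"].most_common():
        print(f"{n:3d} hook(s) -> {module}")
    for h in report["suspicious"]:
        print(f"REVIEW: {h['image']}[{h['pid']}] {h['export']} -> {h['module']}")
```

Run it over the whole pasted GMER output; the kernel and device sections do not match the `.text` pattern and are ignored. On the posted log every JMP resolves into C:\Windows\system32\IEFRAME.dll inside iexplore.exe, so nothing is flagged. The directory check is a first pass only: a hostile DLL can also be dropped under system32, so a hook whose target module you do not recognise should still be checked by hash against the vendor's file, whatever directory it sits in.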



## xelahart (Apr 29, 2009)

---- Devices - GMER 2.1 ----
Device \FileSystem\Ntfs \Ntfs 8C20C1F8
Device \Driver\volmgr \Device\VolMgrControl 8C2081F8
Device \Driver\usbohci \Device\USBPDO-0 8CD2C1F8
Device \Driver\usbehci \Device\USBPDO-1 8CE5D500
Device \Driver\nvstor32 \Device\00000060 8C20B1F8
Device \Driver\volmgr \Device\HarddiskVolume1 8C2081F8
Device \Driver\volmgr \Device\HarddiskVolume2 8C2081F8
Device \Driver\cdrom \Device\CdRom0 8CE9D1F8
Device \Driver\atapi \Device\Ide\IdePort0 8C20A1F8
Device \Driver\atapi \Device\Ide\IdePort1 8C20A1F8
Device \Driver\volmgr \Device\HarddiskVolume3 8C2081F8
Device \Driver\cdrom \Device\CdRom1 8CE9D1F8
Device \Driver\volmgr \Device\HarddiskVolume4 8C2081F8
Device \Driver\volmgr \Device\HarddiskVolume5 8C2081F8
Device \Driver\volmgr \Device\HarddiskVolume6 8C2081F8
Device \Driver\netbt \Device\NetBt_Wins_Export 8D2071F8
Device \Driver\Smb \Device\NetbiosSmb 8D2211F8
Device \Driver\nvstor32 \Device\RaidPort0 8C20B1F8
Device \Driver\iScsiPrt \Device\RaidPort1 8CE9E1F8
Device \Driver\USBSTOR \Device\0000006a 8CE1F1F8
Device \Driver\nvstor32 \Device\0000005f 8C20B1F8
Device \Driver\USBSTOR \Device\0000006b 8CE1F1F8
Device \Driver\USBSTOR \Device\0000006c 8CE1F1F8
Device \Driver\usbohci \Device\USBFDO-0 8CD2C1F8
Device \Driver\USBSTOR \Device\0000006d 8CE1F1F8
Device \Driver\usbehci \Device\USBFDO-1 8CE5D500
Device \Driver\USBSTOR \Device\0000006e 8CE1F1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{27FA60FB-5855-47ED-90FC-73C7DFD953D2} 8D2071F8
Device \FileSystem\cdfs \Cdfs 8D8FE1F8
---- Trace I/O - GMER 2.1 ----
Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8c20b1f8]<< 8c20b1f8
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8c3956f0] 8c3956f0
Trace 3 CLASSPNP.SYS[90dc98b3] -> nt!IofCallDriver -> [0x8c2d06d8] 8c2d06d8
Trace 5 acpi.sys[807b96bc] -> nt!IofCallDriver -> \Device\0000005f[0x8c2d0ba0] 8c2d0ba0
Trace \Driver\nvstor32[0x8c2ca290] -> IRP_MJ_CREATE -> 0x8c20b1f8 8c20b1f8


----------



## xelahart (Apr 29, 2009)

I haven't pasted the Registry section because it is enormous. I don't know how to work out the size, but I would estimate it is between 100 and 1000 times as large as the bits I have already posted.

I would post it as an attachment, but I can't. One of my computer's symptoms is that for most things which pop up a window before they complete (e.g. Save As, Print, or attaching things), the window doesn't pop up. So I can't attach anything.


----------



## xelahart (Apr 29, 2009)

I tried to download Malwarebytes while I was waiting for advice. Tried to download from here: http://www.techspot.com/downloads.p...6&evp=0a59f9584bb65ce60f8292a3fc06e555&file=1

But my computer won't let me do Save As any more, and if I just try to Save or Run, it gets to about 90% downloaded and then says it can't download.


----------



## Cookiegal (Aug 27, 2003)

Please go here and download *TDSSKiller.exe* to your desktop.

Double-click TDSSKiller.exe on your desktop to run it.
Click on *Start Scan*
As we don't want to fix anything yet, if any malicious objects are detected, *do NOT select Cure* but select *Skip* instead.
It will produce a log in the root drive once it finishes, which should look like this example:

C:\TDSSKiller.<version_date_time>log.txt

Please copy and paste the contents of that log in your next reply.


----------
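The TDSSKiller log requested above runs to thousands of lines, and the poster cannot attach files, so the useful step is to reduce it to the lines a helper actually reads. The following Python is an added example for this thread, not Kaspersky's TDSSKiller code and not something either participant posted: it parses the header, the MBR partition line and the service scan, then reports any entry whose verdict is not "ok", any service with no image file on disk (a verdict line with no preceding hash line), any image outside the usual Windows and Program Files locations, and how many sectors sit before the first listed partition. The sample lines are copied from the log posted below in the thread; the final "hypo" entry, its all-zero hash and its verdict wording are assumptions made up to show a non-"ok" result, and the expected-directory list is likewise an assumption of the example.

```python
import re
from collections import namedtuple

# Constructed sample: header, partition and service lines copied from the
# TDSSKiller 2.8.17.0 log posted in the thread, plus one hypothetical "hypo"
# entry (hash, path and verdict wording are all assumptions) to show how a
# non-"ok" result is surfaced.
SAMPLE_TDSS = r"""
12:02:43.0960 3232 Boot type: Safe boot with network
12:02:44.0288 3232 Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
12:02:44.0350 3232 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1400800, BlocksNum 0x494572B0
12:02:47.0064 3268 ================ Scan system memory ========================
12:02:47.0064 3268 System memory - ok
12:02:47.0064 3268 ================ Scan services =============================
12:02:47.0330 3268 [ 82B296AE1892FE3DBEE00C9CF92F8AC7 ] ACPI C:\Windows\system32\drivers\acpi.sys
12:02:47.0361 3268 ACPI - ok
12:02:48.0312 3268 [ 7EF47644B74EBE721CC32211D3C35E76 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
12:02:48.0312 3268 Apple Mobile Device - ok
12:02:49.0592 3268 COMSysApp - ok
12:02:51.0167 3268 [ D61E53E3FEC0C92BC8DD3969FAD63F87 ] HipShieldK C:\Windows\system32\drivers\HipShieldK.sys
12:02:51.0167 3268 HipShieldK - ok
12:02:52.0000 3268 [ 00000000000000000000000000000000 ] hypo C:\Users\Public\hypo.sys
12:02:52.0010 3268 hypo - detected (hypothetical verdict)
"""

PREFIX = r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+"          # "12:02:47.0330 3268 "
SECTION_RE = re.compile(PREFIX + r"=+ Scan (?P<section>.+?) =+\s*$")
HASH_RE = re.compile(PREFIX + r"\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<name>.+?) (?P<path>[A-Za-z]:\\.*)$")
STATUS_RE = re.compile(PREFIX + r"(?P<name>.+?) - (?P<verdict>.+)$")
PART_RE = re.compile(
    PREFIX + r"(?P<dev>\\Device\\\S+): MBR, Type 0x(?P<type>[0-9A-Fa-f]+), "
    r"StartLBA 0x(?P<start>[0-9A-Fa-f]+), BlocksNum 0x(?P<blocks>[0-9A-Fa-f]+)"
)

Service = namedtuple("Service", "name md5 path verdict")
Partition = namedtuple("Partition", "device type start_lba blocks")

# Where Windows and vendor services normally live (an assumption of this
# example); an image anywhere else deserves a look even when the verdict is ok.
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_tdss_log(text):
    services, partitions, boot_type = [], [], None
    section, pending = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PART_RE.match(line)
        if m:
            partitions.append(Partition(m["dev"], int(m["type"], 16),
                                        int(m["start"], 16), int(m["blocks"], 16)))
            continue
        if "Boot type:" in line:
            boot_type = line.split("Boot type:", 1)[1].strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            section, pending = m["section"].lower(), None
            continue
        if section != "services":
            continue            # only the service scan uses the hash/verdict pair
        m = HASH_RE.match(line)
        if m:
            pending = (m["name"], m["md5"].upper(), m["path"])
            continue
        m = STATUS_RE.match(line)
        if m:
            if pending and pending[0] == m["name"]:
                services.append(Service(pending[0], pending[1], pending[2], m["verdict"]))
            else:
                # verdict with no preceding hash line: no image file on disk
                services.append(Service(m["name"], None, None, m["verdict"]))
            pending = None
    return {"boot_type": boot_type, "partitions": partitions, "services": services}


def leading_gap_sectors(partitions):
    """Sectors before the first listed MBR partition. Normal alignment is 63 or
    2048; a far larger gap is space no listed partition covers, to be reconciled
    against diskpart or the GMER volume list before drawing any conclusion."""
    return min(p.start_lba for p in partitions) if partitions else None


def triage_tdss_log(text):
    log = parse_tdss_log(text)
    svc = log["services"]
    log["not_ok"] = [s for s in svc if s.verdict.lower() != "ok"]
    log["no_file"] = [s for s in svc if s.path is None]
    log["outside_expected_dirs"] = [s for s in svc
                                    if s.path and not s.path.lower().startswith(EXPECTED_DIRS)]
    log["leading_gap_sectors"] = leading_gap_sectors(log["partitions"])
    return log


if __name__ == "__main__":
    r = triage_tdss_log(SAMPLE_TDSS)
    print("boot type:", r["boot_type"])
    for p in r["partitions"]:
        print(f"{p.device}: type 0x{p.type:x}, {p.blocks * 512 / 2**30:.2f} GiB, starts at LBA {p.start_lba}")
    print("leading gap (sectors):", r["leading_gap_sectors"])
    for label in ("not_ok", "no_file", "outside_expected_dirs"):
        for s in r[label]:
            print(f"{label:>22}: {s.name} {s.path or ''} [{s.verdict}]")
```

Two things to keep in mind when reading the result. The "Boot type" line records that the scan ran in Safe Mode with Networking, where many third-party drivers are never loaded, so a clean service scan there says less than one taken from a normal boot. And the MD5 column is only useful against a reference: a hash that matches the vendor's file clears the entry, while an "ok" verdict on its own only means TDSSKiller's own signatures did not fire.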



## xelahart (Apr 29, 2009)

12:02:43.0289 3232 TDSS rootkit removing tool 2.8.17.0 Apr 11 2013 11:56:34
12:02:43.0960 3232 ============================================================
12:02:43.0960 3232 Current date / time: 2013/05/25 12:02:43.0960
12:02:43.0960 3232 SystemInfo:
12:02:43.0960 3232 
12:02:43.0960 3232 OS Version: 6.0.6002 ServicePack: 2.0
12:02:43.0960 3232 Product type: Workstation
12:02:43.0960 3232 ComputerName: HART-PC
12:02:43.0960 3232 UserName: Hart
12:02:43.0960 3232 Windows directory: C:\Windows
12:02:43.0960 3232 System windows directory: C:\Windows
12:02:43.0960 3232 Processor architecture: Intel x86
12:02:43.0960 3232 Number of processors: 4
12:02:43.0960 3232 Page size: 0x1000
12:02:43.0960 3232 Boot type: Safe boot with network
12:02:43.0960 3232 ============================================================
12:02:44.0288 3232 Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
12:02:44.0350 3232 ============================================================
12:02:44.0350 3232 \Device\Harddisk0\DR0:
12:02:44.0350 3232 MBR partitions:
12:02:44.0350 3232 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1400800, BlocksNum 0x494572B0
12:02:44.0350 3232 ============================================================
12:02:44.0366 3232 C: <-> \Device\Harddisk0\DR0\Partition1
12:02:44.0366 3232 ============================================================
12:02:44.0366 3232 Initialize success
12:02:44.0366 3232 ============================================================
12:02:46.0628 3268 ============================================================
12:02:46.0628 3268 Scan started
12:02:46.0628 3268 Mode: Manual; 
12:02:46.0628 3268 ============================================================
12:02:47.0064 3268 ================ Scan system memory ========================
12:02:47.0064 3268 System memory - ok
12:02:47.0064 3268 ================ Scan services =============================
12:02:47.0330 3268 [ 82B296AE1892FE3DBEE00C9CF92F8AC7 ] ACPI C:\Windows\system32\drivers\acpi.sys
12:02:47.0361 3268 ACPI - ok
12:02:47.0454 3268 [ E8FE4FCE23D2809BD88BCC1D0F8408CE ] AdobeActiveFileMonitor6.0 C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
12:02:47.0626 3268 AdobeActiveFileMonitor6.0 - ok
12:02:47.0720 3268 [ EA856F4A46320389D1899B2CAA7BF40F ] AdobeFlashPlayerUpdateSvc C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
12:02:47.0720 3268 AdobeFlashPlayerUpdateSvc - ok
12:02:47.0751 3268 [ 04F0FCAC69C7C71A3AC4EB97FAFC8303 ] adp94xx C:\Windows\system32\drivers\adp94xx.sys
12:02:47.0766 3268 adp94xx - ok
12:02:47.0813 3268 [ 60505E0041F7751BDBB80F88BF45C2CE ] adpahci C:\Windows\system32\drivers\adpahci.sys
12:02:47.0829 3268 adpahci - ok
12:02:47.0844 3268 [ 8A42779B02AEC986EAB64ECFC98F8BD7 ] adpu160m C:\Windows\system32\drivers\adpu160m.sys
12:02:47.0844 3268 adpu160m - ok
12:02:47.0891 3268 [ 241C9E37F8CE45EF51C3DE27515CA4E5 ] adpu320 C:\Windows\system32\drivers\adpu320.sys
12:02:47.0891 3268 adpu320 - ok
12:02:47.0922 3268 [ 9D1FDA9E086BA64E3C93C9DE32461BCF ] AeLookupSvc C:\Windows\System32\aelupsvc.dll
12:02:47.0938 3268 AeLookupSvc - ok
12:02:47.0969 3268 [ 3911B972B55FEA0478476B2E777B29FA ] AFD C:\Windows\system32\drivers\afd.sys
12:02:47.0969 3268 AFD - ok
12:02:47.0985 3268 [ 13F9E33747E6B41A3FF305C37DB0D360 ] agp440 C:\Windows\system32\drivers\agp440.sys
12:02:47.0985 3268 agp440 - ok
12:02:48.0016 3268 [ AE1FDF7BF7BB6C6A70F67699D880592A ] aic78xx C:\Windows\system32\drivers\djsvs.sys
12:02:48.0016 3268 aic78xx - ok
12:02:48.0047 3268 [ A1545B731579895D8CC44FC0481C1192 ] ALG C:\Windows\System32\alg.exe
12:02:48.0047 3268 ALG - ok
12:02:48.0063 3268 [ 9EAEF5FC9B8E351AFA7E78A6FAE91F91 ] aliide C:\Windows\system32\drivers\aliide.sys
12:02:48.0063 3268 aliide - ok
12:02:48.0094 3268 [ C47344BC706E5F0B9DCE369516661578 ] amdagp C:\Windows\system32\drivers\amdagp.sys
12:02:48.0094 3268 amdagp - ok
12:02:48.0110 3268 [ 9B78A39A4C173FDBC1321E0DD659B34C ] amdide C:\Windows\system32\drivers\amdide.sys
12:02:48.0110 3268 amdide - ok
12:02:48.0125 3268 [ 18F29B49AD23ECEE3D2A826C725C8D48 ] AmdK7 C:\Windows\system32\drivers\amdk7.sys
12:02:48.0125 3268 AmdK7 - ok
12:02:48.0141 3268 [ 93AE7F7DD54AB986A6F1A1B37BE7442D ] AmdK8 C:\Windows\system32\drivers\amdk8.sys
12:02:48.0141 3268 AmdK8 - ok
12:02:48.0172 3268 [ C6D704C7F0434DC791AAC37CAC4B6E14 ] Appinfo C:\Windows\System32\appinfo.dll
12:02:48.0172 3268 Appinfo - ok
12:02:48.0312 3268 [ 7EF47644B74EBE721CC32211D3C35E76 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
12:02:48.0312 3268 Apple Mobile Device - ok
12:02:48.0344 3268 [ 5D2888182FB46632511ACEE92FDAD522 ] arc C:\Windows\system32\drivers\arc.sys
12:02:48.0344 3268 arc - ok
12:02:48.0359 3268 [ 5E2A321BD7C8B3624E41FDEC3E244945 ] arcsas C:\Windows\system32\drivers\arcsas.sys
12:02:48.0375 3268 arcsas - ok
12:02:48.0390 3268 [ 53B202ABEE6455406254444303E87BE1 ] AsyncMac C:\Windows\system32\DRIVERS\asyncmac.sys
12:02:48.0390 3268 AsyncMac - ok
12:02:48.0390 3268 [ 1F05B78AB91C9075565A9D8A4B880BC4 ] atapi C:\Windows\system32\drivers\atapi.sys
12:02:48.0406 3268 atapi - ok
12:02:48.0437 3268 [ 68E2A1A0407A66CF50DA0300852424AB ] AudioEndpointBuilder C:\Windows\System32\Audiosrv.dll
12:02:48.0453 3268 AudioEndpointBuilder - ok
12:02:48.0468 3268 [ 68E2A1A0407A66CF50DA0300852424AB ] Audiosrv C:\Windows\System32\Audiosrv.dll
12:02:48.0468 3268 Audiosrv - ok
12:02:48.0484 3268 [ 67E506B75BD5326A3EC7B70BD014DFB6 ] Beep C:\Windows\system32\drivers\Beep.sys
12:02:48.0484 3268 Beep - ok
12:02:48.0531 3268 [ C789AF0F724FDA5852FB9A7D3A432381 ] BFE C:\Windows\System32\bfe.dll
12:02:48.0531 3268 BFE - ok
12:02:48.0578 3268 [ 93952506C6D67330367F7E7934B6A02F ] BITS C:\Windows\System32\qmgr.dll
12:02:48.0812 3268 BITS - ok
12:02:48.0827 3268 [ D4DF28447741FD3D953526E33A617397 ] blbdrive C:\Windows\system32\drivers\blbdrive.sys
12:02:48.0827 3268 blbdrive - ok
12:02:48.0890 3268 [ DB5BEA73EDAF19AC68B2C0FAD0F92B1A ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
12:02:48.0905 3268 Bonjour Service - ok
12:02:48.0921 3268 [ 35F376253F687BDE63976CCB3F2108CA ] bowser C:\Windows\system32\DRIVERS\bowser.sys
12:02:48.0921 3268 bowser - ok
12:02:48.0936 3268 [ 9F9ACC7F7CCDE8A15C282D3F88B43309 ] BrFiltLo C:\Windows\system32\drivers\brfiltlo.sys
12:02:48.0936 3268 BrFiltLo - ok
12:02:48.0952 3268 [ 56801AD62213A41F6497F96DEE83755A ] BrFiltUp C:\Windows\system32\drivers\brfiltup.sys
12:02:48.0952 3268 BrFiltUp - ok
12:02:48.0983 3268 [ A3629A0C4226F9E9C72FAAEEBC3AD33C ] Browser C:\Windows\System32\browser.dll
12:02:48.0983 3268 Browser - ok
12:02:48.0999 3268 [ B304E75CFF293029EDDF094246747113 ] Brserid C:\Windows\system32\drivers\brserid.sys
12:02:48.0999 3268 Brserid - ok
12:02:49.0014 3268 [ 203F0B1E73ADADBBB7B7B1FABD901F6B ] BrSerWdm C:\Windows\system32\drivers\brserwdm.sys
12:02:49.0014 3268 BrSerWdm - ok
12:02:49.0014 3268 [ BD456606156BA17E60A04E18016AE54B ] BrUsbMdm C:\Windows\system32\drivers\brusbmdm.sys
12:02:49.0014 3268 BrUsbMdm - ok
12:02:49.0030 3268 [ AF72ED54503F717A43268B3CC5FAEC2E ] BrUsbSer C:\Windows\system32\drivers\brusbser.sys
12:02:49.0030 3268 BrUsbSer - ok
12:02:49.0030 3268 [ AD07C1EC6665B8B35741AB91200C6B68 ] BTHMODEM C:\Windows\system32\drivers\bthmodem.sys
12:02:49.0030 3268 BTHMODEM - ok
12:02:49.0108 3268 [ 20F89E232173985A455BC9A5F70D1166 ] CCALib8 C:\Program Files\Canon\CAL\CALMAIN.exe
12:02:49.0108 3268 CCALib8 - ok
12:02:49.0108 3268 [ 7ADD03E75BEB9E6DD102C3081D29840A ] cdfs C:\Windows\system32\DRIVERS\cdfs.sys
12:02:49.0124 3268 cdfs - ok
12:02:49.0124 3268 [ 6B4BFFB9BECD728097024276430DB314 ] cdrom C:\Windows\system32\DRIVERS\cdrom.sys
12:02:49.0124 3268 cdrom - ok
12:02:49.0170 3268 [ 312EC3E37A0A1F2006534913E37B4423 ] CertPropSvc C:\Windows\System32\certprop.dll
12:02:49.0170 3268 CertPropSvc - ok
12:02:49.0202 3268 [ 25C323075C5EA4A2555E35355A01F793 ] cfwids C:\Windows\system32\drivers\cfwids.sys
12:02:49.0202 3268 cfwids - ok
12:02:49.0202 3268 [ E5D4133F37219DBCFE102BC61072589D ] circlass C:\Windows\system32\drivers\circlass.sys
12:02:49.0202 3268 circlass - ok
12:02:49.0248 3268 [ D7659D3B5B92C31E84E53C1431F35132 ] CLFS C:\Windows\system32\CLFS.sys
12:02:49.0248 3268 CLFS - ok
12:02:49.0389 3268 [ 8EE772032E2FE80A924F3B8DD5082194 ] clr_optimization_v2.0.50727_32 C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
12:02:49.0404 3268 clr_optimization_v2.0.50727_32 - ok
12:02:49.0498 3268 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
12:02:49.0545 3268 clr_optimization_v4.0.30319_32 - ok
12:02:49.0576 3268 [ 0CA25E686A4928484E9FDABD168AB629 ] cmdide C:\Windows\system32\drivers\cmdide.sys
12:02:49.0576 3268 cmdide - ok
12:02:49.0576 3268 [ 6AFEF0B60FA25DE07C0968983EE4F60A ] Compbatt C:\Windows\system32\drivers\compbatt.sys
12:02:49.0576 3268 Compbatt - ok
12:02:49.0592 3268 COMSysApp - ok
12:02:49.0592 3268 [ 741E9DFF4F42D2D8477D0FC1DC0DF871 ] crcdisk C:\Windows\system32\drivers\crcdisk.sys
12:02:49.0592 3268 crcdisk - ok
12:02:49.0607 3268 [ 1F07BECDCA750766A96CDA811BA86410 ] Crusoe C:\Windows\system32\drivers\crusoe.sys
12:02:49.0607 3268 Crusoe - ok
12:02:49.0670 3268 [ F1E8C34892336D33EDDCDFE44E474F64 ] CryptSvc C:\Windows\system32\cryptsvc.dll
12:02:49.0670 3268 CryptSvc - ok
12:02:49.0716 3268 [ 3B5B4D53FEC14F7476CA29A20CC31AC9 ] DcomLaunch C:\Windows\system32\rpcss.dll
12:02:49.0763 3268 DcomLaunch - ok
12:02:49.0779 3268 [ 622C41A07CA7E6DD91770F50D532CB6C ] DfsC C:\Windows\system32\Drivers\dfsc.sys
12:02:49.0779 3268 DfsC - ok
12:02:49.0872 3268 [ 2CC3DCFB533A1035B13DCAB6160AB38B ] DFSR C:\Windows\system32\DFSR.exe
12:02:49.0904 3268 DFSR - ok
12:02:49.0950 3268 [ 9028559C132146FB75EB7ACF384B086A ] Dhcp C:\Windows\System32\dhcpcsvc.dll
12:02:49.0950 3268 Dhcp - ok
12:02:49.0966 3268 [ 5D4AEFC3386920236A548271F8F1AF6A ] disk C:\Windows\system32\drivers\disk.sys
12:02:49.0966 3268 disk - ok
12:02:49.0997 3268 [ 57D762F6F5974AF0DA2BE88A3349BAAA ] Dnscache C:\Windows\System32\dnsrslvr.dll
12:02:50.0013 3268 Dnscache - ok
12:02:50.0028 3268 [ 324FD74686B1EF5E7C19A8AF49E748F6 ] dot3svc C:\Windows\System32\dot3svc.dll
12:02:50.0028 3268 dot3svc - ok
12:02:50.0060 3268 [ A622E888F8AA2F6B49E9BC466F0E5DEF ] DPS C:\Windows\system32\dps.dll
12:02:50.0060 3268 DPS - ok
12:02:50.0091 3268 [ 97FEF831AB90BEE128C9AF390E243F80 ] drmkaud C:\Windows\system32\drivers\drmkaud.sys
12:02:50.0091 3268 drmkaud - ok
12:02:50.0122 3268 [ C68AC676B0EF30CFBB1080ADCE49EB1F ] DXGKrnl C:\Windows\System32\drivers\dxgkrnl.sys
12:02:50.0138 3268 DXGKrnl - ok
12:02:50.0153 3268 [ 5425F74AC0C1DBD96A1E04F17D63F94C ] E1G60 C:\Windows\system32\DRIVERS\E1G60I32.sys
12:02:50.0153 3268 E1G60 - ok
12:02:50.0200 3268 [ C0B95E40D85CD807D614E264248A45B9 ] EapHost C:\Windows\System32\eapsvc.dll
12:02:50.0200 3268 EapHost - ok
12:02:50.0216 3268 [ 7F64EA048DCFAC7ACF8B4D7B4E6FE371 ] Ecache C:\Windows\system32\drivers\ecache.sys
12:02:50.0216 3268 Ecache - ok
12:02:50.0325 3268 [ 9BE3744D295A7701EB425332014F0797 ] ehRecvr C:\Windows\ehome\ehRecvr.exe
12:02:50.0325 3268 ehRecvr - ok
12:02:58.0250 3268 [ CAECC0120AC49E3D2F758B9169872D38 ] tunmp C:\Windows\system32\DRIVERS\tunmp.sys
12:02:58.0250 3268 tunmp - ok
12:02:58.0250 3268 [ 300DB877AC094FEAB0BE7688C3454A9C ] tunnel C:\Windows\system32\DRIVERS\tunnel.sys
12:02:58.0250 3268 tunnel - ok
12:02:58.0265 3268 [ 7D33C4DB2CE363C8518D2DFCF533941F ] uagp35 C:\Windows\system32\drivers\uagp35.sys
12:02:58.0265 3268 uagp35 - ok
12:02:58.0265 3268 [ D9728AF68C4C7693CB100B8441CBDEC6 ] udfs C:\Windows\system32\DRIVERS\udfs.sys
12:02:58.0265 3268 udfs - ok
12:02:58.0312 3268 [ ECEF404F62863755951E09C802C94AD5 ] UI0Detect C:\Windows\system32\UI0Detect.exe
12:02:58.0312 3268 UI0Detect - ok
12:02:58.0312 3268 [ B0ACFDC9E4AF279E9116C03E014B2B27 ] uliagpkx C:\Windows\system32\drivers\uliagpkx.sys
12:02:58.0312 3268 uliagpkx - ok
12:02:58.0328 3268 [ 9224BB254F591DE4CA8D572A5F0D635C ] uliahci C:\Windows\system32\drivers\uliahci.sys
12:02:58.0328 3268 uliahci - ok
12:02:58.0328 3268 [ 8514D0E5CD0534467C5FC61BE94A569F ] UlSata C:\Windows\system32\drivers\ulsata.sys
12:02:58.0343 3268 UlSata - ok
12:02:58.0343 3268 [ 38C3C6E62B157A6BC46594FADA45C62B ] ulsata2 C:\Windows\system32\drivers\ulsata2.sys
12:02:58.0343 3268 ulsata2 - ok
12:02:58.0359 3268 [ 32CFF9F809AE9AED85464492BF3E32D2 ] umbus C:\Windows\system32\DRIVERS\umbus.sys
12:02:58.0359 3268 umbus - ok
12:02:58.0374 3268 [ 68308183F4AE0BE7BF8ECD07CB297999 ] upnphost C:\Windows\System32\upnphost.dll
12:02:58.0374 3268 upnphost - ok
12:02:58.0406 3268 [ EAFE1E00739AFE6C51487A050E772E17 ] USBAAPL C:\Windows\system32\Drivers\usbaapl.sys
12:02:58.0406 3268 USBAAPL - ok
12:02:58.0437 3268 [ CAF811AE4C147FFCD5B51750C7F09142 ] usbccgp C:\Windows\system32\DRIVERS\usbccgp.sys
12:02:58.0437 3268 usbccgp - ok
12:02:58.0437 3268 [ E9476E6C486E76BC4898074768FB7131 ] usbcir C:\Windows\system32\drivers\usbcir.sys
12:02:58.0437 3268 usbcir - ok
12:02:58.0452 3268 [ 79E96C23A97CE7B8F14D310DA2DB0C9B ] usbehci C:\Windows\system32\DRIVERS\usbehci.sys
12:02:58.0452 3268 usbehci - ok
12:02:58.0452 3268 [ 4673BBCB006AF60E7ABDDBE7A130BA42 ] usbhub C:\Windows\system32\DRIVERS\usbhub.sys
12:02:58.0452 3268 usbhub - ok
12:02:58.0468 3268 [ CE697FEE0D479290D89BEC80DFE793B7 ] usbohci C:\Windows\system32\DRIVERS\usbohci.sys
12:02:58.0468 3268 usbohci - ok
12:02:58.0484 3268 [ E75C4B5269091D15A2E7DC0B6D35F2F5 ] usbprint C:\Windows\system32\DRIVERS\usbprint.sys
12:02:58.0484 3268 usbprint - ok
12:02:58.0484 3268 [ BE3DA31C191BC222D9AD503C5224F2AD ] USBSTOR C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:02:58.0484 3268 USBSTOR - ok
12:02:58.0499 3268 [ 814D653EFC4D48BE3B04A307ECEFF56F ] usbuhci C:\Windows\system32\DRIVERS\usbuhci.sys
12:02:58.0499 3268 usbuhci - ok
12:02:58.0530 3268 [ 1509E705F3AC1D474C92454A5C2DD81F ] UxSms C:\Windows\System32\uxsms.dll
12:02:58.0530 3268 UxSms - ok
12:02:58.0546 3268 [ CD88D1B7776DC17A119049742EC07EB4 ] vds C:\Windows\System32\vds.exe
12:02:58.0562 3268 vds - ok
12:02:58.0577 3268 [ 87B06E1F30B749A114F74622D013F8D4 ] vga C:\Windows\system32\DRIVERS\vgapnp.sys
12:02:58.0577 3268 vga - ok
12:02:58.0593 3268 [ 2E93AC0A1D8C79D019DB6C51F036636C ] VgaSave C:\Windows\System32\drivers\vga.sys
12:02:58.0593 3268 VgaSave - ok
12:02:58.0593 3268 [ 5D7159DEF58A800D5781BA3A879627BC ] viaagp C:\Windows\system32\drivers\viaagp.sys
12:02:58.0593 3268 viaagp - ok
12:02:58.0608 3268 [ C4F3A691B5BAD343E6249BD8C2D45DEE ] ViaC7 C:\Windows\system32\drivers\viac7.sys
12:02:58.0608 3268 ViaC7 - ok
12:02:58.0608 3268 [ AADF5587A4063F52C2C3FED7887426FC ] viaide C:\Windows\system32\drivers\viaide.sys
12:02:58.0608 3268 viaide - ok
12:02:58.0624 3268 [ 69503668AC66C77C6CD7AF86FBDF8C43 ] volmgr C:\Windows\system32\drivers\volmgr.sys
12:02:58.0624 3268 volmgr - ok
12:02:58.0640 3268 [ 23E41B834759917BFD6B9A0D625D0C28 ] volmgrx C:\Windows\system32\drivers\volmgrx.sys
12:02:58.0671 3268 volmgrx - ok
12:02:58.0671 3268 [ 786DB5771F05EF300390399F626BF30A ] volsnap C:\Windows\system32\drivers\volsnap.sys
12:02:58.0671 3268 volsnap - ok
12:02:58.0686 3268 [ 587253E09325E6BF226B299774B728A9 ] vsmraid C:\Windows\system32\drivers\vsmraid.sys
12:02:58.0686 3268 vsmraid - ok
12:02:58.0733 3268 [ DB3D19F850C6EB32BDCB9BC0836ACDDB ] VSS C:\Windows\system32\vssvc.exe
12:02:58.0764 3268 VSS - ok
12:02:58.0780 3268 [ 96EA68B9EB310A69C25EBB0282B2B9DE ] W32Time C:\Windows\system32\w32time.dll
12:02:58.0780 3268 W32Time - ok
12:02:58.0796 3268 [ 48DFEE8F1AF7C8235D4E626F0C4FE031 ] WacomPen C:\Windows\system32\drivers\wacompen.sys
12:02:58.0796 3268 WacomPen - ok
12:02:58.0796 3268 [ 55201897378CCA7AF8B5EFD874374A26 ] Wanarp C:\Windows\system32\DRIVERS\wanarp.sys
12:02:58.0796 3268 Wanarp - ok
12:02:58.0811 3268 [ 55201897378CCA7AF8B5EFD874374A26 ] Wanarpv6 C:\Windows\system32\DRIVERS\wanarp.sys
12:02:58.0811 3268 Wanarpv6 - ok
12:02:58.0842 3268 [ A3CD60FD826381B49F03832590E069AF ] wcncsvc C:\Windows\System32\wcncsvc.dll
12:02:58.0842 3268 wcncsvc - ok
12:02:58.0858 3268 [ 11BCB7AFCDD7AADACB5746F544D3A9C7 ] WcsPlugInService C:\Windows\System32\WcsPlugInService.dll
12:02:58.0874 3268 WcsPlugInService - ok
12:02:58.0874 3268 [ 78FE9542363F297B18C027B2D7E7C07F ] Wd C:\Windows\system32\drivers\wd.sys
12:02:58.0874 3268 Wd - ok
12:02:58.0905 3268 [ A840213F1ACDCC175B4D1D5AAEAC0D7A ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
12:02:58.0920 3268 Wdf01000 - ok
12:02:58.0920 3268 [ ABFC76B48BB6C96E3338D8943C5D93B5 ] WdiServiceHost C:\Windows\system32\wdi.dll
12:02:58.0920 3268 WdiServiceHost - ok
12:02:58.0920 3268 [ ABFC76B48BB6C96E3338D8943C5D93B5 ] WdiSystemHost C:\Windows\system32\wdi.dll
12:02:58.0936 3268 WdiSystemHost - ok
12:02:58.0967 3268 [ 04C37D8107320312FBAE09926103D5E2 ] WebClient C:\Windows\System32\webclnt.dll
12:02:58.0967 3268 WebClient - ok
12:02:58.0983 3268 [ AE3736E7E8892241C23E4EBBB7453B60 ] Wecsvc C:\Windows\system32\wecsvc.dll
12:02:58.0983 3268 Wecsvc - ok
12:02:58.0998 3268 [ 670FF720071ED741206D69BD995EA453 ] wercplsupport C:\Windows\System32\wercplsupport.dll
12:02:58.0998 3268 wercplsupport - ok
12:02:58.0998 3268 [ 32B88481D3B326DA6DEB07B1D03481E7 ] WerSvc C:\Windows\System32\WerSvc.dll
12:02:58.0998 3268 WerSvc - ok
12:02:59.0045 3268 [ 4575AA12561C5648483403541D0D7F2B ] WinDefend C:\Program Files\Windows Defender\mpsvc.dll
12:02:59.0061 3268 WinDefend - ok
12:02:59.0061 3268 WinHttpAutoProxySvc - ok
12:02:59.0139 3268 [ 6B2A1D0E80110E3D04E6863C6E62FD8A ] Winmgmt C:\Windows\system32\wbem\WMIsvc.dll
12:02:59.0139 3268 Winmgmt - ok
12:02:59.0186 3268 [ 7CFE68BDC065E55AA5E8421607037511 ] WinRM C:\Windows\system32\WsmSvc.dll
12:02:59.0217 3268 WinRM - ok
12:02:59.0248 3268 [ C008405E4FEEB069E30DA1D823910234 ] Wlansvc C:\Windows\System32\wlansvc.dll
12:02:59.0264 3268 Wlansvc - ok
12:02:59.0279 3268 [ 2E7255D172DF0B8283CDFB7B433B864E ] WmiAcpi C:\Windows\system32\DRIVERS\wmiacpi.sys
12:02:59.0279 3268 WmiAcpi - ok
12:02:59.0326 3268 [ 43BE3875207DCB62A85C8C49970B66CC ] wmiApSrv C:\Windows\system32\wbem\WmiApSrv.exe
12:02:59.0326 3268 wmiApSrv - ok
12:02:59.0373 3268 [ 3978704576A121A9204F8CC49A301A9B ] WMPNetworkSvc C:\Program Files\Windows Media Player\wmpnetwk.exe
12:02:59.0388 3268 WMPNetworkSvc - ok
12:02:59.0404 3268 [ CFC5A04558F5070CEE3E3A7809F3FF52 ] WPCSvc C:\Windows\System32\wpcsvc.dll
12:02:59.0420 3268 WPCSvc - ok
12:02:59.0420 3268 [ 801FBDB89D472B3C467EB112A0FC9246 ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
12:02:59.0435 3268 WPDBusEnum - ok
12:02:59.0466 3268 [ DE9D36F91A4DF3D911626643DEBF11EA ] WpdUsb C:\Windows\system32\DRIVERS\wpdusb.sys
12:02:59.0466 3268 WpdUsb - ok
12:02:59.0654 3268 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
12:02:59.0669 3268 WPFFontCache_v0400 - ok
12:02:59.0685 3268 [ E3A3CB253C0EC2494D4A61F5E43A389C ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
12:02:59.0685 3268 ws2ifsl - ok
12:02:59.0700 3268 [ 1CA6C40261DDC0425987980D0CD2AAAB ] wscsvc C:\Windows\System32\wscsvc.dll
12:02:59.0716 3268 wscsvc - ok
12:02:59.0716 3268 WSearch - ok
12:02:59.0763 3268 [ FC3EC24FCE372C89423E015A2AC1A31E ] wuauserv C:\Windows\system32\wuaueng.dll
12:02:59.0810 3268 wuauserv - ok
12:02:59.0841 3268 [ 06E6F32C8D0A3F66D956F57B43A2E070 ] WudfPf C:\Windows\system32\drivers\WudfPf.sys
12:02:59.0841 3268 WudfPf - ok
12:02:59.0872 3268 [ 867C301E8B790040AE9CF6486E8041DF ] WUDFRd C:\Windows\system32\DRIVERS\WUDFRd.sys
12:02:59.0872 3268 WUDFRd - ok
12:02:59.0888 3268 [ FE47B7BC8EA320C2D9B5E5BF6E303765 ] wudfsvc C:\Windows\System32\WUDFSvc.dll
12:02:59.0903 3268 wudfsvc - ok
12:02:59.0903 3268 ================ Scan global ===============================
12:02:59.0934 3268 [ F31EEBC1A1C81FD04005489CC3DCDFE7 ] C:\Windows\system32\basesrv.dll
12:02:59.0981 3268 [ A508314231C49AEE86987CEA3EAECAD1 ] C:\Windows\system32\winsrv.dll
12:02:59.0997 3268 [ A508314231C49AEE86987CEA3EAECAD1 ] C:\Windows\system32\winsrv.dll
12:03:00.0044 3268 [ D4E6D91C1349B7BFB3599A6ADA56851B ] C:\Windows\system32\services.exe
12:03:00.0044 3268 [Global] - ok
12:03:00.0059 3268 ================ Scan MBR ==================================
12:03:00.0075 3268 [ 5C616939100B85E558DA92B899A0FC36 ] \Device\Harddisk0\DR0
12:03:00.0402 3268 \Device\Harddisk0\DR0 - ok
12:03:00.0402 3268 ================ Scan VBR ==================================
12:03:00.0418 3268 [ 1564506FC0713D153B896AD06C0F6C1F ] \Device\Harddisk0\DR0\Partition1
12:03:00.0418 3268 \Device\Harddisk0\DR0\Partition1 - ok
12:03:00.0418 3268 ============================================================
12:03:00.0418 3268 Scan finished
12:03:00.0418 3268 ============================================================
12:03:00.0434 3260 Detected object count: 1
12:03:00.0434 3260 Actual detected object count: 1


----------



## xelahart (Apr 29, 2009)

FYI

The file TDSSKiller.exe is not available at that link. Perhaps it has been moved. I had to do a search on the Kaspersky site to find it.

I found it here: http://support.kaspersky.com/5353?el=88446


----------



## Cookiegal (Aug 27, 2003)

Yes thanks. I found out they had changed the link after.

Please visit *Combofix Guide & Instructions* for instructions for installing the Recovery Console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices (don't worry, the keyboard and mouse will still function) to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.


----------



## xelahart (Apr 29, 2009)

OK that seems to have completely fried the computer!

Some background:
1)
I couldn't save the ComboFix.exe file to the desktop, so I had to run it from the webpage. I can't save anything except notepad files. Within IE or any MS Office product (and probably other programs as well) the dialogue boxes that are supposed to pop up when you click Save As or Print don't pop up. Hence every log I have posted so far has been from something run from a webpage rather than saved to the desktop and run. It also means I was not able to rename it puppy.exe.
2)
As soon as ComboFix started it warned me that I have 2 McAfee programs running which will interfere with it and asked me to stop them. I tried but could not work out how to do it. I opened McAfee and turned off everything it would let me turn off. Then I opened Task Manager and ended every process associated with McAfee that it would let me turn off (many of them just refused to end). I went through a few cycles of opening and closing McAfee and closing every McAfee process in Task Manager, until eventually there were no McAfee processes showing in Task Manager. However when I clicked continue on ComboFix it said the 2 programs were still running and I proceed at my own risk.

The result:
I spotted a few "failed" and similar messages as the programme ran. Then saw that everything had closed and there was a notepad file open with the report. I was able to save this (Notepad is the only thing that lets me save).
When I tried to open IE to post the report I got an error message about the registry file, something about attempting an illegal operation on a registry file marked for deletion. I tried using various shortcuts on the desktop, in the Start menu and even going into Programme Files in My Computer and trying to run iexplorer.exe directly - all gave me the same error message.
I tried to restart the computer. It shut down ok, loaded as far as the screen where I choose a login, but after I had chosen one it hung for 15 minutes before I powered it down.
I am now posting this from another computer. If I can't make the sick computer turn on any more I don't know how I am going to post the ComboFix report.


----------



## xelahart (Apr 29, 2009)

Hmm...
A few cycles of trying to start it up and powering it down when it hung seem to have cleared it up. At least it has started this time. I will post the ComboFix log in the next post.


----------



## xelahart (Apr 29, 2009)

ComboFix 13-05-25.02 - Hart 26/05/2013 13:21:18.1.4 - x86 NETWORK
Microsoft® Windows Vista Home Premium 6.0.6002.2.1252.44.1033.18.3070.2463 [GMT 1:00]
Running from: c:\users\Hart\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\SEC8B01.tmp
c:\users\Hart\AppData\Local\tsMuxeR.exe
c:\users\Hart\GoToAssistDownloadHelper.exe
c:\windows\system32\SET149D.tmp
c:\windows\system32\SETFEB2.tmp
.
.
((((((((((((((((((((((((( Files Created from 2013-04-26 to 2013-05-26 )))))))))))))))))))))))))))))))
.
.
2013-05-26 12:28 . 2013-05-26 12:28 -------- d-----w- c:\users\UpdatusUser.Hart-PC\AppData\Local\temp
2013-05-26 12:28 . 2013-05-26 12:28 -------- d-----w- c:\users\Emma (i-pod)\AppData\Local\temp
2013-05-26 12:28 . 2013-05-26 12:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-26 12:28 . 2013-05-26 12:28 -------- d-----w- c:\users\Alex\AppData\Local\temp
2013-05-26 12:28 . 2013-05-26 12:29 -------- d-----w- c:\users\Hart\AppData\Local\temp
2013-05-14 00:26 . 2013-05-14 00:26 -------- d-----w- c:\programdata\WindowsSearch
2013-05-01 19:15 . 2013-03-03 19:07 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-26 10:45 . 2012-04-01 14:47 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-26 10:45 . 2011-07-09 16:11 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-11 13:25 . 2013-04-11 19:54 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-11 13:25 . 2013-04-11 19:54 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-09 03:45 . 2013-04-11 19:54 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-09 01:28 . 2013-04-11 19:54 64000 ----a-w- c:\windows\system32\smss.exe
2013-03-08 03:53 . 2013-04-11 19:54 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 03:52 . 2013-04-11 19:54 2067968 ----a-w- c:\windows\system32\mstscax.dll
2013-03-06 20:48 . 2013-03-06 20:48 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-06 20:48 . 2012-06-14 12:31 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-06 20:48 . 2010-04-25 15:54 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-05 01:40 . 2013-04-11 19:54 2049024 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-26 6139904]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-13 1278064]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 10:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=1008&m=imedia_x2416
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-eRecoveryService - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-{5C82DAE5-6EB0-4374-9254-BE3319BAE82} - c:\progra~1\Skype\RunCmd.exe
AddRemove-{980B9958-1239-4FC5-8C88-AC5650321033} - c:\progra~1\Nero\RunCmd.exe
AddRemove-{CE9033AD-CBAE-4EDF-989A-BC479FBC6F1F} - c:\progra~1\Online Services\internet from BT\RunCmd.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-26 13:29
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-05-26 13:32:04
ComboFix-quarantined-files.txt 2013-05-26 12:32
.
Pre-Run: 361,621,344,256 bytes free
Post-Run: 362,090,639,360 bytes free
.
- - End Of File - - FCD3820A94B64567ABB4A63E5205C2F1


----------



## xelahart (Apr 29, 2009)

FYI
Between those last 2 posts I went through another cycle of freeze, power down, startup.

Also:
If uninstalling McAfee will help with the diagnostics I am happy to do this, but given the computer won't allow me to do much at the moment this may prove tricky.


----------



## Cookiegal (Aug 27, 2003)

It looks like you were able to save ComboFix but in the wrong place.

Anyway, please do the following:

Download *OTS.exe* to your Desktop.

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Double-click on *OTS.exe* to start the program.
At the top put a check mark in the box beside "Scan All Users".
Under the *Additional Scans* section put a check in the box next to Disabled MS Config Items, NetSvcs and EventViewer logs (Last 10 errors).
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## xelahart (Apr 29, 2009)

Yes, if I click 'Save' or 'Save and Run' it saves the file somewhere but I can't control or see where. I had to do the same with OTS. Log below.


```
OTS logfile created on: 27/05/2013 10:41:31 - Run 1
OTS by OldTimer - Version 3.1.47.2     Folder = C:\Users\Hart\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
 
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 586.17 Gb Total Space | 337.79 Gb Free Space | 57.63% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: HART-PC
Current User Name: Hart
Logged in as Administrator.
 
Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
ots.exe -> C:\Users\Hart\Downloads\OTS.exe -> [2013/05/27 10:40:00 | 000,646,656 | ---- | M] (OldTimer Tools)
mfevtps.exe -> C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -> [2013/02/19 15:12:14 | 000,172,416 | ---- | M] (McAfee, Inc.)
mfefire.exe -> C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -> [2013/02/19 15:08:52 | 000,169,320 | ---- | M] (McAfee, Inc.)
mcsvhost.exe -> C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -> [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.)
explorer.exe -> C:\Windows\explorer.exe -> [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
 
[Modules - No Company Name]
[Win32 Services - Safe List]
(AdobeFlashPlayerUpdateSvc) Adobe Flash Player Update Service [On_Demand | Stopped] -> C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -> [2013/05/26 11:45:27 | 000,256,904 | ---- | M] (Adobe Systems Incorporated)
(RapportMgmtService) Rapport Management Service [Auto | Stopped] -> C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -> [2013/04/02 13:15:56 | 001,124,184 | ---- | M] (Trusteer Ltd.)
(nvUpdatusService) NVIDIA Update Service Daemon [Auto | Stopped] -> C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -> [2013/02/19 21:32:08 | 001,259,296 | ---- | M] (NVIDIA Corporation)
(mfevtp) McAfee Validation Trust Protection Service [Unknown | Running] -> C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -> [2013/02/19 15:12:14 | 000,172,416 | ---- | M] (McAfee, Inc.)
(mfefire) McAfee Firewall Core Service [Unknown | Running] -> C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -> [2013/02/19 15:08:52 | 000,169,320 | ---- | M] ()
(McShield) McAfee McShield [Unknown | Stopped] -> C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -> [2013/02/19 15:06:50 | 000,203,840 | ---- | M] ()
(McComponentHostService) McAfee Security Scan Component Host Service [On_Demand | Stopped] -> C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe -> [2013/02/05 16:48:00 | 000,235,216 | ---- | M] (McAfee, Inc.)
(McAfee SiteAdvisor Service) McAfee SiteAdvisor Service [Auto | Stopped] -> C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -> [2012/12/04 11:54:14 | 000,095,232 | ---- | M] (McAfee, Inc.)
(McODS) McAfee Scanner [On_Demand | Stopped] -> C:\Program Files\McAfee\VirusScan\mcods.exe -> [2012/11/16 22:07:20 | 000,279,048 | ---- | M] (McAfee, Inc.)
(McProxy) McAfee Proxy Service [Auto | Stopped] -> C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -> [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.)
(McNASvc) McAfee Network Agent [Auto | Stopped] -> C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -> [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.)
(McNaiAnn) McAfee VirusScan Announcer [Auto | Stopped] -> C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -> [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.)
(mcmscsvc) McAfee Services [Auto | Running] -> C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -> [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.)
(McMPFSvc) McAfee Personal Firewall Service [Unknown | Running] -> C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -> [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.)
(LeapFrog Connect Device Service) LeapFrog Connect Device Service [Auto | Stopped] -> C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -> [2012/07/05 18:41:08 | 007,392,136 | ---- | M] (LeapFrog Enterprises, Inc.)
(FLEXnet Licensing Service) FLEXnet Licensing Service [On_Demand | Stopped] -> C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> [2008/08/21 22:08:35 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.)
(ETService) Empowering Technology Service [Auto | Stopped] -> C:\Program Files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe -> [2008/07/16 14:00:00 | 000,024,576 | ---- | M] ()
(WinDefend) Windows Defender [On_Demand | Stopped] -> C:\Program Files\Windows Defender\MpSvc.dll -> [2008/01/21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation)
(AdobeActiveFileMonitor6.0) Adobe Active File Monitor V6 [Auto | Stopped] -> C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -> [2007/09/11 00:45:04 | 000,124,832 | ---- | M] ()
(CCALib8) Canon Camera Access Library 8 [Auto | Stopped] -> C:\Program Files\Canon\CAL\CALMAIN.exe -> [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.)
 
[Driver Services - Safe List]
(RapportEI) RapportEI [Kernel | System | Stopped] -> C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -> [2013/04/02 13:16:10 | 000,102,680 | ---- | M] (Trusteer Ltd.)
(RapportPG) RapportPG [Kernel | System | Stopped] -> C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -> [2013/04/02 13:16:08 | 000,173,880 | ---- | M] (Trusteer Ltd.)
(RapportCerberus_51755) RapportCerberus_51755 [Kernel | System | Stopped] -> C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_51755.sys -> [2013/04/01 14:05:08 | 000,317,112 | ---- | M] ()
(nvlddmkm) nvlddmkm [Kernel | On_Demand | Stopped] -> C:\Windows\System32\drivers\nvlddmkm.sys -> [2013/02/19 21:32:54 | 010,919,200 | ---- | M] (NVIDIA Corporation)
(cfwids) McAfee Inc. cfwids [Kernel | Unknown | Running] -> C:\Windows\System32\drivers\cfwids.sys -> [2013/02/19 15:15:04 | 000,060,920 | ---- | M] (McAfee, Inc.)
(mfewfpk) McAfee Inc. mfewfpk [Kernel | Unknown | Running] -> C:\Windows\System32\drivers\mfewfpk.sys -> [2013/02/19 15:12:24 | 000,210,608 | ---- | M] (McAfee, Inc.)
(mferkdet) McAfee Inc. mferkdet [Kernel | Unknown | Stopped] -> C:\Windows\System32\drivers\mferkdet.sys -> [2013/02/19 15:10:52 | 000,092,632 | ---- | M] (McAfee, Inc.)
(mfehidk) McAfee Inc. mfehidk [Kernel | Unknown | Running] -> C:\Windows\System32\drivers\mfehidk.sys -> [2013/02/19 15:09:52 | 000,565,888 | ---- | M] (McAfee, Inc.)
(mfefirek) McAfee Inc. mfefirek [Kernel | Unknown | Running] -> C:\Windows\System32\drivers\mfefirek.sys -> [2013/02/19 15:09:02 | 000,363,080 | ---- | M] (McAfee, Inc.)
(mfebopk) McAfee Inc. mfebopk [Kernel | Unknown | Stopped] -> C:\Windows\System32\drivers\mfebopk.sys -> [2013/02/19 15:08:40 | 000,065,928 | ---- | M] (McAfee, Inc.)
(mfeavfk) McAfee Inc. mfeavfk [Kernel | Unknown | Stopped] -> C:\Windows\System32\drivers\mfeavfk.sys -> [2013/02/19 15:08:20 | 000,235,264 | ---- | M] (McAfee, Inc.)
(mfeapfk) McAfee Inc. mfeapfk [Kernel | Unknown | Stopped] -> C:\Windows\System32\drivers\mfeapfk.sys -> [2013/02/19 15:07:50 | 000,133,416 | ---- | M] (McAfee, Inc.)
(RapportKELL) RapportKELL [Kernel | Boot | Stopped] -> C:\Windows\System32\Drivers\RapportKELL.sys -> [2012/07/29 20:52:38 | 000,102,008 | ---- | M] (Trusteer Ltd.)
(sptd) sptd [Kernel | Boot | Running] -> C:\Windows\System32\Drivers\sptd.sys -> [2012/04/24 20:40:19 | 000,721,904 | ---- | M] ()
(HipShieldK) McAfee Inc. HipShieldK [Kernel | On_Demand | Stopped] -> C:\Windows\System32\drivers\HipShieldK.sys -> [2012/04/20 16:40:44 | 000,146,872 | ---- | M] (McAfee, Inc.)
(RapportBuka) RapportBuka [Kernel | System | Stopped] -> C:\Windows\System32\drivers\RapportBuka.sys -> [2010/02/28 13:32:52 | 000,390,528 | ---- | M] (Trusteer Ltd.)
(mcdbus) Driver for MagicISO SCSI Host Controller [Kernel | On_Demand | Running] -> C:\Windows\System32\drivers\mcdbus.sys -> [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.)
(NVHDA) Service for NVIDIA High Definition Audio Driver [Kernel | On_Demand | Stopped] -> C:\Windows\System32\drivers\nvhda32v.sys -> [2008/08/05 05:29:26 | 000,044,576 | ---- | M] (NVIDIA Corporation)
(int15) int15 [Kernel | Auto | Stopped] -> C:\Windows\System32\drivers\int15.sys -> [2008/07/16 13:56:06 | 000,015,392 | ---- | M] (Acer, Inc.)
(nvstor32) nvstor32 [Kernel | Boot | Running] -> C:\Windows\system32\DRIVERS\nvstor32.sys -> [2008/06/06 12:13:10 | 000,145,440 | ---- | M] (NVIDIA Corporation)
(s116bus) Sony Ericsson Device 116 driver (WDM) [Kernel | On_Demand | Stopped] -> C:\Windows\System32\drivers\s116bus.sys -> [2007/04/03 14:57:42 | 000,083,336 | ---- | M] (MCCI Corporation)
(RTL8169) Realtek 8169 NT Driver [Kernel | On_Demand | Running] -> C:\Windows\System32\drivers\Rtlh86.sys -> [2006/11/02 08:30:56 | 000,044,544 | ---- | M] (Realtek Corporation)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=1008&m=imedia_x2416 -> 
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> -> 
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> -> 
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\] > -> -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: Main\\"SearchDefaultBranded" -> 1 -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: Main\\"Start Page" -> http://www.google.co.uk/ -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: Main\\"StartPageCache" -> 1 -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: URLSearchHooks\\"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" [HKLM] -> c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll [McAfee SiteAdvisor Toolbar] -> [2012/12/04 11:46:56 | 000,262,080 | ---- | M] (McAfee, Inc.)
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: "ProxyEnable" -> 0 -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: "ProxyOverride" -> *.local -> 
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
HKLM\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92} -> C:\Program Files\McAfee\SiteAdvisor [C:\PROGRAM FILES\MCAFEE\SITEADVISOR] -> [2013/05/14 00:56:30 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60} -> C:\Program Files\Common Files\McAfee\SystemCore [C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE] -> [2013/05/14 00:56:25 | 000,000,000 | ---D | M]
< FireFox Extensions [User Folders] > -> 
< HOSTS File > ([2013/05/26 13:29:06 | 000,000,027 | ---- | M] - 1 lines) -> C:\Windows\System32\drivers\etc\hosts -> 
Reset Hosts
127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2011/08/30 20:57:33 | 000,061,888 | ---- | M] (Adobe Systems Incorporated)
{0E8A89AD-95D7-40EB-8D9D-083EF7066A01} [HKLM] -> C:\Program Files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll [MSS+ Identifier] -> [2013/02/05 16:47:56 | 000,094,112 | ---- | M] (McAfee, Inc.)
{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{6D53EC84-6AAE-4787-AEEE-F4628F01010C} [HKLM] ->  [Symantec Intrusion Prevention] -> File not found
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> C:\Program Files\Java\jre7\bin\ssv.dll [Java(tm) Plug-In SSV Helper] -> [2013/03/06 21:48:02 | 000,461,216 | ---- | M] (Oracle Corporation)
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} [HKLM] -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120706041929.dll [scriptproxy] -> [2012/05/25 17:09:18 | 000,079,776 | ---- | M] (McAfee, Inc.)
{B164E929-A1B6-4A06-B104-2CD0E90A88FF} [HKLM] -> c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll [McAfee SiteAdvisor BHO] -> [2012/12/04 11:46:56 | 000,262,080 | ---- | M] (McAfee, Inc.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [Java(tm) Plug-In 2 SSV Helper] -> [2013/03/06 21:48:02 | 000,170,912 | ---- | M] (Oracle Corporation)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" [HKLM] -> c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll [McAfee SiteAdvisor Toolbar] -> [2012/12/04 11:46:56 | 000,262,080 | ---- | M] (McAfee, Inc.)
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"mcui_exe" -> C:\Program Files\McAfee.com\Agent\mcagent.exe ["C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey] -> [2013/03/13 18:40:08 | 001,278,064 | ---- | M] (McAfee, Inc.)
"RtHDVCpl" -> C:\Windows\RtHDVCpl.exe [RtHDVCpl.exe] -> [2008/06/26 08:56:10 | 006,139,904 | ---- | M] (Realtek Semiconductor)
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< Software Policy Settings [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< Internet Explorer Menu Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\ -> 
E&xport to Microsoft Excel ->  [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> File not found
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\ -> 
E&xport to Microsoft Excel ->  [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{CB50428B-657F-47DF-9B32-671F82AA73F7} [HKLM] -> http://www.photodex.com/pxplay.cab [Photodex Presenter AX control] -> 
{E2883E8F-472F-4FB0-9522-AC9BF37916A7} [HKLM] -> http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [Reg Error: Key error.] -> 
Garmin Communicator Plug-In [HKLM] -> https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB [Reg Error: Key error.] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 192.168.1.254 192.168.1.254 -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{27FA60FB-5855-47ED-90FC-73C7DFD953D2}\\DhcpNameServer -> 192.168.1.254 192.168.1.254   (Realtek RTL8101 Family PCI-E Fast Ethernet NIC (NDIS 6.0)) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\Windows\explorer.exe -> [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\Windows\system32\userinit.exe -> C:\Windows\System32\userinit.exe -> [2008/01/21 03:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  -> 
C:\autoexec.bat [REM Dummy file for NTVDM | ] -> C:\autoexec.bat [ NTFS ] -> [2006/09/18 22:43:36 | 000,000,024 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = ComFile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 
 
[Registry - Additional Scans - Safe List]
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost > -> ->
*netsvcs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs ->
FastUserSwitchingCompatibility ->  -> File not found
Ias -> C:\Windows\System32\ias.dll -> [2008/01/21 03:24:07 | 000,018,944 | ---- | M] (Microsoft Corporation)
Nla ->  -> File not found
Ntmssvc ->  -> File not found
NWCWorkstation ->  -> File not found
Nwsapagent ->  -> File not found
SRService ->  -> File not found
WmdmPmSp ->  -> File not found
LogonHours ->  -> File not found
PCAudit ->  -> File not found
helpsvc ->  -> File not found
uploadmgr ->  -> File not found
*MultiFile Done* -> -> 
< EventViewer Logs - Last 10 Errors > -> Event Information -> Description
Application [ Error ] 06/01/2012 12:49:26 Computer Name = Hart-PC | Source = Application Error | ID = 1000 -> Description = Faulting application NMIndexStoreSvr.exe, version 3.3.4.0, time stamp 0x4811da19, faulting module NMIndexStoreSvr.exe, version 3.3.4.0, time stamp 0x4811da19, exception code 0xc0000005, fault offset 0x000c463c,  process id 0xc4c, application start time 0x01cccc93083c22c8.
Application [ Error ] 06/01/2012 12:49:44 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 06/01/2012 13:28:04 Computer Name = Hart-PC | Source = McLogEvent | ID = 5051 -> Description = A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.    The process will be terminated.  Thread id : 4940 (0x134c)    Thread address : 0x77C55CA4    Thread message :      Build VSCORE.14.4.0.380 / 5400.1158   Object being scanned = \Device\HarddiskVolume2\Program Files\McAfee\MSC\mcinfo.exe   by C:\Windows\system32\svchost.exe   4(0)(0)   4(0)(0)   7200(0)(0)   7595(0)(0)   7005(0)(0)   7004(0)(0)   5006(0)(0)   5004(0)(0)  
Application [ Error ] 06/01/2012 16:36:36 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 07/01/2012 04:56:36 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 07/01/2012 10:22:25 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 08/01/2012 09:09:05 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 08/01/2012 12:11:54 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 10/01/2012 13:40:39 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 10/01/2012 15:47:05 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
OSession [ Error ] 04/11/2011 14:24:29 Computer Name = Hart-PC | Source = Microsoft Office 12 Sessions | ID = 7001 -> Description = ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 16 seconds with 0 seconds of active time.  This session ended with a crash.
System [ Error ] 26/05/2013 09:32:46 Computer Name = Hart-PC | Source = DCOM | ID = 10005 -> Description = 
System [ Error ] 27/05/2013 05:37:33 Computer Name = Hart-PC | Source = Dhcp | ID = 1002 -> Description = The IP address lease 192.168.1.68 for the Network Card with network address 0021973496CB has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
System [ Error ] 27/05/2013 05:37:52 Computer Name = Hart-PC | Source = DCOM | ID = 10005 -> Description = 
System [ Error ] 27/05/2013 05:38:00 Computer Name = Hart-PC | Source = DCOM | ID = 10005 -> Description = 
System [ Error ] 27/05/2013 05:38:01 Computer Name = Hart-PC | Source = DCOM | ID = 10005 -> Description = 
System [ Error ] 27/05/2013 05:38:03 Computer Name = Hart-PC | Source = DCOM | ID = 10005 -> Description = 
System [ Error ] 27/05/2013 05:38:08 Computer Name = Hart-PC | Source = DCOM | ID = 10005 -> Description = 
System [ Error ] 27/05/2013 05:38:55 Computer Name = Hart-PC | Source = Service Control Manager | ID = 7001 -> Description = 
System [ Error ] 27/05/2013 05:38:55 Computer Name = Hart-PC | Source = Service Control Manager | ID = 7026 -> Description = 
System [ Error ] 27/05/2013 05:41:51 Computer Name = Hart-PC | Source = DCOM | ID = 10005 -> Description = 
 
[Files/Folders - Created Within 30 Days]
 McAfee -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee -> [2013/05/27 10:44:04 | 000,000,000 | ---D | C]
 temp -> C:\Windows\temp -> [2013/05/26 13:32:06 | 000,000,000 | ---D | C]
 temp -> C:\Users\Hart\AppData\Local\temp -> [2013/05/26 13:32:06 | 000,000,000 | ---D | C]
 $RECYCLE.BIN -> C:\$RECYCLE.BIN -> [2013/05/26 13:31:04 | 000,000,000 | -HSD | C]
 SWREG.exe -> C:\Windows\SWREG.exe -> [2013/05/26 13:17:16 | 000,518,144 | ---- | C] (SteelWerX)
 SWSC.exe -> C:\Windows\SWSC.exe -> [2013/05/26 13:17:16 | 000,406,528 | ---- | C] (SteelWerX)
 NIRCMD.exe -> C:\Windows\NIRCMD.exe -> [2013/05/26 13:17:16 | 000,060,416 | ---- | C] (NirSoft)
 ComboFix -> C:\ComboFix -> [2013/05/26 13:17:13 | 000,000,000 | ---D | C]
 Qoobox -> C:\Qoobox -> [2013/05/26 13:08:49 | 000,000,000 | ---D | C]
 erdnt -> C:\Windows\erdnt -> [2013/05/26 13:08:26 | 000,000,000 | ---D | C]
 WindowsSearch -> C:\ProgramData\WindowsSearch -> [2013/05/14 01:26:23 | 000,000,000 | ---D | C]
 
[Files/Folders - Modified Within 30 Days]
 perfh009.dat -> C:\Windows\System32\perfh009.dat -> [2013/05/27 10:43:11 | 000,607,990 | ---- | M] ()
 perfc009.dat -> C:\Windows\System32\perfc009.dat -> [2013/05/27 10:43:11 | 000,107,868 | ---- | M] ()
 bootstat.dat -> C:\Windows\bootstat.dat -> [2013/05/27 10:37:30 | 000,067,584 | --S- | M] ()
 LogConfigTemp.xml -> C:\Windows\System32\LogConfigTemp.xml -> [2013/05/26 14:21:16 | 000,000,000 | ---- | M] ()
 7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 -> C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 -> [2013/05/26 14:21:06 | 000,003,216 | -H-- | M] ()
 7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 -> C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 -> [2013/05/26 14:21:06 | 000,003,216 | -H-- | M] ()
 hosts -> C:\Windows\System32\drivers\etc\hosts -> [2013/05/26 13:29:06 | 000,000,027 | ---- | M] ()
 Adobe Flash Player Updater.job -> C:\Windows\tasks\Adobe Flash Player Updater.job -> [2013/05/26 12:13:06 | 000,000,830 | ---- | M] ()
 d3d9caps.dat -> C:\Users\Hart\AppData\Local\d3d9caps.dat -> [2013/05/26 12:07:14 | 000,001,356 | ---- | M] ()
 FlashPlayerApp.exe -> C:\Windows\System32\FlashPlayerApp.exe -> [2013/05/26 11:45:25 | 000,692,104 | ---- | M] (Adobe Systems Incorporated)
 FlashPlayerCPLApp.cpl -> C:\Windows\System32\FlashPlayerCPLApp.cpl -> [2013/05/26 11:45:25 | 000,071,048 | ---- | M] (Adobe Systems Incorporated)
 FNTCACHE.DAT -> C:\Windows\System32\FNTCACHE.DAT -> [2013/05/25 12:18:39 | 000,385,648 | ---- | M] ()
 
[Files - No Company Name]
 PEV.exe -> C:\Windows\PEV.exe -> [2013/05/26 13:17:16 | 000,256,000 | ---- | C] ()
 MBR.exe -> C:\Windows\MBR.exe -> [2013/05/26 13:17:16 | 000,208,896 | ---- | C] ()
 sed.exe -> C:\Windows\sed.exe -> [2013/05/26 13:17:16 | 000,098,816 | ---- | C] ()
 grep.exe -> C:\Windows\grep.exe -> [2013/05/26 13:17:16 | 000,080,412 | ---- | C] ()
 zip.exe -> C:\Windows\zip.exe -> [2013/05/26 13:17:16 | 000,068,096 | ---- | C] ()
 d3d9caps.dat -> C:\Users\Hart\AppData\Local\d3d9caps.dat -> [2012/03/15 09:18:27 | 000,001,356 | ---- | C] ()
 mlfcache.dat -> C:\Windows\System32\mlfcache.dat -> [2012/01/28 22:00:40 | 000,175,244 | -H-- | C] ()
< End of report >
```


----------



## xelahart (Apr 29, 2009)

That pasted strangely. I'll try again.


```
OTS logfile created on: 27/05/2013 10:41:31 - Run 1
OTS by OldTimer - Version 3.1.47.2     Folder = C:\Users\Hart\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
 
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 586.17 Gb Total Space | 337.79 Gb Free Space | 57.63% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: HART-PC
Current User Name: Hart
Logged in as Administrator.
 
Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
ots.exe -> C:\Users\Hart\Downloads\OTS.exe -> [2013/05/27 10:40:00 | 000,646,656 | ---- | M] (OldTimer Tools)
mfevtps.exe -> C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -> [2013/02/19 15:12:14 | 000,172,416 | ---- | M] (McAfee, Inc.)
mfefire.exe -> C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -> [2013/02/19 15:08:52 | 000,169,320 | ---- | M] (McAfee, Inc.)
mcsvhost.exe -> C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -> [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.)
explorer.exe -> C:\Windows\explorer.exe -> [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
 
[Modules - No Company Name]
[Win32 Services - Safe List]
(AdobeFlashPlayerUpdateSvc) Adobe Flash Player Update Service [On_Demand | Stopped] -> C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -> [2013/05/26 11:45:27 | 000,256,904 | ---- | M] (Adobe Systems Incorporated)
(RapportMgmtService) Rapport Management Service [Auto | Stopped] -> C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -> [2013/04/02 13:15:56 | 001,124,184 | ---- | M] (Trusteer Ltd.)
(nvUpdatusService) NVIDIA Update Service Daemon [Auto | Stopped] -> C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -> [2013/02/19 21:32:08 | 001,259,296 | ---- | M] (NVIDIA Corporation)
(mfevtp) McAfee Validation Trust Protection Service [Unknown | Running] -> C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -> [2013/02/19 15:12:14 | 000,172,416 | ---- | M] (McAfee, Inc.)
(mfefire) McAfee Firewall Core Service [Unknown | Running] -> C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -> [2013/02/19 15:08:52 | 000,169,320 | ---- | M] ()
(McShield) McAfee McShield [Unknown | Stopped] -> C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -> [2013/02/19 15:06:50 | 000,203,840 | ---- | M] ()
(McComponentHostService) McAfee Security Scan Component Host Service [On_Demand | Stopped] -> C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe -> [2013/02/05 16:48:00 | 000,235,216 | ---- | M] (McAfee, Inc.)
(McAfee SiteAdvisor Service) McAfee SiteAdvisor Service [Auto | Stopped] -> C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -> [2012/12/04 11:54:14 | 000,095,232 | ---- | M] (McAfee, Inc.)
(McODS) McAfee Scanner [On_Demand | Stopped] -> C:\Program Files\McAfee\VirusScan\mcods.exe -> [2012/11/16 22:07:20 | 000,279,048 | ---- | M] (McAfee, Inc.)
(McProxy) McAfee Proxy Service [Auto | Stopped] -> C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -> [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.)
(McNASvc) McAfee Network Agent [Auto | Stopped] -> C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -> [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.)
(McNaiAnn) McAfee VirusScan Announcer [Auto | Stopped] -> C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -> [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.)
(mcmscsvc) McAfee Services [Auto | Running] -> C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -> [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.)
(McMPFSvc) McAfee Personal Firewall Service [Unknown | Running] -> C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -> [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.)
(LeapFrog Connect Device Service) LeapFrog Connect Device Service [Auto | Stopped] -> C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -> [2012/07/05 18:41:08 | 007,392,136 | ---- | M] (LeapFrog Enterprises, Inc.)
(FLEXnet Licensing Service) FLEXnet Licensing Service [On_Demand | Stopped] -> C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> [2008/08/21 22:08:35 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.)
(ETService) Empowering Technology Service [Auto | Stopped] -> C:\Program Files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe -> [2008/07/16 14:00:00 | 000,024,576 | ---- | M] ()
(WinDefend) Windows Defender [On_Demand | Stopped] -> C:\Program Files\Windows Defender\MpSvc.dll -> [2008/01/21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation)
(AdobeActiveFileMonitor6.0) Adobe Active File Monitor V6 [Auto | Stopped] -> C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -> [2007/09/11 00:45:04 | 000,124,832 | ---- | M] ()
(CCALib8) Canon Camera Access Library 8 [Auto | Stopped] -> C:\Program Files\Canon\CAL\CALMAIN.exe -> [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.)
 
[Driver Services - Safe List]
(RapportEI) RapportEI [Kernel | System | Stopped] -> C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -> [2013/04/02 13:16:10 | 000,102,680 | ---- | M] (Trusteer Ltd.)
(RapportPG) RapportPG [Kernel | System | Stopped] -> C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -> [2013/04/02 13:16:08 | 000,173,880 | ---- | M] (Trusteer Ltd.)
(RapportCerberus_51755) RapportCerberus_51755 [Kernel | System | Stopped] -> C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_51755.sys -> [2013/04/01 14:05:08 | 000,317,112 | ---- | M] ()
(nvlddmkm) nvlddmkm [Kernel | On_Demand | Stopped] -> C:\Windows\System32\drivers\nvlddmkm.sys -> [2013/02/19 21:32:54 | 010,919,200 | ---- | M] (NVIDIA Corporation)
(cfwids) McAfee Inc. cfwids [Kernel | Unknown | Running] -> C:\Windows\System32\drivers\cfwids.sys -> [2013/02/19 15:15:04 | 000,060,920 | ---- | M] (McAfee, Inc.)
(mfewfpk) McAfee Inc. mfewfpk [Kernel | Unknown | Running] -> C:\Windows\System32\drivers\mfewfpk.sys -> [2013/02/19 15:12:24 | 000,210,608 | ---- | M] (McAfee, Inc.)
(mferkdet) McAfee Inc. mferkdet [Kernel | Unknown | Stopped] -> C:\Windows\System32\drivers\mferkdet.sys -> [2013/02/19 15:10:52 | 000,092,632 | ---- | M] (McAfee, Inc.)
(mfehidk) McAfee Inc. mfehidk [Kernel | Unknown | Running] -> C:\Windows\System32\drivers\mfehidk.sys -> [2013/02/19 15:09:52 | 000,565,888 | ---- | M] (McAfee, Inc.)
(mfefirek) McAfee Inc. mfefirek [Kernel | Unknown | Running] -> C:\Windows\System32\drivers\mfefirek.sys -> [2013/02/19 15:09:02 | 000,363,080 | ---- | M] (McAfee, Inc.)
(mfebopk) McAfee Inc. mfebopk [Kernel | Unknown | Stopped] -> C:\Windows\System32\drivers\mfebopk.sys -> [2013/02/19 15:08:40 | 000,065,928 | ---- | M] (McAfee, Inc.)
(mfeavfk) McAfee Inc. mfeavfk [Kernel | Unknown | Stopped] -> C:\Windows\System32\drivers\mfeavfk.sys -> [2013/02/19 15:08:20 | 000,235,264 | ---- | M] (McAfee, Inc.)
(mfeapfk) McAfee Inc. mfeapfk [Kernel | Unknown | Stopped] -> C:\Windows\System32\drivers\mfeapfk.sys -> [2013/02/19 15:07:50 | 000,133,416 | ---- | M] (McAfee, Inc.)
(RapportKELL) RapportKELL [Kernel | Boot | Stopped] -> C:\Windows\System32\Drivers\RapportKELL.sys -> [2012/07/29 20:52:38 | 000,102,008 | ---- | M] (Trusteer Ltd.)
(sptd) sptd [Kernel | Boot | Running] -> C:\Windows\System32\Drivers\sptd.sys -> [2012/04/24 20:40:19 | 000,721,904 | ---- | M] ()
(HipShieldK) McAfee Inc. HipShieldK [Kernel | On_Demand | Stopped] -> C:\Windows\System32\drivers\HipShieldK.sys -> [2012/04/20 16:40:44 | 000,146,872 | ---- | M] (McAfee, Inc.)
(RapportBuka) RapportBuka [Kernel | System | Stopped] -> C:\Windows\System32\drivers\RapportBuka.sys -> [2010/02/28 13:32:52 | 000,390,528 | ---- | M] (Trusteer Ltd.)
(mcdbus) Driver for MagicISO SCSI Host Controller [Kernel | On_Demand | Running] -> C:\Windows\System32\drivers\mcdbus.sys -> [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.)
(NVHDA) Service for NVIDIA High Definition Audio Driver [Kernel | On_Demand | Stopped] -> C:\Windows\System32\drivers\nvhda32v.sys -> [2008/08/05 05:29:26 | 000,044,576 | ---- | M] (NVIDIA Corporation)
(int15) int15 [Kernel | Auto | Stopped] -> C:\Windows\System32\drivers\int15.sys -> [2008/07/16 13:56:06 | 000,015,392 | ---- | M] (Acer, Inc.)
(nvstor32) nvstor32 [Kernel | Boot | Running] -> C:\Windows\system32\DRIVERS\nvstor32.sys -> [2008/06/06 12:13:10 | 000,145,440 | ---- | M] (NVIDIA Corporation)
(s116bus) Sony Ericsson Device 116 driver (WDM) [Kernel | On_Demand | Stopped] -> C:\Windows\System32\drivers\s116bus.sys -> [2007/04/03 14:57:42 | 000,083,336 | ---- | M] (MCCI Corporation)
(RTL8169) Realtek 8169 NT Driver [Kernel | On_Demand | Running] -> C:\Windows\System32\drivers\Rtlh86.sys -> [2006/11/02 08:30:56 | 000,044,544 | ---- | M] (Realtek Corporation)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> [URL]http://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=1008&m=imedia_x2416[/URL] -> 
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> -> 
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> -> 
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\] > -> -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: Main\\"SearchDefaultBranded" -> 1 -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: Main\\"Start Page" -> [URL]http://www.google.co.uk/[/URL] -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: Main\\"StartPageCache" -> 1 -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: URLSearchHooks\\"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" [HKLM] -> c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll [McAfee SiteAdvisor Toolbar] -> [2012/12/04 11:46:56 | 000,262,080 | ---- | M] (McAfee, Inc.)
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: "ProxyEnable" -> 0 -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: "ProxyOverride" -> *.local -> 
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
HKLM\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92} -> C:\Program Files\McAfee\SiteAdvisor [C:\PROGRAM FILES\MCAFEE\SITEADVISOR] -> [2013/05/14 00:56:30 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60} -> C:\Program Files\Common Files\McAfee\SystemCore [C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE] -> [2013/05/14 00:56:25 | 000,000,000 | ---D | M]
< FireFox Extensions [User Folders] > -> 
< HOSTS File > ([2013/05/26 13:29:06 | 000,000,027 | ---- | M] - 1 lines) -> C:\Windows\System32\drivers\etc\hosts -> 
Reset Hosts
127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2011/08/30 20:57:33 | 000,061,888 | ---- | M] (Adobe Systems Incorporated)
{0E8A89AD-95D7-40EB-8D9D-083EF7066A01} [HKLM] -> C:\Program Files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll [MSS+ Identifier] -> [2013/02/05 16:47:56 | 000,094,112 | ---- | M] (McAfee, Inc.)
{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{6D53EC84-6AAE-4787-AEEE-F4628F01010C} [HKLM] ->  [Symantec Intrusion Prevention] -> File not found
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> C:\Program Files\Java\jre7\bin\ssv.dll [Java(tm) Plug-In SSV Helper] -> [2013/03/06 21:48:02 | 000,461,216 | ---- | M] (Oracle Corporation)
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} [HKLM] -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120706041929.dll [scriptproxy] -> [2012/05/25 17:09:18 | 000,079,776 | ---- | M] (McAfee, Inc.)
{B164E929-A1B6-4A06-B104-2CD0E90A88FF} [HKLM] -> c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll [McAfee SiteAdvisor BHO] -> [2012/12/04 11:46:56 | 000,262,080 | ---- | M] (McAfee, Inc.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [Java(tm) Plug-In 2 SSV Helper] -> [2013/03/06 21:48:02 | 000,170,912 | ---- | M] (Oracle Corporation)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" [HKLM] -> c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll [McAfee SiteAdvisor Toolbar] -> [2012/12/04 11:46:56 | 000,262,080 | ---- | M] (McAfee, Inc.)
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"mcui_exe" -> C:\Program Files\McAfee.com\Agent\mcagent.exe ["C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey] -> [2013/03/13 18:40:08 | 001,278,064 | ---- | M] (McAfee, Inc.)
"RtHDVCpl" -> C:\Windows\RtHDVCpl.exe [RtHDVCpl.exe] -> [2008/06/26 08:56:10 | 006,139,904 | ---- | M] (Realtek Semiconductor)
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< Software Policy Settings [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
[URL="file://\\"NoDrives"]\\"NoDrives[/URL]" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
[URL="file://\\"NoDrives"]\\"NoDrives[/URL]" ->  [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< Internet Explorer Menu Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\ -> 
E&xport to Microsoft Excel ->  [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> File not found
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\ -> 
E&xport to Microsoft Excel ->  [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{CB50428B-657F-47DF-9B32-671F82AA73F7} [HKLM] -> [URL]http://www.photodex.com/pxplay.cab[/URL] [Photodex Presenter AX control] -> 
{E2883E8F-472F-4FB0-9522-AC9BF37916A7} [HKLM] -> [URL]http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab[/URL] [Reg Error: Key error.] -> 
Garmin Communicator Plug-In [HKLM] -> [URL]https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB[/URL] [Reg Error: Key error.] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 192.168.1.254 192.168.1.254 -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{27FA60FB-5855-47ED-90FC-73C7DFD953D2}\\DhcpNameServer -> 192.168.1.254 192.168.1.254   (Realtek RTL8101 Family PCI-E Fast Ethernet NIC (NDIS 6.0)) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\Windows\explorer.exe -> [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\Windows\system32\userinit.exe -> C:\Windows\System32\userinit.exe -> [2008/01/21 03:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  -> 
C:\autoexec.bat [REM Dummy file for NTVDM | ] -> C:\autoexec.bat [ NTFS ] -> [2006/09/18 22:43:36 | 000,000,024 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = ComFile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 
 
[Registry - Additional Scans - Safe List]
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost > -> ->
*netsvcs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs ->
FastUserSwitchingCompatibility ->  -> File not found
Ias -> C:\Windows\System32\ias.dll -> [2008/01/21 03:24:07 | 000,018,944 | ---- | M] (Microsoft Corporation)
Nla ->  -> File not found
Ntmssvc ->  -> File not found
NWCWorkstation ->  -> File not found
Nwsapagent ->  -> File not found
SRService ->  -> File not found
WmdmPmSp ->  -> File not found
LogonHours ->  -> File not found
PCAudit ->  -> File not found
helpsvc ->  -> File not found
uploadmgr ->  -> File not found
*MultiFile Done* -> -> 
< EventViewer Logs - Last 10 Errors > -> Event Information -> Description
Application [ Error ] 06/01/2012 12:49:26 Computer Name = Hart-PC | Source = Application Error | ID = 1000 -> Description = Faulting application NMIndexStoreSvr.exe, version 3.3.4.0, time stamp 0x4811da19, faulting module NMIndexStoreSvr.exe, version 3.3.4.0, time stamp 0x4811da19, exception code 0xc0000005, fault offset 0x000c463c,  process id 0xc4c, application start time 0x01cccc93083c22c8.
Application [ Error ] 06/01/2012 12:49:44 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 06/01/2012 13:28:04 Computer Name = Hart-PC | Source = McLogEvent | ID = 5051 -> Description = A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.    The process will be terminated.  Thread id : 4940 (0x134c)    Thread address : 0x77C55CA4    Thread message :      Build VSCORE.14.4.0.380 / 5400.1158   Object being scanned = \Device\HarddiskVolume2\Program Files\McAfee\MSC\mcinfo.exe   by C:\Windows\system32\svchost.exe   4(0)(0)   4(0)(0)   7200(0)(0)   7595(0)(0)   7005(0)(0)   7004(0)(0)   5006(0)(0)   5004(0)(0)  
Application [ Error ] 06/01/2012 16:36:36 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 07/01/2012 04:56:36 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 07/01/2012 10:22:25 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 08/01/2012 09:09:05 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 08/01/2012 12:11:54 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 10/01/2012 13:40:39 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 10/01/2012 15:47:05 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
OSession [ Error ] 04/11/2011 14:24:29 Computer Name = Hart-PC | Source = Microsoft Office 12 Sessions | ID = 7001 -> Description = ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 16 seconds with 0 seconds of active time.  This session ended with a crash.
System [ Error ] 26/05/2013 09:32:46 Computer Name = Hart-PC | Source = DCOM | ID = 10005 -> Description = 
System [ Error ] 27/05/2013 05:37:33 Computer Name = Hart-PC | Source = Dhcp | ID = 1002 -> Description = The IP address lease 192.168.1.68 for the Network Card with network address 0021973496CB has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
System [ Error ] 27/05/2013 05:37:52 Computer Name = Hart-PC | Source = DCOM | ID = 10005 -> Description = 
System [ Error ] 27/05/2013 05:38:00 Computer Name = Hart-PC | Source = DCOM | ID = 10005 -> Description = 
System [ Error ] 27/05/2013 05:38:01 Computer Name = Hart-PC | Source = DCOM | ID = 10005 -> Description = 
System [ Error ] 27/05/2013 05:38:03 Computer Name = Hart-PC | Source = DCOM | ID = 10005 -> Description = 
System [ Error ] 27/05/2013 05:38:08 Computer Name = Hart-PC | Source = DCOM | ID = 10005 -> Description = 
System [ Error ] 27/05/2013 05:38:55 Computer Name = Hart-PC | Source = Service Control Manager | ID = 7001 -> Description = 
System [ Error ] 27/05/2013 05:38:55 Computer Name = Hart-PC | Source = Service Control Manager | ID = 7026 -> Description = 
System [ Error ] 27/05/2013 05:41:51 Computer Name = Hart-PC | Source = DCOM | ID = 10005 -> Description = 
 
[Files/Folders - Created Within 30 Days]
 McAfee -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee -> [2013/05/27 10:44:04 | 000,000,000 | ---D | C]
 temp -> C:\Windows\temp -> [2013/05/26 13:32:06 | 000,000,000 | ---D | C]
 temp -> C:\Users\Hart\AppData\Local\temp -> [2013/05/26 13:32:06 | 000,000,000 | ---D | C]
 $RECYCLE.BIN -> C:\$RECYCLE.BIN -> [2013/05/26 13:31:04 | 000,000,000 | -HSD | C]
 SWREG.exe -> C:\Windows\SWREG.exe -> [2013/05/26 13:17:16 | 000,518,144 | ---- | C] (SteelWerX)
 SWSC.exe -> C:\Windows\SWSC.exe -> [2013/05/26 13:17:16 | 000,406,528 | ---- | C] (SteelWerX)
 NIRCMD.exe -> C:\Windows\NIRCMD.exe -> [2013/05/26 13:17:16 | 000,060,416 | ---- | C] (NirSoft)
 ComboFix -> C:\ComboFix -> [2013/05/26 13:17:13 | 000,000,000 | ---D | C]
 Qoobox -> C:\Qoobox -> [2013/05/26 13:08:49 | 000,000,000 | ---D | C]
 erdnt -> C:\Windows\erdnt -> [2013/05/26 13:08:26 | 000,000,000 | ---D | C]
 WindowsSearch -> C:\ProgramData\WindowsSearch -> [2013/05/14 01:26:23 | 000,000,000 | ---D | C]
 
[Files/Folders - Modified Within 30 Days]
 perfh009.dat -> C:\Windows\System32\perfh009.dat -> [2013/05/27 10:43:11 | 000,607,990 | ---- | M] ()
 perfc009.dat -> C:\Windows\System32\perfc009.dat -> [2013/05/27 10:43:11 | 000,107,868 | ---- | M] ()
 bootstat.dat -> C:\Windows\bootstat.dat -> [2013/05/27 10:37:30 | 000,067,584 | --S- | M] ()
 LogConfigTemp.xml -> C:\Windows\System32\LogConfigTemp.xml -> [2013/05/26 14:21:16 | 000,000,000 | ---- | M] ()
 7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 -> C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 -> [2013/05/26 14:21:06 | 000,003,216 | -H-- | M] ()
 7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 -> C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 -> [2013/05/26 14:21:06 | 000,003,216 | -H-- | M] ()
 hosts -> C:\Windows\System32\drivers\etc\hosts -> [2013/05/26 13:29:06 | 000,000,027 | ---- | M] ()
 Adobe Flash Player Updater.job -> C:\Windows\tasks\Adobe Flash Player Updater.job -> [2013/05/26 12:13:06 | 000,000,830 | ---- | M] ()
 d3d9caps.dat -> C:\Users\Hart\AppData\Local\d3d9caps.dat -> [2013/05/26 12:07:14 | 000,001,356 | ---- | M] ()
 FlashPlayerApp.exe -> C:\Windows\System32\FlashPlayerApp.exe -> [2013/05/26 11:45:25 | 000,692,104 | ---- | M] (Adobe Systems Incorporated)
 FlashPlayerCPLApp.cpl -> C:\Windows\System32\FlashPlayerCPLApp.cpl -> [2013/05/26 11:45:25 | 000,071,048 | ---- | M] (Adobe Systems Incorporated)
 FNTCACHE.DAT -> C:\Windows\System32\FNTCACHE.DAT -> [2013/05/25 12:18:39 | 000,385,648 | ---- | M] ()
 
[Files - No Company Name]
 PEV.exe -> C:\Windows\PEV.exe -> [2013/05/26 13:17:16 | 000,256,000 | ---- | C] ()
 MBR.exe -> C:\Windows\MBR.exe -> [2013/05/26 13:17:16 | 000,208,896 | ---- | C] ()
 sed.exe -> C:\Windows\sed.exe -> [2013/05/26 13:17:16 | 000,098,816 | ---- | C] ()
 grep.exe -> C:\Windows\grep.exe -> [2013/05/26 13:17:16 | 000,080,412 | ---- | C] ()
 zip.exe -> C:\Windows\zip.exe -> [2013/05/26 13:17:16 | 000,068,096 | ---- | C] ()
 d3d9caps.dat -> C:\Users\Hart\AppData\Local\d3d9caps.dat -> [2012/03/15 09:18:27 | 000,001,356 | ---- | C] ()
 mlfcache.dat -> C:\Windows\System32\mlfcache.dat -> [2012/01/28 22:00:40 | 000,175,244 | -H-- | C] ()
< End of report >
```


----------



## xelahart (Apr 29, 2009)

I imagine you want to run all your diagnostics before you start making guesses, but have you seen anything that looks strange yet?

Is there anything in there that you think I could uninstall to see if it helps? McAfee? Rapport?

I do appreciate your help, but I am keen to resolve this as soon as possible, or bite the bullet and buy a new computer if that is the solution. I hadn't realised how dependent the family is on this computer until it went down.


----------



## Cookiegal (Aug 27, 2003)

ComboFix deleted some things and I see something suspicious in the GMER log so we'll continue to investigate.

Start *OTS*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here please.


```
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} [HKLM] -> [Symantec Intrusion Prevention]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Empty Temp Folders]
[EmptyFlash]
[EmptyJava]
[Start Explorer]
[Reboot]
```
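The fix script above picks out exactly the entries in the earlier OTS log whose third field reads `File not found` (BHO and toolbar registrations pointing at keys or DLLs that no longer exist). As an added example, not code from the thread or from any of the tools it names, here is a small Python parser for the `name -> target -> [stamp | size | attrs | kind] (company)` line shape that log uses; it flags orphaned registrations of that kind and, separately, kernel drivers whose file carries no company name (the log shows `()` for those, for example `sptd.sys`). The sample lines are copied from the posted log; the two flag rules are this example's own heuristics, not OTS's logic, and a flagged line means "worth a reviewer's look", not "malicious".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: one line of each shape, copied from the OTS log posted in this thread.
SAMPLE_LOG = r"""(sptd) sptd [Kernel | Boot | Running] -> C:\Windows\System32\Drivers\sptd.sys -> [2012/04/24 20:40:19 | 000,721,904 | ---- | M] ()
(nvstor32) nvstor32 [Kernel | Boot | Running] -> C:\Windows\system32\DRIVERS\nvstor32.sys -> [2008/06/06 12:13:10 | 000,145,440 | ---- | M] (NVIDIA Corporation)
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2011/08/30 20:57:33 | 000,061,888 | ---- | M] (Adobe Systems Incorporated)
{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{6D53EC84-6AAE-4787-AEEE-F4628F01010C} [HKLM] ->  [Symantec Intrusion Prevention] -> File not found
"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
"""

# Third field of a file-backed entry: [YYYY/MM/DD HH:MM:SS | size | attrs | M or C] (company)
FILE_INFO = re.compile(
    r"\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>.*)\)$"
)


@dataclass
class Entry:
    name: str                      # first field, e.g. the service name or the BHO CLSID
    target: str                    # second field, usually the backing file path
    found: bool                    # False when the log says "File not found"
    size: Optional[int] = None     # byte size with the thousands separators removed
    company: Optional[str] = None  # None when the log shows an empty "()"
    is_kernel_driver: bool = False


def parse_line(line: str) -> Optional[Entry]:
    """Parse one 'a -> b -> c' log line; return None for lines without three fields."""
    parts = line.rstrip().split(" -> ")
    if len(parts) < 3:
        return None
    name, target, info = parts[0].strip(), parts[1].strip(), parts[2].strip()
    entry = Entry(name=name, target=target, found=True,
                  is_kernel_driver="[Kernel |" in name)
    if info == "File not found":
        entry.found = False
        return entry
    m = FILE_INFO.search(info)
    if m:
        entry.size = int(m.group("size").replace(",", ""))
        entry.company = m.group("company") or None
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def review(entries: List[Entry]) -> List[tuple]:
    """Heuristic review: (name, reason) for entries a human should look at."""
    findings = []
    for e in entries:
        if not e.found:
            findings.append((e.name, "orphaned: registry entry points at a missing file or key"))
        elif e.is_kernel_driver and e.company is None:
            findings.append((e.name, "kernel driver with no company name recorded"))
    return findings


def flagged_names(text: str) -> List[str]:
    return [name for name, _reason in review(parse_log(text))]


if __name__ == "__main__":
    for name, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{reason}: {name}")
```

Run against the sample, the orphaned entries it reports are the two BHO CLSIDs and the `ImagePath` value, and the one driver it reports is `sptd`; the NVIDIA driver and the Adobe BHO pass both rules.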


----------



## Cookiegal (Aug 27, 2003)

Please download aswMBR.exe and save it to your desktop.

Double click aswMBR.exe to start the tool (Vista/Windows 7 users - right click to run as administrator) and allow it to download the Avast database.

Click *Scan*.

Upon completion of the scan, click *Save log* then save it to your desktop and post that log in your next reply for review. 
*Note - do NOT attempt any Fix yet.*

You will also notice another file created on the desktop named *MBR.dat*. This is only a backup of the MBR file in case we need it so please just leave it on the desktop for now.


----------



## xelahart (Apr 29, 2009)

OK, ran the fix in OTS, here is that log.

```
All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
Registry value HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
[Empty Temp Folders]

User: Alex
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 157676858 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1154 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Emma (i-pod)
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 240660828 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1473 bytes

User: Hart
->Temp folder emptied: 80984 bytes
->Temporary Internet Files folder emptied: 427067952 bytes
->Java cache emptied: 24692587 bytes
->Apple Safari cache emptied: 31744 bytes
->Flash cache emptied: 108416 bytes

User: Public
->Temp folder emptied: 0 bytes

User: TEMP
->Temp folder emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes

User: UpdatusUser.Hart-PC
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 106290 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 7480532 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
RecycleBin emptied: 63660 bytes

Total Files Cleaned = 818.00 mb

[EMPTYFLASH]

User: Alex
->Flash cache emptied: 0 bytes

User: All Users

User: Default

User: Default User

User: Emma (i-pod)
->Flash cache emptied: 0 bytes

User: Hart
->Flash cache emptied: 0 bytes

User: Public

User: TEMP

User: UpdatusUser

User: UpdatusUser.Hart-PC

Total Flash Files Cleaned = 0.00 mb

[EMPTYJAVA]

User: Alex
->Java cache emptied: 0 bytes

User: All Users

User: Default

User: Default User

User: Emma (i-pod)
->Java cache emptied: 0 bytes

User: Hart
->Java cache emptied: 0 bytes

User: Public

User: TEMP

User: UpdatusUser

User: UpdatusUser.Hart-PC

Total Java Files Cleaned = 0.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.47.2 fix logfile created on 05282013_202722
Files\Folders moved on Reboot...
C:\Users\Hart\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Hart\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZEB30IO9\push[1].htm moved successfully.
C:\Users\Hart\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SMRS37OK\1098665-sudden-failure-utilities-3[1].htm moved successfully.
Registry entries deleted on Reboot...
```


----------



## xelahart (Apr 29, 2009)

And here is the aswMBR log.

```
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-05-28 20:44:38
-----------------------------
20:44:38.096 OS Version: Windows 6.0.6002 Service Pack 2
20:44:38.096 Number of processors: 4 586 0x1707
20:44:38.096 ComputerName: HART-PC UserName: Hart
20:44:39.095 Initialize success
20:59:43.832 AVAST engine defs: 13052800
21:04:33.259 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000061
21:04:33.259 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
21:04:33.290 Disk 0 MBR read successfully
21:04:33.290 Disk 0 MBR scan
21:04:33.290 Disk 0 Windows VISTA default MBR code
21:04:33.306 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10240 MB offset 2048
21:04:33.322 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 600238 MB offset 20973568
21:04:33.322 Disk 0 scanning sectors +1250261680
21:04:33.384 Disk 0 scanning C:\Windows\system32\drivers
21:04:37.424 Service scanning
21:04:50.747 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
21:04:55.006 Modules scanning
21:04:57.377 Disk 0 trace - called modules:
21:04:57.392 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8c20b1f8]<<
21:04:57.408 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8c7e2030]
21:04:57.408 3 CLASSPNP.SYS[90dc98b3] -> nt!IofCallDriver -> [0x8c2d0700]
21:04:57.408 5 acpi.sys[807bb6bc] -> nt!IofCallDriver -> \Device\00000061[0x8c271c78]
21:04:57.424 \Driver\nvstor32[0x8c265680] -> IRP_MJ_CREATE -> 0x8c20b1f8
21:04:58.984 AVAST engine scan C:\Windows
21:05:03.430 AVAST engine scan C:\Windows\system32
21:07:03.518 AVAST engine scan C:\Windows\system32\drivers
21:07:16.014 AVAST engine scan C:\Users\Hart
21:14:53.297 AVAST engine scan C:\ProgramData
21:20:55.482 Scan finished successfully
22:14:37.943 Disk 0 MBR has been saved successfully to "C:\Users\Hart\Documents\IT Stuff\Repair - May 2013\MBR.dat"
22:14:37.958 The log file has been saved successfully to "C:\Users\Hart\Documents\IT Stuff\Repair - May 2013\aswMBR.txt"
```


----------



## Cookiegal (Aug 27, 2003)

Please go here and download the *TDSSKiller.exe* to your desktop.

Double-click TDSSKiller.exe on your desktop to run it.
Click on *Start Scan*
As we don't want to fix anything yet, if any malicious objects are detected, *do NOT select Cure* but select *Skip* instead.
It will produce a log once it finishes in the root drive which should look like this example:

C:\TDSSKiller.<version_date_time>log.txt

Please copy and paste the contents of that log in your next reply.


----------



## xelahart (Apr 29, 2009)

Please could you confirm that you definitely want me to run TDSS Killer again.

I have already run it once and posted the log (see post 23 http://forums.techguy.org/8697925-post23.html)
Are you expecting to see something different this time?


----------



## Cookiegal (Aug 27, 2003)

Sorry, I thought we had run it and did a search but the search returned no result.


Please download *RogueKiller* by Tigzy and save it to your desktop.
Allow the download if prompted by your security software and please close all your other browser windows.
Double-click *RogueKiller.exe* to run it.
If it does not run, please try a few times. If it really does not work (it could happen), rename it to winlogon.exe or RogueKiller.com
Wait for *PreScan* to finish, then accept the EULA.
Click on the *Scan* button in the upper right. Wait for it to finish.
Once completed, a log called *RKreport[1].txt* will be created on the desktop. It can also be accessed via the *Report* button.
Please copy and paste the contents of that log in your next reply.
When you exit RogueKiller, you may get a popup reporting "None of the Elements have been deleted. Do you want to quit?" Click *Yes*.


----------



## xelahart (Apr 29, 2009)

OK, here is the Rogue Killer report. It seems to have found 3 suspicious things in the registry.

```
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User : Hart [Admin rights]
Mode : Scan -- Date : 05/29/2013 20:51:34
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD64 00AAKS-22A7B SCSI Disk Device +++++
--- User ---
[MBR] cb937bfbef932355cd34b6cb6f4027a9
[BSP] 8484c7ec0314f855e9c1602adbcfff5f : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10240 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20973568 | Size: 600238 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1]_S_05292013_02d2051.txt >>
RKreport[1]_S_05292013_02d2051.txt
```
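Both scanner reports in this thread (the aswMBR log a few posts up and the RogueKiller report just above) flag items in a fixed, line-oriented text format, so a defender triaging many such logs can extract the findings mechanically rather than eyeballing them. The script below is an added example and is not part of the thread or of either tool; it runs over constructed sample lines modelled on the two posted reports, pulls out the flagged registry entries, the MBR/boot-sector hashes and any service marked `**LOCKED**`, and assigns a rough triage level. All function, class and field names are my own, and the severity rules are assumptions: `DisableRegistryTools` only blocks regedit when set to a non-zero value (the posted report shows 0), and `NewStartPanel` entries govern which icons are shown on the desktop.

```python
"""Triage helper for RogueKiller and aswMBR text reports (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the RogueKiller report posted in this thread.
ROGUEKILLER_SAMPLE = r"""RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
Mode : Scan -- Date : 05/29/2013 20:51:34
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ MBR Check: ¤¤¤
[MBR] cb937bfbef932355cd34b6cb6f4027a9
[BSP] 8484c7ec0314f855e9c1602adbcfff5f : Windows Vista MBR Code
"""

# Constructed sample, modelled on the aswMBR log posted earlier in the thread.
ASWMBR_SAMPLE = r"""21:04:37.424 Service scanning
21:04:50.747 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
21:04:55.006 Modules scanning
"""

# "[TAG] key : value (data) -> FOUND" as RogueKiller prints registry hits.
REG_FOUND = re.compile(
    r'^\[(?P<tag>[^\]]+)\]\s+(?P<key>\S+)\s*:\s*(?P<value>.+?)\s*'
    r'\((?P<data>[^)]*)\)\s*->\s*FOUND\s*$')
# "[MBR] <md5>" or "[BSP] <md5> : <note>" from the MBR check section.
MBR_HASH = re.compile(
    r'^\[(?P<kind>MBR|BSP)\]\s+(?P<md5>[0-9a-fA-F]{32})(?:\s*:\s*(?P<note>.*))?$')
# aswMBR service line for a driver it could not open: "<time> Service <name> <path> **LOCKED** ..."
LOCKED_SVC = re.compile(r'^\S+\s+Service\s+(?P<name>\S+)\s+(?P<path>\S+)\s+\*\*LOCKED\*\*')


@dataclass
class Finding:
    tag: str    # RogueKiller category, e.g. "HJPOL" or "HJ DESK"
    key: str    # registry key (abbreviated by the tool with [...])
    value: str  # value name or CLSID
    data: str   # value data as printed, e.g. "0"


@dataclass
class RogueKillerReport:
    findings: List[Finding]
    mbr_md5: Optional[str]
    bsp_md5: Optional[str]
    bsp_note: Optional[str]


def parse_roguekiller(text: str) -> RogueKillerReport:
    """Extract FOUND registry entries and MBR/BSP hashes from a RogueKiller report."""
    findings: List[Finding] = []
    mbr = bsp = note = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_FOUND.match(line)
        if m:
            findings.append(Finding(m["tag"].strip(), m["key"], m["value"], m["data"]))
            continue
        m = MBR_HASH.match(line)
        if m and m["kind"] == "MBR":
            mbr = m["md5"].lower()
        elif m:
            bsp, note = m["md5"].lower(), m["note"]
    return RogueKillerReport(findings, mbr, bsp, note)


def parse_aswmbr_locked(text: str) -> List[Tuple[str, str]]:
    """Return (service, driver path) for every service aswMBR reported as **LOCKED**."""
    hits = []
    for raw in text.splitlines():
        m = LOCKED_SVC.match(raw.strip())
        if m:
            hits.append((m["name"], m["path"]))
    return hits


def severity(f: Finding) -> str:
    """Rough triage level for one RogueKiller registry finding (assumed rules).

    HJPOL entries are policy values that can restrict admin tools; for
    DisableRegistryTools a non-zero value blocks regedit, while 0 means the
    value exists but restricts nothing. HJ DESK entries under NewStartPanel
    only control which icons appear on the desktop, so they are cosmetic.
    """
    if f.tag == "HJPOL":
        return "high" if f.data.strip() not in ("", "0") else "info"
    if f.tag.startswith("HJ DESK"):
        return "low"
    return "review"  # unknown category: leave for a human


if __name__ == "__main__":
    report = parse_roguekiller(ROGUEKILLER_SAMPLE)
    for f in report.findings:
        print(f"[{severity(f):6}] {f.tag}: {f.key} : {f.value} = {f.data}")
    print("MBR md5:", report.mbr_md5, "| boot sector:", report.bsp_md5, report.bsp_note)
    for name, path in parse_aswmbr_locked(ASWMBR_SAMPLE):
        print("locked driver service:", name, path)
```

A locked driver in the aswMBR output is not itself evidence of infection; here it is `sptd.sys`, which belongs to a CD-emulation package of the kind the next post asks to uninstall before running GMER. The point of the `severity` rule is that a flagged `DisableRegistryTools` with data 0 is a present-but-inert policy, whereas a 1 would explain an admin being unable to open regedit.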


----------



## Cookiegal (Aug 27, 2003)

Please run GMER again but first remove the one you have by dragging it from the desktop to the recycle bin.

Please download GMER from: http://www.gmer.net

Click on the "Download EXE" button and save the randomly named .exe file to your desktop.

*Note: You must uninstall any CD Emulation programs that you have before running GMER as they can cause conflicts and give false results.*

Double click the GMER .exe file on your desktop to run the tool and it will automatically do a quick scan.

If the tool warns of rootkit activity and asks if you want to run a full scan, click on No and make sure the following are *unchecked* on the right-hand side:

IAT/EAT
Any drive letter other than the primary system drive (which is generally C).

Click the *Scan* button and when the scan is finished, click *Save* and save the log in Notepad with the name ark.txt to your desktop.

*Note: It's important that all other windows be closed and that you don't touch the mouse or do anything with the computer during the scan as it may cause it to freeze. You should disable your screen saver as if it comes on it may cause the program to freeze.*

Open the ark.txt file and copy and paste the contents of the log here please.


----------



## xelahart (Apr 29, 2009)

GMER doesn't say anything after it stops the quick scan.
So I unchecked IAT/EAT, unchecked Quick scan, and checked C:\
I am trying to upload a screen shot of what it looks like before I click scan, but the upload doesn't seem to be working.


----------



## xelahart (Apr 29, 2009)

When I run a full scan with GMER (using the settings in the pic in the last post) it alternates between crashing with the message "[random file name] has stopped working" and crashing with a blue screen of death.
It ran ok last time. Presumably this is not a good sign?


----------



## xelahart (Apr 29, 2009)

Tried using different settings.
I unchecked IAT/EAT, but I left the rest as it starts i.e. Quick scan checked and C:\ unchecked.
Exactly the same result.
The first time I run the .exe it reports 3 lines of stuff in the quick scan (you can see these in the posted image). Then when I run the full scan it reports about another 6 lines and crashes.
The second time I run the .exe, it reports nothing in the quick scan, and when I run the full scan I instantly get a BSOD.
This is not feeling much like progress at the moment.
:-(


----------



## Cookiegal (Aug 27, 2003)

Please try running GMER in safe mode.


----------



## xelahart (Apr 29, 2009)

Everything I do is in safe mode. That is the only way anything runs. So the first time I ran GMER (a few days ago), and it worked, and I posted the log - that was in safe mode. And now, when I try to run GMER and it alternates between crashing and giving me a BSOD - that is also in safe mode. Any other suggestions? Safe mode with networking turned off?


----------



## Cookiegal (Aug 27, 2003)

Yes, try safe mode (without networking) please as fewer drivers will be loaded.


----------



## xelahart (Apr 29, 2009)

OK I have now tried safe mode (without networking) and it gives a very similar result.
The first time I double click on GMER.exe it does the quick scan, generates about 3-4 lines of text and stops.
I then uncheck IAT/EAT and check C (this is the only drive it mentions and the default is for it to be unchecked) and click scan.
Then I run the full scan, it gets to about the 6th line which is an error message about the system not being able to find a path, then an error message pops up telling me GMER needs to shut down.
The second time I double click on GMER.exe the quick scan generates no lines of text and stops.
SO FAR NO DIFFERENT TO WITH NETWORKING ON
Then when I scan it gets much further through the lines of text and takes about 10 minutes before I get BSOD and it crashes.
So the only difference is that with networking off GMER gets further through the scan on the second attempt before hitting a BSOD.

Any other suggestions?


----------



## Cookiegal (Aug 27, 2003)

Please go back to safe mode with networking and see if you can run this on-line scan from Eset.

Please run the following on-line scanner.

Note: If you're running a 64-bit system you have to choose the 32-bit option in IE. To do that, go to the Start Menu and right-click the Internet Explorer (32-bit) icon and then select 'Run as administrator' from the right-click menu.

http://www.eset.com/online-scanner

Accept the Terms of Use and then press the Start button

Allow the ActiveX control to be installed.

Put a check by Remove found threats and then run the scan.

When the scan is finished, you will see the results in a window.

A log.txt file is created here: C:\Program Files\ESET\ESET Online Scanner\log.txt.

Open the log file with Notepad and copy and paste the contents here please.


----------



## xelahart (Apr 29, 2009)

Nope. Can't do that either. I followed your instructions, but the pop-up where I need to check 'Remove found threats' is not displaying properly and doesn't have any button to run the scan. It looks like the window has popped up too small, but the window has no scroll bars, and if I expand it I just get blank screen. See attached image.


----------



## xelahart (Apr 29, 2009)

Also, after GMER failed on me I tried uninstalling some things to see if it made a difference. I had 2 McAfee security products, I uninstalled them both. It made no difference, but from the look of the picture I just posted ESET seems to think McAfee is still there.


----------



## Cookiegal (Aug 27, 2003)

Please run MalwareBytes Anti-Rootkit and post the log.

http://www.bleepingcomputer.com/download/malwarebytes-anti-rootkit/


----------



## xelahart (Apr 29, 2009)

OK
I followed the link and ran the Malware Bytes Anti Rootkit beta (including updating the database).
At the end of the scan it said it found nothing, did not create a log file that I can see and did not give me the option to save a log file.
See attached screenshot.


----------



## xelahart (Apr 29, 2009)

I tried a workaround and managed to get ESET to run.
I started in normal mode and used Apple Safari to follow the link and run ESET.
This worked: it did the full scan and said it found nothing, didn't generate a log file.
Attached picture is the screen shot showing the all clear.


----------



## Cookiegal (Aug 27, 2003)

OK, that's good.

Download *OTS.exe* to your Desktop.

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Double-click on *OTS.exe* to start the program.
At the top put a check mark in the box beside "Scan All Users".
Under the *Additional Scans* section put a check in the box next to Disabled MS Config Items and EventViewer logs (Last 10 errors)
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## xelahart (Apr 29, 2009)

OK I will run OTS again, but I don't think I have changed anything since the last time you asked me to run it and post the log.

In post 30 (http://forums.techguy.org/8698499-post30.html) you asked me to run OTS the first time.
In post 31 (http://forums.techguy.org/8698932-post31.html) I posted the log.
In post 34 (http://forums.techguy.org/8699332-post34.html) you asked me to use OTS to paste a fix
In post 35 (http://forums.techguy.org/8700128-post36.html) I posted the log after that fix.
Since then all I have done is run a Rogue Killer scan, fail to run GMER, run an MBAR scan and run an ESET scan.


----------



## xelahart (Apr 29, 2009)

3rd OTS scan log below


```
OTS logfile created on: 07/06/2013 07:01:07 - Run 2
OTS by OldTimer - Version 3.1.47.2     Folder = C:\Users\Hart\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
 
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 58.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 586.17 Gb Total Space | 329.95 Gb Free Space | 56.29% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: HART-PC
Current User Name: Hart
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
ots.exe -> C:\Users\Hart\Downloads\OTS.exe -> [2013/06/07 07:00:17 | 000,646,656 | ---- | M] (OldTimer Tools)
flashutil32_11_7_700_202_activex.exe -> C:\Windows\System32\Macromed\Flash\FlashUtil32_11_7_700_202_ActiveX.exe -> [2013/05/26 11:45:25 | 000,813,448 | ---- | M] (Adobe Systems Incorporated)
rapportmgmtservice.exe -> C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -> [2013/04/02 13:15:56 | 001,124,184 | ---- | M] (Trusteer Ltd.)
rapportservice.exe -> C:\Program Files\Trusteer\Rapport\bin\RapportService.exe -> [2013/04/02 13:15:54 | 002,115,416 | ---- | M] (Trusteer Ltd.)
nvxdsync.exe -> C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe -> [2013/01/31 10:01:06 | 000,865,056 | ---- | M] (NVIDIA Corporation)
commandservice.exe -> C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -> [2012/07/05 18:41:08 | 007,392,136 | ---- | M] (LeapFrog Enterprises, Inc.)
explorer.exe -> C:\Windows\explorer.exe -> [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
etservice.exe -> C:\Program Files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe -> [2008/07/16 14:00:00 | 000,024,576 | ---- | M] ()
rthdvcpl.exe -> C:\Windows\RtHDVCpl.exe -> [2008/06/26 08:56:10 | 006,139,904 | ---- | M] (Realtek Semiconductor)
photoshopelementsfileagent.exe -> C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -> [2007/09/11 00:45:04 | 000,124,832 | ---- | M] ()
calmain.exe -> C:\Program Files\Canon\CAL\CALMAIN.exe -> [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.)
 
[Modules - No Company Name]
rapportms.dll -> C:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportMS.dll -> [2013/04/01 14:05:09 | 000,557,368 | ---- | M] ()
js32.dll -> C:\Program Files\Trusteer\Rapport\bin\js32.dll -> [2012/06/27 14:09:06 | 000,557,056 | ---- | M] ()
 
[Win32 Services - Safe List]
(McMPFSvc) McAfee Personal Firewall Service [Disabled | Stopped] ->  -> File not found
(AdobeFlashPlayerUpdateSvc) Adobe Flash Player Update Service [On_Demand | Stopped] -> C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -> [2013/06/06 21:46:10 | 000,256,904 | ---- | M] (Adobe Systems Incorporated)
(RapportMgmtService) Rapport Management Service [Auto | Running] -> C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -> [2013/04/02 13:15:56 | 001,124,184 | ---- | M] (Trusteer Ltd.)
(nvUpdatusService) NVIDIA Update Service Daemon [Auto | Stopped] -> C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -> [2013/02/19 21:32:08 | 001,259,296 | ---- | M] (NVIDIA Corporation)
(LeapFrog Connect Device Service) LeapFrog Connect Device Service [Auto | Running] -> C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -> [2012/07/05 18:41:08 | 007,392,136 | ---- | M] (LeapFrog Enterprises, Inc.)
(FLEXnet Licensing Service) FLEXnet Licensing Service [On_Demand | Stopped] -> C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> [2008/08/21 22:08:35 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.)
(ETService) Empowering Technology Service [Auto | Running] -> C:\Program Files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe -> [2008/07/16 14:00:00 | 000,024,576 | ---- | M] ()
(WinDefend) Windows Defender [On_Demand | Stopped] -> C:\Program Files\Windows Defender\MpSvc.dll -> [2008/01/21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation)
(AdobeActiveFileMonitor6.0) Adobe Active File Monitor V6 [Auto | Running] -> C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -> [2007/09/11 00:45:04 | 000,124,832 | ---- | M] ()
(CCALib8) Canon Camera Access Library 8 [Auto | Running] -> C:\Program Files\Canon\CAL\CALMAIN.exe -> [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.)
 
[Driver Services - Safe List]
(RapportEI) RapportEI [Kernel | System | Running] -> C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -> [2013/04/02 13:16:10 | 000,102,680 | ---- | M] (Trusteer Ltd.)
(RapportPG) RapportPG [Kernel | System | Running] -> C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -> [2013/04/02 13:16:08 | 000,173,880 | ---- | M] (Trusteer Ltd.)
(RapportCerberus_51755) RapportCerberus_51755 [Kernel | System | Running] -> C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_51755.sys -> [2013/04/01 14:05:08 | 000,317,112 | ---- | M] ()
(nvlddmkm) nvlddmkm [Kernel | On_Demand | Running] -> C:\Windows\System32\drivers\nvlddmkm.sys -> [2013/02/19 21:32:54 | 010,919,200 | ---- | M] (NVIDIA Corporation)
(RapportKELL) RapportKELL [Kernel | Boot | Running] -> C:\Windows\System32\Drivers\RapportKELL.sys -> [2012/07/29 20:52:38 | 000,102,008 | ---- | M] (Trusteer Ltd.)
(sptd) sptd [Kernel | Boot | Running] -> C:\Windows\System32\Drivers\sptd.sys -> [2012/04/24 20:40:19 | 000,721,904 | ---- | M] ()
(RapportBuka) RapportBuka [Kernel | System | Running] -> C:\Windows\System32\drivers\RapportBuka.sys -> [2010/02/28 13:32:52 | 000,390,528 | ---- | M] (Trusteer Ltd.)
(NVHDA) Service for NVIDIA High Definition Audio Driver [Kernel | On_Demand | Running] -> C:\Windows\System32\drivers\nvhda32v.sys -> [2008/08/05 05:29:26 | 000,044,576 | ---- | M] (NVIDIA Corporation)
(int15) int15 [Kernel | Auto | Running] -> C:\Windows\System32\drivers\int15.sys -> [2008/07/16 13:56:06 | 000,015,392 | ---- | M] (Acer, Inc.)
(nvstor32) nvstor32 [Kernel | Boot | Running] -> C:\Windows\system32\DRIVERS\nvstor32.sys -> [2008/06/06 12:13:10 | 000,145,440 | ---- | M] (NVIDIA Corporation)
(s116bus) Sony Ericsson Device 116 driver (WDM) [Kernel | On_Demand | Stopped] -> C:\Windows\System32\drivers\s116bus.sys -> [2007/04/03 14:57:42 | 000,083,336 | ---- | M] (MCCI Corporation)
(RTL8169) Realtek 8169 NT Driver [Kernel | On_Demand | Running] -> C:\Windows\System32\drivers\Rtlh86.sys -> [2006/11/02 08:30:56 | 000,044,544 | ---- | M] (Realtek Corporation)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> [URL]http://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=1008&m=imedia_x2416[/URL] -> 
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> -> 
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> -> 
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\] > -> -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: Main\\"SearchDefaultBranded" -> 1 -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: Main\\"Start Page" -> [URL]http://www.google.co.uk/[/URL] -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: Main\\"StartPageCache" -> 1 -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: "ProxyEnable" -> 0 -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\: "ProxyOverride" -> *.local -> 
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
< FireFox Extensions [User Folders] > -> 
< HOSTS File > ([2013/05/26 13:29:06 | 000,000,027 | ---- | M] - 1 lines) -> C:\Windows\System32\drivers\etc\hosts -> 
Reset Hosts
127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2011/08/30 20:57:33 | 000,061,888 | ---- | M] (Adobe Systems Incorporated)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> C:\Program Files\Java\jre7\bin\ssv.dll [Java(tm) Plug-In SSV Helper] -> [2013/03/06 21:48:02 | 000,461,216 | ---- | M] (Oracle Corporation)
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [Java(tm) Plug-In 2 SSV Helper] -> [2013/03/06 21:48:02 | 000,170,912 | ---- | M] (Oracle Corporation)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"RtHDVCpl" -> C:\Windows\RtHDVCpl.exe [RtHDVCpl.exe] -> [2008/06/26 08:56:10 | 006,139,904 | ---- | M] (Realtek Semiconductor)
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< Software Policy Settings [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
[URL="file://\\"NoDrives"]\\"NoDrives[/URL]" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
[URL="file://\\"NoDrives"]\\"NoDrives[/URL]" ->  [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< Internet Explorer Menu Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\ -> 
E&xport to Microsoft Excel ->  [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> File not found
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\ -> 
E&xport to Microsoft Excel ->  [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\] > -> HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-21-3650955238-2046507532-1628930313-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{7530BFB8-7293-4D34-9923-61A11451AFC5} [HKLM] -> [URL]http://download.eset.com/special/eos/OnlineScanner.cab[/URL] [Reg Error: Key error.] -> 
{CB50428B-657F-47DF-9B32-671F82AA73F7} [HKLM] -> [URL]http://www.photodex.com/pxplay.cab[/URL] [Photodex Presenter AX control] -> 
{E2883E8F-472F-4FB0-9522-AC9BF37916A7} [HKLM] -> [URL]http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab[/URL] [Reg Error: Key error.] -> 
Garmin Communicator Plug-In [HKLM] -> [URL]https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB[/URL] [Reg Error: Key error.] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 192.168.1.254 192.168.1.254 -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{27FA60FB-5855-47ED-90FC-73C7DFD953D2}\\DhcpNameServer -> 192.168.1.254 192.168.1.254   (Realtek RTL8101 Family PCI-E Fast Ethernet NIC (NDIS 6.0)) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\Windows\explorer.exe -> [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\Windows\system32\userinit.exe -> C:\Windows\System32\userinit.exe -> [2008/01/21 03:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  -> 
C:\autoexec.bat [REM Dummy file for NTVDM | ] -> C:\autoexec.bat [ NTFS ] -> [2006/09/18 22:43:36 | 000,000,024 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = ComFile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 
 
[Registry - Additional Scans - Safe List]
< EventViewer Logs - Last 10 Errors > -> Event Information -> Description
Application [ Error ] 06/01/2012 13:28:04 Computer Name = Hart-PC | Source = McLogEvent | ID = 5051 -> Description = 
Application [ Error ] 06/01/2012 16:36:36 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 07/01/2012 04:56:36 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 07/01/2012 10:22:25 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 08/01/2012 09:09:05 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 08/01/2012 12:11:54 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 10/01/2012 13:40:39 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 10/01/2012 15:47:05 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 12/01/2012 04:27:07 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
Application [ Error ] 12/01/2012 08:08:59 Computer Name = Hart-PC | Source = WinMgmt | ID = 10 -> Description = 
OSession [ Error ] 04/11/2011 14:24:29 Computer Name = Hart-PC | Source = Microsoft Office 12 Sessions | ID = 7001 -> Description = ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 16 seconds with 0 seconds of active time.  This session ended with a crash.
System [ Error ] 06/06/2013 17:42:21 Computer Name = Hart-PC | Source = nvstor32 | ID = 262149 -> Description = A parity error was detected on \Device\RaidPort0.
System [ Error ] 06/06/2013 17:43:14 Computer Name = Hart-PC | Source = nvstor32 | ID = 262149 -> Description = A parity error was detected on \Device\RaidPort0.
System [ Error ] 06/06/2013 19:27:04 Computer Name = Hart-PC | Source = nvstor32 | ID = 262149 -> Description = A parity error was detected on \Device\RaidPort0.
System [ Error ] 06/06/2013 22:12:16 Computer Name = Hart-PC | Source = DCOM | ID = 10005 -> Description = 
System [ Error ] 06/06/2013 22:12:16 Computer Name = Hart-PC | Source = Service Control Manager | ID = 7009 -> Description = 
System [ Error ] 06/06/2013 22:12:16 Computer Name = Hart-PC | Source = Service Control Manager | ID = 7000 -> Description = 
System [ Error ] 06/06/2013 22:16:02 Computer Name = Hart-PC | Source = Service Control Manager | ID = 7009 -> Description = 
System [ Error ] 06/06/2013 22:16:02 Computer Name = Hart-PC | Source = Service Control Manager | ID = 7000 -> Description = 
System [ Error ] 06/06/2013 22:35:52 Computer Name = Hart-PC | Source = Service Control Manager | ID = 7038 -> Description = 
System [ Error ] 06/06/2013 22:35:52 Computer Name = Hart-PC | Source = Service Control Manager | ID = 7000 -> Description = 
 
[Files/Folders - Created Within 30 Days]
 mshtml.tlb -> C:\Windows\System32\mshtml.tlb -> [2013/06/07 03:15:27 | 002,382,848 | ---- | C] (Microsoft Corporation)
 msfeeds.dll -> C:\Windows\System32\msfeeds.dll -> [2013/06/07 03:08:34 | 000,607,744 | ---- | C] (Microsoft Corporation)
 ieui.dll -> C:\Windows\System32\ieui.dll -> [2013/06/07 03:08:34 | 000,176,640 | ---- | C] (Microsoft Corporation)
 ieUnatt.exe -> C:\Windows\System32\ieUnatt.exe -> [2013/06/07 03:08:34 | 000,142,848 | ---- | C] (Microsoft Corporation)
 jsproxy.dll -> C:\Windows\System32\jsproxy.dll -> [2013/06/07 03:08:34 | 000,065,024 | ---- | C] (Microsoft Corporation)
 jscript9.dll -> C:\Windows\System32\jscript9.dll -> [2013/06/07 03:08:33 | 001,800,704 | ---- | C] (Microsoft Corporation)
 url.dll -> C:\Windows\System32\url.dll -> [2013/06/07 03:08:33 | 000,231,936 | ---- | C] (Microsoft Corporation)
 inetcpl.cpl -> C:\Windows\System32\inetcpl.cpl -> [2013/06/07 03:08:32 | 001,427,968 | ---- | C] (Microsoft Corporation)
 MpSigStub.exe -> C:\Windows\System32\MpSigStub.exe -> [2013/06/06 21:35:24 | 000,238,872 | ---- | C] (Microsoft Corporation)
 cdd.dll -> C:\Windows\System32\cdd.dll -> [2013/06/06 21:34:49 | 000,037,376 | ---- | C] (Microsoft Corporation)
 win32k.sys -> C:\Windows\System32\win32k.sys -> [2013/06/06 21:34:40 | 002,049,024 | ---- | C] (Microsoft Corporation)
 Malwarebytes' Anti-Malware (portable) -> C:\ProgramData\Malwarebytes' Anti-Malware (portable) -> [2013/06/06 20:25:41 | 000,000,000 | ---D | C]
 Malwarebytes -> C:\ProgramData\Malwarebytes -> [2013/06/06 20:25:00 | 000,000,000 | ---D | C]
 _OTS -> C:\_OTS -> [2013/05/28 20:27:22 | 000,000,000 | ---D | C]
 temp -> C:\Windows\temp -> [2013/05/26 13:32:06 | 000,000,000 | ---D | C]
 temp -> C:\Users\Hart\AppData\Local\temp -> [2013/05/26 13:32:06 | 000,000,000 | ---D | C]
 $RECYCLE.BIN -> C:\$RECYCLE.BIN -> [2013/05/26 13:31:04 | 000,000,000 | -HSD | C]
 SWREG.exe -> C:\Windows\SWREG.exe -> [2013/05/26 13:17:16 | 000,518,144 | ---- | C] (SteelWerX)
 SWSC.exe -> C:\Windows\SWSC.exe -> [2013/05/26 13:17:16 | 000,406,528 | ---- | C] (SteelWerX)
 NIRCMD.exe -> C:\Windows\NIRCMD.exe -> [2013/05/26 13:17:16 | 000,060,416 | ---- | C] (NirSoft)
 ComboFix -> C:\ComboFix -> [2013/05/26 13:17:13 | 000,000,000 | ---D | C]
 Qoobox -> C:\Qoobox -> [2013/05/26 13:08:49 | 000,000,000 | ---D | C]
 erdnt -> C:\Windows\erdnt -> [2013/05/26 13:08:26 | 000,000,000 | ---D | C]
 WindowsSearch -> C:\ProgramData\WindowsSearch -> [2013/05/14 01:26:23 | 000,000,000 | ---D | C]
 
[Files/Folders - Modified Within 30 Days]
 Adobe Flash Player Updater.job -> C:\Windows\tasks\Adobe Flash Player Updater.job -> [2013/06/07 06:45:15 | 000,000,830 | ---- | M] ()
 7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 -> C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 -> [2013/06/07 05:33:37 | 000,003,216 | -H-- | M] ()
 7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 -> C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 -> [2013/06/07 05:33:37 | 000,003,216 | -H-- | M] ()
 perfh009.dat -> C:\Windows\System32\perfh009.dat -> [2013/06/07 03:39:16 | 000,609,182 | ---- | M] ()
 perfc009.dat -> C:\Windows\System32\perfc009.dat -> [2013/06/07 03:39:16 | 000,108,690 | ---- | M] ()
 LogConfigTemp.xml -> C:\Windows\System32\LogConfigTemp.xml -> [2013/06/07 03:33:50 | 000,000,000 | ---- | M] ()
 FNTCACHE.DAT -> C:\Windows\System32\FNTCACHE.DAT -> [2013/06/07 03:33:37 | 000,385,648 | ---- | M] ()
 bootstat.dat -> C:\Windows\bootstat.dat -> [2013/06/07 03:33:32 | 000,067,584 | --S- | M] ()
 hiberfil.sys -> C:\hiberfil.sys -> [2013/06/07 03:32:32 | 3220,422,656 | -HS- | M] ()
 FlashPlayerApp.exe -> C:\Windows\System32\FlashPlayerApp.exe -> [2013/06/06 21:46:10 | 000,692,104 | ---- | M] (Adobe Systems Incorporated)
 FlashPlayerCPLApp.cpl -> C:\Windows\System32\FlashPlayerCPLApp.cpl -> [2013/06/06 21:46:09 | 000,071,048 | ---- | M] (Adobe Systems Incorporated)
 MEMORY.DMP -> C:\Windows\MEMORY.DMP -> [2013/06/05 23:53:44 | 254,406,718 | ---- | M] ()
 Repair - May 2013 - Shortcut.lnk -> C:\Users\Hart\Desktop\Repair - May 2013 - Shortcut.lnk -> [2013/05/27 11:05:17 | 000,000,637 | ---- | M] ()
 hosts -> C:\Windows\System32\drivers\etc\hosts -> [2013/05/26 13:29:06 | 000,000,027 | ---- | M] ()
 d3d9caps.dat -> C:\Users\Hart\AppData\Local\d3d9caps.dat -> [2013/05/26 12:07:14 | 000,001,356 | ---- | M] ()
 
[Files - No Company Name]
 hiberfil.sys -> C:\hiberfil.sys -> [2013/06/06 21:20:26 | 3220,422,656 | -HS- | C] ()
 Repair - May 2013 - Shortcut.lnk -> C:\Users\Hart\Desktop\Repair - May 2013 - Shortcut.lnk -> [2013/05/27 11:05:17 | 000,000,637 | ---- | C] ()
 PEV.exe -> C:\Windows\PEV.exe -> [2013/05/26 13:17:16 | 000,256,000 | ---- | C] ()
 MBR.exe -> C:\Windows\MBR.exe -> [2013/05/26 13:17:16 | 000,208,896 | ---- | C] ()
 sed.exe -> C:\Windows\sed.exe -> [2013/05/26 13:17:16 | 000,098,816 | ---- | C] ()
 grep.exe -> C:\Windows\grep.exe -> [2013/05/26 13:17:16 | 000,080,412 | ---- | C] ()
 zip.exe -> C:\Windows\zip.exe -> [2013/05/26 13:17:16 | 000,068,096 | ---- | C] ()
 d3d9caps.dat -> C:\Users\Hart\AppData\Local\d3d9caps.dat -> [2012/03/15 09:18:27 | 000,001,356 | ---- | C] ()
 mlfcache.dat -> C:\Windows\System32\mlfcache.dat -> [2012/01/28 22:00:40 | 000,175,244 | -H-- | C] ()
< End of report >
```


----------



## xelahart (Apr 29, 2009)

I decided to try running GMER in normal mode and had some success.
It seemed to run fine and got past the points where it was crashing or BSODing when I ran it in Safe Mode.
However, the scan took so long (over 3 hours) that I gave up and went to bed; when I woke up the computer appeared to have restarted and I had no record of a log.
I will try again.


----------



## Cookiegal (Aug 27, 2003)

That report revealed errors that may indicate a hardware problem. Let's run this utility, which will give more detail on the errors, and then I'll ask a colleague to check that aspect out.

Please download the Event Viewer Tool by Vino Rosso *VEW* and save it to your Desktop:


Double-click *VEW.exe*

Under "Select log to query", select:

*Application*
*System*

Under "Select type to list", select:

*Error*
*Warning*

Click the radio button for "Number of events"
Type *20* in the 1 to 20 box 
Then click the *Run* button.

Notepad will open with the output log. Please copy and paste the contents here.
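
For anyone following this thread later who cannot get VEW to run, here is a PowerShell script that pulls the same information straight from the event logs. This is an added example, not part of the thread and not VEW or any other tool mentioned here. It assumes Windows PowerShell 2.0 or later is installed on the Vista machine, that it is run from an elevated prompt so the System log is fully readable, and that the Desktop is writable (the output path and the 20-entry default are my choices, matching the VEW settings above). Beyond what VEW does, it also counts repeating Source/ID pairs, because a storage or RAID driver logging the same error over and over is exactly the pattern a hardware check is looking for.

```powershell
# Added example: reproduce the VEW query (last N Error and Warning entries from the
# Application and System logs) with built-in cmdlets, then tally repeating events.
# Assumptions: Windows PowerShell 2.0+, elevated prompt, writable Desktop.

param(
    [int]$Count = 20,                                                # entries per log/type, as in the VEW instructions
    [string]$OutFile = "$env:USERPROFILE\Desktop\EventLogSummary.txt"  # assumed output path
)

$logs  = 'Application', 'System'
$types = 'Error', 'Warning'

# Collect the newest $Count entries of each type from each log.
# InstanceId is the full event ID (e.g. 262149); the EventID property is only
# the low 16 bits and would show 5 for the same event, so InstanceId is used.
$report = foreach ($log in $logs) {
    foreach ($type in $types) {
        Get-EventLog -LogName $log -EntryType $type -Newest $Count -ErrorAction SilentlyContinue |
            Select-Object @{n='Log';     e={$log}},
                          @{n='Type';    e={$_.EntryType}},
                          @{n='Time';    e={$_.TimeGenerated}},
                          @{n='Source';  e={$_.Source}},
                          @{n='EventID'; e={$_.InstanceId}},
                          @{n='Message'; e={$_.Message}}
    }
}

# One line per entry, newest first, with the description flattened to one line.
$lines = $report | Sort-Object Time -Descending | ForEach-Object {
    '{0} [ {1} ] {2:dd/MM/yyyy HH:mm:ss} Source = {3} | ID = {4} -> {5}' -f `
        $_.Log, $_.Type, $_.Time, $_.Source, $_.EventID, ($_.Message -replace '\s+', ' ')
}

# Repeating Source/ID pairs, most frequent first. A driver such as a storage
# controller logging the same ID many times stands out here immediately.
$tally = $report | Group-Object Source, EventID | Sort-Object Count -Descending | ForEach-Object {
    '{0,4} x {1}' -f $_.Count, $_.Name
}

$output = @('== Most recent Error/Warning entries ==') + $lines +
          @('', '== Repeating Source/ID pairs ==') + $tally

$output | Set-Content -Path $OutFile -Encoding UTF8
notepad.exe $OutFile   # opens the summary for copy-and-paste into the thread
```

Run it from a PowerShell prompt opened with "Run as administrator"; the default of 20 entries per log and type matches the VEW settings above, and `-Count` can be raised if the helper wants more history. The second section of the output is the part worth reading first: an entry that repeats many times from the same source is usually one fault being logged repeatedly rather than many separate problems.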


----------



## xelahart (Apr 29, 2009)

VEW.exe won't run. It loads up and I checked the things you said, but when I click 'Run' I get an error window saying: 'Run-time error 75: Path/file access error'.

See attached image.


----------



## xelahart (Apr 29, 2009)

However, on the plus side I got GMER to finish a full scan. Don't know if that helps.

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-07 18:37:00
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\00000058 WDC_WD64 rev.01.0 596.17GB
Running: yldpzouv.exe; Driver: C:\Users\Hart\AppData\Local\Temp\pxldipow.sys

---- System - GMER 2.1 ----
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x963861E6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x96386EDA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0x963871E2]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x9638AC2E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x9638AC7C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwLoadKey [0x9638AEC2]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x9638708A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0x96386398]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0x96386626]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwProtectVirtualMemory [0x963867E0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x9638ADCA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x9638ACE6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x9638AD3A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0x9638AD82]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetContextThread [0x96386154]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0x963872F6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetValueKey [0x9638AB54]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0x96386090]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateProcess [0x96385F20]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateThread [0x96385F96]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_51755.sys ZwCreateThreadEx [0x962A7DB0]
INT 0x51 ? 8BE05BF8
INT 0x72 ? 8D7DAF00
INT 0x82 ? 8BE04BF8
INT 0x92 ? 8BE05BF8
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!KeSetEvent + 191 888AD8D4 4 Bytes [E6, 61, 38, 96]
.text ntkrnlpa.exe!KeSetEvent + 1D9 888AD91C 4 Bytes [DA, 6E, 38, 96] {FISUBR DWORD [ESI+0x38]; XCHG ESI, EAX}
.text ntkrnlpa.exe!KeSetEvent + 2D1 888ADA14 8 Bytes [E2, 71, 38, 96, 2E, AC, 38, ...] {LOOP 0x73; CMP [ESI-0x69c753d2], DL}
.text ntkrnlpa.exe!KeSetEvent + 2E1 888ADA24 4 Bytes [7C, AC, 38, 96]
.text ntkrnlpa.exe!KeSetEvent + 381 888ADAC4 4 Bytes [C2, AE, 38, 96] {RET 0x38ae; XCHG ESI, EAX}
.text ... 
? System32\Drivers\spup.sys The system cannot find the path specified. !
---- User code sections - GMER 2.1 ----
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1004] ntdll.dll!KiUserApcDispatcher 76F15B78 5 Bytes JMP 00044710 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1004] kernel32.dll!LoadLibraryExW + 173 756E93DF 4 Bytes JMP 71AB000A 
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1004] WS2_32.dll!getaddrinfo 76E8418A 5 Bytes JMP 71A50022 
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1004] WS2_32.dll!gethostbyname 76E962D4 5 Bytes JMP 71AE0022 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] ntdll.dll!NtMapViewOfSection 76F14994 5 Bytes JMP 719F0022 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] ntdll.dll!KiUserApcDispatcher + E 76F15B86 5 Bytes JMP 67800FC0 c:\program files\trusteer\rapport\bin\rooksdol.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] kernel32.dll!QueueUserWorkItem 756D9104 6 Bytes PUSH 70EE0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] kernel32.dll!LoadLibraryExW + 173 756E93DF 4 Bytes JMP 71AC000A 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] kernel32.dll!SetUnhandledExceptionFilter 756EA8B5 6 Bytes PUSH 71A30022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] kernel32.dll!CreateThread 7570CB0E 5 Bytes JMP 6C2475E3 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WS2_32.dll!connect 76E840D9 5 Bytes JMP 710D0022 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WS2_32.dll!getaddrinfo 76E8418A 5 Bytes JMP 71080022 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WS2_32.dll!GetAddrInfoExW 76E9288D 5 Bytes JMP 71120022 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] GDI32.dll!BitBlt 758370A6 6 Bytes PUSH 71810022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!CreateDialogParamW 75AE72A2 5 Bytes JMP 6C3D9520 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!DdeInitializeW 75AE7921 6 Bytes PUSH 71750022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!GetAsyncKeyState 75AE863C 5 Bytes JMP 6C22DECD C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!SetWindowsHookExW 75AE87AD 5 Bytes JMP 6C2825B4 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!CallNextHookEx 75AE8E3B 5 Bytes JMP 6C2A7FF1 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!UnhookWindowsHookEx 75AE98DB 5 Bytes JMP 6C2CED14 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!EnableWindow 75AECD8B 5 Bytes JMP 6C289EBC C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!RegisterClassExW 75AEDA30 6 Bytes PUSH 71AE0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!DefWindowProcA 75AEDB88 7 Bytes JMP 6C24980D C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!CreateWindowExA 75AEDC2A 6 Bytes JMP 6C253643 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!RegisterClassA 75AEDF42 6 Bytes PUSH 71890022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!RegisterClassW 75AEE1AB 6 Bytes PUSH 71A60022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!CreateWindowExW 75AF1305 6 Bytes JMP 7196000A 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!GetKeyState 75AF8CB1 5 Bytes JMP 6C22DDA7 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!TranslateMessage 75B001AD 6 Bytes PUSH 716B0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!DefWindowProcW 75B003B4 7 Bytes JMP 6C2A8054 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!PeekMessageW 75B0045A 6 Bytes PUSH 719B0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!IsDialogMessageW 75B00745 5 Bytes JMP 6C3D9C7A C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!CreateDialogParamA 75B017AA 5 Bytes JMP 6C3D94E8 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!IsDialogMessage 75B01847 5 Bytes JMP 6C3D9C52 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!CreateDialogIndirectParamA 75B026F1 5 Bytes JMP 6C3D9558 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!CreateDialogIndirectParamW 75B09A62 5 Bytes JMP 6C3D9590 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!SetKeyboardState 75B10987 5 Bytes JMP 6C3DA571 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!DialogBoxParamW 75B110B0 5 Bytes JMP 6C1E189B C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!DialogBoxIndirectParamW 75B12EF5 5 Bytes JMP 6C3D91B6 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!SendInput 75B12F75 5 Bytes JMP 6C3DA519 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!EndDialog 75B1326E 5 Bytes JMP 6C3D9F26 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!SetCursorPos 75B26FB2 3 Bytes JMP 6C3DA5F2 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!SetCursorPos + 4 75B26FB6 1 Byte [F6]
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!GetClipboardData 75B2715A 6 Bytes PUSH 71710022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!DialogBoxParamA 75B28152 3 Bytes JMP 6C3D9151 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!DialogBoxParamA + 4 75B28156 1 Byte [F6]
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!DialogBoxIndirectParamA 75B2847D 3 Bytes JMP 6C3D921B C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!DialogBoxIndirectParamA + 4 75B28481 1 Byte [F6]
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!MessageBoxIndirectA 75B3D4D9 5 Bytes JMP 6C3D90D8 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!MessageBoxIndirectW 75B3D5D3 5 Bytes JMP 6C3D905F C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!MessageBoxExA 75B3D639 5 Bytes JMP 6C3D8FFB C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!MessageBoxExW 75B3D65D 5 Bytes JMP 6C3D8F97 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] USER32.dll!keybd_event 75B3D972 5 Bytes JMP 6C3DA4D6 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] SHELL32.dll!SHRestricted + D95 762689A8 4 Bytes [CF, 01, 5E, 68] {IRET ; ADD [ESI+0x68], EBX}
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] SHELL32.dll!SHRestricted + D9D 762689B0 8 Bytes [E0, 61, 5D, 68, 79, F7, 5D, ...] {LOOPNZ 0x63; POP EBP; PUSH DWORD 0x685df779}
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] ole32.dll!OleLoadFromStream 75591E80 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] ole32.dll!OleLoadFromStream  75591E80 5 Bytes JMP 6C3D9984 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] ole32.dll!CoCreateInstanceEx 755C9F81 5 Bytes JMP 717D0022 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!InternetCloseHandle 76FFC664 6 Bytes PUSH 714B0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!InternetReadFile 76FFF8D8 6 Bytes PUSH 712B0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!HttpAddRequestHeadersA 77002A3C 6 Bytes PUSH 71670022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!InternetQueryDataAvailable 77003184 6 Bytes PUSH 712F0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!InternetOpenA 7700D5E0 6 Bytes PUSH 71370022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!InternetConnectA 7702567E 6 Bytes PUSH 71470022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!HttpOpenRequestA 77025761 6 Bytes PUSH 71630022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!InternetConnectW 77025CFA 6 Bytes PUSH 71430022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!HttpOpenRequestW 77025FEF 6 Bytes PUSH 715F0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!HttpSendRequestW 7702632D 6 Bytes PUSH 714F0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!InternetOpenW 7702C596 6 Bytes PUSH 71330022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!InternetSetStatusCallback 7702C7AA 6 Bytes PUSH 711F0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!InternetReadFileExW 7702F9EE 6 Bytes PUSH 71230022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!InternetReadFileExA 7702FA49 6 Bytes PUSH 71270022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!InternetGetCookieExA 77032B91 6 Bytes PUSH 713B0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!HttpSendRequestExW 7703F564 6 Bytes PUSH 71530022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!InternetWriteFile 7703F6C6 6 Bytes PUSH 711B0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!HttpSendRequestA 7705525A 6 Bytes PUSH 715B0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!HttpSendRequestExA 7709ECE5 6 Bytes PUSH 71570022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[1792] WININET.dll!InternetGetCookieA 770A03DE 6 Bytes PUSH 713F0022; RET 
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[5228] ntdll.dll!KiUserApcDispatcher 76F15B78 5 Bytes JMP 013EC4A0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[5228] kernel32.dll!LoadLibraryExW + 173 756E93DF 4 Bytes JMP 71AC000A 
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[5228] kernel32.dll!CreateRemoteThread + 175 7570CCAA 4 Bytes JMP 719F0000 
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[5228] USER32.dll!InSendMessageEx + 3B1 75AEE6B0 6 Bytes JMP 71AE001E 
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[5228] WS2_32.dll!getaddrinfo 76E8418A 5 Bytes JMP 71A20022 
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[5228] WS2_32.dll!gethostbyname 76E962D4 5 Bytes JMP 71A60022 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] ntdll.dll!NtMapViewOfSection 76F14994 5 Bytes JMP 719E0022 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] ntdll.dll!KiUserApcDispatcher + E 76F15B86 5 Bytes JMP 67800FC0 c:\program files\trusteer\rapport\bin\rooksdol.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] kernel32.dll!QueueUserWorkItem 756D9104 6 Bytes PUSH 70E20022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] kernel32.dll!LoadLibraryExW + 173 756E93DF 4 Bytes JMP 71AB000A 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] kernel32.dll!SetUnhandledExceptionFilter 756EA8B5 6 Bytes PUSH 71A20022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!DdeInitializeW 75AE7921 6 Bytes PUSH 716A0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!EnableWindow 75AECD8B 5 Bytes JMP 6C289EBC C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!RegisterClassExW 75AEDA30 6 Bytes PUSH 71AD0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!CreateWindowExA 75AEDC2A 6 Bytes JMP 7191000A 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!RegisterClassA 75AEDF42 6 Bytes PUSH 71820022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!RegisterClassW 75AEE1AB 6 Bytes PUSH 71A50022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!CreateWindowExW 75AF1305 6 Bytes JMP 7195000A 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!TranslateMessage 75B001AD 6 Bytes PUSH 71600022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!PeekMessageW 75B0045A 6 Bytes PUSH 719A0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!DialogBoxParamW 75B110B0 5 Bytes JMP 6C1E189B C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!DialogBoxIndirectParamW 75B12EF5 5 Bytes JMP 6C3D91B6 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!GetClipboardData 75B2715A 6 Bytes PUSH 71660022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!DialogBoxParamA 75B28152 3 Bytes JMP 6C3D9151 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!DialogBoxParamA + 4 75B28156 1 Byte [F6]
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!DialogBoxIndirectParamA 75B2847D 3 Bytes JMP 6C3D921B C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!DialogBoxIndirectParamA + 4 75B28481 1 Byte [F6]
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!MessageBoxIndirectA 75B3D4D9 5 Bytes JMP 6C3D90D8 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!MessageBoxIndirectW 75B3D5D3 5 Bytes JMP 6C3D905F C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!MessageBoxExA 75B3D639 5 Bytes JMP 6C3D8FFB C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] USER32.dll!MessageBoxExW 75B3D65D 5 Bytes JMP 6C3D8F97 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] GDI32.dll!BitBlt 758370A6 6 Bytes PUSH 71760022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] ole32.dll!CoCreateInstance 755C9F3E 6 Bytes JMP 7187000A 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] ole32.dll!CoCreateInstanceEx 755C9F81 5 Bytes JMP 71720022 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!InternetCloseHandle 76FFC664 6 Bytes PUSH 71400022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!InternetReadFile 76FFF8D8 6 Bytes PUSH 71200022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!HttpAddRequestHeadersA 77002A3C 6 Bytes PUSH 715C0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!InternetQueryDataAvailable 77003184 6 Bytes PUSH 71240022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!InternetOpenA 7700D5E0 6 Bytes PUSH 712C0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!InternetConnectA 7702567E 6 Bytes PUSH 713C0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!HttpOpenRequestA 77025761 6 Bytes PUSH 71580022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!InternetConnectW 77025CFA 6 Bytes PUSH 71380022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!HttpOpenRequestW 77025FEF 6 Bytes PUSH 71540022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!HttpSendRequestW 7702632D 6 Bytes PUSH 71440022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!InternetOpenW 7702C596 6 Bytes PUSH 71280022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!InternetSetStatusCallback 7702C7AA 6 Bytes PUSH 71130022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!InternetReadFileExW 7702F9EE 6 Bytes PUSH 71170022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!InternetReadFileExA 7702FA49 6 Bytes PUSH 711B0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!InternetGetCookieExA 77032B91 6 Bytes PUSH 71300022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!HttpSendRequestExW 7703F564 6 Bytes PUSH 71480022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!InternetWriteFile 7703F6C6 6 Bytes PUSH 710F0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!HttpSendRequestA 7705525A 6 Bytes PUSH 71500022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!HttpSendRequestExA 7709ECE5 6 Bytes PUSH 714C0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WININET.dll!InternetGetCookieA 770A03DE 6 Bytes PUSH 71340022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WS2_32.dll!connect 76E840D9 5 Bytes JMP 71010022 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WS2_32.dll!getaddrinfo 76E8418A 5 Bytes JMP 70EE0022 
.text C:\Program Files\Internet Explorer\iexplore.exe[5336] WS2_32.dll!GetAddrInfoExW 76E9288D 5 Bytes JMP 71060022 
.text C:\Program Files\Internet Explorer\iexplore.exe[5692] ntdll.dll!NtMapViewOfSection 76F14994 5 Bytes JMP 719A0022 
.text C:\Program Files\Internet Explorer\iexplore.exe[5692] ntdll.dll!KiUserApcDispatcher + E 76F15B86 5 Bytes JMP 67800FC0 c:\program files\trusteer\rapport\bin\rooksdol.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5692] kernel32.dll!QueueUserWorkItem 756D9104 6 Bytes PUSH 70E60022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5692] kernel32.dll!LoadLibraryExW + 173 756E93DF 4 Bytes JMP 71AB000A 
.text C:\Program Files\Internet Explorer\iexplore.exe[5692] kernel32.dll!SetUnhandledExceptionFilter 756EA8B5 6 Bytes PUSH 719E0022; RET 
.text C:\Program Files\Internet Explorer\iexplore.exe[5692] kernel32.dll!CreateThread 7570CB0E 5 Bytes JMP 6C2475E3 C:\Windows\system32\IEFRAME.dll


----------



## Cookiegal (Aug 27, 2003)

Did you save VEW.exe to your desktop?


----------



## xelahart (Apr 29, 2009)

I didn't, but I just have and got exactly the same result.


----------



## Cookiegal (Aug 27, 2003)

Did you right-click the program and select "Run As Administrator"?


----------



## xelahart (Apr 29, 2009)

That seems to have been the problem. It ran fine as Administrator.
FYI, your instructions don't say anything about running it as Administrator:

"Please download the Event Viewer Tool by Vino Rosso *VEW* and save it to your Desktop:

Double-click *VEW.exe*"
Here is the log:

Vino's Event Viewer v01c run on Windows Vista in English
Report run at 09/06/2013 09:57:52
Note: All dates below are in the format dd/mm/yyyy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 09/06/2013 08:48:58
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 08/06/2013 19:52:04
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 07/06/2013 06:22:04
Type: Error Category: 0
Event: 1010 Source: Microsoft-Windows-Perflib
The Collect Procedure for the "EmdCache" service in DLL "C:\Windows\system32\emdmgmt.dll" generated an exception or returned an invalid status. The performance data returned by the counter DLL will not be returned in the Perf Data Block. The first four bytes (DWORD) of the Data section contains the exception code or status code.
Log: 'Application' Date/Time: 07/06/2013 06:22:04
Type: Error Category: 0
Event: 1008 Source: Microsoft-Windows-Perflib
The Open Procedure for service "BITS" in DLL "C:\Windows\system32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
Log: 'Application' Date/Time: 07/06/2013 02:34:12
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 07/06/2013 02:12:16
Type: Error Category: 3
Event: 3007 Source: Microsoft-Windows-Search
Performance monitoring cannot be initialized for the gatherer object, because the counters are not loaded or the shared memory object cannot be opened. This only affects availability of the perfmon counters. Restart the computer.
Context: Application, SystemIndex Catalog

Log: 'Application' Date/Time: 07/06/2013 02:12:16
Type: Error Category: 3
Event: 3006 Source: Microsoft-Windows-Search
Performance monitoring cannot be initialized for the gatherer service, because the counters are not loaded or the shared memory object cannot be opened. This only affects availability of the perfmon counters. Restart the computer.

Log: 'Application' Date/Time: 06/06/2013 20:42:05
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\USERS\HART\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\PROGRAMDATA\NVIDIA CORPORATION\DRS> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 06/06/2013 20:42:05
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\USERS\HART\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\PROGRAMDATA\NVIDIA CORPORATION\DRS> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 06/06/2013 20:42:01
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\USERS\HART\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\USERS\HART\APPDATA\LOCAL\TRUSTEER\RAPPORT> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 06/06/2013 20:42:01
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\USERS\HART\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\USERS\HART\APPDATA\LOCAL\TRUSTEER\RAPPORT> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 06/06/2013 20:41:57
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\USERS\HART\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\USERS\HART\APPDATA\ROAMING\MICROSOFT> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 06/06/2013 20:41:57
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\USERS\HART\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\USERS\HART\APPDATA\ROAMING\MICROSOFT> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 06/06/2013 20:41:56
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\USERS\HART\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\USERS\HART\APPDATA\ROAMING\MICROSOFT\WINDOWS> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 06/06/2013 20:41:56
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\USERS\HART\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\USERS\HART\APPDATA\ROAMING\MICROSOFT\WINDOWS> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 06/06/2013 20:41:53
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\USERS\HART\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\PROGRAMDATA\NVIDIA CORPORATION> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 06/06/2013 20:41:53
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\USERS\HART\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\PROGRAMDATA\NVIDIA CORPORATION> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 06/06/2013 20:41:52
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\USERS\HART\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\USERS\HART\APPDATA\ROAMING\MICROSOFT\WINDOWS\PRIVACIE> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 06/06/2013 20:41:52
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\USERS\HART\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\USERS\HART\APPDATA\ROAMING\MICROSOFT\WINDOWS\PRIVACIE> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 06/06/2013 20:41:52
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\USERS\HART\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\MACROMEDIA.COM\SUPPORT> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 09/06/2013 08:47:34
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 08/06/2013 19:51:14
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 07/06/2013 02:33:49
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 06/06/2013 20:53:22
Type: Warning Category: 1
Event: 1015 Source: Microsoft-Windows-Search
Event ID 3013 for the Windows Search Service has been suppressed 30 time(s) since 21:42:16. This event is used to suppress Windows Search Service events that have occurred frequently within a short period of time. See Event ID 3013 for further details on this event.
Log: 'Application' Date/Time: 06/06/2013 20:20:43
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 06/06/2013 20:18:49
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 06/06/2013 20:18:48
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 06/06/2013 19:13:04
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 05/06/2013 23:13:15
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 05/06/2013 23:13:15
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 05/06/2013 22:54:21
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 05/06/2013 22:49:46
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 05/06/2013 22:48:06
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 05/06/2013 22:48:06
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 05/06/2013 22:43:47
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 05/06/2013 22:37:03
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 05/06/2013 22:35:29
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 05/06/2013 22:35:28
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 05/06/2013 22:25:33
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Log: 'Application' Date/Time: 05/06/2013 22:02:15
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 09/06/2013 08:49:38
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 09/06/2013 08:49:38
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 08/06/2013 19:53:26
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 08/06/2013 19:53:26
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 07/06/2013 08:21:19
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
Log: 'System' Date/Time: 07/06/2013 06:21:43
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
Log: 'System' Date/Time: 07/06/2013 02:35:52
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 07/06/2013 02:35:52
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 07/06/2013 02:16:02
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
Log: 'System' Date/Time: 07/06/2013 02:16:02
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
Log: 'System' Date/Time: 07/06/2013 02:12:16
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
Log: 'System' Date/Time: 07/06/2013 02:12:16
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
Log: 'System' Date/Time: 07/06/2013 02:12:16
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
Log: 'System' Date/Time: 06/06/2013 23:27:04
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
Log: 'System' Date/Time: 06/06/2013 21:43:14
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
Log: 'System' Date/Time: 06/06/2013 21:42:21
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
Log: 'System' Date/Time: 06/06/2013 21:41:59
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
Log: 'System' Date/Time: 06/06/2013 21:39:30
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
Log: 'System' Date/Time: 06/06/2013 21:36:38
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
Log: 'System' Date/Time: 06/06/2013 21:36:02
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 07/06/2013 08:21:19
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 07/06/2013 06:21:43
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 07/06/2013 06:19:44
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 07/06/2013 02:15:40
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2847204(Security Update) into Install Requested(Install Requested) state
Log: 'System' Date/Time: 07/06/2013 02:15:40
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2847204(Security Update) into Install Requested(Install Requested) state
Log: 'System' Date/Time: 07/06/2013 02:15:40
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2847204(Security Update) into Install Requested(Install Requested) state
Log: 'System' Date/Time: 07/06/2013 02:15:27
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2830290(Security Update) into Install Requested(Install Requested) state
Log: 'System' Date/Time: 07/06/2013 02:15:27
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2830290(Security Update) into Install Requested(Install Requested) state
Log: 'System' Date/Time: 07/06/2013 02:15:27
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2830290(Security Update) into Install Requested(Install Requested) state
Log: 'System' Date/Time: 07/06/2013 02:15:27
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2830290(Security Update) into Install Requested(Install Requested) state
Log: 'System' Date/Time: 07/06/2013 02:15:21
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2830290(Security Update) is not applicable for this system
Log: 'System' Date/Time: 07/06/2013 02:15:21
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2830290(Security Update) is not applicable for this system
Log: 'System' Date/Time: 07/06/2013 02:15:18
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2804580(Security Update) into Install Requested(Install Requested) state
Log: 'System' Date/Time: 07/06/2013 02:15:18
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2804580(Security Update) into Install Requested(Install Requested) state
Log: 'System' Date/Time: 07/06/2013 02:15:18
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2804580(Security Update) into Install Requested(Install Requested) state
Log: 'System' Date/Time: 07/06/2013 02:15:18
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2804580(Security Update) into Install Requested(Install Requested) state
Log: 'System' Date/Time: 07/06/2013 02:15:18
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2804580(Security Update) into Install Requested(Install Requested) state
Log: 'System' Date/Time: 07/06/2013 02:15:12
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2804580(Security Update) is not applicable for this system
Log: 'System' Date/Time: 07/06/2013 02:15:12
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2804580(Security Update) is not applicable for this system
Log: 'System' Date/Time: 07/06/2013 02:15:12
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2804580(Security Update) is not applicable for this system


----------



## Cookiegal (Aug 27, 2003)

Please download *MBRCheck.exe* to your desktop.

Be sure to disable your security programs prior to running the tool. 
Double click on MBRCheck.exe to run it. Please allow any prompts popped by Windows in order to run the tool.
_(Vista and Windows 7 users will have to confirm the UAC prompt)_
A command window will pop open and run. If any unknown MBR code is found, you will be prompted with further options; at this point please press *N* and then press *Enter*.
Press *Enter* again to exit the program.
If nothing unusual is found, you will be shown the machine MBR status. Just press *Enter* to exit.
A text file named *MBRCheck_mm.dd.yy_hh.mm.ss* should appear on your desktop. Please post the contents of that file.


----------



## xelahart (Apr 29, 2009)

It said it found something funny, so I pressed N as instructed. Log below.

MBRCheck, version 1.2.3
(c) 2010, AD
Command-line: 
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Packard Bell BV
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Packard Bell BV
System Product Name: IMEDIA X2416
Logical Drives Mask: 0x000002ec
Kernel Drivers (total 142):
0x88800000 \SystemRoot\system32\ntkrnlpa.exe
0x88BBA000 \SystemRoot\system32\hal.dll
0x80604000 \SystemRoot\system32\kdcom.dll
0x8060B000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8067B000 \SystemRoot\system32\PSHED.dll
0x8068C000 \SystemRoot\system32\BOOTVID.dll
0x80694000 \SystemRoot\system32\CLFS.SYS
0x806D5000 \SystemRoot\system32\CI.dll
0x88E08000 \SystemRoot\system32\drivers\Wdf01000.sys
0x88E89000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x88E97000 \SystemRoot\System32\Drivers\spna.sys
0x88F98000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x88FA1000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x807B5000 \SystemRoot\system32\drivers\acpi.sys
0x88FC7000 \SystemRoot\system32\drivers\msisadrv.sys
0x88FCF000 \SystemRoot\system32\drivers\pci.sys
0x90804000 \SystemRoot\System32\drivers\partmgr.sys
0x90814000 \SystemRoot\system32\drivers\volmgr.sys
0x90823000 \SystemRoot\System32\drivers\volmgrx.sys
0x9086D000 \SystemRoot\system32\drivers\pciide.sys
0x90874000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x90882000 \SystemRoot\System32\drivers\mountmgr.sys
0x90892000 \SystemRoot\system32\drivers\atapi.sys
0x9089A000 \SystemRoot\system32\drivers\ataport.SYS
0x908B8000 \SystemRoot\system32\DRIVERS\nvstor32.sys
0x908DD000 \SystemRoot\system32\DRIVERS\storport.sys
0x9091E000 \SystemRoot\system32\drivers\fltmgr.sys
0x90950000 \SystemRoot\system32\drivers\fileinfo.sys
0x90960000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x90969000 \SystemRoot\System32\Drivers\ksecdd.sys
0x90A08000 \SystemRoot\system32\drivers\ndis.sys
0x90B13000 \SystemRoot\system32\drivers\msrpc.sys
0x90B3E000 \SystemRoot\system32\drivers\NETIO.SYS
0x90C09000 \SystemRoot\System32\Drivers\Ntfs.sys
0x90D19000 \SystemRoot\system32\drivers\wd.sys
0x90D21000 \SystemRoot\system32\drivers\volsnap.sys
0x90D5A000 \SystemRoot\System32\Drivers\spldr.sys
0x90D62000 \SystemRoot\System32\Drivers\RapportKELL.sys
0x90D79000 \SystemRoot\System32\Drivers\mup.sys
0x90D88000 \SystemRoot\System32\drivers\ecache.sys
0x90DAF000 \SystemRoot\system32\drivers\disk.sys
0x90DC0000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x90DE1000 \SystemRoot\system32\drivers\crcdisk.sys
0x90BA8000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x90DF7000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x90BB3000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x90BC2000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x90BD5000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x90BE0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x90BEB000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x94C0B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x94C49000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x94C58000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x94CE5000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
0x94CF4000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x94D0C000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x95603000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x9608C000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x9612C000 \SystemRoot\System32\drivers\watchdog.sys
0x96138000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x96141000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x96170000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x9617B000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x96192000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x9619D000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x961C0000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x961CF000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x961E3000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x94D12000 \SystemRoot\system32\DRIVERS\termdd.sys
0x961F8000 \SystemRoot\system32\DRIVERS\swenum.sys
0x94D22000 \SystemRoot\system32\DRIVERS\ks.sys
0x94D4C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x94D56000 \SystemRoot\system32\DRIVERS\umbus.sys
0x94D63000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x94D98000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x96200000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x96408000 \SystemRoot\system32\drivers\portcls.sys
0x96435000 \SystemRoot\system32\drivers\drmk.sys
0x9645A000 \SystemRoot\system32\drivers\nvhda32v.sys
0x96468000 \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_51755.sys
0x964B4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x964BD000 \SystemRoot\System32\Drivers\Null.SYS
0x964C4000 \SystemRoot\System32\Drivers\Beep.SYS
0x964D4000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x964DB000 \SystemRoot\System32\drivers\vga.sys
0x964E7000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x96508000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x96510000 \SystemRoot\system32\drivers\rdpencdd.sys
0x96518000 \SystemRoot\System32\Drivers\Msfs.SYS
0x96523000 \SystemRoot\System32\Drivers\Npfs.SYS
0x96531000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x96609000 \SystemRoot\System32\drivers\tcpip.sys
0x966F3000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x9670E000 \SystemRoot\system32\DRIVERS\tdx.sys
0x96724000 \SystemRoot\system32\DRIVERS\smb.sys
0x96738000 \SystemRoot\System32\DRIVERS\netbt.sys
0x9676A000 \SystemRoot\system32\drivers\afd.sys
0x967B2000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x967BB000 \SystemRoot\system32\DRIVERS\pacer.sys
0x967D1000 \SystemRoot\system32\DRIVERS\netbios.sys
0x967DF000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x967F2000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x9653A000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x967FB000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x9654A000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x96600000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x96586000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
0x965AF000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
0x96C08000 \??\C:\Windows\system32\drivers\RapportBuka.sys
0x96C68000 \SystemRoot\system32\drivers\nsiproxy.sys
0x96C72000 \SystemRoot\System32\Drivers\dfsc.sys
0x96C89000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x96C9E000 \SystemRoot\System32\Drivers\crashdmp.sys
0x96CAB000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x96CB5000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
0xA5CE0000 \SystemRoot\System32\win32k.sys
0x96CDA000 \SystemRoot\System32\drivers\Dxapi.sys
0x96CE4000 \SystemRoot\system32\DRIVERS\monitor.sys
0xA5F00000 \SystemRoot\System32\TSDDD.dll
0xA5F20000 \SystemRoot\System32\cdd.dll
0x96CF3000 \SystemRoot\system32\drivers\luafv.sys
0x96D0E000 \SystemRoot\system32\drivers\WudfPf.sys
0x96D22000 \SystemRoot\system32\drivers\spsys.sys
0x96DD2000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x96DE2000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x82A0A000 \SystemRoot\system32\drivers\HTTP.sys
0x82A77000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x82A94000 \SystemRoot\system32\DRIVERS\bowser.sys
0x82AAD000 \SystemRoot\System32\drivers\mpsdrv.sys
0x82AC2000 \SystemRoot\system32\drivers\mrxdav.sys
0x82AE3000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x82B02000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x82B3B000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x82B53000 \SystemRoot\System32\DRIVERS\srv2.sys
0x82B7B000 \SystemRoot\System32\DRIVERS\srv.sys
0x82BCA000 \??\C:\Windows\system32\drivers\int15.sys
0x84E09000 \SystemRoot\system32\drivers\peauth.sys
0x84EE7000 \SystemRoot\System32\Drivers\secdrv.SYS
0x84EF1000 \SystemRoot\System32\drivers\tcpipreg.sys
0x84EFD000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x84F28000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77470000 \Windows\System32\ntdll.dll
Processes (total 60):
0 System Idle Process
4 System
456 C:\Windows\System32\smss.exe
524 csrss.exe
584 C:\Windows\System32\wininit.exe
596 csrss.exe
628 C:\Windows\System32\services.exe
640 C:\Windows\System32\lsass.exe
656 C:\Windows\System32\lsm.exe
836 C:\Windows\System32\winlogon.exe
852 C:\Windows\System32\svchost.exe
908 C:\Windows\System32\nvvsvc.exe
940 C:\Windows\System32\svchost.exe
1000 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
1136 C:\Windows\System32\svchost.exe
1160 C:\Windows\System32\svchost.exe
1188 C:\Windows\System32\svchost.exe
1252 C:\Windows\System32\audiodg.exe
1276 C:\Windows\System32\svchost.exe
1300 C:\Windows\System32\SLsvc.exe
1352 C:\Windows\System32\svchost.exe
1500 C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
1508 C:\Windows\System32\nvvsvc.exe
1624 C:\Windows\System32\svchost.exe
1828 C:\Windows\System32\spoolsv.exe
1868 C:\Windows\System32\svchost.exe
472 C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
644 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
864 C:\Program Files\Bonjour\mDNSResponder.exe
1288 C:\Program Files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe
1436 C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
1236 C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
2096 C:\Windows\System32\IoctlSvc.exe
2120 C:\Windows\System32\svchost.exe
2180 C:\Windows\System32\svchost.exe
2252 C:\Windows\System32\svchost.exe
2308 C:\Windows\System32\SearchIndexer.exe
2664 WUDFHost.exe
2712 C:\Program Files\Canon\CAL\CALMAIN.exe
3020 C:\Windows\System32\dwm.exe
3052 C:\Windows\explorer.exe
3100 C:\Windows\System32\taskeng.exe
3200 C:\Windows\System32\mobsync.exe
3320 C:\Windows\RtHDVCpl.exe
3376 C:\Program Files\Windows Media Player\wmpnscfg.exe
3448 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
3596 C:\Program Files\Windows Media Player\wmpnetwk.exe
2512 C:\Windows\System32\taskeng.exe
3952 C:\Program Files\Internet Explorer\iexplore.exe
3224 C:\Program Files\Internet Explorer\iexplore.exe
2652 C:\Windows\System32\svchost.exe
3740 C:\Windows\servicing\TrustedInstaller.exe
3072 C:\Windows\System32\Macromed\Flash\FlashUtil32_11_7_700_202_ActiveX.exe
3540 C:\Program Files\Internet Explorer\iexplore.exe
2404 C:\Windows\System32\SearchFilterHost.exe
5284 C:\Windows\System32\SearchProtocolHost.exe
4612 WmiPrvSE.exe
5564 dllhost.exe
5600 dllhost.exe
5632 C:\Users\Hart\Documents\IT Stuff\Repair - May 2013\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`80100000 (NTFS)
PhysicalDrive0 Model Number: WDC WD6400AAKS-22A7B, Rev: 01.0
Size Device Name MBR Status
--------------------------------------------
596 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 90C10828C3538DFE7F856D1137321BB66C28DC98

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 
Done!


----------



## xelahart (Apr 29, 2009)

Earlier we were looking for rootkits and now we are looking at the MBR. I combined these things in a Google search and started reading about rootkits that mess with the MBR. Perhaps the articles I read were being overdramatic, but they suggested these can be difficult to completely fix without formatting the hard drive.

One of the lines from the MBRCheck log sounds pretty damning:
"596 GB \\.\PhysicalDrive0 MBR Code Faked!"

*Do I need to be preparing myself for a full format of the C drive?*

*Should I run MBRCheck on my external hard drives to see if they have the same problem?*


----------



## Cookiegal (Aug 27, 2003)

Yes, they are called bootkits. I noticed what looked like a problem with the MBR in earlier logs but usually those types of infections are handled by TDSSKiller and ComboFix but neither is seeing a problem. But one of the logs also shows the default XP MBR so it could be a false detection. The best thing to do would be to get a dump of the MBR for analysis but before we do that, please run the following scan that may give us more information.

Please download FRST (Farbar Recovery Scan Tool) and save it to your desktop.

*Note*: You need to run the version that's compatible with your system (32-bit or 64-bit).


Double-click FRST to run it. When the tool opens click *Yes* to the disclaimer.
Press the *Scan* button.
It will make a log named (*FRST.txt*) in the same directory the tool is run (which should be on the desktop). Please copy and paste the contents of the log in your reply.
The first time the tool is run it makes a second log named (*Addition.txt*). Please copy and paste the contents of that log as well.
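For readers following the MBR discussion above, here is an added example (not code from this thread, MBRCheck or FRST) of what "getting a dump of the MBR for analysis" involves: it hashes the boot-code area, decodes the partition table, and cross-checks the table against the volume offset MBRCheck reported for C: (0x00000002`80100000). The sample disk image is constructed, the known-good hash set is constructed rather than a real Windows MBR hash, and hashing exactly the first 440 bytes is an assumption about what MBRCheck's SHA1 covers.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the boot code; hashing exactly this
                           # range is an assumption about what MBRCheck's SHA1 covers
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
PART_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, start LBA, sector count
BOOT_SIG = b"\x55\xaa"     # bytes 510..511


def has_boot_signature(mbr: bytes) -> bool:
    return len(mbr) == SECTOR and mbr[510:512] == BOOT_SIG


def boot_code_sha1(mbr: bytes) -> str:
    """Hex SHA1 of the boot-code area, upper-case like MBRCheck prints it."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary partition entries, skipping empty slots."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and lba == 0 and count == 0:
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "start_lba": lba, "sectors": count, "byte_offset": lba * SECTOR})
    return parts


def assess_mbr(mbr: bytes, known_good_sha1: set, volume_offsets: list) -> dict:
    """Combine the checks a reviewer of an MBRCheck log would otherwise do by hand."""
    parts = parse_partitions(mbr)
    digest = boot_code_sha1(mbr)
    table_offsets = {p["byte_offset"] for p in parts}
    return {
        "signature_ok": has_boot_signature(mbr),
        "boot_code_sha1": digest,
        "boot_code_known_good": digest in known_good_sha1,
        "active_partitions": sum(p["bootable"] for p in parts),
        "partitions": parts,
        # volume offsets the OS reports that no partition entry accounts for
        "unexplained_volume_offsets": sorted(set(volume_offsets) - table_offsets),
    }


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read-only dump of sector 0 on Windows; needs an elevated prompt."""
    with open(device, "rb") as dev:
        return dev.read(SECTOR)


# Constructed sample, not a real disk image: an OEM recovery partition followed by
# an active NTFS C: whose start LBA reproduces the offset in the thread's MBRCheck
# log (\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`80100000).
C_OFFSET = 0x280100000
_SAMPLE_CODE = bytes((i * 37 + 11) & 0xFF for i in range(BOOT_CODE_LEN))  # stand-in boot code


def build_sample_mbr(boot_code: bytes = _SAMPLE_CODE) -> bytes:
    mbr = bytearray(SECTOR)
    mbr[:BOOT_CODE_LEN] = boot_code
    entries = [
        (0x00, 0x27, 2048, 20_969_472),                   # hidden recovery partition
        (0x80, 0x07, C_OFFSET // SECTOR, 1_229_000_000),  # active NTFS C:
    ]
    for slot, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * slot,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def patch_boot_code(mbr: bytes, offset: int, data: bytes) -> bytes:
    """Copy of the MBR with bytes in the code area replaced. The partition table
    and the 0x55AA signature stay intact, which is why a table-level check alone
    cannot tell a modified boot sector from a clean one; only the hash moves."""
    assert offset + len(data) <= BOOT_CODE_LEN
    out = bytearray(mbr)
    out[offset:offset + len(data)] = data
    return bytes(out)


if __name__ == "__main__":
    clean = build_sample_mbr()
    known_good = {boot_code_sha1(clean)}   # constructed whitelist, not a real Windows hash
    for label, image in (("clean", clean), ("modified", patch_boot_code(clean, 0, b"\xff" * 8))):
        r = assess_mbr(image, known_good, [C_OFFSET])
        print(label, r["boot_code_sha1"],
              "known-good" if r["boot_code_known_good"] else "UNKNOWN CODE",
              "active:", r["active_partitions"], "unexplained:", r["unexplained_volume_offsets"])
```

An OEM boot sector (Packard Bell's recovery loader, for instance) legitimately hashes to something outside a stock-Windows whitelist, which is the false-positive case Cookiegal raises; the partition cross-check and the unknown hash together, not the hash alone, justify pulling a dump for analysis.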


----------



## xelahart (Apr 29, 2009)

FRST Log
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 10-06-2013 03
Ran by Hart (administrator) on 10-06-2013 21:56:47
Running from C:\Users\Hart\Documents\IT Stuff\Repair - May 2013
Windows Vista (TM) Home Premium Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
==================== Processes (Whitelisted) ===================
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Trusteer Ltd.) C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
() C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe
(LeapFrog Enterprises, Inc.) C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
(Nero AG) C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
(Prolific Technology Inc.) C:\Windows\system32\IoctlSvc.exe
(Canon Inc.) C:\Program Files\Canon\CAL\CALMAIN.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Trusteer Ltd.) C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_202_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKCU\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-21] (Microsoft Corporation)
HKU\Emma (i-pod)\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-21] (Microsoft Corporation)
HKU\Emma (i-pod)\...\RunOnce: [Application Restart #0] C:\Program Files\Windows Media Player\wmpnscfg.exe [ 2008-01-21] (Microsoft Corporation)
==================== Internet (Whitelisted) ====================
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=1008&m=imedia_x2416
SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL = http://websearch.ask.com/redirect?c...pn_sauid=33800EBC-5D8B-4F7A-98FF-D0D0F877B504
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} http://www.photodex.com/pxplay.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: msdaipp - No CLSID Value - 
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 192.168.1.254
========================== Services (Whitelisted) =================
R2 AdobeActiveFileMonitor6.0; C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [124832 2007-09-11] ()
R2 CCALib8; C:\Program Files\Canon\CAL\CALMAIN.exe [96341 2006-03-30] (Canon Inc.)
R2 ETService; C:\Program Files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe [24576 2008-07-16] ()
S4 McMPFSvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [x]
==================== Drivers (Whitelisted) ====================
R2 int15; C:\Windows\system32\drivers\int15.sys [15392 2008-07-16] (Acer, Inc.)
R1 RapportBuka; C:\Windows\system32\drivers\RapportBuka.sys [390528 2010-02-28] (Trusteer Ltd.)
R1 RapportCerberus_51755; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_51755.sys [317112 2013-04-01] ()
R1 RapportEI; C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys [102680 2013-04-02] (Trusteer Ltd.)
R1 RapportPG; C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [173880 2013-04-02] (Trusteer Ltd.)
S3 s116bus; C:\Windows\System32\DRIVERS\s116bus.sys [83336 2007-04-03] (MCCI Corporation)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [721904 2012-04-24] ()
S3 catchme; \??\C:\Users\Hart\AppData\Local\Temp\catchme.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 mcdbus; system32\DRIVERS\mcdbus.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2013-06-10 21:56 - 2013-06-10 21:56 - 00000000 ____D C:\FRST
2013-06-09 09:57 - 2013-06-09 09:57 - 00022885 ____A C:\VEW.txt
2013-06-07 07:04 - 2013-06-07 07:04 - 00055360 ____A C:\Users\Hart\Downloads\OTS.Txt
2013-06-07 07:00 - 2013-06-07 07:00 - 00646656 ____A (OldTimer Tools) C:\Users\Hart\Downloads\OTS.exe
2013-06-07 03:15 - 2013-05-05 20:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-07 03:15 - 2013-05-05 20:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-07 03:08 - 2013-04-04 23:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-07 03:08 - 2013-04-04 23:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-07 03:08 - 2013-04-04 23:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-06-07 03:08 - 2013-04-04 23:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-07 03:08 - 2013-04-04 23:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-07 03:08 - 2013-04-04 23:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-06-07 03:08 - 2013-04-04 22:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-07 03:08 - 2013-04-04 22:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-07 03:08 - 2013-04-04 22:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-06-07 03:08 - 2013-04-04 22:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-06-07 03:08 - 2013-04-04 22:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-07 03:08 - 2013-04-04 22:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-07 03:08 - 2013-04-04 22:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-06-07 03:08 - 2013-04-04 22:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-06 21:35 - 2013-05-02 02:06 - 00238872 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-06-06 21:34 - 2013-04-15 15:20 - 00638328 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-06-06 21:34 - 2013-04-13 11:56 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-06-06 21:34 - 2013-04-09 02:36 - 02049024 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-06-06 20:25 - 2013-06-06 20:54 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-06-06 20:25 - 2013-06-06 20:25 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-06-05 23:53 - 2013-06-05 23:53 - 00139336 ____A C:\Windows\Minidump\Mini060513-04.dmp
2013-06-05 23:43 - 2013-06-05 23:43 - 00139336 ____A C:\Windows\Minidump\Mini060513-03.dmp
2013-06-05 23:25 - 2013-06-05 23:25 - 00139336 ____A C:\Windows\Minidump\Mini060513-02.dmp
2013-06-05 22:38 - 2013-06-05 22:38 - 00139336 ____A C:\Windows\Minidump\Mini060513-01.dmp
2013-06-01 10:14 - 2013-06-01 10:14 - 00139336 ____A C:\Windows\Minidump\Mini060113-02.dmp
2013-06-01 09:53 - 2013-06-01 09:53 - 00139336 ____A C:\Windows\Minidump\Mini060113-01.dmp
2013-05-28 20:27 - 2013-05-28 20:27 - 00000000 ____D C:\_OTS
2013-05-27 11:05 - 2013-05-27 11:05 - 00000637 ____A C:\Users\Hart\Desktop\Repair - May 2013 - Shortcut.lnk
2013-05-26 13:32 - 2013-05-26 13:32 - 00007531 ____A C:\ComboFix.txt
2013-05-26 13:17 - 2013-05-26 13:32 - 00000000 ____D C:\ComboFix
2013-05-26 13:17 - 2011-06-26 07:45 - 00256000 ____A C:\Windows\PEV.exe
2013-05-26 13:17 - 2010-11-07 18:20 - 00208896 ____A C:\Windows\MBR.exe
2013-05-26 13:17 - 2009-04-20 05:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-05-26 13:17 - 2000-08-31 01:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-05-26 13:17 - 2000-08-31 01:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-05-26 13:17 - 2000-08-31 01:00 - 00098816 ____A C:\Windows\sed.exe
2013-05-26 13:17 - 2000-08-31 01:00 - 00080412 ____A C:\Windows\grep.exe
2013-05-26 13:17 - 2000-08-31 01:00 - 00068096 ____A C:\Windows\zip.exe
2013-05-26 13:08 - 2013-05-26 13:32 - 00000000 ____D C:\Qoobox
2013-05-26 13:08 - 2013-05-26 13:30 - 00000000 ____D C:\Windows\erdnt
2013-05-26 12:14 - 2013-05-26 12:14 - 00000823 ____A C:\Users\Hart\Desktop\TEMP - Weekend Jobs.docx - Shortcut.lnk
2013-05-14 01:26 - 2013-05-14 01:26 - 00000000 ____D C:\ProgramData\WindowsSearch
==================== One Month Modified Files and Folders ========
2013-06-10 21:56 - 2013-06-10 21:56 - 00000000 ____D C:\FRST
2013-06-10 21:46 - 2006-11-02 11:33 - 00703516 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-10 21:45 - 2012-04-01 15:47 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-10 21:45 - 2008-10-13 10:11 - 01583071 ____A C:\Windows\WindowsUpdate.log
2013-06-10 21:41 - 2008-10-13 10:10 - 00000000 ____A C:\Windows\System32\LogConfigTemp.xml
2013-06-10 21:41 - 2006-11-02 14:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-10 21:41 - 2006-11-02 13:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-10 21:41 - 2006-11-02 13:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-09 23:48 - 2006-11-02 14:01 - 00032622 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-09 09:57 - 2013-06-09 09:57 - 00022885 ____A C:\VEW.txt
2013-06-07 07:04 - 2013-06-07 07:04 - 00055360 ____A C:\Users\Hart\Downloads\OTS.Txt
2013-06-07 07:00 - 2013-06-07 07:00 - 00646656 ____A (OldTimer Tools) C:\Users\Hart\Downloads\OTS.exe
2013-06-07 03:40 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-06-07 03:33 - 2006-11-02 13:47 - 00385648 ____A C:\Windows\System32\FNTCACHE.DAT
2013-06-07 03:16 - 2008-08-21 22:18 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-06-07 03:11 - 2009-01-14 23:26 - 00000039 ____A C:\Windows\vbaddin.ini
2013-06-07 03:09 - 2006-11-02 11:24 - 72607752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-06-06 21:46 - 2012-04-01 15:47 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-06 21:46 - 2011-07-09 17:11 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-06 21:30 - 2009-03-28 20:28 - 00000000 ____D C:\Users\Hart\Documents\IT Stuff
2013-06-06 21:21 - 2009-03-14 18:15 - 00000000 ____D C:\Program Files\McAfee
2013-06-06 21:21 - 2009-03-14 17:57 - 00000000 ____D C:\ProgramData\McAfee
2013-06-06 20:54 - 2013-06-06 20:25 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-06-06 20:25 - 2013-06-06 20:25 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-06-05 23:53 - 2013-06-05 23:53 - 00139336 ____A C:\Windows\Minidump\Mini060513-04.dmp
2013-06-05 23:53 - 2009-08-19 19:31 - 254406718 ____A C:\Windows\MEMORY.DMP
2013-06-05 23:53 - 2009-08-19 19:31 - 00000000 ____D C:\Windows\Minidump
2013-06-05 23:49 - 2008-01-21 03:47 - 00173770 ____A C:\Windows\PFRO.log
2013-06-05 23:43 - 2013-06-05 23:43 - 00139336 ____A C:\Windows\Minidump\Mini060513-03.dmp
2013-06-05 23:25 - 2013-06-05 23:25 - 00139336 ____A C:\Windows\Minidump\Mini060513-02.dmp
2013-06-05 22:38 - 2013-06-05 22:38 - 00139336 ____A C:\Windows\Minidump\Mini060513-01.dmp
2013-06-01 10:14 - 2013-06-01 10:14 - 00139336 ____A C:\Windows\Minidump\Mini060113-02.dmp
2013-06-01 09:53 - 2013-06-01 09:53 - 00139336 ____A C:\Windows\Minidump\Mini060113-01.dmp
2013-05-29 20:49 - 2006-11-02 13:52 - 00076033 ____A C:\Windows\setupact.log
2013-05-28 20:27 - 2013-05-28 20:27 - 00000000 ____D C:\_OTS
2013-05-27 11:05 - 2013-05-27 11:05 - 00000637 ____A C:\Users\Hart\Desktop\Repair - May 2013 - Shortcut.lnk
2013-05-26 13:32 - 2013-05-26 13:32 - 00007531 ____A C:\ComboFix.txt
2013-05-26 13:32 - 2013-05-26 13:17 - 00000000 ____D C:\ComboFix
2013-05-26 13:32 - 2013-05-26 13:08 - 00000000 ____D C:\Qoobox
2013-05-26 13:32 - 2006-11-02 12:18 - 00000000 __RHD C:\users\Default
2013-05-26 13:32 - 2006-11-02 12:18 - 00000000 ___RD C:\users\Public
2013-05-26 13:30 - 2013-05-26 13:08 - 00000000 ____D C:\Windows\erdnt
2013-05-26 13:29 - 2006-11-02 11:23 - 00000215 ____A C:\Windows\system.ini
2013-05-26 13:27 - 2009-01-14 22:52 - 00000000 ____D C:\users\Hart
2013-05-26 12:14 - 2013-05-26 12:14 - 00000823 ____A C:\Users\Hart\Desktop\TEMP - Weekend Jobs.docx - Shortcut.lnk
2013-05-26 12:07 - 2012-03-15 09:18 - 00001356 ____A C:\Users\Hart\AppData\Local\d3d9caps.dat
2013-05-16 20:16 - 2009-04-29 18:33 - 00000000 ____D C:\Program Files\HijackThis
2013-05-14 01:26 - 2013-05-14 01:26 - 00000000 ____D C:\ProgramData\WindowsSearch
2013-05-14 01:16 - 2013-04-13 16:24 - 00000000 ____D C:\users\UpdatusUser.Hart-PC
2013-05-14 01:11 - 2006-11-02 11:22 - 55050240 ____A C:\Windows\System32\config\software_previous
2013-05-14 01:11 - 2006-11-02 11:22 - 36962304 ____A C:\Windows\System32\config\components_previous
2013-05-14 01:11 - 2006-11-02 11:22 - 128450560 ____A C:\Windows\System32\config\system_previous
2013-05-14 01:11 - 2006-11-02 11:22 - 00786432 ____A C:\Windows\System32\config\default_previous
2013-05-14 01:11 - 2006-11-02 11:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2013-05-14 01:11 - 2006-11-02 11:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2013-05-14 01:08 - 2012-01-20 10:41 - 00000000 ____D C:\users\Emma (i-pod)
2013-05-14 01:08 - 2011-06-17 20:42 - 00000000 ____D C:\users\Alex
2013-05-14 01:04 - 2009-11-16 19:49 - 00000000 ____D C:\Program Files\Windows Portable Devices
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\twain_32
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\System32\XPSViewer
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\ShellNew
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Windows Sidebar
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Windows Photo Gallery
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Windows Journal
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Windows Defender
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Windows Collaboration
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Movie Maker
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 __RSD C:\Windows\Media
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\zh-TW
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\zh-HK
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\zh-CN
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\uk-UA
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\tr-TR
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\th-TH
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\sv-SE
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\sr-Latn-CS
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\SLUI
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\sl-SI
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\sk-SK
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\ru-RU
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\ro-RO
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\ras
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\pt-PT
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\pt-BR
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\pl-PL
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\nl-NL
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\nb-NO
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\lv-LV
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\lt-LT
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\ko-KR
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\ja-JP
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\it-IT
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\icsxml
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\hu-HU
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\hr-HR
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\he-IL
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\fr-FR
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\fi-FI
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\et-EE
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\el-GR
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\de-DE
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\bg-BG
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\ar-SA
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\AdvancedInstallers
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\system
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\L2Schemas
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\IME
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\Cursors
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Program Files\Common Files\System
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Program Files\Common Files\Services
2013-05-14 01:03 - 2009-09-20 19:57 - 00000000 ____D C:\Windows\System32\vi-VN
2013-05-14 01:03 - 2009-09-20 19:57 - 00000000 ____D C:\Windows\System32\eu-ES
2013-05-14 01:03 - 2009-09-20 19:57 - 00000000 ____D C:\Windows\System32\ca-ES
2013-05-14 01:03 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\DigitalLocker
2013-05-14 01:03 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Windows Calendar
2013-05-14 01:03 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\ias
2013-05-14 01:03 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\com
2013-05-14 01:03 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\MSAgent
2013-05-14 00:59 - 2009-09-20 19:33 - 00000000 ____D C:\Windows\System32\EventProviders
2013-05-14 00:59 - 2008-08-21 22:01 - 00000000 ____D C:\Windows\System32\RTCOM
2013-05-14 00:59 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\System32\restore
2013-05-14 00:59 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\tapi
2013-05-14 00:59 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\spool
2013-05-14 00:59 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\Msdtc
2013-05-14 00:58 - 2011-04-05 14:55 - 00000000 ____D C:\Windows\System32\custom matrices
2013-05-14 00:58 - 2009-05-31 17:42 - 00000000 ____D C:\Windows\System32\C2MP
2013-05-14 00:58 - 2009-03-14 19:16 - 00000000 ____D C:\Users\Hart\AppData\Roaming\uTorrent
2013-05-14 00:58 - 2009-03-14 16:08 - 00000000 ___RD C:\Users\Hart\Desktop\Pre-Installed Shortcuts
2013-05-14 00:58 - 2006-11-02 12:18 - 00000000 ___RD C:\Windows\Offline Web Pages
2013-05-14 00:58 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\rescache
2013-05-14 00:57 - 2012-04-09 16:04 - 00000000 ____D C:\Users\Emma (i-pod)\AppData\Roaming\ICAClient
2013-05-14 00:57 - 2010-08-19 12:45 - 00000000 ____D C:\Users\Hart\AppData\Roaming\ICAClient
2013-05-14 00:57 - 2009-07-04 19:36 - 00000000 ____D C:\Users\Hart\AppData\Local\Microsoft Help
2013-05-14 00:56 - 2012-11-18 18:38 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2013-05-14 00:56 - 2012-01-29 12:49 - 00000000 ____D C:\Program Files\iTunes
2013-05-14 00:56 - 2012-01-29 12:43 - 00000000 ____D C:\Program Files\QuickTime
2013-05-14 00:56 - 2012-01-29 12:41 - 00000000 ____D C:\Program Files\Safari
2013-05-14 00:56 - 2012-01-29 12:40 - 00000000 ____D C:\Program Files\Bonjour
2013-05-14 00:56 - 2011-06-27 23:37 - 00000000 ____D C:\Program Files\Apple Software Update
2013-05-14 00:56 - 2009-08-10 21:29 - 00000000 ____D C:\Program Files\Garmin GPS Plugin
2013-05-14 00:56 - 2009-08-10 20:35 - 00000000 ____D C:\Garmin
2013-05-14 00:56 - 2009-07-13 14:28 - 00000000 ____D C:\Program Files\Photodex Presenter
2013-05-14 00:56 - 2009-04-15 21:20 - 00000000 ____D C:\Program Files\AviSynth 2.5
2013-05-14 00:56 - 2009-03-28 20:09 - 00000000 ____D C:\Program Files\MagicISO
2013-05-14 00:56 - 2009-03-18 22:32 - 00000000 ____D C:\Program Files\WinRAR
2013-05-14 00:56 - 2009-03-14 20:45 - 00000000 ____D C:\ProgramData\FLEXnet
2013-05-14 00:56 - 2009-03-14 19:16 - 00000000 ____D C:\Program Files\uTorrent
2013-05-14 00:56 - 2009-03-14 18:42 - 00000000 ____D C:\Program Files\GrabIt
2013-05-14 00:56 - 2008-08-21 22:19 - 00000000 ____D C:\Program Files\Microsoft Works
2013-05-14 00:56 - 2008-08-21 22:19 - 00000000 ____D C:\Program Files\Common Files\DESIGNER
2013-05-14 00:56 - 2008-08-21 22:18 - 00000000 ____D C:\Program Files\Microsoft Office
2013-05-14 00:56 - 2008-08-21 22:05 - 00000000 ____D C:\Program Files\HDReg
2013-05-14 00:56 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\MSBuild
2013-05-14 00:44 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\registration
2013-05-12 20:57 - 2009-10-06 11:29 - 00000000 ____D C:\Users\Hart\Documents\Emma Docs
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-06-10 21:56
==================== End Of Log ============================


----------



## xelahart (Apr 29, 2009)

FRST Additional Log
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 10-06-2013 03
Ran by Hart at 2013-06-10 21:57:25 Run:
Running from C:\Users\Hart\Documents\IT Stuff\Repair - May 2013
Boot Mode: Normal
==========================================================

==================== Installed Programs =======================
Update for Microsoft Office 2007 (KB2508958)
µTorrent (Version: 1.8.2)
Adobe Flash Player 11 ActiveX (Version: 11.7.700.202)
Adobe Flash Player 11 Plugin (Version: 11.7.700.202)
Adobe Photoshop Elements 6.0 (Version: 6.0)
Adobe Reader 8.3.1 (Version: 8.3.1)
Adobe Shockwave Player 11.5 (Version: 11.5.1.601)
Amazon MP3 Downloader 1.0.9
Apple Application Support (Version: 2.1.7)
Apple Mobile Device Support (Version: 5.1.1.4)
Apple Software Update (Version: 2.1.3.127)
AviSynth 2.5
Bonjour (Version: 3.0.0.10)
Canon Camera Access Library (Version: 8.2.0.1)
Canon Camera Window DC_DV 6 for ZoomBrowser EX (Version: 6.3.0.11)
Canon Camera Window MC 6 for ZoomBrowser EX (Version: 6.2.0.11)
Canon G.726 WMP-Decoder (Version: 1.0.1.3)
CANON iMAGE GATEWAY Task for ZoomBrowser EX (Version: 1.2.0.5)
Canon Internet Library for ZoomBrowser EX (Version: 1.4.2.6)
Canon MovieEdit Task for ZoomBrowser EX (Version: 2.3.0.19)
Canon RAW Image Task for ZoomBrowser EX (Version: 0.9.3.9)
Canon RemoteCapture Task for ZoomBrowser EX (Version: 1.6.0.9)
Canon Utilities EOS Utility (Version: 1.0.4.18)
Canon Utilities ZoomBrowser EX (Version: 5.7.0.74)
Citrix XenApp Web Plugin (Version: 11.0.0.5357)
Cole2k Media - Codec Pack (Advanced) 7.9.5
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Garmin City Navigator Europe NT 2008 (Version: 10.0.0.0)
Garmin Communicator Plugin (Version: 2.7.3)
Garmin USB Drivers (Version: 1.0.0.0)
GrabIt 1.7.2 Beta 4 (build 997)
HDReg (Version: 2.0.0)
HijackThis 2.0.2 (Version: 2.0.2)
iCloud (Version: 1.0.2.17)
Image Writer (Version: 1.00.0000)
iTunes (Version: 10.6.0.40)
Java 7 Update 17 (Version: 7.0.170)
Java Auto Updater (Version: 2.1.9.0)
JavaFX 2.1.1 (Version: 2.1.1)
LCD test (Version: 1.00.0000)
LeapFrog Connect (Version: 4.0.33.15045)
LeapFrog MyOwnLeaptop Plugin (Version: 4.0.33.15045)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access 2003 Developer Extensions (Version: 11.0.5614.0)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Enterprise 2007 (Version: 12.0.6612.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Visio Professional 2003 (Version: 11.0.8173.0)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Nero 8 Essentials (Version: 8.3.389)
neroxml (Version: 1.0.0)
NVIDIA Control Panel 307.83 (Version: 307.83)
NVIDIA Drivers
NVIDIA Graphics Driver 307.83 (Version: 307.83)
NVIDIA Install Application (Version: 2.1002.109.706)
NVIDIA Update 1.10.8 (Version: 1.10.8)
NVIDIA Update Components (Version: 1.10.8)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
Packard Bell Recovery Management (Version: 3.1.3003)
Photodex Presenter
PS3 Video 9 6 (Version: 6)
QuickTime (Version: 7.71.80.42)
Rapport (Version: 3.5.1208.34)
Realtek High Definition Audio Driver (Version: 6.0.1.5618)
Safari (Version: 5.34.52.7)
Shared C Run-time for x86 (Version: 10.0.0)
Spelling Dictionaries Support For Adobe Reader 8 (Version: 8.0.0)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817359) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Updator (Version: 3.00.0000)
Use the entry named LeapFrog Connect to uninstall (LeapFrog MyOwnLeaptop Plugin) (Version: )
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0) (Version: 03/08/2007 2.2.1.0)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012) (Version: 09/10/2009 02.03.05.012)
WinRAR archiver
==================== Restore Points =========================
01-05-2013 21:11:30 Windows Update
09-05-2013 08:13:26 Windows Update
09-05-2013 23:00:04 Scheduled Checkpoint
11-05-2013 12:11:46 Scheduled Checkpoint
26-05-2013 10:16:50 Installed Packard Bell Recovery Management
06-06-2013 20:34:25 Windows Update
07-06-2013 02:08:07 Windows Update
09-06-2013 19:23:06 Scheduled Checkpoint
==================== Faulty Device Manager Devices =============
Name: Microsoft PS/2 Mouse
Description: Microsoft PS/2 Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================
Application errors:
==================
Error: (06/10/2013 09:42:36 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/09/2013 07:49:54 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/09/2013 09:48:58 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/08/2013 08:52:04 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/07/2013 07:22:04 AM) (Source: Perflib) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4
Error: (06/07/2013 07:22:04 AM) (Source: Perflib) (User: )
Description: BITSC:\Windows\system32\bitsperf.dll4
Error: (06/07/2013 03:34:12 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/07/2013 03:12:16 AM) (Source: Windows Search Service) (User: )
Description: Performance monitoring cannot be initialized for the gatherer object, because the counters are not loaded or the shared memory object cannot be opened. This only affects availability of the perfmon counters. Restart the computer.
Context: Application, SystemIndex Catalog
Error: (06/07/2013 03:12:16 AM) (Source: Windows Search Service) (User: )
Description: Performance monitoring cannot be initialized for the gatherer service, because the counters are not loaded or the shared memory object cannot be opened. This only affects availability of the perfmon counters. Restart the computer.
Error: (06/06/2013 09:42:05 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\HART\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\PROGRAMDATA\NVIDIA CORPORATION\DRS> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

System errors:
=============
Error: (06/10/2013 09:43:17 PM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069
Error: (06/10/2013 09:43:17 PM) (Source: Service Control Manager) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
Error: (06/09/2013 07:50:40 PM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069
Error: (06/09/2013 07:50:40 PM) (Source: Service Control Manager) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
Error: (06/09/2013 09:49:38 AM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069
Error: (06/09/2013 09:49:38 AM) (Source: Service Control Manager) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
Error: (06/08/2013 08:53:26 PM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069
Error: (06/08/2013 08:53:26 PM) (Source: Service Control Manager) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
Error: (06/07/2013 09:21:19 AM) (Source: nvstor32) (User: )
Description: A parity error was detected on \Device\RaidPort0.
Error: (06/07/2013 07:21:43 AM) (Source: nvstor32) (User: )
Description: A parity error was detected on \Device\RaidPort0.

Microsoft Office Sessions:
=========================
Error: (11/04/2011 07:24:29 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 16 seconds with 0 seconds of active time. This session ended with a crash.

CodeIntegrity Errors:
===================================
Date: 2013-06-10 21:57:12.602
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\RapportKELL.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-10 21:57:12.376
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\RapportKELL.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-10 21:57:12.153
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\RapportKELL.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-10 21:57:11.924
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\RapportKELL.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-07 07:17:27.804
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Hart\AppData\Local\temp\tmp390D.tmp because the set of per-page image hashes could not be found on the system.
Date: 2013-06-07 07:17:27.601
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Hart\AppData\Local\temp\tmp390D.tmp because the set of per-page image hashes could not be found on the system.
Date: 2013-06-07 07:17:27.397
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Hart\AppData\Local\temp\tmp390D.tmp because the set of per-page image hashes could not be found on the system.
Date: 2013-06-07 07:17:27.182
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Hart\AppData\Local\temp\tmp390D.tmp because the set of per-page image hashes could not be found on the system.
Date: 2013-06-07 07:17:26.910
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Hart\AppData\Local\temp\tmp3593.tmp because the set of per-page image hashes could not be found on the system.
Date: 2013-06-07 07:17:26.706
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Hart\AppData\Local\temp\tmp3593.tmp because the set of per-page image hashes could not be found on the system.

==================== Memory info =========================== 
Percentage of memory in use: 44%
Total physical RAM: 3070.32 MB
Available physical RAM: 1717.75 MB
Total Pagefile: 6378.63 MB
Available Pagefile: 5001.12 MB
Total Virtual: 2047.88 MB
Available Virtual: 1904.23 MB
==================== Drives ================================
Drive c: (OS) (Fixed) (Total:586.17 GB) (Free:331.34 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 596 GB) (Disk ID: 85801FD9)
Partition 1: (Not Active) - (Size=10 GB) - (Type=27)
Partition 2: (Active) - (Size=586 GB) - (Type=07 NTFS)
==================== End Of Log ============================


----------



## xelahart (Apr 29, 2009)

I note it says something about a non-responding device. My wireless mouse stopped working so I plugged in another, I think the dongle from the first is probably still plugged in at the back.

Also FRST was 'Not responding' for a bit, which I think was when it was scanning a Service called Trusteer. I think one of the other scans had issues with the Trusteer bits.

If there are multiple scans I can be doing batch me up, I would rather do 3 or 4 scans each 24 hour cycle if that gets me to an answer quicker.


----------



## xelahart (Apr 29, 2009)

On second thoughts the problem might have occurred when scanning a Rapport service, which would correlate with the errors noted above.

I have a feeling that a lot of the error messages I have seen over the past month have had something to do with Rapport or Trusteer. But since I have no records I can't be sure.


----------



## Cookiegal (Aug 27, 2003)

Do you need Rapport from Trusteer? A colleague suggests uninstalling it as it may be causing problems.

Do you have Daemon Tools or Alcohol 120% installed? These typically don't show up in Add or Remove Programs and often cause false rootkit/mbr infection detections.


----------



## xelahart (Apr 29, 2009)

Rapport by Trusteer was something my online bank asked me to install. I certainly don't mind uninstalling it temporarily to help diagnostics. I have already uninstalled my antivirus for the same reason.
I plan to reinstall an antivirus once the computer is well again and I might need a little more convincing not to reinstall Rapport once I go back to online banking, but we can cross that bridge when we get to it. I will uninstall Rapport when I get home from work tonight.

I have not knowingly installed Daemon Tools or Alcohol 120%. I used to have MagicISO which I have uninstalled in case that was causing problems.

Is there a way I can get my computer to list all the programs I have installed? Then you can tell me the ones I should uninstall to help with troubleshooting.


----------



## Cookiegal (Aug 27, 2003)

The problem with programs like Daemon Tools is that they don't appear in the list because they are installed stealthily. This is why they sometimes interfere with the tools we use, meaning the tools report possible problems with rootkits when possibly none really exist. I will post instructions for two things to try.

1) We'll get an off-line dump of your MBR to check
2) We'll run a program called Defogger that should disable any emulators or other such programs that might interfere and run new scans.

Try this please. You will also need a USB drive.

Download *GETxPUD.exe* to the desktop of your clean computer

Run *GETxPUD.exe*
A new folder will appear on the desktop.
Open the *GETxPUD* folder and click on the *get&burn.bat*
The program will download *xpud_0.9.2.iso*, and upon finishing will open *BurnCDCC* ready to burn the image.
Click on *Start* and follow the prompts to burn the image to a CD.
Next download dumpit to your USB
Remove the USB & CD and insert them in the sick computer
Boot the Sick computer with the CD you just burned
The computer must be set to boot from the CD
Gently tap F12 and choose to boot from the CD
Follow the prompts
A *Welcome to xPUD* screen will appear
Press *File*
Expand *mnt*
Click on *sdb1* (sdb1 represents the USB drive).
Double click on the *dumpit* file.
A black window will pop-up and it will dump and zip the MBR to your USB drive.
Press *Enter* to exit the black window.
Click on *HOME* tab and choose *Power Off* to turn off xPUD.
Remove the USB drive and insert it back on your working computer.
Locate the *mbr.zip* file in your USB drive and attach it when you reply.

Then please do the following:

Please download *DeFogger* to your *desktop*.

Double click *DeFogger* to run the tool.
The application window will appear
Click the *Disable* button to disable your CD Emulation drivers
Click *Yes* to continue
A *'Finished!'* message will appear
Click *OK*
DeFogger will now ask to reboot the machine - click *OK*
*IMPORTANT!* If you receive an error message while running DeFogger, please post the log *defogger_disable* which will appear on your desktop.

*Do not* re-enable these drivers until otherwise instructed.

After doing that please run new scans with GMER, aswmbr and MBRCheck and post those logs.
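The offline MBR dump described above is read back on the helper's side, and the FRST log earlier in this thread shows the same data already decoded ("MBR Code: Windows 7 or Vista", "Disk ID: 85801FD9", a Type=27 recovery partition and an active Type=07 NTFS partition). The following is an added example, not part of this thread or of dumpit/FRST/MBRCheck, showing how a 512-byte MBR sector is parsed and sanity-checked; the sample sector, the placeholder boot code and the known-good hash set are all constructed here, so the hash comparison illustrates the MBRCheck-style idea rather than matching any real Windows loader.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

SECTOR_SIZE = 512
BOOTCODE_LEN = 440            # bytes 0..439 hold the bootstrap code
DISK_ID_OFFSET = 440          # 4-byte disk signature (FRST prints it as "Disk ID")
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511

# Partition type bytes commonly seen on Windows disks (subset, for display only)
PARTITION_TYPES = {
    0x07: "NTFS/exFAT/HPFS",
    0x27: "hidden NTFS (Windows recovery partition)",
    0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x05: "extended", 0x0F: "extended LBA",
    0x82: "Linux swap", 0x83: "Linux",
    0xEE: "GPT protective",
}


@dataclass
class Partition:
    index: int
    status: int        # 0x80 = active (bootable), 0x00 = inactive; anything else is invalid
    type_code: int
    start_lba: int
    sector_count: int

    @property
    def active(self) -> bool:
        return self.status == 0x80

    @property
    def empty(self) -> bool:
        return self.type_code == 0 and self.sector_count == 0

    def size_gb(self) -> float:
        return self.sector_count * SECTOR_SIZE / 1024 ** 3

    def describe(self) -> str:
        return PARTITION_TYPES.get(self.type_code, "unknown")


@dataclass
class Mbr:
    bootcode_sha256: str
    disk_id: int
    partitions: List[Partition]


def parse_mbr(sector: bytes) -> Mbr:
    """Decode one MBR sector: boot-code hash, disk signature and the four entries."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError(f"need {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 55AA missing: not a valid MBR sector")
    disk_id = struct.unpack_from("<I", sector, DISK_ID_OFFSET)[0]
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, type_code = sector[off], sector[off + 4]      # CHS fields at +1..+3, +5..+7 are ignored
        start_lba, count = struct.unpack_from("<II", sector, off + 8)
        parts.append(Partition(i + 1, status, type_code, start_lba, count))
    return Mbr(hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(), disk_id, parts)


def audit_mbr(mbr: Mbr, known_good_bootcode: Optional[Set[str]] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    if known_good_bootcode is not None and mbr.bootcode_sha256 not in known_good_bootcode:
        findings.append("boot code hash not in known-good set (non-standard loader; compare against a clean copy)")
    used = [p for p in mbr.partitions if not p.empty]
    for p in used:
        if p.status not in (0x00, 0x80):
            findings.append(f"partition {p.index}: invalid status byte 0x{p.status:02X}")
    active = [p for p in used if p.active]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    ordered = sorted(used, key=lambda p: p.start_lba)
    for a, b in zip(ordered, ordered[1:]):
        if a.start_lba + a.sector_count > b.start_lba:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings


def build_sample_mbr(*, status_of_second: int = 0x80) -> bytes:
    """Constructed sample shaped like the FRST 'MBR & Partition Table' section in this
    thread: disk ID 85801FD9, a 10 GB inactive type 27 partition, a 586 GB active NTFS
    partition. The boot code bytes are a placeholder, not a real Windows loader."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"
    struct.pack_into("<I", sector, DISK_ID_OFFSET, 0x85801FD9)
    gb = 1024 ** 3 // SECTOR_SIZE  # sectors per GiB
    entries = [(0x00, 0x27, 2048, 10 * gb),
               (status_of_second, 0x07, 2048 + 10 * gb, 586 * gb)]
    for i, (status, ptype, start, count) in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + 16 * i
        sector[off], sector[off + 4] = status, ptype
        struct.pack_into("<II", sector, off + 8, start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())   # replace with open("mbr.bin","rb").read(512) for a real dump
    print(f"Disk ID: {mbr.disk_id:08X}  boot code sha256: {mbr.bootcode_sha256[:16]}...")
    for p in mbr.partitions:
        if not p.empty:
            flag = "Active" if p.active else "Not Active"
            print(f"Partition {p.index}: ({flag}) - (Size={p.size_gb():.0f} GB) - (Type={p.type_code:02X} {p.describe()})")
    print("findings:", audit_mbr(mbr, known_good_bootcode={mbr.bootcode_sha256}) or "none")
```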


----------



## xelahart (Apr 29, 2009)

OK Rapport from Trusteer uninstalled.
Now how do I test if that changed anything?

I took a screenshot of all my installed programmes (see attached).
Is there anything else you think I should kill? (either to help with this issue or just on principle)


Also, since I am removing my antivirus and internet banking security programmes, and some Windows icon in my task bar keeps warning me that I am unprotected, I decided to turn the Windows Firewall and Windows Defender back on.
Let me know if that was a bad idea, and I should turn it all back off.


----------



## xelahart (Apr 29, 2009)

Ah just spotted your latest instructions. Thanks.
It has got a bit late for those tonight, I will have a go tomorrow.


----------



## Cookiegal (Aug 27, 2003)

You don't want to be without anti-virus protection. I would reinstall it.

We have a list of installed programs in post no. 72.


----------



## xelahart (Apr 29, 2009)

xPUD failed.

I managed to download it, burn it to the CD, downloaded the dumpit.txt file and saved it to the USB flash drive, restarted the computer, asked it to boot from the CD, got the xPUD welcome screen.

It then asked me to choose a language (I chose English). The welcome screen froze for a while as the disk whirred, then I got a black screen with white text full of error messages. Some of them scrolled off the screen before I could catch them but some that I noted include:
EE No drivers detected
Fatal server error: no screens found
Check log file at "/var/log/Xorg.0.log"
Giving up
Xinit: No such file or directory (errno2) : unable to connect to X server
Xinit: No such process (errno3) : Server error
Xauth: (argv):1: bad display name "(none):0" in "remove" command
Sh: no job control in this shell
I then get left with a command prompt, but since I don't know the commands to exit or shut down I had to manually power it down.

I repeated it a few times, trying different languages - same result every time.

I tried searching for the "/var/log/Xorg.0.log" it mentions but I can't find it and neither could the Windows search command.


----------



## xelahart (Apr 29, 2009)

Ran defogger, seemed to run fine, log below.

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 22:42 on 12/06/2013 (Hart)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)

-=E.O.F=-


----------



## Cookiegal (Aug 27, 2003)

Please reboot after running defogger and then run the scans I mentioned and we'll see if the results are different. If so, we won't need the mbr dump.


----------



## xelahart (Apr 29, 2009)

I have rebooted after running defogger, but I don't know which scans you are referring to. There have been a few.


----------



## xelahart (Apr 29, 2009)

The last few we have tried, in reverse order, are:
FRST
MBRCheck
VEW
GMER
OTS
ESET
MBAR


----------



## xelahart (Apr 29, 2009)

On a different note, you said I should reinstall my anti-virus.
I have just done this.
In case this causes confusion the details I have for it are:
It is called BT Net Protect Plus
It is provided by BT in association with McAfee
BT is my ISP (I get the antivirus as part of my broadband package)


----------



## Cookiegal (Aug 27, 2003)

The instructions were quite lengthy so it was easy to miss but I did say to run new scans with GMER, aswmbr and MBRCheck after running Defogger and post those logs.


----------



## xelahart (Apr 29, 2009)

I decided to just start running scans and posting logs in reverse order:

FRST Log
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-06-2013 04
Ran by Hart (administrator) on 12-06-2013 23:36:21
Running from C:\Users\Hart\Documents\IT Stuff\Repair - May 2013
Windows Vista (TM) Home Premium Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
==================== Processes (Whitelisted) ===================
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
() C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe
(LeapFrog Enterprises, Inc.) C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
(Nero AG) C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
(Prolific Technology Inc.) C:\Windows\system32\IoctlSvc.exe
(Canon Inc.) C:\Program Files\Canon\CAL\CALMAIN.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe
(McAfee, Inc.) C:\Windows\system32\mfevtps.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(McAfee, Inc.) C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) c:\PROGRA~1\mcafee.com\agent\mcagent.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1278064 2013-03-13] (McAfee, Inc.)
HKCU\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-21] (Microsoft Corporation)
HKU\Emma (i-pod)\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-21] (Microsoft Corporation)
HKU\Emma (i-pod)\...\RunOnce: [Application Restart #0] C:\Program Files\Windows Media Player\wmpnscfg.exe [ 2008-01-21] (Microsoft Corporation)
==================== Internet (Whitelisted) ====================
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=1008&m=imedia_x2416
SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL = http://websearch.ask.com/redirect?c...pn_sauid=33800EBC-5D8B-4F7A-98FF-D0D0F877B504
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} http://www.photodex.com/pxplay.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: msdaipp - No CLSID Value - 
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~1\mcafee\msc\mcsniepl.dll (McAfee, Inc.)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 192.168.1.254
========================== Services (Whitelisted) =================
S2 0020671371075606mcinstcleanup; C:\Users\Hart\AppData\Local\Temp\002067~1.EXE [833616 2013-01-30] (McAfee, Inc.)
R2 AdobeActiveFileMonitor6.0; C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [124832 2007-09-11] ()
R2 CCALib8; C:\Program Files\Canon\CAL\CALMAIN.exe [96341 2006-03-30] (Canon Inc.)
R2 ETService; C:\Program Files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe [24576 2008-07-16] ()
R2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 mcmscsvc; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 McNASvc; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [279488 2013-02-25] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [203840 2013-02-19] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [169320 2013-02-19] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [172416 2013-02-19] (McAfee, Inc.)
==================== Drivers (Whitelisted) ====================
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [60920 2013-02-19] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [146872 2012-04-20] (McAfee, Inc.)
R2 int15; C:\Windows\system32\drivers\int15.sys [15392 2008-07-16] (Acer, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [133416 2013-02-19] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [235264 2013-02-19] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [65928 2013-02-19] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [363080 2013-02-19] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [565888 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [92632 2013-02-19] (McAfee, Inc.)
R1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [210608 2013-02-19] (McAfee, Inc.)
S3 s116bus; C:\Windows\System32\DRIVERS\s116bus.sys [83336 2007-04-03] (MCCI Corporation)
S4 sptd; C:\Windows\System32\Drivers\sptd.sys [721904 2012-04-24] (Duplex Secure Ltd.)
S3 catchme; \??\C:\Users\Hart\AppData\Local\Temp\catchme.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 mcdbus; system32\DRIVERS\mcdbus.sys [x]
U3 mfeapfk01; No ImagePath
U3 mfeavfk01; No ImagePath
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S1 RapportBuka; \??\C:\Windows\system32\drivers\RapportBuka.sys [x]
==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2013-06-12 23:22 - 2013-06-12 23:27 - 00001737 ____A C:\Users\Public\Desktop\BT NetProtect Plus.lnk
2013-06-12 23:20 - 2012-04-20 16:40 - 00146872 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\HipShieldK.sys
2013-06-12 23:19 - 2013-06-12 23:20 - 00000000 ____D C:\Program Files\Common Files\Mcafee
2013-06-12 23:19 - 2013-06-12 23:19 - 00000000 ____D C:\Program Files\McAfee.com
2013-06-12 23:19 - 2013-02-19 14:15 - 00060920 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\cfwids.sys
2013-06-12 23:19 - 2013-02-19 14:11 - 00010088 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfeclnk.sys
2013-06-12 23:19 - 2013-02-19 14:10 - 00092632 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mferkdet.sys
2013-06-12 23:19 - 2013-02-19 14:09 - 00363080 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfefirek.sys
2013-06-12 23:19 - 2013-02-19 14:08 - 00235264 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfeavfk.sys
2013-06-12 23:19 - 2013-02-19 14:08 - 00065928 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfebopk.sys
2013-06-12 23:11 - 2013-02-19 14:12 - 00172416 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe
2013-06-12 22:42 - 2013-06-12 22:42 - 00000020 ____A C:\Users\Hart\defogger_reenable
2013-06-10 21:56 - 2013-06-10 21:56 - 00000000 ____D C:\FRST
2013-06-09 09:57 - 2013-06-09 09:57 - 00022885 ____A C:\VEW.txt
2013-06-07 07:04 - 2013-06-07 07:04 - 00055360 ____A C:\Users\Hart\Downloads\OTS.Txt
2013-06-07 07:00 - 2013-06-07 07:00 - 00646656 ____A C:\Users\Hart\Downloads\OTS.exe
2013-06-07 03:15 - 2013-05-05 20:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-07 03:15 - 2013-05-05 20:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-07 03:08 - 2013-04-04 23:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-07 03:08 - 2013-04-04 23:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-07 03:08 - 2013-04-04 23:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-06-07 03:08 - 2013-04-04 23:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-07 03:08 - 2013-04-04 23:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-07 03:08 - 2013-04-04 23:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-06-07 03:08 - 2013-04-04 22:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-07 03:08 - 2013-04-04 22:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-07 03:08 - 2013-04-04 22:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-06-07 03:08 - 2013-04-04 22:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-06-07 03:08 - 2013-04-04 22:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-07 03:08 - 2013-04-04 22:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-07 03:08 - 2013-04-04 22:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-06-07 03:08 - 2013-04-04 22:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-06 21:35 - 2013-05-02 02:06 - 00238872 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-06-06 21:34 - 2013-04-15 15:20 - 00638328 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-06-06 21:34 - 2013-04-13 11:56 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-06-06 21:34 - 2013-04-09 02:36 - 02049024 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-06-06 20:25 - 2013-06-06 20:54 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-06-06 20:25 - 2013-06-06 20:25 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-06-05 23:53 - 2013-06-05 23:53 - 00139336 ____A C:\Windows\Minidump\Mini060513-04.dmp
2013-06-05 23:43 - 2013-06-05 23:43 - 00139336 ____A C:\Windows\Minidump\Mini060513-03.dmp
2013-06-05 23:25 - 2013-06-05 23:25 - 00139336 ____A C:\Windows\Minidump\Mini060513-02.dmp
2013-06-05 22:38 - 2013-06-05 22:38 - 00139336 ____A C:\Windows\Minidump\Mini060513-01.dmp
2013-06-01 10:14 - 2013-06-01 10:14 - 00139336 ____A C:\Windows\Minidump\Mini060113-02.dmp
2013-06-01 09:53 - 2013-06-01 09:53 - 00139336 ____A C:\Windows\Minidump\Mini060113-01.dmp
2013-05-28 20:27 - 2013-05-28 20:27 - 00000000 ____D C:\_OTS
2013-05-27 11:05 - 2013-05-27 11:05 - 00000637 ____A C:\Users\Hart\Desktop\Repair - May 2013 - Shortcut.lnk
2013-05-26 13:32 - 2013-05-26 13:32 - 00007531 ____A C:\ComboFix.txt
2013-05-26 13:17 - 2013-05-26 13:32 - 00000000 ____D C:\ComboFix
2013-05-26 13:17 - 2011-06-26 07:45 - 00256000 ____A C:\Windows\PEV.exe
2013-05-26 13:17 - 2010-11-07 18:20 - 00208896 ____A C:\Windows\MBR.exe
2013-05-26 13:17 - 2009-04-20 05:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-05-26 13:17 - 2000-08-31 01:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-05-26 13:17 - 2000-08-31 01:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-05-26 13:17 - 2000-08-31 01:00 - 00098816 ____A C:\Windows\sed.exe
2013-05-26 13:17 - 2000-08-31 01:00 - 00080412 ____A C:\Windows\grep.exe
2013-05-26 13:17 - 2000-08-31 01:00 - 00068096 ____A C:\Windows\zip.exe
2013-05-26 13:08 - 2013-05-26 13:32 - 00000000 ____D C:\Qoobox
2013-05-26 13:08 - 2013-05-26 13:30 - 00000000 ____D C:\Windows\erdnt
2013-05-26 12:14 - 2013-05-26 12:14 - 00000823 ____A C:\Users\Hart\Desktop\TEMP - Weekend Jobs.docx - Shortcut.lnk
2013-05-14 01:26 - 2013-05-14 01:26 - 00000000 ____D C:\ProgramData\WindowsSearch
==================== One Month Modified Files and Folders ========
2013-06-12 23:27 - 2013-06-12 23:22 - 00001737 ____A C:\Users\Public\Desktop\BT NetProtect Plus.lnk
2013-06-12 23:23 - 2012-12-14 12:10 - 00262144 ____A C:\Windows\System32\config\ELAM
2013-06-12 23:22 - 2009-03-14 17:57 - 00000000 ____D C:\ProgramData\McAfee
2013-06-12 23:20 - 2013-06-12 23:19 - 00000000 ____D C:\Program Files\Common Files\Mcafee
2013-06-12 23:20 - 2009-03-14 18:15 - 00000000 ____D C:\Program Files\McAfee
2013-06-12 23:19 - 2013-06-12 23:19 - 00000000 ____D C:\Program Files\McAfee.com
2013-06-12 22:54 - 2006-11-02 11:33 - 00703516 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-12 22:52 - 2008-10-13 10:11 - 01897218 ____A C:\Windows\WindowsUpdate.log
2013-06-12 22:49 - 2012-04-01 15:47 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-12 22:49 - 2008-10-13 10:10 - 00000000 ____A C:\Windows\System32\LogConfigTemp.xml
2013-06-12 22:49 - 2006-11-02 14:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-12 22:49 - 2006-11-02 13:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-12 22:49 - 2006-11-02 13:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-12 22:46 - 2006-11-02 14:01 - 00032762 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-12 22:45 - 2012-04-01 15:47 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-12 22:45 - 2011-07-09 17:11 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-12 22:42 - 2013-06-12 22:42 - 00000020 ____A C:\Users\Hart\defogger_reenable
2013-06-12 22:42 - 2009-01-14 22:52 - 00000000 ____D C:\users\Hart
2013-06-12 21:59 - 2008-01-21 03:47 - 00177342 ____A C:\Windows\PFRO.log
2013-06-10 21:56 - 2013-06-10 21:56 - 00000000 ____D C:\FRST
2013-06-09 09:57 - 2013-06-09 09:57 - 00022885 ____A C:\VEW.txt
2013-06-07 07:04 - 2013-06-07 07:04 - 00055360 ____A C:\Users\Hart\Downloads\OTS.Txt
2013-06-07 03:40 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-06-07 03:33 - 2006-11-02 13:47 - 00385648 ____A C:\Windows\System32\FNTCACHE.DAT
2013-06-07 03:16 - 2008-08-21 22:18 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-06-07 03:11 - 2009-01-14 23:26 - 00000039 ____A C:\Windows\vbaddin.ini
2013-06-07 03:09 - 2006-11-02 11:24 - 72607752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-06-06 21:30 - 2009-03-28 20:28 - 00000000 ____D C:\Users\Hart\Documents\IT Stuff
2013-06-06 20:54 - 2013-06-06 20:25 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-06-06 20:25 - 2013-06-06 20:25 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-06-05 23:53 - 2013-06-05 23:53 - 00139336 ____A C:\Windows\Minidump\Mini060513-04.dmp
2013-06-05 23:53 - 2009-08-19 19:31 - 254406718 ____A C:\Windows\MEMORY.DMP
2013-06-05 23:53 - 2009-08-19 19:31 - 00000000 ____D C:\Windows\Minidump
2013-06-05 23:43 - 2013-06-05 23:43 - 00139336 ____A C:\Windows\Minidump\Mini060513-03.dmp
2013-06-05 23:25 - 2013-06-05 23:25 - 00139336 ____A C:\Windows\Minidump\Mini060513-02.dmp
2013-06-05 22:38 - 2013-06-05 22:38 - 00139336 ____A C:\Windows\Minidump\Mini060513-01.dmp
2013-06-01 10:14 - 2013-06-01 10:14 - 00139336 ____A C:\Windows\Minidump\Mini060113-02.dmp
2013-06-01 09:53 - 2013-06-01 09:53 - 00139336 ____A C:\Windows\Minidump\Mini060113-01.dmp
2013-05-29 20:49 - 2006-11-02 13:52 - 00076033 ____A C:\Windows\setupact.log
2013-05-28 20:27 - 2013-05-28 20:27 - 00000000 ____D C:\_OTS
2013-05-27 11:05 - 2013-05-27 11:05 - 00000637 ____A C:\Users\Hart\Desktop\Repair - May 2013 - Shortcut.lnk
2013-05-26 13:32 - 2013-05-26 13:32 - 00007531 ____A C:\ComboFix.txt
2013-05-26 13:32 - 2013-05-26 13:17 - 00000000 ____D C:\ComboFix
2013-05-26 13:32 - 2013-05-26 13:08 - 00000000 ____D C:\Qoobox
2013-05-26 13:32 - 2006-11-02 12:18 - 00000000 __RHD C:\users\Default
2013-05-26 13:32 - 2006-11-02 12:18 - 00000000 ___RD C:\users\Public
2013-05-26 13:30 - 2013-05-26 13:08 - 00000000 ____D C:\Windows\erdnt
2013-05-26 13:29 - 2006-11-02 11:23 - 00000215 ____A C:\Windows\system.ini
2013-05-26 12:14 - 2013-05-26 12:14 - 00000823 ____A C:\Users\Hart\Desktop\TEMP - Weekend Jobs.docx - Shortcut.lnk
2013-05-26 12:07 - 2012-03-15 09:18 - 00001356 ____A C:\Users\Hart\AppData\Local\d3d9caps.dat
2013-05-16 20:16 - 2009-04-29 18:33 - 00000000 ____D C:\Program Files\HijackThis
2013-05-14 01:26 - 2013-05-14 01:26 - 00000000 ____D C:\ProgramData\WindowsSearch
2013-05-14 01:16 - 2013-04-13 16:24 - 00000000 ____D C:\users\UpdatusUser.Hart-PC
2013-05-14 01:11 - 2006-11-02 11:22 - 55050240 ____A C:\Windows\System32\config\software_previous
2013-05-14 01:11 - 2006-11-02 11:22 - 36962304 ____A C:\Windows\System32\config\components_previous
2013-05-14 01:11 - 2006-11-02 11:22 - 128450560 ____A C:\Windows\System32\config\system_previous
2013-05-14 01:11 - 2006-11-02 11:22 - 00786432 ____A C:\Windows\System32\config\default_previous
2013-05-14 01:11 - 2006-11-02 11:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2013-05-14 01:11 - 2006-11-02 11:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2013-05-14 01:08 - 2012-01-20 10:41 - 00000000 ____D C:\users\Emma (i-pod)
2013-05-14 01:08 - 2011-06-17 20:42 - 00000000 ____D C:\users\Alex
2013-05-14 01:04 - 2009-11-16 19:49 - 00000000 ____D C:\Program Files\Windows Portable Devices
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\twain_32
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\System32\XPSViewer
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\ShellNew
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Windows Sidebar
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Windows Photo Gallery
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Windows Journal
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Windows Defender
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Windows Collaboration
2013-05-14 01:04 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Movie Maker
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 __RSD C:\Windows\Media
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\zh-TW
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\zh-HK
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\zh-CN
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\uk-UA
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\tr-TR
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\th-TH
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\sv-SE
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\sr-Latn-CS
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\SLUI
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\sl-SI
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\sk-SK
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\ru-RU
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\ro-RO
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\ras
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\pt-PT
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\pt-BR
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\pl-PL
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\nl-NL
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\nb-NO
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\lv-LV
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\lt-LT
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\ko-KR
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\ja-JP
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\it-IT
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\icsxml
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\hu-HU
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\hr-HR
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\he-IL
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\fr-FR
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\fi-FI
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\et-EE
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\el-GR
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\de-DE
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\bg-BG
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\ar-SA
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\AdvancedInstallers
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\system
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\L2Schemas
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\IME
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\Cursors
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Program Files\Common Files\System
2013-05-14 01:04 - 2006-11-02 12:18 - 00000000 ____D C:\Program Files\Common Files\Services
2013-05-14 01:03 - 2009-09-20 19:57 - 00000000 ____D C:\Windows\System32\vi-VN
2013-05-14 01:03 - 2009-09-20 19:57 - 00000000 ____D C:\Windows\System32\eu-ES
2013-05-14 01:03 - 2009-09-20 19:57 - 00000000 ____D C:\Windows\System32\ca-ES
2013-05-14 01:03 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\DigitalLocker
2013-05-14 01:03 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Windows Calendar
2013-05-14 01:03 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\ias
2013-05-14 01:03 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\com
2013-05-14 01:03 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\MSAgent
2013-05-14 00:59 - 2009-09-20 19:33 - 00000000 ____D C:\Windows\System32\EventProviders
2013-05-14 00:59 - 2008-08-21 22:01 - 00000000 ____D C:\Windows\System32\RTCOM
2013-05-14 00:59 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\System32\restore
2013-05-14 00:59 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\tapi
2013-05-14 00:59 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\spool
2013-05-14 00:59 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\Msdtc
2013-05-14 00:58 - 2011-04-05 14:55 - 00000000 ____D C:\Windows\System32\custom matrices
2013-05-14 00:58 - 2009-05-31 17:42 - 00000000 ____D C:\Windows\System32\C2MP
2013-05-14 00:58 - 2009-03-14 19:16 - 00000000 ____D C:\Users\Hart\AppData\Roaming\uTorrent
2013-05-14 00:58 - 2009-03-14 16:08 - 00000000 ___RD C:\Users\Hart\Desktop\Pre-Installed Shortcuts
2013-05-14 00:58 - 2006-11-02 12:18 - 00000000 ___RD C:\Windows\Offline Web Pages
2013-05-14 00:58 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\rescache
2013-05-14 00:57 - 2012-04-09 16:04 - 00000000 ____D C:\Users\Emma (i-pod)\AppData\Roaming\ICAClient
2013-05-14 00:57 - 2010-08-19 12:45 - 00000000 ____D C:\Users\Hart\AppData\Roaming\ICAClient
2013-05-14 00:57 - 2009-07-04 19:36 - 00000000 ____D C:\Users\Hart\AppData\Local\Microsoft Help
2013-05-14 00:56 - 2012-11-18 18:38 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2013-05-14 00:56 - 2012-01-29 12:49 - 00000000 ____D C:\Program Files\iTunes
2013-05-14 00:56 - 2012-01-29 12:43 - 00000000 ____D C:\Program Files\QuickTime
2013-05-14 00:56 - 2012-01-29 12:41 - 00000000 ____D C:\Program Files\Safari
2013-05-14 00:56 - 2012-01-29 12:40 - 00000000 ____D C:\Program Files\Bonjour
2013-05-14 00:56 - 2011-06-27 23:37 - 00000000 ____D C:\Program Files\Apple Software Update
2013-05-14 00:56 - 2009-08-10 21:29 - 00000000 ____D C:\Program Files\Garmin GPS Plugin
2013-05-14 00:56 - 2009-08-10 20:35 - 00000000 ____D C:\Garmin
2013-05-14 00:56 - 2009-07-13 14:28 - 00000000 ____D C:\Program Files\Photodex Presenter
2013-05-14 00:56 - 2009-04-15 21:20 - 00000000 ____D C:\Program Files\AviSynth 2.5
2013-05-14 00:56 - 2009-03-28 20:09 - 00000000 ____D C:\Program Files\MagicISO
2013-05-14 00:56 - 2009-03-18 22:32 - 00000000 ____D C:\Program Files\WinRAR
2013-05-14 00:56 - 2009-03-14 20:45 - 00000000 ____D C:\ProgramData\FLEXnet
2013-05-14 00:56 - 2009-03-14 19:16 - 00000000 ____D C:\Program Files\uTorrent
2013-05-14 00:56 - 2009-03-14 18:42 - 00000000 ____D C:\Program Files\GrabIt
2013-05-14 00:56 - 2008-08-21 22:19 - 00000000 ____D C:\Program Files\Microsoft Works
2013-05-14 00:56 - 2008-08-21 22:19 - 00000000 ____D C:\Program Files\Common Files\DESIGNER
2013-05-14 00:56 - 2008-08-21 22:18 - 00000000 ____D C:\Program Files\Microsoft Office
2013-05-14 00:56 - 2008-08-21 22:05 - 00000000 ____D C:\Program Files\HDReg
2013-05-14 00:56 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\MSBuild
2013-05-14 00:44 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\registration
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-06-12 22:55
==================== End Of Log ============================

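The Services and Drivers sections of the FRST log above carry the entries a responder looks at first: a service whose image lives under `\AppData\Local\Temp\` (`0020671371075606mcinstcleanup`), a driver registration whose file is gone (`catchme`, `RapportBuka`, both `[x]`), drivers with no ImagePath at all (`mfeapfk01`, `mfeavfk01`), and a service binary with no publisher in its version info (`ETService`, shown as `()`). The triage script below is an added example, not code from the thread or from FRST; the sample lines are copied from the posted log rather than from a live scan, the flag names are mine, and the reading of FRST's leading letter (R = running, S = stopped, U = state FRST could not determine) is my assumption. The digit after the letter is the standard Windows service Start value.

```python
import re
from typing import Optional

# Constructed sample: lines copied from the FRST log posted above, not a live scan.
SAMPLE_LINES = r"""
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [203840 2013-02-19] (McAfee, Inc.)
S2 0020671371075606mcinstcleanup; C:\Users\Hart\AppData\Local\Temp\002067~1.EXE [833616 2013-01-30] (McAfee, Inc.)
R2 ETService; C:\Program Files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe [24576 2008-07-16] ()
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [565888 2013-02-19] (McAfee, Inc.)
S3 catchme; \??\C:\Users\Hart\AppData\Local\Temp\catchme.sys [x]
U3 mfeapfk01; No ImagePath
S1 RapportBuka; \??\C:\Windows\system32\drivers\RapportBuka.sys [x]
"""

# Windows service Start values; the leading letter is FRST's state flag
# (R = running, S = stopped, U = state not determined: my reading, an assumption).
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

ENTRY_RE = re.compile(r"^(?P<state>[RSU])(?P<start>\d)\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")
# "<path> [<size> <date>] (<publisher>)"  or  "<path> [x]" when the file is gone
IMAGE_RE = re.compile(r"^(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]\s*(?:\((?P<pub>[^)]*)\))?\s*$")
TEMP_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


def parse_entry(line: str) -> Optional[dict]:
    """Turn one FRST service/driver line into a record, or None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "name": m["name"].strip(),
        "state": m["state"],
        "start": int(m["start"]),
        "path": None,
        "present": False,
        "publisher": None,
    }
    rest = m["rest"].strip()
    if rest == "No ImagePath":
        return rec
    im = IMAGE_RE.match(rest)
    if not im:
        return rec
    path = im["path"]
    if path.startswith("\\??\\"):        # NT object-manager prefix FRST keeps for drivers
        path = path[4:]
    rec["path"] = path
    rec["present"] = im["meta"] != "x"    # FRST prints [x] when the image file is missing
    rec["publisher"] = im["pub"]          # '' when the file carries no company in its version info
    return rec


def flag(rec: dict) -> list:
    """Reasons a responder would look at this entry before the rest."""
    flags = []
    if rec["path"] and TEMP_RE.search(rec["path"]):
        flags.append("image-in-temp")           # persistence out of a temp directory
    if rec["path"] and not rec["present"]:
        flags.append("file-missing")            # registration outlived its file
    if rec["path"] is None:
        flags.append("no-imagepath")            # key exists with nothing to load
    if rec["present"] and rec["publisher"] == "":
        flags.append("no-publisher")            # no company name; verify the binary by hash
    if rec["path"] and not rec["present"] and rec["start"] in (0, 1):
        flags.append("orphan-early-driver")     # boot/system-start driver left behind by an uninstall
    return flags


def triage(text: str) -> list:
    """Parse every service/driver line and attach flags plus a readable start type."""
    out = []
    for line in text.splitlines():
        rec = parse_entry(line)
        if rec is None:
            continue
        rec["start_name"] = START_TYPES.get(rec["start"], "?")
        rec["flags"] = flag(rec)
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE_LINES):
        if rec["flags"]:
            print(f'{rec["name"]:32} {rec["state"]}{rec["start"]} ({rec["start_name"]:9}) {", ".join(rec["flags"])}')
```

Run against the sample, the script lists five of the seven entries: the Temp-resident McAfee cleanup service, `ETService` with no publisher, `catchme` (Temp path and file gone), `mfeapfk01` (no ImagePath) and `RapportBuka`, a system-start driver whose file is gone, which lines up with the "Removed Rapport" restore point in the Addition log. None of these flags is a verdict; a `()` publisher only says the binary has no version-info company, so the next step is a hash check of the file, not deletion.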

----------



## Cookiegal (Aug 27, 2003)

xelahart said:


> On a different note, you said I should reinstall my anti-virus.
> I have just done this.
> In case this causes confusion the details I have for it are:
> It is called BT Net Protect Plus
> ...


OK, thanks.


----------



## xelahart (Apr 29, 2009)

FRST Addition

09-05-2013 23:00:04 Scheduled Checkpoint
11-05-2013 12:11:46 Scheduled Checkpoint
26-05-2013 10:16:50 Installed Packard Bell Recovery Management
06-06-2013 20:34:25 Windows Update
07-06-2013 02:08:07 Windows Update
09-06-2013 19:23:06 Scheduled Checkpoint
10-06-2013 21:29:34 Scheduled Checkpoint
11-06-2013 23:01:20 Scheduled Checkpoint
11-06-2013 23:18:16 Removed Rapport
12-06-2013 21:03:29 Windows Update
==================== Faulty Device Manager Devices =============
Name: Microsoft PS/2 Mouse
Description: Microsoft PS/2 Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================
Application errors:
==================
Error: (06/12/2013 11:27:34 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
Error: (06/12/2013 11:27:34 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
Error: (06/12/2013 10:51:02 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/12/2013 10:45:22 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/12/2013 10:28:54 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/12/2013 10:01:04 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/11/2013 11:26:24 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/11/2013 06:20:28 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/10/2013 09:42:36 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/09/2013 07:49:54 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

System errors:
=============
Error: (06/12/2013 11:19:50 PM) (Source: Service Control Manager) (User: )
Description: Windows Search%%1053
Error: (06/12/2013 11:19:50 PM) (Source: Service Control Manager) (User: )
Description: 30000Windows Search
Error: (06/12/2013 11:19:50 PM) (Source: DCOM) (User: )
Description: 1053WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
Error: (06/12/2013 10:51:38 PM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069
Error: (06/12/2013 10:51:38 PM) (Source: Service Control Manager) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
Error: (06/12/2013 10:45:55 PM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069
Error: (06/12/2013 10:45:55 PM) (Source: Service Control Manager) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
Error: (06/12/2013 10:29:57 PM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069
Error: (06/12/2013 10:29:57 PM) (Source: Service Control Manager) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
Error: (06/12/2013 10:01:39 PM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069

Microsoft Office Sessions:
=========================
Error: (11/04/2011 07:24:29 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 16 seconds with 0 seconds of active time. This session ended with a crash.

CodeIntegrity Errors:
===================================
Date: 2013-06-12 00:19:15.641
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\RapportKELL.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-12 00:19:15.421
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\RapportKELL.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-12 00:19:15.212
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\RapportKELL.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-12 00:19:15.003
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\RapportKELL.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-10 21:57:12.602
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\RapportKELL.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-10 21:57:12.376
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\RapportKELL.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-10 21:57:12.153
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\RapportKELL.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-10 21:57:11.924
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\RapportKELL.sys because the set of per-page image hashes could not be found on the system.
Date: 2013-06-07 07:17:27.804
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Hart\AppData\Local\temp\tmp390D.tmp because the set of per-page image hashes could not be found on the system.
Date: 2013-06-07 07:17:27.601
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\Hart\AppData\Local\temp\tmp390D.tmp because the set of per-page image hashes could not be found on the system.

==================== Memory info =========================== 
Percentage of memory in use: 41%
Total physical RAM: 3070.32 MB
Available physical RAM: 1809.36 MB
Total Pagefile: 6372.67 MB
Available Pagefile: 4705.91 MB
Total Virtual: 2047.88 MB
Available Virtual: 1923.2 MB
==================== Drives ================================
Drive c: (OS) (Fixed) (Total:586.17 GB) (Free:347.33 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 596 GB) (Disk ID: 85801FD9)
Partition 1: (Not Active) - (Size=10 GB) - (Type=27)
Partition 2: (Active) - (Size=586 GB) - (Type=07 NTFS)
==================== End Of Log ============================


----------



## xelahart (Apr 29, 2009)

The instructions were quite lengthy so it was easy to miss but I did say to run new scans with GMER, aswmbr and MBRCheck after running Defogger and post those logs.

Sorry, on it now.


----------



## Cookiegal (Aug 27, 2003)

No problem but I will only be able to review all of those logs tomorrow morning.


----------



## xelahart (Apr 29, 2009)

aswMBR log

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-06-12 23:57:20
-----------------------------
23:57:20.876 OS Version: Windows 6.0.6002 Service Pack 2
23:57:20.876 Number of processors: 4 586 0x1707
23:57:20.878 ComputerName: HART-PC UserName: Hart
23:57:22.432 Initialize success
23:59:21.791 AVAST engine defs: 13061201
23:59:30.722 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000052
23:59:30.725 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
23:59:30.977 Disk 0 MBR read successfully
23:59:30.979 Disk 0 MBR scan
23:59:30.985 Disk 0 Windows VISTA default MBR code
23:59:31.002 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10240 MB offset 2048
23:59:31.015 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 600238 MB offset 20973568
23:59:31.035 Disk 0 scanning sectors +1250261680
23:59:31.233 Disk 0 scanning C:\Windows\system32\drivers
23:59:45.113 Service scanning
00:00:02.435 Modules scanning
00:00:32.019 Disk 0 trace - called modules:
00:00:32.041 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys 
00:00:32.047 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8c1b73b0]
00:00:32.053 3 CLASSPNP.SYS[90a0f8b3] -> nt!IofCallDriver -> [0x8bb8ea60]
00:00:32.058 5 acpi.sys[88ea16bc] -> nt!IofCallDriver -> \Device\00000052[0x8bc5c738]
00:00:33.474 AVAST engine scan C:\Windows
00:00:50.342 AVAST engine scan C:\Windows\system32
00:07:28.840 AVAST engine scan C:\Windows\system32\drivers
00:07:46.220 Disk 0 MBR has been saved successfully to "C:\Users\Hart\Documents\IT Stuff\Repair - May 2013\MBR.dat"
00:07:46.236 The log file has been saved successfully to "C:\Users\Hart\Documents\IT Stuff\Repair - May 2013\aswMBR 2 (12Jun13).txt"


----------



## xelahart (Apr 29, 2009)

MBRcheck log

MBRCheck, version 1.2.3
(c) 2010, AD
Command-line: 
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Packard Bell BV
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Packard Bell BV
System Product Name: IMEDIA X2416
Logical Drives Mask: 0x000002ec
Kernel Drivers (total 144):
0x88810000 \SystemRoot\system32\ntkrnlpa.exe
0x88BCA000 \SystemRoot\system32\hal.dll
0x80601000 \SystemRoot\system32\kdcom.dll
0x80608000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x80678000 \SystemRoot\system32\PSHED.dll
0x80689000 \SystemRoot\system32\BOOTVID.dll
0x80691000 \SystemRoot\system32\CLFS.SYS
0x806D2000 \SystemRoot\system32\CI.dll
0x88E0A000 \SystemRoot\system32\drivers\Wdf01000.sys
0x88E8B000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x88E99000 \SystemRoot\system32\drivers\acpi.sys
0x88EDF000 \SystemRoot\system32\drivers\WMILIB.SYS
0x88EE8000 \SystemRoot\system32\drivers\msisadrv.sys
0x88EF0000 \SystemRoot\system32\drivers\pci.sys
0x88F17000 \SystemRoot\System32\drivers\partmgr.sys
0x88F27000 \SystemRoot\system32\drivers\volmgr.sys
0x88F36000 \SystemRoot\System32\drivers\volmgrx.sys
0x88F80000 \SystemRoot\system32\drivers\pciide.sys
0x88F87000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x88F95000 \SystemRoot\System32\drivers\mountmgr.sys
0x88FA5000 \SystemRoot\system32\drivers\atapi.sys
0x88FAD000 \SystemRoot\system32\drivers\ataport.SYS
0x88FCB000 \SystemRoot\system32\DRIVERS\nvstor32.sys
0x807B2000 \SystemRoot\system32\DRIVERS\storport.sys
0x9060E000 \SystemRoot\system32\drivers\fltmgr.sys
0x90640000 \SystemRoot\system32\drivers\fileinfo.sys
0x90650000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x90659000 \SystemRoot\System32\Drivers\ksecdd.sys
0x906CB000 \SystemRoot\system32\drivers\ndis.sys
0x90800000 \SystemRoot\system32\drivers\msrpc.sys
0x9082B000 \SystemRoot\system32\drivers\NETIO.SYS
0x90866000 \SystemRoot\System32\Drivers\Ntfs.sys
0x90976000 \SystemRoot\system32\drivers\wd.sys
0x9097E000 \SystemRoot\system32\drivers\volsnap.sys
0x909B7000 \SystemRoot\System32\Drivers\spldr.sys
0x909BF000 \SystemRoot\System32\Drivers\mup.sys
0x909CE000 \SystemRoot\System32\drivers\ecache.sys
0x907D6000 \SystemRoot\system32\drivers\disk.sys
0x90A0A000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x90A2B000 \SystemRoot\system32\drivers\crcdisk.sys
0x90A70000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x90A7B000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x90A84000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x90A93000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x90AA6000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x90AB1000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x90ABC000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x90AC6000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x90B04000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x90B13000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x90BA0000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
0x90BAF000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x90BC7000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x94A00000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x95489000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x95529000 \SystemRoot\System32\drivers\watchdog.sys
0x95535000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x9553E000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x9556D000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x95578000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x9558F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x9559A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x955BD000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x955CC000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x955E0000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x90BCD000 \SystemRoot\system32\DRIVERS\termdd.sys
0x955F5000 \SystemRoot\system32\DRIVERS\swenum.sys
0x95809000 \SystemRoot\system32\DRIVERS\ks.sys
0x95833000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x9583D000 \SystemRoot\system32\DRIVERS\umbus.sys
0x9584A000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x9587F000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x95A0B000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x95C13000 \SystemRoot\system32\drivers\portcls.sys
0x95C40000 \SystemRoot\system32\drivers\drmk.sys
0x95C65000 \SystemRoot\system32\drivers\nvhda32v.sys
0x95C73000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x95C7C000 \SystemRoot\System32\Drivers\Null.SYS
0x95C83000 \SystemRoot\System32\Drivers\Beep.SYS
0x95C93000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x95C9A000 \SystemRoot\System32\drivers\vga.sys
0x95CA6000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x95CC7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x95CCF000 \SystemRoot\system32\drivers\rdpencdd.sys
0x95CD7000 \SystemRoot\System32\Drivers\Msfs.SYS
0x95CE2000 \SystemRoot\System32\Drivers\Npfs.SYS
0x95CF0000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x95CF9000 \SystemRoot\System32\drivers\tcpip.sys
0x95DE3000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x95890000 \SystemRoot\system32\DRIVERS\tdx.sys
0x958A6000 \SystemRoot\system32\DRIVERS\smb.sys
0x958BA000 \SystemRoot\System32\DRIVERS\netbt.sys
0x958EC000 \SystemRoot\system32\drivers\afd.sys
0x95A00000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x95934000 \SystemRoot\system32\DRIVERS\pacer.sys
0x9594A000 \SystemRoot\system32\DRIVERS\netbios.sys
0x95958000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x9596B000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x959A7000 \SystemRoot\system32\drivers\nsiproxy.sys
0x959B1000 \SystemRoot\System32\Drivers\dfsc.sys
0x959C8000 \SystemRoot\System32\Drivers\crashdmp.sys
0x959D5000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x90A34000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
0x95C8A000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x959DF000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x95DFE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x959EF000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x90A59000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA4E20000 \SystemRoot\System32\win32k.sys
0x90BDD000 \SystemRoot\System32\drivers\Dxapi.sys
0x90BE7000 \SystemRoot\system32\DRIVERS\monitor.sys
0xA5040000 \SystemRoot\System32\TSDDD.dll
0xA5060000 \SystemRoot\System32\cdd.dll
0x8180D000 \SystemRoot\system32\drivers\luafv.sys
0x81828000 \SystemRoot\system32\drivers\WudfPf.sys
0x8183C000 \SystemRoot\system32\drivers\spsys.sys
0x818EC000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x818FC000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x8190F000 \SystemRoot\system32\drivers\HTTP.sys
0x8197C000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x81999000 \SystemRoot\system32\DRIVERS\bowser.sys
0x819B2000 \SystemRoot\System32\drivers\mpsdrv.sys
0x819C7000 \SystemRoot\system32\drivers\mrxdav.sys
0x83201000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x83220000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x83259000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x83271000 \SystemRoot\System32\DRIVERS\srv2.sys
0x83299000 \SystemRoot\System32\DRIVERS\srv.sys
0x832E8000 \??\C:\Windows\system32\drivers\int15.sys
0x832EF000 \SystemRoot\system32\drivers\peauth.sys
0x833CD000 \SystemRoot\System32\Drivers\secdrv.SYS
0x833D7000 \SystemRoot\System32\drivers\tcpipreg.sys
0xAAE35000 \SystemRoot\system32\DRIVERS\cdfs.sys
0xAAE4B000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xA5070000 \SystemRoot\System32\ATMFD.DLL
0xAAE54000 \SystemRoot\system32\drivers\mfehidk.sys
0xAAEDC000 \SystemRoot\system32\drivers\mfewfpk.sys
0xAAFB5000 \SystemRoot\system32\drivers\mfeavfk.sys
0xAAF2D000 \SystemRoot\system32\drivers\mfefirek.sys
0xAAFA3000 \SystemRoot\system32\drivers\cfwids.sys
0xAAF84000 \Device\mfeapfk01.sys
0xAAF0E000 \??\C:\Users\Hart\AppData\Local\Temp\pxldipow.sys
0xAAFED000 \??\C:\Users\Hart\AppData\Local\Temp\aswMBR.sys
0x775C0000 \Windows\System32\ntdll.dll
Processes (total 64):
0 System Idle Process
4 System
432 C:\Windows\System32\smss.exe
500 csrss.exe
560 C:\Windows\System32\wininit.exe
572 csrss.exe
604 C:\Windows\System32\services.exe
616 C:\Windows\System32\lsass.exe
632 C:\Windows\System32\lsm.exe
728 C:\Windows\System32\winlogon.exe
828 C:\Windows\System32\svchost.exe
872 C:\Windows\System32\nvvsvc.exe
904 C:\Windows\System32\svchost.exe
964 C:\Windows\System32\svchost.exe
1024 C:\Windows\System32\svchost.exe
1040 C:\Windows\System32\svchost.exe
1116 C:\Windows\System32\audiodg.exe
1136 C:\Windows\System32\svchost.exe
1172 C:\Windows\System32\SLsvc.exe
1220 C:\Windows\System32\svchost.exe
1320 C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
1328 C:\Windows\System32\nvvsvc.exe
1464 C:\Windows\System32\svchost.exe
1660 C:\Windows\System32\spoolsv.exe
1684 C:\Windows\System32\svchost.exe
444 C:\Windows\System32\dwm.exe
380 C:\Windows\System32\taskeng.exe
720 C:\Windows\explorer.exe
812 C:\Windows\RtHDVCpl.exe
476 C:\Program Files\Windows Media Player\wmpnscfg.exe
1712 C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
1428 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
692 C:\Program Files\Bonjour\mDNSResponder.exe
2056 C:\Program Files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe
2196 C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
2252 C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
2372 C:\Windows\System32\IoctlSvc.exe
2396 C:\Windows\System32\svchost.exe
2424 C:\Windows\System32\svchost.exe
2488 C:\Windows\System32\svchost.exe
2800 C:\Program Files\Canon\CAL\CALMAIN.exe
3060 C:\Program Files\Windows Media Player\wmpnetwk.exe
3192 C:\Windows\System32\mobsync.exe
3112 C:\Windows\System32\taskeng.exe
2564 C:\Program Files\Internet Explorer\iexplore.exe
3600 C:\Program Files\Internet Explorer\iexplore.exe
3596 C:\Windows\System32\svchost.exe
3384 C:\Windows\System32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe
4180 C:\Windows\System32\mfevtps.exe
5404 C:\Program Files\Internet Explorer\iexplore.exe
4664 C:\Windows\System32\SearchIndexer.exe
4924 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
5784 C:\Windows\System32\rundll32.exe
5744 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
5828 C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
5248 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
6072 C:\Program Files\Internet Explorer\iexplore.exe
1424 C:\Program Files\Common Files\Mcafee\Core\mchost.exe
5420 C:\Windows\System32\SearchProtocolHost.exe
5396 C:\Windows\System32\SearchFilterHost.exe
4640 C:\Windows\System32\dllhost.exe
5824 dllhost.exe
1088 dllhost.exe
2404 C:\Users\Hart\Documents\IT Stuff\Repair - May 2013\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`80100000 (NTFS)
PhysicalDrive0 Model Number: WDC WD6400AAKS-22A7B, Rev: 01.0
Size Device Name MBR Status
--------------------------------------------
596 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 90C10828C3538DFE7F856D1137321BB66C28DC98

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 
Done!


----------



## xelahart (Apr 29, 2009)

And GMER is back to giving me a BSOD before it finishes the scan.


----------



## xelahart (Apr 29, 2009)

Just did a quick search, it seems BSOD with GMER is not uncommon. Is there anything I can try to get it to run better?

I noticed a post in one forum that gave the same instructions as you but also said to uncheck "Show All". Would that make a difference?


----------



## xelahart (Apr 29, 2009)

Another suggested unchecking "Files".


----------



## Cookiegal (Aug 27, 2003)

Generally "Show all" is now unchecked by default and should be grayed out. If that's not the case then yes, uncheck it.

You can try doing them one section at a time and the most important one I want to see is "Trace I/O" so try unchecking all but that section and the C drive please.


----------



## xelahart (Apr 29, 2009)

OK, now doing a run with everything unchecked except Trace I/O and C:\


----------



## xelahart (Apr 29, 2009)

All I get is a message saying: "GMER hasn't found any system modification".
I'll try turning a few more things on, let me know if there is an order of priority I should use to save me time.


----------



## Cookiegal (Aug 27, 2003)

No, it's not necessary. The part that concerned me was under the Trace I/O section and that was caused by the emulator we disabled. But MBRCheck is still showing "596 GB \\.\PhysicalDrive0 MBR Code Faked!" so let's investigate further.

Please download *OTL* to your Desktop. 

Double-click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. 
Click the Run Scan button. Do not change any other settings unless otherwise instructed. The scan won't take long. 
When the scan completes, it will open two Notepad windows called *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL. 
Please copy and paste the contents of both of these files here in your next reply.


----------



## xelahart (Apr 29, 2009)

OTL Log

OTL logfile created on: 16/06/2013 18:34:42 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Hart\Documents\IT Stuff\Repair - May 2013
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 1.83 Gb Available Physical Memory | 61.03% Memory free
6.22 Gb Paging File | 4.58 Gb Available in Paging File | 73.72% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 586.17 Gb Total Space | 341.36 Gb Free Space | 58.24% Space Free | Partition Type: NTFS

Computer Name: HART-PC | User Name: Hart | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/06/16 18:31:49 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Hart\Documents\IT Stuff\Repair - May 2013\OTL.exe
PRC - [2013/06/11 23:45:13 | 000,814,472 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe
PRC - [2013/03/13 18:40:08 | 001,278,064 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2013/02/19 14:12:14 | 000,172,416 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2013/02/19 14:08:52 | 000,169,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2013/02/19 14:06:50 | 000,203,840 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2013/01/31 10:01:06 | 000,865,056 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
PRC - [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2012/08/31 13:00:52 | 000,078,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\Core\mchost.exe
PRC - [2012/07/05 18:41:08 | 007,392,136 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
PRC - [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/07/16 14:00:00 | 000,024,576 | ---- | M] () -- C:\Program Files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe
PRC - [2008/06/26 08:56:10 | 006,139,904 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/09/11 00:45:04 | 000,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
PRC - [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe

========== Modules (No Company Name) ==========

========== Services (SafeList) ==========

SRV - [2013/06/12 22:45:30 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/02/25 23:02:14 | 000,279,488 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2013/02/19 21:32:08 | 001,259,296 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2013/02/19 14:12:14 | 000,172,416 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2013/02/19 14:08:52 | 000,169,320 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2013/02/19 14:06:50 | 000,203,840 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2012/08/31 13:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2012/07/05 18:41:08 | 007,392,136 | ---- | M] (LeapFrog Enterprises, Inc.) [Auto | Running] -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)
SRV - [2012/01/09 15:47:32 | 000,827,456 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Windows\temp\0108111371399383mcinst.exe -- (0108111371399383mcinstcleanup)
SRV - [2008/08/21 22:08:35 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/07/16 14:00:00 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Program Files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe -- (ETService)
SRV - [2008/01/21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/09/11 00:45:04 | 000,124,832 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)
SRV - [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\RapportBuka.sys -- (RapportBuka)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Hart\AppData\Local\Temp\pxldipow.sys -- (pxldipow)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (mfeavfk01)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\mcdbus.sys -- (mcdbus)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Hart\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2013/02/19 21:32:54 | 010,919,200 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2013/02/19 14:15:04 | 000,060,920 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2013/02/19 14:12:24 | 000,210,608 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2013/02/19 14:10:52 | 000,092,632 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2013/02/19 14:09:52 | 000,565,888 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2013/02/19 14:09:02 | 000,363,080 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2013/02/19 14:08:40 | 000,065,928 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2013/02/19 14:08:20 | 000,235,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2013/02/19 14:07:50 | 000,133,416 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2012/04/24 20:40:19 | 000,721,904 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2012/04/20 16:40:44 | 000,146,872 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\HipShieldK.sys -- (HipShieldK)
DRV - [2008/08/05 05:29:26 | 000,044,576 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
DRV - [2008/07/16 13:56:06 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\int15.sys -- (int15)
DRV - [2008/06/06 12:13:10 | 000,145,440 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/04/03 14:57:42 | 000,083,336 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s116bus.sys -- (s116bus)
DRV - [2006/11/02 08:30:56 | 000,044,544 | ---- | M] (Realtek Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=1008&m=imedia_x2416
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?source...nputEncoding}&oe={outputEncoding}&rlz=1I7ACPW

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?c...pn_sauid=33800EBC-5D8B-4F7A-98FF-D0D0F877B504
IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?source...&oe={outputEncoding}&rlz=1I7ACPW_enGB318GB318
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@garmin.com/GpsControl: C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2013/06/16 17:16:19 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2013/05/26 13:29:06 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} http://www.photodex.com/pxplay.cab (Photodex Presenter AX control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{27FA60FB-5855-47ED-90FC-73C7DFD953D2}: DhcpNameServer = 192.168.1.254 192.168.1.254
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Hart\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Hart\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/06/16 17:13:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2013/06/13 00:27:23 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/06/13 00:27:22 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/06/13 00:27:22 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/06/13 00:27:22 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/06/13 00:27:22 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/06/13 00:27:21 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/06/13 00:27:21 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013/06/13 00:27:20 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/06/12 23:20:20 | 000,146,872 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\HipShieldK.sys
[2013/06/12 23:19:59 | 000,010,088 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeclnk.sys
[2013/06/12 23:19:56 | 000,363,080 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfefirek.sys
[2013/06/12 23:19:56 | 000,235,264 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeavfk.sys
[2013/06/12 23:19:56 | 000,092,632 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mferkdet.sys
[2013/06/12 23:19:56 | 000,065,928 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfebopk.sys
[2013/06/12 23:19:56 | 000,060,920 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\cfwids.sys
[2013/06/12 23:19:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Mcafee
[2013/06/12 23:19:50 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2013/06/12 23:11:55 | 000,172,416 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
[2013/06/12 22:07:51 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printcom.dll
[2013/06/12 22:07:49 | 000,812,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\certutil.exe
[2013/06/12 22:07:49 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\certenc.dll
[2013/06/12 22:07:46 | 003,603,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2013/06/12 22:07:45 | 003,551,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2013/06/12 22:07:43 | 000,024,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cryptdlg.dll
[2013/06/10 21:56:35 | 000,000,000 | ---D | C] -- C:\FRST
[2013/06/06 21:35:24 | 000,238,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2013/06/06 21:34:49 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cdd.dll
[2013/06/06 21:34:40 | 002,049,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2013/06/06 20:25:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2013/06/06 20:25:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/05/28 20:27:22 | 000,000,000 | ---D | C] -- C:\_OTS
[2013/05/26 13:32:06 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/05/26 13:32:06 | 000,000,000 | ---D | C] -- C:\Users\Hart\AppData\Local\temp
[2013/05/26 13:31:04 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/05/26 13:17:16 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/05/26 13:17:16 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/05/26 13:17:16 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/05/26 13:17:13 | 000,000,000 | ---D | C] -- C:\ComboFix
[2013/05/26 13:08:49 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/05/26 13:08:26 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2009/11/30 07:56:33 | 001,822,720 | ---- | C] (LIGHTNING UK!) -- C:\Users\Hart\AppData\Local\ImgBurn.exe

========== Files - Modified Within 30 Days ==========

[2013/06/16 17:45:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/06/16 17:14:38 | 000,609,182 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/06/16 17:14:38 | 000,108,690 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/06/16 17:09:10 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml
[2013/06/16 17:08:59 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/06/16 17:08:58 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/06/16 17:08:52 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/06/16 17:08:19 | 3220,299,776 | -HS- | M] () -- C:\hiberfil.sys
[2013/06/13 00:20:40 | 000,001,737 | ---- | M] () -- C:\Users\Public\Desktop\BT NetProtect Plus.lnk
[2013/06/13 00:14:56 | 425,692,454 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2013/06/12 22:45:30 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/06/12 22:45:30 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/06/12 22:42:32 | 000,000,020 | ---- | M] () -- C:\Users\Hart\defogger_reenable
[2013/06/07 03:33:37 | 000,385,648 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/05/27 11:05:17 | 000,000,637 | ---- | M] () -- C:\Users\Hart\Desktop\Repair - May 2013 - Shortcut.lnk
[2013/05/26 13:29:06 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2013/05/26 12:07:14 | 000,001,356 | ---- | M] () -- C:\Users\Hart\AppData\Local\d3d9caps.dat

========== Files Created - No Company Name ==========

[2013/06/12 23:22:27 | 000,001,737 | ---- | C] () -- C:\Users\Public\Desktop\BT NetProtect Plus.lnk
[2013/06/12 22:42:22 | 000,000,020 | ---- | C] () -- C:\Users\Hart\defogger_reenable
[2013/06/06 21:20:26 | 3220,299,776 | -HS- | C] () -- C:\hiberfil.sys
[2013/05/27 11:05:17 | 000,000,637 | ---- | C] () -- C:\Users\Hart\Desktop\Repair - May 2013 - Shortcut.lnk
[2013/05/26 13:17:16 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/05/26 13:17:16 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/05/26 13:17:16 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/05/26 13:17:16 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/05/26 13:17:16 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/03/15 09:18:27 | 000,001,356 | ---- | C] () -- C:\Users\Hart\AppData\Local\d3d9caps.dat
[2012/01/28 22:00:40 | 000,175,244 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2009/11/30 07:56:33 | 000,001,210 | ---- | C] () -- C:\Users\Hart\AppData\Local\down-strk-720p.meta
[2009/03/15 23:37:19 | 000,166,400 | ---- | C] () -- C:\Users\Hart\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2006/11/02 13:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 18:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 07:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 07:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
< End of report >


----------



## xelahart (Apr 29, 2009)

OTL Extra Log

OTL Extras logfile created on: 16/06/2013 18:34:42 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Hart\Documents\IT Stuff\Repair - May 2013
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 1.83 Gb Available Physical Memory | 61.03% Memory free
6.22 Gb Paging File | 4.58 Gb Available in Paging File | 73.72% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 586.17 Gb Total Space | 341.36 Gb Free Space | 58.24% Space Free | Partition Type: NTFS

Computer Name: HART-PC | User Name: Hart | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1B89B50C-BBB4-4C7F-B7C9-AFD7D121D7FB}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe | 
"{31D3C6F8-FEED-427A-9EC7-3D8A16953188}" = lport=138 | protocol=17 | dir=in | app=system | 
"{5215A961-9FFD-4F69-B739-0F065E80D36C}" = lport=139 | protocol=6 | dir=in | app=system | 
"{5B28FFE2-A456-48CE-B6DF-663B271699DB}" = rport=138 | protocol=17 | dir=out | app=system | 
"{9BBF900B-F932-4BC9-9496-1F5BE3C2A8FE}" = rport=445 | protocol=6 | dir=out | app=system | 
"{B43FC22D-2C63-4A49-91A4-28A21BDC338C}" = rport=137 | protocol=17 | dir=out | app=system | 
"{B6E7ED6A-8B1E-4D35-933E-EA932685C2F7}" = lport=137 | protocol=17 | dir=in | app=system | 
"{BDE47E04-697D-4C0F-AA30-231F45953EC5}" = lport=445 | protocol=6 | dir=in | app=system | 
"{BEDD46CC-DA14-45CB-B4ED-54A620889400}" = rport=139 | protocol=6 | dir=out | app=system | 
"{CCCED067-0BAE-452C-ACA9-6E4B9F79FA06}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{EA4AD689-87B8-43CE-8E0C-59C434E770D8}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{07C93D0C-EF3C-478F-B0CC-5A3B89542FD0}" = dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe | 
"{14DF0DC8-6864-43F5-A2AA-45D80107B642}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{1A6EAA62-E8F0-4B9D-BF1E-77555DEF3F05}" = dir=in | app=c:\program files\itunes\itunes.exe | 
"{3D5D31AB-CA18-43E4-8373-CA65A0CD76EB}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe | 
"{46870E8E-937B-48A7-8E68-98F48E56887E}" = protocol=1 | dir=in | [email protected],-28543 | 
"{4BE9D647-36A1-4E2A-B688-23AF5439D94C}" = dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe | 
"{5C6EAEB3-7ED1-455D-91D9-F8463F470892}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe | 
"{7A41086D-BBF9-46EE-BB10-631C4FC8867B}" = protocol=58 | dir=out | [email protected],-28546 | 
"{7FB3D3D0-AF3F-4928-BFFC-F2069579DC9F}" = protocol=1 | dir=out | [email protected],-28544 | 
"{86ADC719-59C9-49C9-B1F0-5C292A42C189}" = dir=in | app=c:\program files\leapfrog\leapfrog connect\leapfrogconnect.exe | 
"{A4162045-CA98-40CC-9636-414FA1C68053}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe | 
"{BA7BEFA5-EF56-4FA8-93AD-EE2D4866F68E}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe | 
"{BCF3FB71-0CE2-4571-9524-A80ABC376AEC}" = protocol=58 | dir=in | [email protected],-28545 | 
"{BD813C16-9C6A-4CB5-84A1-6A7A20150931}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe | 
"{EA2E80A1-D88D-4F4D-91C8-9C2167542271}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{F1F73CFA-442E-42AE-AE6F-D05AF481F58F}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe | 
"{F240E117-C531-4075-AFD1-E052E2470EBD}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{F8CF52CA-A483-4F5C-8B9E-F3BF8027C04E}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe | 
"{F90DED55-3F1D-41B2-A5D1-FB82BB7E844F}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{1945A4B5-73B6-4DE9-99A3-05261B7FDED0}" = Shared C Run-time for x86
"{26A24AE4-039D-4CA4-87B4-2F83217017FF}" = Java 7 Update 17
"{2BD94085-2E05-4EBD-8F2D-AF7499C50D92}" = LCD test
"{3559CDE0-11FC-4D7B-A65C-D646035B1033}" = Nero 8 Essentials
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = Packard Bell Recovery Management
"{8B92D97D-DB3D-4926-A8F7-718FE7C5EE18}" = iTunes
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{90D00409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Access 2003 Developer Extensions
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{9DCB01AA-6846-474F-92C9-AA329F066697}" = LeapFrog MyOwnLeaptop Plugin
"{A7DEBAA4-B211-4D1A-A6B3-E52BFAAA1D0C}" = Garmin Communicator Plugin
"{AB7032FF-AFED-4C58-AA5C-8473B273793A}" = HDReg
"{AC76BA86-7AD7-1033-7B44-A83000000003}" = Adobe Reader 8.3.1
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 307.83
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 307.83
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.10.8
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update
"{CA786CFF-1D31-4804-B436-F3405B14357F}" = Updator
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}" = Citrix XenApp Web Plugin
"{EEC8205A-E3DE-4C00-B60C-48E3B9B58B13}" = Garmin City Navigator Europe NT 2008
"{EFC04D3F-A152-47E7-8517-EE0F6201AFEF}" = Apple Mobile Device Support
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2AF3E5D-9697-485C-A5AC-E2B9468C446A}" = Safari
"{F4EA67C9-6748-4C1E-9AFF-04149AC75D95}" = Image Writer
"{F54AC413-D2C6-4A24-B324-370C223C6250}" = Adobe Photoshop Elements 6.0
"{F9D1B35B-60DD-44F9-8FAF-29CD7CBD4BF3}" = LeapFrog Connect
"{FDB5E0F3-86EA-4379-8A2F-1BC2436543E9}" = iCloud
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"8F14F2ECEDE68D26EA515B48DC25B39103C4FE8D" = Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Photoshop Elements 6" = Adobe Photoshop Elements 6.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.9
"AviSynth" = AviSynth 2.5
"CAL" = Canon Camera Access Library
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Cole2k Media - Codec Pack" = Cole2k Media - Codec Pack (Advanced) 7.9.5
"ENTERPRISER" = Microsoft Office Enterprise 2007
"EOS Utility" = Canon Utilities EOS Utility
"GrabIt_is1" = GrabIt 1.7.2 Beta 4 (build 997)
"HijackThis" = HijackThis 2.0.2
"LeaptopPlugin" = Use the entry named LeapFrog Connect to uninstall (LeapFrog MyOwnLeaptop Plugin)
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MSC" = BT NetProtect Plus
"NVIDIA Drivers" = NVIDIA Drivers
"Photodex Presenter" = Photodex Presenter
"PS3 Video 9" = PS3 Video 9 6
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"UPCShell" = LeapFrog Connect
"WinRAR archiver" = WinRAR archiver
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 06/01/2012 04:29:52 | Computer Name = Hart-PC | Source = WinMgmt | ID = 10
Description =

Error - 06/01/2012 10:32:22 | Computer Name = Hart-PC | Source = WinMgmt | ID = 10
Description =

Error - 06/01/2012 12:49:26 | Computer Name = Hart-PC | Source = Application Error | ID = 1000
Description = Faulting application NMIndexStoreSvr.exe, version 3.3.4.0, time stamp
0x4811da19, faulting module NMIndexStoreSvr.exe, version 3.3.4.0, time stamp 0x4811da19,
exception code 0xc0000005, fault offset 0x000c463c, process id 0xc4c, application
start time 0x01cccc93083c22c8.

Error - 06/01/2012 12:49:44 | Computer Name = Hart-PC | Source = WinMgmt | ID = 10
Description =

Error - 06/01/2012 13:28:04 | Computer Name = Hart-PC | Source = McLogEvent | ID = 5051
Description = A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
took longer than 90000 ms to complete a request. The process will be terminated.
Thread
id : 4940 (0x134c) Thread address : 0x77C55CA4 Thread message : Build VSCORE.14.4.0.380
/ 5400.1158 Object being scanned = \Device\HarddiskVolume2\Program Files\McAfee\MSC\mcinfo.exe
by C:\Windows\system32\svchost.exe 4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0)
7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 06/01/2012 16:36:36 | Computer Name = Hart-PC | Source = WinMgmt | ID = 10
Description =

Error - 07/01/2012 04:56:36 | Computer Name = Hart-PC | Source = WinMgmt | ID = 10
Description =

Error - 07/01/2012 10:22:25 | Computer Name = Hart-PC | Source = WinMgmt | ID = 10
Description =

Error - 08/01/2012 09:09:05 | Computer Name = Hart-PC | Source = WinMgmt | ID = 10
Description =

Error - 08/01/2012 12:11:54 | Computer Name = Hart-PC | Source = WinMgmt | ID = 10
Description =

[ OSession Events ]
Error - 04/11/2011 14:24:29 | Computer Name = Hart-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 16
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 16/06/2013 12:11:14 | Computer Name = Hart-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 16/06/2013 12:34:33 | Computer Name = Hart-PC | Source = nvstor32 | ID = 262149
Description = A parity error was detected on \Device\RaidPort0.

Error - 16/06/2013 13:15:30 | Computer Name = Hart-PC | Source = nvstor32 | ID = 262149
Description = A parity error was detected on \Device\RaidPort0.

Error - 16/06/2013 13:15:50 | Computer Name = Hart-PC | Source = nvstor32 | ID = 262149
Description = A parity error was detected on \Device\RaidPort0.

Error - 16/06/2013 13:16:23 | Computer Name = Hart-PC | Source = nvstor32 | ID = 262149
Description = A parity error was detected on \Device\RaidPort0.

Error - 16/06/2013 13:16:31 | Computer Name = Hart-PC | Source = nvstor32 | ID = 262149
Description = A parity error was detected on \Device\RaidPort0.

Error - 16/06/2013 13:16:50 | Computer Name = Hart-PC | Source = nvstor32 | ID = 262149
Description = A parity error was detected on \Device\RaidPort0.

Error - 16/06/2013 13:26:14 | Computer Name = Hart-PC | Source = nvstor32 | ID = 262149
Description = A parity error was detected on \Device\RaidPort0.

Error - 16/06/2013 13:29:43 | Computer Name = Hart-PC | Source = nvstor32 | ID = 262149
Description = A parity error was detected on \Device\RaidPort0.

Error - 16/06/2013 13:31:46 | Computer Name = Hart-PC | Source = nvstor32 | ID = 262149
Description = A parity error was detected on \Device\RaidPort0.

< End of report >


----------



## xelahart (Apr 29, 2009)

Also while I was experimenting with running GMER with different settings I did a scan that seemed to find something funny.

Log from GMER, with only 3 things checked: Services, Registry and C:\
(It took hours to run, but only created a very short log.)

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-16 21:27:00
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\0000005b WDC_WD64 rev.01.0 596.17GB
Running: yldpzouv.exe; Driver: C:\Users\Hart\AppData\Local\Temp\pxldipow.sys

---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session [email protected] ?????1 ???????????????????H??'??????????????? ???????'?????????????#??????????????????????????????????????????Z??)???????????????????'?'?????????????S???????????+?????????????(?????)?)??????????*??'???m?????????nA?????H??'???????????/???????????m??????????????????? ???)??????????s???????????????????????????? ???????'?????'???????%??$?????????????????? "??(???&?????}?????????????S?????s D???2?2???????????t???u?????>?>?????????????v??????????????T????????????d???1?2?,???2???????????????????????????G???????????????????????????????????????1??? ???????(?????$?????'?%?????????????????????????????????????\??????ag???????????1?????sc&??? ???????'?????????????%?????????????????f???'?'????? 0??'???8?????{53??STORAGE\VolumeSnapshot??c9??? ???????'?????%???????#??L????????? ??????}?1???'?'?0???????????2???????3?3?2???????????????????1??Port_#0005.Hub_#0002????? ?????????????(?????(?%??"???*????? ??????????????????????'?????????????????????????????(?(?(?????(???(?????g???'??????????????? ?????????????'???????%???????????
---- EOF - GMER 2.1 ----


----------



## xelahart (Apr 29, 2009)

And lastly for tonight:
Would I be right in assuming that my computer is now safe to use online, including shopping?
Because we have removed any malware and are now just trying to fix the damage the malware did while it was on the computer?


----------



## Cookiegal (Aug 27, 2003)

We can't be sure the malware is gone yet. We still need to check the MBR but there's another way to do it.

But before we do that are you getting redirected to other sites?

What are the symptoms, if any, that you're experiencing?


----------



## xelahart (Apr 29, 2009)

I'm not getting redirected, but then I never was.
Also I have not been using the computer to do much except try to fix it, so I have not really tested it.

The main symptoms I used to get (and no longer get) were:

Computer freezing indefinitely, often when trying to move files around with Windows Explorer
Computer hanging for a minute after being given an instruction
Computer not allowing me to complete any task which has a pop-up window as one of the steps in the process, because the window won't pop up (e.g. Print - the print options window doesn't appear, Save As - it doesn't pop up the window with a miniature Windows Explorer in it to browse to where you want to save)
I still sometimes feel that the computer pauses to think about completing an instruction for longer than I would like it to, but that may just be me having unrealistic expectations of an old computer.

Are there any classic things I could try to do to make a problem reveal itself?


----------



## xelahart (Apr 29, 2009)

Just thought of one other symptom - it was refusing to access my external hard drives. I have not tried reconnecting them since as I was worried there might be something nasty lurking on one of them.

Should I reconnect the external hard drives to see if they work, and is there anything I should do to check that they are clean?


----------



## Cookiegal (Aug 27, 2003)

Yes, we can check them.

Be sure to have your flash or external drives connected before doing this.

I'm attaching a MountPoints Diagnostic.zip file to this post. Save it to your desktop. Unzip it and double click the MountPoints Diagnostic.bat file and let it run. It will create a report in Notepad named Diagnostic.txt. Please upload the Diagnostic.txt file as an attachment.


----------



## xelahart (Apr 29, 2009)

Diagnostic report at bottom of post.

The external hard drives are
K: (Samsung Freecom)
L: (Elements)
M: (Seagate)

Both L and M have files called Autorun on them (in fact M has two autorun files). I am pretty sure they all came loaded on the drives when I bought them. If I don't need them I am happy to delete them.
Mountpoints diagnostic found the one on L but neither of the ones on M.

Diagnostic Report
19/06/2013 20:34:09.41

Mountpoints > Drives subkeys: 
------------------------------------
No Autorun files found in C:\Windows 
No Autorun files found in C:\Windows\system32

No Autorun files found in root of C:

No Autorun files found in root of K:

Files found on L:
autorun.inf

Contents of autorun.inf on L:
[autorun]
ICON=AUTORUN\WDLOGO.ICO

No Autorun files found in root of M:

No Autorun files found in root of M:


----------



## Cookiegal (Aug 27, 2003)

The autorun file on L is fine.

I'm sure the others are too but they probably aren't in the root of the drive so that's why the tool didn't read them.

Can you right-click the autorun.inf files on the M: drive and select "open with" and "Notepad" and copy and paste the contents here please?


----------



## Cookiegal (Aug 27, 2003)

We should get an off-line dump of the MBR to check it.

Please download the latest version of Farbar's Recovery Scan Tool and save it to a flash drive.

*Note*: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Also download the enclosed file (fixlist.txt) and save it next to FRST.

Plug the flash drive into the infected PC.

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

If you are using Vista or Windows 7 enter *System Recovery Options*.

*To enter System Recovery Options from the Advanced Boot Options:*
Restart the computer.
As soon as the BIOS is loaded begin tapping the *F8* key until Advanced Boot Options appears.
Use the arrow keys to select the *Repair your computer* menu item.
Select *US* as the keyboard language settings, and then click *Next*.
Select the operating system you want to repair and then click *Next*.
Select your user account and click *Next*.
*Note*: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

*To enter System Recovery Options by using Windows installation disc:*
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click *Repair your computer*.
Select *US* as the keyboard language settings, and then click *Next*.
Select the operating system you want to repair, and then click *Next*.
Select your user account and click *Next*.
*On the System Recovery Options menu you will get the following options:*
*Startup Repair*
*System Restore*
*Windows Complete PC Restore*
*Windows Memory Diagnostic Tool*
*Command Prompt*
Select *Command Prompt*

*Once in the Command Prompt:*
In the command window type in *notepad* and press *Enter*.
The notepad opens. Under File menu select *Open*.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type *e:\frst* (for x64 bit version type *e:\frst64*) and press *Enter*
*Note:* Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press *Fix* button.
The tool will make a log on the flash drive (Fixlog.txt). It will also create a file labelled *MBRDUMP.txt*. Copy and Paste the contents of the *Fixlog.txt* in your next reply but attach the *MBRDUMP.txt* as it is a hex file.


----------
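The procedure above ends with a raw MBR dump and no way of reading it yourself. The following is an added example, not part of the thread and not FRST's own code, showing the checks a practitioner runs on such a dump offline: boot signature, partition-table sanity, the stock Windows MBR strings, and a hash of the boot-code area against a known-good baseline. It assumes the dump is either the raw 512-byte sector or a plain hex-text rendering of it; the two sample sectors are constructed in the code and come from no real disk.

```python
"""Offline checks on a 512-byte MBR dump such as the MBRDUMP.txt FRST writes.

Added example, not part of the thread or of FRST. Assumes the dump is the raw
512-byte sector or a hex-text rendering of it; the sample sectors at the
bottom are constructed here, not taken from any disk.
"""
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440            # boot code; bytes 440-443 hold the disk signature
PART_TABLE_OFF = 446
ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"
# Strings the stock Windows (XP/Vista/7) MBR keeps in its code area. Their
# absence is only a hint that the code was replaced; comparing the code hash
# against a known-good MBR from the same Windows version is the real check.
EXPECTED_STRINGS = (b"Invalid partition table",
                    b"Error loading operating system",
                    b"Missing operating system")

def load_sector(data):
    """Return the 512-byte sector from raw bytes or from hex text."""
    if len(data) == SECTOR:
        return bytes(data)
    text = data.decode("ascii", "ignore") if isinstance(data, (bytes, bytearray)) else data
    raw = bytes.fromhex("".join(text.split()))
    if len(raw) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(raw)}")
    return raw

def code_digest(mbr):
    """SHA-256 of the boot-code area, for comparison with a known-good baseline."""
    return hashlib.sha256(mbr[:CODE_LEN]).hexdigest()

def parse_partitions(mbr):
    """Decode the four partition-table entries, skipping empty ones."""
    parts = []
    for i in range(4):
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + i * ENTRY_LEN)
        if ptype == 0 and count == 0:
            continue
        parts.append({"index": i, "status": status, "active": status == 0x80,
                      "type": ptype, "lba_start": lba, "sectors": count})
    return parts

def check_mbr(mbr, known_good_code_sha256=None):
    """Return (ok, findings); findings lists every reason the MBR looks off."""
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if sum(p["active"] for p in parts) > 1:
        findings.append("more than one active partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parts)
    for (_, end_a, ia), (start_b, _, ib) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"entries {ia} and {ib} overlap")
    missing = [s.decode() for s in EXPECTED_STRINGS if s not in mbr[:CODE_LEN]]
    if missing:
        findings.append("boot code lacks stock Windows MBR strings: " + ", ".join(missing))
    if known_good_code_sha256 and code_digest(mbr) != known_good_code_sha256:
        findings.append("boot code hash differs from known-good baseline")
    return not findings, findings

def build_sample_mbr(code, entries):
    """Construct a demonstration sector (not a real disk image)."""
    mbr = bytearray(SECTOR)
    mbr[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF + i * ENTRY_LEN,
                         status, ptype, lba, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)

# Constructed samples: NOP filler plus the stock strings stands in for real
# boot code; the second sector has its code replaced, as a bootkit would.
NTFS_ENTRY = (0x80, 0x07, 2048, 1_000_000)
SAMPLE_CLEAN = build_sample_mbr(b"\x90" * 64 + b"\x00".join(EXPECTED_STRINGS), [NTFS_ENTRY])
SAMPLE_TAMPERED = build_sample_mbr(bytes(range(256)), [NTFS_ENTRY])

if __name__ == "__main__":
    baseline = code_digest(SAMPLE_CLEAN)
    for name, sector in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        ok, findings = check_mbr(sector, baseline)
        print(name, "OK" if ok else "SUSPECT", findings)
```

A real dump goes through load_sector() first, and the baseline hash should come from a machine running the same Windows version, since the boot code differs between releases. Uploading the dump to VirusTotal, as the thread goes on to do, is a useful second opinion, but a clean VirusTotal result only means no scanner recognised the code, not that it matches what Windows installed.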



## xelahart (Apr 29, 2009)

Autorun files on M:\ (Seagate)

Autorun.inf
[autorun]
open=Setup.exe
icon=Setup.exe
action=Start my Seagate Expansion Drive
shell=Install
shell\Install="Start my Seagate Expansion Drive"
shell\Install\command="Setup.exe"

Autorun.inf
[autorun]
icon=\SeagateExpansion.ico


----------



## Cookiegal (Aug 27, 2003)

Nothing wrong with those. :up:


----------
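The three autorun.inf files above differ in one way that matters: the L: file and the second M: file only set an icon, while the first M: file names a program to run. As an added example (not the MountPoints Diagnostic tool or anything else from the thread), the code below parses autorun.inf text and reports the directives that would launch code, using the three posted files as constructed test input. The vendor files here are benign; the point is that this distinction, rather than the mere presence of autorun.inf, is what to look at on an external drive.

```python
"""Classify autorun.inf files by whether they would launch a program.

Added example, not the MountPoints Diagnostic tool or anything else from the
thread. The three samples are the autorun.inf contents posted for L: and M:,
embedded here as constructed test input.
"""
import os
import re

# Directives that make AutoRun launch something. 'shell\<verb>\command'
# entries add a context-menu verb that runs a command; 'shell=<verb>' makes
# one of those verbs the default double-click action.
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section.

    Keys are lower-cased and surrounding quotes are stripped from values;
    other sections and comment lines are ignored.
    """
    entries = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip().strip('"')))
    return entries

def classify_autorun(text):
    """Return a dict with verdict 'cosmetic' (icon/label/action text only) or
    'launches-code', the launching directives found, and the default verb."""
    launches = []
    default_verb = None
    for key, value in parse_autorun(text):
        if key in LAUNCH_KEYS or VERB_COMMAND.match(key):
            launches.append(f"{key}={value}")
        elif key == "shell":
            default_verb = value
    return {"verdict": "launches-code" if launches else "cosmetic",
            "launches": launches, "default_verb": default_verb}

def scan_root(drive_root):
    """Classify the autorun.inf in a drive root, or return None if absent."""
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="ascii", errors="ignore") as fh:
        return classify_autorun(fh.read())

# Constructed from the three autorun.inf contents posted in this thread.
SAMPLE_L = "[autorun]\nICON=AUTORUN\\WDLOGO.ICO\n"
SAMPLE_M_SETUP = """[autorun]
open=Setup.exe
icon=Setup.exe
action=Start my Seagate Expansion Drive
shell=Install
shell\\Install="Start my Seagate Expansion Drive"
shell\\Install\\command="Setup.exe"
"""
SAMPLE_M_ICON = "[autorun]\nicon=\\SeagateExpansion.ico\n"

if __name__ == "__main__":
    for name, sample in (("L:", SAMPLE_L), ("M: (Setup)", SAMPLE_M_SETUP),
                         ("M: (icon)", SAMPLE_M_ICON)):
        print(name, classify_autorun(sample))
```

When a file is classified as launches-code, the next step is to hash or scan the executable it names (Setup.exe in the drive root here) rather than the .inf itself. On a Vista machine with the 2011 AutoPlay update (KB971029) applied, autorun.inf on a USB hard drive is no longer used to launch the open= target automatically, so the directive is mainly evidence of what the drive carries; an attacker who wrote their own autorun.inf would still be relying on the user double-clicking the drive or on an older machine.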



## xelahart (Apr 29, 2009)

Just ran FRST, seemed to work fine. Fixlog pasted and MBRDump attached.

Fixlog.txt
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 22-06-2013
Ran by SYSTEM at 2013-06-23 21:11:44 Run:1
Running from L:\
Boot Mode: Recovery
==============================================
MBRDUMP.txt is made successfully.
==== End of Fixlog ====


----------



## Cookiegal (Aug 27, 2003)

That's good. Please upload the MBR dump for analysis at Virus Total.

Please go to *VirusTotal* and upload the MBR dump file for scanning.

Click *Choose File*
Navigate to the file on your computer then click *Open* 
Click *Scan It*
If you get a message saying the file has already been analyzed click *Reanalyse file now*
Wait for the scan to finish and then copy and paste the URL from your browser address bar in your next reply please.


----------



## xelahart (Apr 29, 2009)

Virus Total scan of MBRDump

https://www.virustotal.com/en-gb/fi...f0de2b07855282fd82969372/analysis/1372022223/


----------



## Cookiegal (Aug 27, 2003)

The MBR appears to be fine.

Let's try running chkdsk.

Click Start and My Computer. Right-click the hard drive you want to check, and click Properties. Select the Tools tab and click Check Now. Check both boxes. Click Start. You'll get a message that the computer must be rebooted to run a complete check. Click Yes and reboot. Chkdsk will take a while, so run it when you don't need to use the computer for something else.

To view results log:

Go to *Start* - *Run* and type in *eventvwr.msc*, and hit enter.
When Event Viewer opens, click on "Application", then scroll down to "Winlogon" and double-click on it to open it up. This is the log created after running chkdsk. Click on the icon that looks like two pieces of paper to copy it and then paste it here please.


----------



## xelahart (Apr 29, 2009)

Hmmm... I think your instructions must have been written for a different OS to Vista, everything is a bit different on my computer.

I went into Event Viewer/Windows Logs/Applications
and found about 10 thousand files called Winlogon, two of which have today's date, one with Event ID 4101 and one with Event ID 6000. Both copied below.

Event 4101
Log Name: Application
Source: Microsoft-Windows-Winlogon
Date: 24/06/2013 20:22:37
Event ID: 4101
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: Hart-PC
Description:
Windows license validated.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Winlogon" />
<EventID Qualifiers="16384">4101</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-06-24T19:22:37.000Z" />
<EventRecordID>72674</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Hart-PC</Computer>
<Security />
</System>
<EventData>
0x00000000
0x00000001
</EventData>
</Event>

Event 6000
Log Name: Application
Source: Microsoft-Windows-Winlogon
Date: 24/06/2013 20:22:37
Event ID: 6000
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: Hart-PC
Description:
The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
<EventID Qualifiers="32768">6000</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-06-24T19:22:37.000Z" />
<EventRecordID>72675</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Hart-PC</Computer>
<Security />
</System>
<EventData>
SessionEnv
<Binary>D9060000</Binary>
</EventData>
</Event>


----------



## xelahart (Apr 29, 2009)

It just occurred to me that since I ran the CHKDSK last night (my time) it might have been yesterday's Winlogon you want. There are 3 with yesterday's date, but I assume you only want the last one.

Event 6000
Log Name: Application
Source: Microsoft-Windows-Winlogon
Date: 23/06/2013 23:44:38
Event ID: 6000
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: Hart-PC
Description:
The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
<EventID Qualifiers="32768">6000</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-06-23T22:44:38.000Z" />
<EventRecordID>72642</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Hart-PC</Computer>
<Security />
</System>
<EventData>
SessionEnv
<Binary>D9060000</Binary>
</EventData>
</Event>


----------



## xelahart (Apr 29, 2009)

And while I am at it, I can see a log with an error and one with a warning every time I log on. I'll post the most recent example of these 2 as well in case they are relevant.

WMI - Error
Log Name: Application
Source: Microsoft-Windows-WMI
Date: 24/06/2013 02:00:24
Event ID: 10
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Hart-PC
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WMI" Guid="{1edeee53-0afe-4609-b846-d8c0b2075b1f}" EventSourceName="WinMgmt" />
<EventID Qualifiers="49152">10</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-06-24T01:00:24.000Z" />
<EventRecordID>72667</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Hart-PC</Computer>
<Security />
</System>
<EventData>
//./root/CIMV2
SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99
0x80041003
</EventData>
</Event>

Leapfrog connect Device Service - Warning
Log Name: Application
Source: LeapFrog Connect Device Service
Date: 24/06/2013 01:59:39
Event ID: 0
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: Hart-PC
Description:
The description for Event ID 0 from source LeapFrog Connect Device Service cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event: 
WARNING: QApplication was not created in the main() thread.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="LeapFrog Connect Device Service" />
<EventID Qualifiers="0">0</EventID>
<Level>3</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-06-24T00:59:39.000Z" />
<EventRecordID>72657</EventRecordID>
<Channel>Application</Channel>
<Computer>Hart-PC</Computer>
<Security />
</System>
<EventData>
WARNING: QApplication was not created in the main() thread.
</EventData>
</Event>


----------



## Cookiegal (Aug 27, 2003)

Sorry, yes, I was thinking XP. 

For Vista, look for an entry under Application called "Wininit".


----------



## xelahart (Apr 29, 2009)

Aha - That looks more promising. It says things about a scheduled disk check.

Wininit
Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 24/06/2013 01:59:39
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: Hart-PC
Description:

Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.
A disk check has been scheduled.
Windows will now check the disk. 
338432 file records processed. 
1223 large file records processed. 
0 bad file records processed. 
0 EA records processed. 
 91 reparse records processed. 
427666 index entries processed. 
0 unindexed files processed. 
338432 security descriptors processed. 
Cleaning up 5365 unused index entries from index $SII of file 0x9.
Cleaning up 5365 unused index entries from index $SDH of file 0x9.
Cleaning up 5365 unused security descriptors.
44618 data files processed. 
CHKDSK is verifying Usn Journal...
37627416 USN bytes processed. 
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
338416 files processed. 
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
87921715 free clusters processed. 
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.
614644055 KB total disk space.
262300912 KB in 152413 files.
185452 KB in 44619 indexes.
0 KB in bad sectors.
470827 KB in use by the system.
65536 KB occupied by the log file.
351686864 KB available on disk.
4096 bytes in each allocation unit.
153661013 total allocation units on disk.
87921716 allocation units available on disk.
Internal Info:
00 2a 05 00 b4 01 03 00 95 3a 05 00 00 00 00 00 .*.......:......
ce 12 00 00 5b 00 00 00 00 00 00 00 00 00 00 00 ....[...........
42 00 00 00 a2 73 4b 77 58 54 2e 00 58 4c 2e 00 B....sKwXT..XL..
Windows has finished checking your disk.
Please wait while your computer restarts.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
<EventID Qualifiers="16384">1001</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-06-24T00:59:39.000Z" />
<EventRecordID>72652</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Hart-PC</Computer>
<Security />
</System>
<EventData>

Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.
A disk check has been scheduled.
Windows will now check the disk. 
338432 file records processed. 
1223 large file records processed. 
0 bad file records processed. 
0 EA records processed. 
91 reparse records processed. 
427666 index entries processed. 
0 unindexed files processed. 
338432 security descriptors processed. 
Cleaning up 5365 unused index entries from index $SII of file 0x9.
Cleaning up 5365 unused index entries from index $SDH of file 0x9.
Cleaning up 5365 unused security descriptors.
44618 data files processed. 
CHKDSK is verifying Usn Journal...
37627416 USN bytes processed. 
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
338416 files processed. 
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
87921715 free clusters processed. 
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.
614644055 KB total disk space.
262300912 KB in 152413 files.
185452 KB in 44619 indexes.
0 KB in bad sectors.
470827 KB in use by the system.
65536 KB occupied by the log file.
351686864 KB available on disk.
4096 bytes in each allocation unit.
153661013 total allocation units on disk.
87921716 allocation units available on disk.
Internal Info:
00 2a 05 00 b4 01 03 00 95 3a 05 00 00 00 00 00 .*.......:......
ce 12 00 00 5b 00 00 00 00 00 00 00 00 00 00 00 ....[...........
42 00 00 00 a2 73 4b 77 58 54 2e 00 58 4c 2e 00 B....sKwXT..XL..
Windows has finished checking your disk.
Please wait while your computer restarts.

</EventData>
</Event>


----------
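The Wininit 1001 event above is the one that carries the chkdsk result, and the Winlogon 4101/6000 events posted earlier are unrelated to it. Copying "Event Xml" out of Event Viewer gives you a parseable record, so as an added example (not from the thread or any tool in it) the code below reads that XML, picks out provider, event ID and time, and for a Wininit 1001 event extracts the counters that say whether the disk itself is failing (bad sectors, bad file records) as opposed to filesystem bookkeeping that chkdsk silently corrects (bitmap fixes). The two sample events are abridged from the ones posted; the field names and the "healthy" rule are this example's own.

```python
"""Pull the fields that matter out of Windows Event XML copied from Event Viewer.

Added example, not from the thread or any tool in it. The two sample events are
abridged from the Wininit 1001 and Winlogon 6000 events posted above; the
field names and the disk_healthy rule are this example's own.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CHKDSK_COUNTERS = {
    "bad_file_records": re.compile(r"(\d+) bad file records processed"),
    "bad_sector_kb": re.compile(r"(\d+) KB in bad sectors"),
    "total_kb": re.compile(r"(\d+) KB total disk space"),
}

def parse_event_xml(xml_text):
    """Return provider, id, time, computer and the free-text EventData."""
    root = ET.fromstring(xml_text.strip())
    system = root.find("e:System", NS)
    data = root.find("e:EventData", NS)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.find("e:Computer", NS).text,
        "data": (data.text or "").strip() if data is not None else "",
    }

def summarize_chkdsk(text):
    """Extract the counters and verdict lines from a chkdsk report."""
    out = {}
    for name, rx in CHKDSK_COUNTERS.items():
        m = rx.search(text)
        out[name] = int(m.group(1)) if m else None
    m = re.search(r"Checking file system on ([A-Za-z]:)", text)
    out["volume"] = m.group(1) if m else None
    out["corrections_made"] = "Windows has made corrections to the file system" in text
    out["discovered"] = [ln.strip() for ln in text.splitlines()
                         if ln.strip().startswith("CHKDSK discovered")]
    # Bitmap corrections are filesystem bookkeeping; only bad sectors or bad
    # file records point at the drive hardware itself.
    out["disk_healthy"] = out["bad_sector_kb"] == 0 and out["bad_file_records"] == 0
    return out

def triage_event(xml_text):
    """Parse one event; attach a chkdsk summary when it is a Wininit 1001."""
    ev = parse_event_xml(xml_text)
    ev["chkdsk"] = None
    if ev["provider"] == "Microsoft-Windows-Wininit" and ev["event_id"] == 1001:
        ev["chkdsk"] = summarize_chkdsk(ev["data"])
    return ev

# Abridged from the events posted in this thread.
SAMPLE_WININIT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
<EventID Qualifiers="16384">1001</EventID>
<Level>4</Level>
<TimeCreated SystemTime="2013-06-24T00:59:39.000Z" />
<Channel>Application</Channel>
<Computer>Hart-PC</Computer>
</System>
<EventData>
Checking file system on C:
The type of the file system is NTFS.
A disk check has been scheduled.
338432 file records processed.
0 bad file records processed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.
614644055 KB total disk space.
0 KB in bad sectors.
Windows has finished checking your disk.
</EventData>
</Event>
"""
SAMPLE_WINLOGON = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
<EventID Qualifiers="32768">6000</EventID>
<Level>4</Level>
<TimeCreated SystemTime="2013-06-24T19:22:37.000Z" />
<Channel>Application</Channel>
<Computer>Hart-PC</Computer>
</System>
<EventData>
SessionEnv
<Binary>D9060000</Binary>
</EventData>
</Event>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WININIT, SAMPLE_WINLOGON):
        ev = triage_event(sample)
        print(ev["provider"], ev["event_id"], ev["time"], ev["chkdsk"])
```

Read this way, the posted chkdsk result has zero bad sectors and zero bad file records, with only bitmap corrections, which is what the reply below means by the drive appearing fine; a non-zero "KB in bad sectors" would be the figure that argues for replacing the disk.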



## Cookiegal (Aug 27, 2003)

I assume the Leapfrog thing is for a mobile device of some sort?

I've seen the other errors before and all indications found during my research were that they could be ignored.

The chkdsk didn't find any bad clusters or sectors, so the hard drive appears to be fine.

Please run ComboFix again, disable all security programs temporarily and run a new scan then post the log. But first, please drag the version you have to the Recycle Bin and grab the latest version.

Please visit *Combofix Guide & Instructions * for instructions for downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.


----------



## xelahart (Apr 29, 2009)

Yes, Leapfrog is the software to connect a child's pretend laptop to the computer and load it with pretend e-mails etc. Maybe I'll get her some pretend malware to go with it!

ComboFix log below. I still had all the external hard drives connected and I have a feeling it took offense to one of the autorun files and deleted it.

ComboFix 13-06-24.01 - Hart 25/06/2013 0:16.1.4 - x86
Microsoft® Windows Vista Home Premium 6.0.6002.2.1252.44.1033.18.3070.1720 [GMT 1:00]
Running from: c:\users\Hart\Documents\IT Stuff\Repair - May 2013\Puppy.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
L:\autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2013-05-24 to 2013-06-24 )))))))))))))))))))))))))))))))
.
.
2013-06-24 23:23 . 2013-06-24 23:23 -------- d-----w- c:\users\Hart\AppData\Local\temp
2013-06-24 23:23 . 2013-06-24 23:23 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-06-24 23:23 . 2013-06-24 23:23 -------- d-----w- c:\users\UpdatusUser.Hart-PC\AppData\Local\temp
2013-06-24 23:23 . 2013-06-24 23:23 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2013-06-24 23:23 . 2013-06-24 23:23 -------- d-----w- c:\users\Emma (i-pod)\AppData\Local\temp
2013-06-24 23:23 . 2013-06-24 23:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-24 23:23 . 2013-06-24 23:23 -------- d-----w- c:\users\Alex\AppData\Local\temp
2013-06-12 22:20 . 2012-04-20 15:40 146872 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2013-06-12 22:19 . 2013-02-19 13:11 10088 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2013-06-12 22:19 . 2013-02-19 13:15 60920 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-06-12 22:19 . 2013-02-19 13:10 92632 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2013-06-12 22:19 . 2013-02-19 13:09 363080 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2013-06-12 22:19 . 2013-02-19 13:08 65928 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2013-06-12 22:19 . 2013-02-19 13:08 235264 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-06-12 22:19 . 2013-06-12 22:20 -------- d-----w- c:\program files\Common Files\Mcafee
2013-06-12 22:19 . 2013-06-12 22:19 -------- d-----w- c:\program files\McAfee.com
2013-06-12 22:11 . 2013-02-19 13:12 172416 ----a-w- c:\windows\system32\mfevtps.exe
2013-06-12 21:12 . 2013-05-14 00:49 7016152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F9C41165-7C85-4435-B6C1-0D3593238C4B}\mpengine.dll
2013-06-12 21:07 . 2013-05-08 04:37 905576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-12 21:07 . 2013-05-02 04:04 443904 ----a-w- c:\windows\system32\win32spl.dll
2013-06-12 21:07 . 2013-05-02 04:03 37376 ----a-w- c:\windows\system32\printcom.dll
2013-06-12 21:07 . 2013-04-24 04:00 985600 ----a-w- c:\windows\system32\crypt32.dll
2013-06-12 21:07 . 2013-04-24 04:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-06-12 21:07 . 2013-04-24 04:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2013-06-12 21:07 . 2013-04-24 04:00 41984 ----a-w- c:\windows\system32\certenc.dll
2013-06-12 21:07 . 2013-04-24 01:46 812544 ----a-w- c:\windows\system32\certutil.exe
2013-06-12 21:07 . 2013-05-02 22:03 3603832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-12 21:07 . 2013-05-02 22:03 3551096 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-06-12 21:07 . 2013-04-17 12:30 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-06-10 20:56 . 2013-06-10 20:56 -------- d-----w- C:\FRST
2013-06-06 20:35 . 2013-05-02 01:06 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-06-06 20:34 . 2013-04-15 14:20 638328 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-06-06 20:34 . 2013-04-13 10:56 37376 ----a-w- c:\windows\system32\cdd.dll
2013-06-06 20:34 . 2013-04-09 01:36 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-06-06 19:25 . 2013-06-06 19:54 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-06-06 19:25 . 2013-06-06 19:25 -------- d-----w- c:\programdata\Malwarebytes
2013-05-28 19:27 . 2013-05-28 19:27 -------- d-----w- C:\_OTS
2013-05-26 12:17 . 2013-05-26 12:32 -------- d-----w- C:\ComboFix
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 21:45 . 2012-04-01 14:47 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-12 21:45 . 2011-07-09 16:11 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-26 6139904]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-13 1278064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 21:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&s=1&o=vp32&d=1008&m=imedia_x2416
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-25 00:23
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-06-25 00:26:29
ComboFix-quarantined-files.txt 2013-06-24 23:26
ComboFix2.txt 2013-05-26 12:32
.
Pre-Run: 358,499,602,432 bytes free
Post-Run: 358,931,501,056 bytes free
.
- - End Of File - - 716585E2E93E4C5BEC8952D7940D5567
5C616939100B85E558DA92B899A0FC36


----------



## Cookiegal (Aug 27, 2003)

Please do this one more time but we've expanded the number of events to report. I believe there's a problem with the Nvidia Geforce graphics card or the hard drive itself and I want to see if certain errors are still repeating.

Right-click VEW.exe and select "Run As Administrator" to run the tool.


Under "Select log to query", select:

*Application*
*System*

Under "Select type to list", select:

*Error*
*Warning*

Click the radio button for "Number of events"
Type *20* in the 1 to 20 box 
Then click the *Run* button.

Notepad will open with the output log. Please copy and paste the contents here.


----------



## xelahart (Apr 29, 2009)

Not sure if it is related but I had a funny symptom today: the computer froze partway through startup. Never done it before, the green progress bar with Windows written next to it stopped moving and didn't start again. Eventually I powered it down manually. When I restarted it recommended that I do a "Startup Repair", so I did. It then recommended that I do a System Restore back to the last restore point. I decided not to do this since it said you couldn't change your mind afterwards and I thought it might confuse your diagnostics.

Seems to have started OK this time, except that now the cursor is acting a bit weird when I try to edit what I have just written in this box.

Perhaps when I run VEW.exe the logs will shed some light on what happened.


----------



## xelahart (Apr 29, 2009)

VEW Log

Vino's Event Viewer v01c run on Windows Vista in English
Report run at 25/06/2013 23:06:59
Note: All dates below are in the format dd/mm/yyyy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 25/06/2013 21:37:01
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 24/06/2013 01:00:24
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 23/06/2013 20:15:21
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 23/06/2013 19:51:39
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 20/06/2013 19:31:55
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 20/06/2013 19:31:55
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 20/06/2013 19:22:14
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 19/06/2013 19:22:21
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 16/06/2013 17:32:33
Type: Error Category: 0
Event: 1010 Source: Microsoft-Windows-Perflib
The Collect Procedure for the "EmdCache" service in DLL "C:\Windows\system32\emdmgmt.dll" generated an exception or returned an invalid status. The performance data returned by the counter DLL will not be returned in the Perf Data Block. The first four bytes (DWORD) of the Data section contains the exception code or status code.
Log: 'Application' Date/Time: 16/06/2013 17:32:33
Type: Error Category: 0
Event: 1008 Source: Microsoft-Windows-Perflib
The Open Procedure for service "BITS" in DLL "C:\Windows\system32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
Log: 'Application' Date/Time: 16/06/2013 16:10:01
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 12/06/2013 23:20:40
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application yldpzouv.exe, version 2.1.19163.0, time stamp 0x515d31f0, faulting module yldpzouv.exe, version 2.1.19163.0, time stamp 0x515d31f0, exception code 0xc0000005, fault offset 0x00012288, process id 0x1250, application start time 0x01ce67c2cdc97de1.
Log: 'Application' Date/Time: 12/06/2013 23:17:20
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 12/06/2013 23:17:20
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 12/06/2013 23:17:20
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 12/06/2013 23:17:20
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 12/06/2013 23:17:20
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 12/06/2013 23:17:20
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 12/06/2013 23:16:40
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 12/06/2013 22:50:40
Type: Error Category: 0
Event: 1010 Source: Microsoft-Windows-Perflib
The Collect Procedure for the "EmdCache" service in DLL "C:\Windows\system32\emdmgmt.dll" generated an exception or returned an invalid status. The performance data returned by the counter DLL will not be returned in the Perf Data Block. The first four bytes (DWORD) of the Data section contains the exception code or status code.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 25/06/2013 21:35:32
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 24/06/2013 00:59:39
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 23/06/2013 20:14:16
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 23/06/2013 19:50:29
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 20/06/2013 19:21:00
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 19/06/2013 19:21:18
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 16/06/2013 16:09:10
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 12/06/2013 23:15:15
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 12/06/2013 21:49:35
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 12/06/2013 21:43:53
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 12/06/2013 21:27:54
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 12/06/2013 21:12:37
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-3650955238-2046507532-1628930313-1000_Classes:
Process 2452 (\Device\HarddiskVolume2\Windows\System32\WUDFHost.exe) has opened key \REGISTRY\USER\S-1-5-21-3650955238-2046507532-1628930313-1000_CLASSES

Log: 'Application' Date/Time: 12/06/2013 20:59:37
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 11/06/2013 22:25:00
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 11/06/2013 05:19:05
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 10/06/2013 20:41:13
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 09/06/2013 18:48:28
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 09/06/2013 08:47:34
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 08/06/2013 19:51:14
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 07/06/2013 02:33:49
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 25/06/2013 21:37:36
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 25/06/2013 21:37:36
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 24/06/2013 23:23:51
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 24/06/2013 23:19:53
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 24/06/2013 23:16:04
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 24/06/2013 01:01:44
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 24/06/2013 01:01:44
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 23/06/2013 20:16:19
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 23/06/2013 20:16:19
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 23/06/2013 19:52:33
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 23/06/2013 19:52:33
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 20/06/2013 19:23:07
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 20/06/2013 19:23:07
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 19/06/2013 19:23:23
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 19/06/2013 19:23:23
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 16/06/2013 19:38:52
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
Log: 'System' Date/Time: 16/06/2013 19:07:28
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
Log: 'System' Date/Time: 16/06/2013 17:31:46
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
Log: 'System' Date/Time: 16/06/2013 17:29:43
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
Log: 'System' Date/Time: 16/06/2013 17:26:14
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 16/06/2013 19:38:52
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 19:07:28
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:31:46
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:29:43
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:26:14
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:16:50
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:16:31
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:16:23
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:15:50
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:15:30
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 16:34:32
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB974145(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB974145(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB978338(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB978338(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB978886(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB978886(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2563894(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2563894(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2588516(Security Update) into Installed(Installed) state


----------



## xelahart (Apr 29, 2009)

When I saw how many records were about Leapfrog I decided to uninstall the Leapfrog software and device driver. This should at least remove the clutter from VEW.exe logs.


----------



## Cookiegal (Aug 27, 2003)

If you reboot again does it startup fine now?


----------



## xelahart (Apr 29, 2009)

Yes, started up fine last time. But unless I can understand why it failed to start up yesterday and fix it, I will always be worried that it is going to happen again.

Did VEW.exe shed any light on whether the problem is a hardware fault with the graphics card or hard drive?


----------



## Cookiegal (Aug 27, 2003)

It's possible the Startup Repair fixed the problem. 

But the errors I was concerned about were these ones:

Log: 'System' Date/Time: 25/06/2013 21:37:36
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 25/06/2013 21:37:36
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Those were occurring every day.

So please run VEW again and let's see if they occurred again since then or not.
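The check Cookiegal asks for here (did the same Service Control Manager errors recur after the repair?) can be done mechanically over the text VEW produces. The script below is an added example, not code from this thread or from VEW itself: it parses the record layout VEW prints (a `Log:` header line, a `Type:` line, an `Event:`/`Source:` line, then message text), groups records by log, source and event ID, lists those seen on more than one day, and pulls the faulting binary out of Application Error 1000 records and the service/account pair out of SCM 7038 records. The embedded log excerpt is constructed for the example, condensed from the kinds of entries posted above; run the script on a saved VEW report by reading that file in place of `SAMPLE_LOG`.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt in the text format VEW prints (sample data for this
# example, condensed from the kind of entries posted in the thread).
SAMPLE_LOG = """\
Vino's Event Viewer v01c run on Windows Vista in English
Report run at 27/06/2013 21:05:28
Note: All dates below are in the format dd/mm/yyyy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 12/06/2013 23:20:40
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application yldpzouv.exe, version 2.1.19163.0, time stamp 0x515d31f0, faulting module yldpzouv.exe, version 2.1.19163.0, time stamp 0x515d31f0, exception code 0xc0000005, fault offset 0x00012288, process id 0x1250, application start time 0x01ce67c2cdc97de1.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 25/06/2013 21:37:36
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired.
Log: 'System' Date/Time: 24/06/2013 01:01:44
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired.
Log: 'System' Date/Time: 23/06/2013 20:16:19
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired.
Log: 'System' Date/Time: 16/06/2013 19:38:52
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \\Device\\RaidPort0.
"""

HEADER_RE = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s*$")
TYPE_RE = re.compile(r"^Type: (?P<type>\w+) Category: (?P<cat>\d+)")
EVENT_RE = re.compile(r"^Event: (?P<id>\d+) Source: (?P<src>.+?)\s*$")
FAULT_RE = re.compile(r"Faulting application (?P<app>.+?), version (?P<ver>[\d.]+)")
LOGON_RE = re.compile(r"The (?P<svc>\S+) service was unable to log on as (?P<acct>\S+) with")


def parse_vew(text):
    """Split VEW's report text into one dict per event record."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:                                  # a new record starts here
            if cur:
                records.append(cur)
            cur = {"log": m["log"], "type": None, "id": None, "source": None,
                   "time": datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S"),
                   "msg": []}
            continue
        if line.startswith("~~~"):             # section separator ends a record
            if cur:
                records.append(cur)
            cur = None
            continue
        if cur is None:                        # report preamble / section titles
            continue
        m = TYPE_RE.match(line)
        if m:
            cur["type"] = m["type"]
            continue
        m = EVENT_RE.match(line)
        if m:
            cur["id"], cur["source"] = int(m["id"]), m["src"]
            continue
        cur["msg"].append(line)                # everything else is message text
    if cur:
        records.append(cur)
    for r in records:
        r["msg"] = " ".join(r["msg"]).strip()
    return records


def recurring(records, min_days=2):
    """(log, source, event id) -> sorted distinct dates, for keys seen on >= min_days days."""
    days = defaultdict(set)
    for r in records:
        days[(r["log"], r["source"], r["id"])].add(r["time"].date())
    return {k: sorted(v) for k, v in days.items() if len(v) >= min_days}


def crashed_applications(records):
    """(binary, version, time) for every Application Error 1000 record."""
    out = []
    for r in records:
        if r["source"] == "Application Error" and r["id"] == 1000:
            m = FAULT_RE.search(r["msg"])
            if m:
                out.append((m["app"], m["ver"], r["time"]))
    return out


def service_logon_failures(records):
    """(service, account, time) for every Service Control Manager 7038 record."""
    out = []
    for r in records:
        if r["source"] == "Service Control Manager" and r["id"] == 7038:
            m = LOGON_RE.search(r["msg"])
            if m:
                out.append((m["svc"], m["acct"], r["time"]))
    return out


if __name__ == "__main__":
    recs = parse_vew(SAMPLE_LOG)
    for key, dates in recurring(recs).items():
        print(key, "seen on", [d.isoformat() for d in dates])
    print("crashes:", crashed_applications(recs))
    print("service logon failures:", service_logon_failures(recs))
```

`recurring()` answers the "did it happen again" question directly: a key that only appears on dates before the Startup Repair has stopped. `service_logon_failures()` isolates the account each failing service runs as, and `crashed_applications()` lists the faulting binary names so that an unfamiliar one can be located on disk and checked rather than lost in the noise of the indexer and WMI entries.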


----------



## xelahart (Apr 29, 2009)

Ran VEW again

Vino's Event Viewer v01c run on Windows Vista in English
Report run at 27/06/2013 21:05:28
Note: All dates below are in the format dd/mm/yyyy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 27/06/2013 19:55:10
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 27/06/2013 19:55:10
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 27/06/2013 19:45:19
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 25/06/2013 21:37:01
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 24/06/2013 01:00:24
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 23/06/2013 20:15:21
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 23/06/2013 19:51:39
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 20/06/2013 19:31:55
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 20/06/2013 19:31:55
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 20/06/2013 19:22:14
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 19/06/2013 19:22:21
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 16/06/2013 17:32:33
Type: Error Category: 0
Event: 1010 Source: Microsoft-Windows-Perflib
The Collect Procedure for the "EmdCache" service in DLL "C:\Windows\system32\emdmgmt.dll" generated an exception or returned an invalid status. The performance data returned by the counter DLL will not be returned in the Perf Data Block. The first four bytes (DWORD) of the Data section contains the exception code or status code.
Log: 'Application' Date/Time: 16/06/2013 17:32:33
Type: Error Category: 0
Event: 1008 Source: Microsoft-Windows-Perflib
The Open Procedure for service "BITS" in DLL "C:\Windows\system32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
Log: 'Application' Date/Time: 16/06/2013 16:10:01
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 12/06/2013 23:20:40
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application yldpzouv.exe, version 2.1.19163.0, time stamp 0x515d31f0, faulting module yldpzouv.exe, version 2.1.19163.0, time stamp 0x515d31f0, exception code 0xc0000005, fault offset 0x00012288, process id 0x1250, application start time 0x01ce67c2cdc97de1.
Log: 'Application' Date/Time: 12/06/2013 23:17:20
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 12/06/2013 23:17:20
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 12/06/2013 23:17:20
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 12/06/2013 23:17:20
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 12/06/2013 23:17:20
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 25/06/2013 21:35:32
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 24/06/2013 00:59:39
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 23/06/2013 20:14:16
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 23/06/2013 19:50:29
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 20/06/2013 19:21:00
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 19/06/2013 19:21:18
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 16/06/2013 16:09:10
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 12/06/2013 23:15:15
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 12/06/2013 21:49:35
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 12/06/2013 21:43:53
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 12/06/2013 21:27:54
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 12/06/2013 21:12:37
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-3650955238-2046507532-1628930313-1000_Classes:
Process 2452 (\Device\HarddiskVolume2\Windows\System32\WUDFHost.exe) has opened key \REGISTRY\USER\S-1-5-21-3650955238-2046507532-1628930313-1000_CLASSES

Log: 'Application' Date/Time: 12/06/2013 20:59:37
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 11/06/2013 22:25:00
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 11/06/2013 05:19:05
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 10/06/2013 20:41:13
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 09/06/2013 18:48:28
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 09/06/2013 08:47:34
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 08/06/2013 19:51:14
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 07/06/2013 02:33:49
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 27/06/2013 19:45:56
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 27/06/2013 19:45:56
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 25/06/2013 21:37:36
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 25/06/2013 21:37:36
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 24/06/2013 23:23:51
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 24/06/2013 23:19:53
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 24/06/2013 23:16:04
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 24/06/2013 01:01:44
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 24/06/2013 01:01:44
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 23/06/2013 20:16:19
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 23/06/2013 20:16:19
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 23/06/2013 19:52:33
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 23/06/2013 19:52:33
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 20/06/2013 19:23:07
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 20/06/2013 19:23:07
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 19/06/2013 19:23:23
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 19/06/2013 19:23:23
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 16/06/2013 19:38:52
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
Log: 'System' Date/Time: 16/06/2013 19:07:28
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
Log: 'System' Date/Time: 16/06/2013 17:31:46
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 16/06/2013 19:38:52
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 19:07:28
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:31:46
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:29:43
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:26:14
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:16:50
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:16:31
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:16:23
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:15:50
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:15:30
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 16:34:32
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB974145(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB974145(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB978338(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB978338(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB978886(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB978886(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2563894(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2563894(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2588516(Security Update) into Installed(Installed) state

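The VEW reports in this thread are long and mostly repetition. What a practitioner actually wants from them is: which (source, event ID) pairs recur, which records fire at the same instant (here Service Control Manager 7038 "unable to log on as .\UpdatusUser ... password has expired" names the cause and the 7000 "failed to start" at the same second is its consequence; likewise the nvstor32 parity error 5 alongside the 129 bus reset), and whether a given event has recurred since the last restart. The Python below is an added example, not VEW's own code and not from any poster; `SAMPLE` is an excerpt of records copied from the report above, and the parser assumes only the record layout visible there (a `Log:` header line, a `Type:` line, an `Event:` line, message lines, `~~~~` section separators).

```python
"""Parse a Vino's Event Viewer (VEW) text report and summarise what actually recurs.
Added example for this thread, not VEW's own code or any poster's. SAMPLE is an
excerpt copied from the report posted above; the parser relies only on the record
layout visible there ('Log:' header, 'Type:' line, 'Event:' line, message lines,
'~~~~' section separators)."""
import re
from collections import Counter
from datetime import datetime

TIME_FMT = "%d/%m/%Y %H:%M:%S"   # VEW prints dd/mm/yyyy, as its own report header says
HEADER = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)$")
TYPE = re.compile(r"^Type: (?P<type>\w+) Category: (?P<cat>\d+)$")
EVENT = re.compile(r"^Event: (?P<id>\d+) Source: (?P<source>.+)$")
LOGON_AS = re.compile(r"unable to log on as (\S+) with")

SAMPLE = r"""
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 27/06/2013 19:45:56
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 27/06/2013 19:45:56
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 25/06/2013 21:37:36
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 16/06/2013 19:38:52
Type: Error Category: 0
Event: 5 Source: nvstor32
A parity error was detected on \Device\RaidPort0.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 16/06/2013 19:38:52
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
"""


def parse_vew(text):
    """One dict per 'Log:' record; message lines are joined into one string."""
    records, cur = [], None
    for line in text.splitlines():
        if line.startswith("~~~~"):      # section separator: close the current record
            cur = None
        elif (m := HEADER.match(line)):
            cur = {"log": m["log"], "time": datetime.strptime(m["ts"], TIME_FMT),
                   "type": None, "category": None, "event_id": None, "source": None, "msg": []}
            records.append(cur)
        elif cur is None:                # section title or preamble outside any record
            continue
        elif (m := TYPE.match(line)):
            cur["type"], cur["category"] = m["type"], int(m["cat"])
        elif (m := EVENT.match(line)):
            cur["event_id"], cur["source"] = int(m["id"]), m["source"]
        elif line.strip():
            cur["msg"].append(line.strip())
    for r in records:
        r["msg"] = " ".join(r["msg"])
    return records


def tally(records):
    """Occurrences per (source, event id): separates one-off noise from what recurs."""
    return Counter((r["source"], r["event_id"]) for r in records)


def last_seen(records, source, event_id):
    """Most recent timestamp of an event as a dd/mm/yyyy HH:MM:SS string, or None."""
    times = [r["time"] for r in records if r["source"] == source and r["event_id"] == event_id]
    return max(times).strftime(TIME_FMT) if times else None


def fired_since(records, cutoff):
    """Records at or after `cutoff` (same dd/mm/yyyy HH:MM:SS format), e.g. the last restart."""
    start = datetime.strptime(cutoff, TIME_FMT)
    return [r for r in records if r["time"] >= start]


def same_instant(records):
    """Group records sharing a timestamp; paired records usually describe one fault."""
    groups = {}
    for r in records:
        groups.setdefault(r["time"], []).append((r["source"], r["event_id"]))
    return {t.strftime(TIME_FMT): ids for t, ids in groups.items() if len(ids) > 1}


def service_logon_failures(records):
    """Accounts a service could not log on as (SCM event 7038), with counts."""
    hits = Counter()
    for r in records:
        if r["source"] == "Service Control Manager" and r["event_id"] == 7038:
            if (m := LOGON_AS.search(r["msg"])):
                hits[m.group(1)] += 1
    return dict(hits)


if __name__ == "__main__":
    recs = parse_vew(SAMPLE)
    for (src, eid), n in tally(recs).most_common():
        print(f"{n:3d}  {src} / {eid}  last seen {last_seen(recs, src, eid)}")
    print("same instant:", same_instant(recs), "| logon failures:", service_logon_failures(recs))
```

To run it on a real report, replace `SAMPLE` with the file contents (`open(path, encoding="utf-8").read()`); the timestamp format matches the dd/mm/yyyy note VEW prints at the top of its output. `fired_since` does programmatically what one otherwise does by eye: take the time of the last restart and see whether a given event appears after it. Event 7038 is also worth keeping in view on its own, because it names the local account a service is configured to run as; an account with an expiring password under a service is a configuration that will keep failing on every boot until the service's logon is fixed in the Services snap-in, exactly as the event text says.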

----------



## Triple6 (Dec 26, 2002)

You might be able to clear the nVidia update by updating/reinstalling the nVidia drivers. You can download the driver from here: http://www.geforce.com/drivers


----------



## xelahart (Apr 29, 2009)

Downloading the driver now.

This is probably nothing, but seemed a little strange:
When I got the GeForce website to scan my GPU to work out what driver I need, the result it gave seemed odd (see attached).

Firstly, it says that it has found two GPUs and can only work out the driver I need for one of them. But when you look closely you can see that the 2 GPUs it has found have the same numbers, just rearranged. I checked by putting the name of the mystery one into Google and it directed me back to the same GeForce driver. Could this be a symptom of something wrong with the graphics card if the computer has 2 records for the same card?

Secondly, the scan said that both the latest version of the driver and my current version are 307.83. So the driver doesn't need updating?

I am updating it anyway.


----------



## xelahart (Apr 29, 2009)

Download seemed to work ok.
I also unplugged a non-functioning device (wireless mouse) which might have been the cause of another repeated error message:
_Log: 'Application' Date/Time: 27/06/2013 19:55:10
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated._
_Context: Application, SystemIndex Catalog_
_Details:
A device attached to the system is not functioning. (0x8007001f)_
Did a restart to give the error log a chance to generate some new error events and then ran VEW.exe. Log below.

It would appear that the 'device not functioning' error has stopped.
I think the NVIDIA one has also gone - I have a few error messages with today's date, but the latest is at 20:31:22, whereas my last restart was more like 21:45, so I think that means it didn't generate an error message the last time it started up.

******************************************************

Vino's Event Viewer v01c run on Windows Vista in English
Report run at 30/06/2013 21:49:06
Note: All dates below are in the format dd/mm/yyyy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 30/06/2013 20:30:49
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 30/06/2013 18:19:51
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 27/06/2013 19:55:10
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 27/06/2013 19:55:10
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 27/06/2013 19:45:19
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 25/06/2013 21:37:01
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 24/06/2013 01:00:24
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 23/06/2013 20:15:21
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 23/06/2013 19:51:39
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 20/06/2013 19:31:55
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 20/06/2013 19:31:55
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 20/06/2013 19:22:14
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 19/06/2013 19:22:21
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 16/06/2013 17:32:33
Type: Error Category: 0
Event: 1010 Source: Microsoft-Windows-Perflib
The Collect Procedure for the "EmdCache" service in DLL "C:\Windows\system32\emdmgmt.dll" generated an exception or returned an invalid status. The performance data returned by the counter DLL will not be returned in the Perf Data Block. The first four bytes (DWORD) of the Data section contains the exception code or status code.
Log: 'Application' Date/Time: 16/06/2013 17:32:33
Type: Error Category: 0
Event: 1008 Source: Microsoft-Windows-Perflib
The Open Procedure for service "BITS" in DLL "C:\Windows\system32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
Log: 'Application' Date/Time: 16/06/2013 16:10:01
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Log: 'Application' Date/Time: 12/06/2013 23:20:40
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application yldpzouv.exe, version 2.1.19163.0, time stamp 0x515d31f0, faulting module yldpzouv.exe, version 2.1.19163.0, time stamp 0x515d31f0, exception code 0xc0000005, fault offset 0x00012288, process id 0x1250, application start time 0x01ce67c2cdc97de1.
Log: 'Application' Date/Time: 12/06/2013 23:17:20
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 12/06/2013 23:17:20
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

Log: 'Application' Date/Time: 12/06/2013 23:17:20
Type: Error Category: 3
Event: 3013 Source: Microsoft-Windows-Search
The entry <C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\MCAFEE\BT NETPROTECT PLUS.LNK> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 25/06/2013 21:35:32
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 24/06/2013 00:59:39
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 23/06/2013 20:14:16
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 23/06/2013 19:50:29
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 20/06/2013 19:21:00
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 19/06/2013 19:21:18
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 16/06/2013 16:09:10
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 12/06/2013 23:15:15
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 12/06/2013 21:49:35
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 12/06/2013 21:43:53
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 12/06/2013 21:27:54
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 12/06/2013 21:12:37
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-3650955238-2046507532-1628930313-1000_Classes:
Process 2452 (\Device\HarddiskVolume2\Windows\System32\WUDFHost.exe) has opened key \REGISTRY\USER\S-1-5-21-3650955238-2046507532-1628930313-1000_CLASSES

Log: 'Application' Date/Time: 12/06/2013 20:59:37
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 11/06/2013 22:25:00
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 11/06/2013 05:19:05
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 10/06/2013 20:41:13
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 09/06/2013 18:48:28
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 09/06/2013 08:47:34
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 08/06/2013 19:51:14
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
Log: 'Application' Date/Time: 07/06/2013 02:33:49
Type: Warning Category: 0
Event: 0 Source: LeapFrog Connect Device Service
The event description cannot be found.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 30/06/2013 20:31:22
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 30/06/2013 20:31:22
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 30/06/2013 20:02:10
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {211EBA3A-EA5A-496B-A021-5C6BEB365E4C} did not register with DCOM within the required timeout.
Log: 'System' Date/Time: 30/06/2013 18:20:26
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 30/06/2013 18:20:26
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 27/06/2013 19:45:56
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 27/06/2013 19:45:56
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 25/06/2013 21:37:36
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 25/06/2013 21:37:36
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 24/06/2013 23:23:51
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 24/06/2013 23:19:53
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 24/06/2013 23:16:04
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Log: 'System' Date/Time: 24/06/2013 01:01:44
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 24/06/2013 01:01:44
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 23/06/2013 20:16:19
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 23/06/2013 20:16:19
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 23/06/2013 19:52:33
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 23/06/2013 19:52:33
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 20/06/2013 19:23:07
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 20/06/2013 19:23:07
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 16/06/2013 19:38:52
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 19:07:28
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:31:46
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:29:43
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:26:14
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:16:50
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:16:31
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:16:23
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:15:50
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 17:15:30
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 16:34:32
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB974145(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB974145(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB978338(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB978338(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB978886(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB978886(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2563894(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2563894(Security Update) into Installed(Installed) state
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB2588516(Security Update) into Installed(Installed) state
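
As an added example, not part of the original post or of any tool used in this thread: a small Python script that parses the four-line record format of the log dump above (a `Log:` / `Type:` / `Event:` header followed by the message text, with `~~~` section separators between log types) and summarises recurring events, so that the repeating Event 7038 service logon failures and the Event 129 resets issued to `\Device\RaidPort0` stand out without reading the whole dump. The 7038 message itself states the cause: the service is configured to run as the dedicated local account `.\UpdatusUser`, whose password has expired, which is why the paired Event 7000 reports that the NVIDIA update service never starts. The sample records embedded in the script are copied from the dump above; the function names (`parse_records`, `summarise`, `service_logon_failures`) are my own.

```python
"""Summarise an Event Viewer text dump of the kind posted in this thread.

Record layout (one record = header, type line, event line, message lines):
    Log: 'System' Date/Time: 24/06/2013 01:01:44
    Type: Error Category: 0
    Event: 7000 Source: Service Control Manager
    <free-text message, possibly several lines>
"""
import re
from collections import defaultdict
from datetime import datetime

# Sample records copied verbatim from the log dump in the post above.
SAMPLE_LOG = r"""
Log: 'System' Date/Time: 24/06/2013 01:01:44
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 24/06/2013 01:01:44
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Log: 'System' Date/Time: 23/06/2013 20:16:19
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
Log: 'System' Date/Time: 23/06/2013 20:16:19
Type: Error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 16/06/2013 19:38:52
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 16/06/2013 19:07:28
Type: Warning Category: 0
Event: 129 Source: nvstor32
Reset to device, \Device\RaidPort0, was issued.
Log: 'System' Date/Time: 12/06/2013 23:28:46
Type: Warning Category: 0
Event: 4376 Source: Microsoft-Windows-Servicing
Servicing has required reboot to complete the operation of setting package KB974145(Security Update) into Installed(Installed) state
"""

HEADER = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})$")
TYPE = re.compile(r"^Type: (?P<type>\w+) Category: (?P<cat>\d+)$")
EVENT = re.compile(r"^Event: (?P<id>\d+) Source: (?P<source>.+)$")
SECTION = re.compile(r"^'[^']+' Log - \w+ Type$")       # e.g. 'System' Log - Warning Type
LOGON_AS = re.compile(r"^The (\S+) service was unable to log on as (\S+) with")


def parse_records(text):
    """Turn the dump into a list of dicts: log, time, type, category, event, source, message."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("~") or SECTION.match(line):
            continue                                    # section decoration, not a record
        m = HEADER.match(line)
        if m:
            if current:
                records.append(current)
            current = {"log": m["log"],
                       "time": datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S"),
                       "message": []}
            continue
        if current is None:
            continue                                    # text before the first record
        m = TYPE.match(line)
        if m and "type" not in current:
            current["type"], current["category"] = m["type"], int(m["cat"])
            continue
        m = EVENT.match(line)
        if m and "event" not in current:
            current["event"], current["source"] = int(m["id"]), m["source"]
            continue
        current["message"].append(line)                 # everything else is message text
    if current:
        records.append(current)
    for r in records:
        r["message"] = " ".join(r["message"]).strip()
    return records


def summarise(records):
    """Group by (event id, source): count plus first/last timestamp, newest group first."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["event"], r["source"])].append(r)
    summary = {}
    for key, rs in groups.items():
        times = sorted(r["time"] for r in rs)
        summary[key] = {"count": len(rs), "type": rs[0]["type"],
                        "first": times[0], "last": times[-1]}
    return dict(sorted(summary.items(), key=lambda kv: kv[1]["last"], reverse=True))


def service_logon_failures(records):
    """Event 7038: which service could not log on as which account, and how often.

    A service account whose password has expired (or been changed) fails like
    this on every start; the fix the log itself points to is the Services
    snap-in (services.msc), where the stored credential is updated.
    """
    failures = defaultdict(int)
    for r in records:
        if r["event"] != 7038 or r["source"] != "Service Control Manager":
            continue
        m = LOGON_AS.match(r["message"])
        if m:
            failures[(m.group(1), m.group(2))] += 1
    return dict(failures)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (event, source), info in summarise(recs).items():
        print(f"{info['type']:8} {event:>5} {source:32} x{info['count']}  "
              f"{info['first']:%d/%m/%Y %H:%M} .. {info['last']:%d/%m/%Y %H:%M}")
    for (service, account), n in service_logon_failures(recs).items():
        print(f"logon failure: service {service} as {account} ({n} times)")
```

Run against a full dump saved from the tool, the count column shows at a glance which events recur (here the 7000/7038 pair on every boot, and a burst of Event 129 resets on 16/06), and the first/last timestamps show whether a problem is still happening after a change such as a System Restore.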


----------



## Triple6 (Dec 26, 2002)

Might have just been a detection issue with the nVidia applet. Both cards would use the same driver anyway.

Looks like the McAfee error still is occurring and it may be caused by Windows Search, will have to look into that further.

Edit: Any new errors after a restart now?


----------



## xelahart (Apr 29, 2009)

My errors are intermittent and inconsistent so hard to be certain if they are cleared up.

The only ones I have noticed in the last few days have been the computer freezing during start-up (which I gave the details about in an earlier post) and, whilst trying to update the GeForce drivers last night, the download started but sat at 0% for 10 minutes. I repeatedly cancelled it, closed the web pages, then started the download again, but nothing changed. I restarted the computer and suddenly it worked fine.

I have got used to not using it as much, perhaps I should start using it more again to give it a chance to exhibit symptoms.


----------



## Triple6 (Dec 26, 2002)

Yup, give it some good use, record any issues and post any new logs/events. Cookiegal may have additional instructions and suggestions too.


----------



## Cookiegal (Aug 27, 2003)

I agree with Triple6. Let's see what errors/symptoms still occur after using it for two or three days.


----------



## xelahart (Apr 29, 2009)

I thought it was OK. Used it for various things with no problems.
Then today I had a problem, which might just be a result of me doing something silly, but it looked a bit like problems I was having before.

I wanted to create a DVD from some jpg files, found I had no DVD building software installed, so I dug out a CD of an old version of Roxio and installed it.
I got a warning that it had known compatibility issues with Vista, but it allowed me to continue, so I did. At the end of the install it said it would need a restart to finish the changes. I tried to use it before restarting; it seemed to work OK until I actually tried to build a DVD, when I got error messages. So I restarted it and it froze during startup. I forced it to power down and tried to load it up again; it tried to start a few times but failed, and eventually it went into System Restore. It said it needed to take itself back to an earlier restore point, so I let it. It now seems to work OK and there is no record of the Roxio install. At least not that I can see.

Does that all seem self explanatory to you, i.e. the sort of response you might expect from trying to install a version of Roxio that has known compatibility issues with Vista? Or would you like me to run a diagnostic to check if there was something more serious wrong?


----------



## Triple6 (Dec 26, 2002)

Older versions of Roxio are extremely problematic with newer versions of Windows, you should have heeded the warning. System Restore has probably taken care of it. Throw the disc out.

Vista has built-in burning support for basic stuff and it has DVD Maker. Movie Maker can also be used for making videos or slideshows. But the basic Vista burning is adequate for simply throwing pictures onto a disc.

Imgburn is a third party alternative: http://www.imgburn.com/


----------



## xelahart (Apr 29, 2009)

Thanks for the info about Roxio and the suggestions. I went with some simple freeware called DVD Flick which seems to do the trick with no issues.

One of the bits of software I removed while trying to eliminate problems with the computer was Magic Disk by Magic ISO (http://www.magiciso.com/tutorials/miso-magicdisc-overview.htm). I used to find it very useful for viewing downloaded .iso and .img files without having to burn them to disk first. Is there any reason I shouldn't reinstall it?


----------



## Triple6 (Dec 26, 2002)

I believe that software is safe and new versions are compatible with Windows Vista/7.


----------

