
Solved: Windows 7 (?) can't start because %hs is missing

Discussion in 'Windows 7' started by Trentham, Oct 17, 2013.

  1. Trentham

    Trentham Thread Starter

    Joined:
    Nov 9, 2002
    Messages:
    304
    I'm trying to sort out a problem on a Win7 machine. Trying to boot gives the message

    Stop C0000135 The program can't start because %hs is missing from your computer. Try reinstalling the program to fix this problem.

    Clearly this is useless because if I can't boot the machine, I can't reinstall ANYTHING, even if it had given some sort of clue as to what was wrong!

    This happens exactly the same if I try to start Safe Mode or Safe Mode Command Prompt. Selecting Repair Computer (after F8 - it's a Dell Inspiron) just goes back to the boot menu but that may be down to lack of Dell bootloader.

    I've got an original Win7 DVD so thought to do a repair install but apparently I can only do that if I can start the OS in the first place! How crazy is that? This is an upgrade version... would a different version behave differently?

    I tried the repair options from the Win7 DVD but (not surprisingly) they didn't help. It wouldn't even let me run sfc from the command prompt.

    I've had the drive in another machine and scanned for malware (malwarebytes anti-malware) and viruses (AVG) but nothing was found. I've run chkdsk (using UBCD4Win) and no problems were found. The drives mount fine if I boot from Linux (Puppy was what I used) so at least I've been able to back up all the data.

    Google searches for this error message provided nothing of value - lots of references to it being caused by AVG but that's not on this computer.

    There is no \windows\minidump folder so I assume that facility wasn't turned on or it's not got far enough for windows to have recorded the fault!

    Now I'm after any further ideas. If I knew what was wrong I could probably fix it but at the moment all I can think is that I need to wipe the disk and install from scratch, which would be a real pain.

    Even just a confirmation that there's nothing I can do would be a help!
     
  2. managed

    managed Trusted Advisor

    Joined:
    May 24, 2003
    Messages:
    9,465
    First Name:
    Allan
  3. Trentham

    Trentham Thread Starter

    Joined:
    Nov 9, 2002
    Messages:
    304
    As I said in the original post, AVG's not on this computer. Absolutely no evidence that AVG has ever BEEN on this machine (no files or folders anywhere starting 'avg'). It was running Norton (when it was running)
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    54,755
    First Name:
    Derek
    Please do the following:

    Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive. (Choose the correct version depending on which architecture operating system you are using, 32-bit (x86) or 64-bit (x64).)

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    •Restart the computer.
    •As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    •Use the arrow keys to select the Repair your computer menu item.
    •Choose your language settings, and then click Next.
    •Select the operating system you want to repair, and then click Next.
    •Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    •Insert the installation disc.
    •Restart your computer.
    •If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    •Click Repair your computer.
    •Choose your language settings, and then click Next.
    •Select the operating system you want to repair, and then click Next.
    •Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button.
    • FRST will let you know when the scan is complete and has written FRST.txt to file. Close out this message, then type the following into the search box:
      services.exe;winsrv.*
    • Now press the Search button.
    • When the search is complete, Search.txt will also be written to your USB.
    • Type exit and reboot the computer normally.
    • Please copy and paste both logs (FRST.txt and Search.txt) in your reply.
     
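A small triage helper for the FRST.txt output dvk01 asks for, added here as an example; it is not part of this thread and not code from the FRST project. It assumes the line layout FRST logs of this vintage use (`HKLM\...\Run: [Name] - path [size date] (publisher)`, `AppInit_DLLs: value`, and in the Drivers MD5 section either `path ==> MD5 is legit` or `path <32-hex-digit hash>`); the function and pattern names are my own, and the sample log embedded in the block is constructed in that layout (several lines mirror entries from the log posted later in this thread).

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) text logs.

Added example: not part of this thread and not code from the FRST project.
It assumes the FRST.txt line layout shown in logs of this vintage and pulls
out the entries a responder reads first. The sample log is constructed in
that layout (several lines mirror entries from the log posted in the thread).
"""
import re
from dataclasses import dataclass, field

# "<hive>\...\Run: [<name>] - <rest>"  (hive may contain spaces, e.g. HKU\<user>)
RUN_RE = re.compile(r'^(?P<hive>.+?)\\\.\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] - (?P<rest>.*)$')
# trailing "[<size> <yyyy-mm-dd>] (<publisher>)" that FRST appends when the file exists
SIGNER_RE = re.compile(r'\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^)]*)\)$')
# "AppInit_DLLs: <value>" and the WOW64 view "AppInit_DLLs-x32: <value>"
APPINIT_RE = re.compile(r'^AppInit_DLLs(?:-x32)?:\s*(?P<value>.*)$')
# Drivers MD5 section: "<path>.sys ==> MD5 is legit" or "<path>.sys <32 hex digits>"
MD5_RE = re.compile(r'^(?P<path>.+?\.sys) (?:(?P<legit>==> MD5 is legit)|(?P<md5>[0-9a-f]{32}))$', re.I)


@dataclass
class Triage:
    appinit: list = field(default_factory=list)        # non-empty AppInit_DLLs values
    missing_file: list = field(default_factory=list)   # Run entries whose file is gone ("[x]")
    no_publisher: list = field(default_factory=list)   # Run entries with no publisher name
    unmatched_md5: list = field(default_factory=list)  # (path, md5) FRST could not match


def triage_frst(text: str) -> Triage:
    """Walk an FRST.txt body line by line and collect review-first entries."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = APPINIT_RE.match(line)
        if m:
            if m['value'].strip():
                t.appinit.append(m['value'].strip())
            continue
        m = RUN_RE.match(line)
        if m:
            rest = m['rest'].strip()
            if rest.lower().endswith('[x]'):
                t.missing_file.append(m['name'])
            else:
                s = SIGNER_RE.search(rest)
                if s is None or not s['signer'].strip():
                    t.no_publisher.append(m['name'])
            continue
        m = MD5_RE.match(line)
        if m and m['md5']:
            t.unmatched_md5.append((m['path'], m['md5'].upper()))
    return t


def report(t: Triage) -> list:
    """Render the triage as plain lines, one finding per line."""
    out = [f"AppInit_DLLs set: {v}" for v in t.appinit]
    out += [f"Run entry with missing file: {n}" for n in t.missing_file]
    out += [f"Run entry with no publisher: {n}" for n in t.no_publisher]
    out += [f"Driver not matched by FRST: {p} {h}" for p, h in t.unmatched_md5]
    return out


# Constructed sample in FRST.txt layout (several lines mirror the posted log).
SAMPLE = r"""
HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [305664 2009-01-22] (Alps Electric Co., Ltd.)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM-x32\...\Run: [OCDLMgr] - [x]
HKLM-x32\...\Run: [DATAMNGR] - C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe [1683608 2012-12-27] (Bandoo Media Inc)
HKU\James McKay\...\Run: [GyroQ] - C:\Program Files (x86)\Gyronix\GyroQ\GyroQ.exe [752879 2009-10-09] ()
AppInit_DLLs: C:\PROGRA~3\Wincert\WIN64C~1.DLL C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll [1531400 2012-12-27] (Bandoo Media Inc)
AppInit_DLLs-x32:
C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys 1C7857B62DE5994A75B054A9FD4C3825
C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys A2DA3D8E0B336E13F7A155B5789B58CF
"""

if __name__ == "__main__":
    for finding in report(triage_frst(SAMPLE)):
        print(finding)
```

Each bucket is a "look here first" list, not a verdict. A non-empty AppInit_DLLs value is worth reviewing on any machine because every DLL named there is loaded into each process that loads user32.dll, so a damaged or removed DLL in that value affects far more than one program. A raw hash in the Drivers MD5 section only means FRST could not match the file to its known-good list; third-party drivers (the Norton and Trusteer ones in the posted log, for instance) routinely land there and should be compared against the vendor's copy rather than treated as suspicious on that basis alone.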
  5. Trentham

    Trentham Thread Starter

    Joined:
    Nov 9, 2002
    Messages:
    304
    Many thanks for your help with this.

    FRST.txt:-

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 21-10-2013
    Ran by SYSTEM on MININT-SL919DI on 21-10-2013 14:14:45
    Running from G:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    Internet Explorer Version 10
    Boot Mode: Recovery

    The current controlset is ControlSet001
    ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [305664 2009-01-22] (Alps Electric Co., Ltd.)
    HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [444416 2009-06-28] (IDT, Inc.)
    HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
    HKLM\...\Run: [Broadcom Wireless Manager UI] - C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe [4968960 2009-07-16] (Dell Inc.)
    HKLM\...\Run: [QuickSet] - C:\Program Files\Dell\QuickSet\QuickSet.exe [3180624 2009-07-02] (Dell Inc.)
    HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
    HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500208 2010-03-05] (Adobe Systems Incorporated)
    HKLM\...\Run: [PAC7302_Monitor] - C:\Windows\PixArt\PAC7302\Monitor.exe [319488 2006-11-03] (PixArt Imaging Incorporation)
    HKLM\...\Run: [Logitech Download Assistant] - C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
    HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] - "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-10] (Dell)
    Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
    HKLM-x32\...\Run: [PDVDDXSrv] - C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe [140520 2009-06-24] (CyberLink Corp.)
    HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
    HKLM-x32\...\Run: [DellSupportCenter] - C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe [206064 2009-05-21] (SupportSoft, Inc.)
    HKLM-x32\...\Run: [CPMonitor] - C:\Program Files (x86)\Roxio 2010\5.0\CPMonitor.exe [84464 2009-07-21] ()
    HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe [494064 2009-06-22] ()
    HKLM-x32\...\Run: [MMReminderService] - C:\Program Files (x86)\Mindjet\MindManager 8\MMReminderService.exe [38240 2009-12-07] (Mindjet)
    HKLM-x32\...\Run: [AdobeCS5ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [406992 2010-02-21] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [SwitchBoard] - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] - C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [44128 2013-05-08] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Acrobat Assistant 8.0] - C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [642664 2013-05-07] (Adobe Systems Inc.)
    HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Everything] - C:\Program Files (x86)\Everything\Everything.exe [602624 2009-03-12] ()
    HKLM-x32\...\Run: [RoxWatchTray] - C:\Program Files (x86)\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe [240112 2009-07-24] (Sonic Solutions)
    HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
    HKLM-x32\...\Run: [BSDAppUpdater] - C:\Program Files (x86)\Common Files\BSD\AppUpdater\BSDChecker.exe [1660232 2011-05-11] (Bootstrap Software Development)
    HKLM-x32\...\Run: [OCDLMgr] - [x]
    HKLM-x32\...\Run: [DATAMNGR] - C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe [1683608 2012-12-27] (Bandoo Media Inc)
    HKLM-x32\...\Run: [TkBellExe] - c:\program files (x86)\real\realplayer\Update\realsched.exe [295512 2013-05-24] (RealNetworks, Inc.)
    HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-04-30] (Apple Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
    HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-09-30] (Apple Inc.)
    HKU\James McKay\...\Run: [GyroQ] - C:\Program Files (x86)\Gyronix\GyroQ\GyroQ.exe [752879 2009-10-09] ()
    HKU\James McKay\...\Run: [ISUSPM] - C:\ProgramData\Macrovision\FLEXnet Connect\11\ISUSPM.exe [210208 2008-09-26] (Acresso Corporation)
    HKU\James McKay\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-11-16] (Google Inc.)
    HKU\James McKay\...\Run: [MobileDocuments] - C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
    HKU\James McKay\...\Run: [TomTomHOME.exe] - C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe [247768 2012-07-26] (TomTom)
    HKU\James McKay\...\Run: [MyTomTomSA.exe] - C:\Program Files (x86)\MyTomTom 3\MyTomTomSA.exe [455608 2013-05-23] (TomTom)
    HKU\James McKay\...\Run: [iCloudServices] - C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-09-13] (Apple Inc.)
    HKU\James McKay\...\Run: [ApplePhotoStreams] - C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-09-15] (Apple Inc.)
    AppInit_DLLs: C:\PROGRA~3\Wincert\WIN64C~1.DLL C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll [1531400 2012-12-27] (Bandoo Media Inc)
    AppInit_DLLs-x32: C:\PROGRA~3\Wincert\WIN32C~1.DLL C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll [1189384 2012-12-27] (Bandoo Media Inc)
    Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\James McKay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
    ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

    ==================== Services (Whitelisted) =================

    S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe [144368 2013-05-20] (Symantec Corporation)
    S2 RapportMgmtService; C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [1435928 2013-09-10] (Trusteer Ltd.)
    S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-04-15] ()
    S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe [240128 2009-06-28] (IDT, Inc.)
    S3 Symantec RemoteAssist; C:\Program Files (x86)\Common Files\Symantec Shared\Support Controls\ssrc.exe [394704 2008-01-29] (Symantec, Inc.)
    S2 wltrysvc; C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE [33280 2009-07-16] ()
    S3 Roxio UPnP Renderer 11; "C:\Program Files (x86)\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe" [x]

    ==================== Drivers (Whitelisted) ====================

    S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\Definitions\BASHDefs\20130924.001\BHDrvx64.sys [1525848 2013-09-23] (Symantec Corporation)
    S1 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1404000.028\ccSetx64.sys [169048 2013-04-15] (Symantec Corporation)
    S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-09-09] (Symantec Corporation)
    S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\Definitions\IPSDefs\20131005.002\IDSvia64.sys [520280 2013-09-06] (Symantec Corporation)
    S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\Definitions\VirusDefs\20131008.032\ENG64.SYS [126040 2013-09-09] (Symantec Corporation)
    S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\Definitions\VirusDefs\20131008.032\EX64.SYS [2099288 2013-09-09] (Symantec Corporation)
    S3 PAC7302; C:\Windows\System32\DRIVERS\PAC7302.SYS [527872 2007-11-08] (PixArt Imaging Inc.)
    S1 RapportCerberus_56758; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_56758.sys [589872 2013-08-14] ()
    S1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [265872 2013-09-10] (Trusteer Ltd.)
    S0 RapportKE64; C:\Windows\System32\Drivers\RapportKE64.sys [295696 2013-09-10] (Trusteer Ltd.)
    S1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [384432 2013-09-10] (Trusteer Ltd.)
    S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [31744 2009-01-09] (Research in Motion Ltd)
    S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1404000.028\SRTSP64.SYS [796760 2013-05-15] (Symantec Corporation)
    S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1404000.028\SRTSPX64.SYS [36952 2013-03-04] (Symantec Corporation)
    S0 SymDS; C:\Windows\System32\drivers\NISx64\1404000.028\SYMDS64.SYS [493656 2013-05-20] (Symantec Corporation)
    S0 SymEFA; C:\Windows\System32\drivers\NISx64\1404000.028\SYMEFA64.SYS [1139800 2013-05-22] (Symantec Corporation)
    S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-06-11] (Symantec Corporation)
    S1 SymIRON; C:\Windows\system32\drivers\NISx64\1404000.028\Ironx64.SYS [224416 2013-03-04] (Symantec Corporation)
    S1 SymNetS; C:\Windows\System32\Drivers\NISx64\1404000.028\SYMNETS.SYS [433752 2013-04-24] (Symantec Corporation)
    S3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()
    S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [x]

    ========================== Drivers MD5 =======================

    C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
    C:\Windows\System32\drivers\ACPI.sys ==> MD5 is legit
    C:\Windows\system32\drivers\acpipmi.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\adp94xx.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\adpahci.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\adpu320.sys ==> MD5 is legit
    C:\Windows\system32\drivers\afd.sys 1C7857B62DE5994A75B054A9FD4C3825
    C:\Windows\system32\drivers\agp440.sys ==> MD5 is legit
    C:\Windows\system32\drivers\aliide.sys ==> MD5 is legit
    C:\Windows\system32\drivers\amdide.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\amdk8.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\amdppm.sys ==> MD5 is legit
    C:\Windows\system32\drivers\amdsata.sys D4121AE6D0C0E7E13AA221AA57EF2D49
    C:\Windows\system32\DRIVERS\amdsbs.sys ==> MD5 is legit
    C:\Windows\System32\drivers\amdxata.sys 540DAF1CEA6094886D72126FD7C33048
    C:\Windows\System32\DRIVERS\Apfiltr.sys ==> MD5 is legit
    C:\Windows\system32\drivers\appid.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\arc.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\arcsas.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\asyncmac.sys ==> MD5 is legit
    C:\Windows\system32\drivers\atapi.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\bxvbda.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\b57nd60a.sys ==> MD5 is legit
    C:\Windows\System32\drivers\BCM42RLY.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\bcmwl664.sys F4CD5F52850BF2C978DE178F256BA372
    C:\Windows\System32\Drivers\Beep.sys ==> MD5 is legit
    C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\Definitions\BASHDefs\20130924.001\BHDrvx64.sys 4AD1940DAAAC84036B65EF78BAE42208
    C:\Windows\System32\DRIVERS\blbdrive.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\bowser.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\BrFiltLo.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\BrFiltUp.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\Brserid.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\BrSerWdm.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\BrUsbMdm.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\BrUsbSer.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\bthmodem.sys ==> MD5 is legit
    C:\Windows\system32\drivers\NISx64\1404000.028\ccSetx64.sys 56685951208AC81CF923B9B08BEDF3B7
    C:\Windows\System32\DRIVERS\cdfs.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\cdrom.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\circlass.sys ==> MD5 is legit
    C:\Windows\System32\CLFS.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\CmBatt.sys ==> MD5 is legit
    C:\Windows\system32\drivers\cmdide.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\cng.sys AAFCB52FE0037207FB6FBEA070D25EFE
    C:\Windows\System32\DRIVERS\compbatt.sys ==> MD5 is legit
    C:\Windows\system32\drivers\CompositeBus.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\crcdisk.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\CtClsFlt.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\emDevice64.sys 95FEA1B0BF6486778AEBA1FB5977608B
    C:\Windows\System32\Drivers\dfsc.sys ==> MD5 is legit
    C:\Windows\System32\drivers\discache.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\disk.sys ==> MD5 is legit
    C:\Windows\System32\drivers\drmkaud.sys ==> MD5 is legit
    C:\Windows\System32\drivers\dxgkrnl.sys AF2E16242AA723F68F461B6EAE2EAD3D
    C:\Windows\system32\DRIVERS\evbda.sys ==> MD5 is legit
    C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys A2DA3D8E0B336E13F7A155B5789B58CF
    C:\Windows\system32\DRIVERS\elxstor.sys ==> MD5 is legit
    C:\Windows\system32\drivers\errdev.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\exfat.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\fastfat.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\fdc.sys ==> MD5 is legit
    C:\Windows\System32\drivers\fileinfo.sys ==> MD5 is legit
    C:\Windows\System32\drivers\filetrace.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\emFilter64.sys 9B93B7B76F31E2A305F8641E2F2BD60B
    C:\Windows\system32\DRIVERS\flpydisk.sys ==> MD5 is legit
    C:\Windows\System32\drivers\fltmgr.sys ==> MD5 is legit
    C:\Windows\System32\drivers\FsDepends.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\Fs_Rec.sys 6BD9295CC032DD3077C671FCCF579A7B
    C:\Windows\System32\DRIVERS\fvevol.sys 8F6322049018354F45F05A2FD2D4E5E0
    C:\Windows\system32\DRIVERS\gagp30kx.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\GEARAspiWDM.sys 8E98D21EE06192492A5671A6144D092F
    C:\Windows\system32\drivers\hcw85cir.sys ==> MD5 is legit
    C:\Windows\system32\drivers\HDAudBus.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\HidBatt.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\hidbth.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\hidir.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\hidusb.sys ==> MD5 is legit
    C:\Windows\system32\drivers\HpSAMD.sys ==> MD5 is legit
    C:\Windows\System32\drivers\HTTP.sys ==> MD5 is legit
    C:\Windows\System32\drivers\hwpolicy.sys ==> MD5 is legit
    C:\Windows\system32\drivers\i8042prt.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\iaStor.sys 4F6FB2CDBDEEFC47E7D2066E78254580
    C:\Windows\system32\drivers\iaStorV.sys AAAF44DB3BD0B9D1FB6969B23ECC8366
    C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\Definitions\IPSDefs\20131005.002\IDSvia64.sys A1258065E8B16E23E2AFDE72FB5559BC
    C:\Windows\System32\DRIVERS\igdkmd64.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\iirsp.sys ==> MD5 is legit
    C:\Windows\system32\drivers\intelide.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\intelppm.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\ipfltdrv.sys ==> MD5 is legit
    C:\Windows\system32\drivers\IPMIDrv.sys ==> MD5 is legit
    C:\Windows\System32\drivers\ipnat.sys ==> MD5 is legit
    C:\Windows\System32\drivers\irenum.sys ==> MD5 is legit
    C:\Windows\system32\drivers\isapnp.sys ==> MD5 is legit
    C:\Windows\system32\drivers\msiscsi.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\kbdclass.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\kbdhid.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\ksecdd.sys 97A7070AEA4C058B6418519E869A63B4
    C:\Windows\System32\Drivers\ksecpkg.sys 7EFB9333E4ECCE6AE4AE9D777D9E553E
    C:\Windows\system32\drivers\ksthunk.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\lltdio.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\lsi_fc.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\lsi_sas.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\lsi_sas2.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\lsi_scsi.sys ==> MD5 is legit
    C:\Windows\system32\drivers\luafv.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\megasas.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\MegaSR.sys ==> MD5 is legit
    C:\Windows\System32\drivers\modem.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\monitor.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\mouclass.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\mouhid.sys ==> MD5 is legit
    C:\Windows\System32\drivers\mountmgr.sys ==> MD5 is legit
    C:\Windows\system32\drivers\mpio.sys ==> MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys ==> MD5 is legit
    C:\Windows\system32\drivers\mrxdav.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\mrxsmb.sys A5D9106A73DC88564C825D317CAC68AC
    C:\Windows\System32\DRIVERS\mrxsmb10.sys D711B3C1D5F42C0C2415687BE09FC163
    C:\Windows\System32\DRIVERS\mrxsmb20.sys 9423E9D355C8D303E76B8CFBD8A5C30C
    C:\Windows\system32\drivers\msahci.sys ==> MD5 is legit
    C:\Windows\system32\drivers\msdsm.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\Msfs.sys ==> MD5 is legit
    C:\Windows\System32\drivers\mshidkmdf.sys ==> MD5 is legit
    C:\Windows\System32\drivers\msisadrv.sys ==> MD5 is legit
    C:\Windows\System32\drivers\MSKSSRV.sys ==> MD5 is legit
    C:\Windows\System32\drivers\MSPCLOCK.sys ==> MD5 is legit
    C:\Windows\System32\drivers\MSPQM.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\MsRPC.sys ==> MD5 is legit
    C:\Windows\system32\drivers\mssmbios.sys ==> MD5 is legit
    C:\Windows\System32\drivers\MSTEE.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\MTConfig.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\mup.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\nwifi.sys ==> MD5 is legit
    C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\Definitions\VirusDefs\20131008.032\ENG64.SYS 702E07EC32F96ACDB873E9A5465D4401
    C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\Definitions\VirusDefs\20131008.032\EX64.SYS 302EA314A1AF0D7CEF0A3D0195F79561
    C:\Windows\System32\drivers\ndis.sys 760E38053BF56E501D562B70AD796B88
    C:\Windows\System32\DRIVERS\ndiscap.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\ndistapi.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\ndisuio.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\ndiswan.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\NDProxy.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\netbios.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\netbt.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\nfrd960.sys ==> MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\Ntfs.sys B98F8C6E31CD07B2E6F71F7F648E38C0
    C:\Windows\System32\Drivers\Null.sys ==> MD5 is legit
    C:\Windows\system32\drivers\nvraid.sys 0A92CB65770442ED0DC44834632F66AD
    C:\Windows\system32\drivers\nvstor.sys DAB0E87525C10052BF65F06152F37E4A
    C:\Windows\system32\drivers\nv_agp.sys ==> MD5 is legit
    C:\Windows\system32\drivers\ohci1394.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\PAC7302.SYS D61B764B27BF05CCCADCC5E1E7B73A21
    C:\Windows\system32\DRIVERS\parport.sys ==> MD5 is legit
    C:\Windows\System32\drivers\partmgr.sys E9766131EEADE40A27DC27D2D68FBA9C
    C:\Windows\System32\drivers\pci.sys ==> MD5 is legit
    C:\Windows\system32\drivers\pciide.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\pcmcia.sys ==> MD5 is legit
    C:\Windows\System32\drivers\pcw.sys ==> MD5 is legit
    C:\Windows\System32\drivers\peauth.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\raspptp.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\processr.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\pacer.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\PxHlpa64.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\ql2300.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\ql40xx.sys ==> MD5 is legit
    C:\Windows\system32\drivers\qwavedrv.sys ==> MD5 is legit
    C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_56758.sys 81BE76652B1D5B9493B9DD339F2D0FC0
    C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys D580EC8506F84C8277140FD237127C4A
    C:\Windows\System32\Drivers\RapportKE64.sys A103F290C785F115D349DB25ED5AF733
    C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys 68828AC59A33164C2DF4AF21272A27CB
    C:\Windows\System32\DRIVERS\rasacd.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\AgileVpn.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\rasl2tp.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\raspppoe.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\rassstp.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\rdbss.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\rdpbus.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\RDPCDD.sys ==> MD5 is legit
    C:\Windows\System32\drivers\rdpencdd.sys ==> MD5 is legit
    C:\Windows\System32\drivers\rdprefmp.sys ==> MD5 is legit
    C:\Windows\System32\drivers\rdpvideominiport.sys 313F68E1A3E6345A4F47A36B07062F34
    C:\Windows\System32\Drivers\RDPWD.sys E61608AA35E98999AF9AAEEEA6114B0A
    C:\Windows\System32\drivers\rdyboost.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys C903D49655B4AAE46673F0AAA6BE0F58
    C:\Windows\System32\Drivers\RootMdm.sys 388D3DD1A6457280F3BADBA9F3ACD6B1
    C:\Windows\System32\DRIVERS\rspndr.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\RtsUStor.sys ==> MD5 is legit
    C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\emScan64.sys 171F16CB80B8CFF1C406D52DBD16ECEB
    C:\Windows\System32\DRIVERS\scfilter.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\serenum.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\serial.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\sermouse.sys ==> MD5 is legit
    C:\Windows\system32\drivers\sffdisk.sys ==> MD5 is legit
    C:\Windows\system32\drivers\sffp_mmc.sys ==> MD5 is legit
    C:\Windows\system32\drivers\sffp_sd.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\sfloppy.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\SiSRaid2.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\sisraid4.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\smb.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\spldr.sys ==> MD5 is legit
    C:\Windows\System32\Drivers\NISx64\1404000.028\SRTSP64.SYS 2FD9346F9D76CB4192D37329CFA47A82
    C:\Windows\system32\drivers\NISx64\1404000.028\SRTSPX64.SYS 0E76CEF892C45734F7AED09FDDF35D4D
    C:\Windows\System32\DRIVERS\srv.sys 441FBA48BFF01FDB9D5969EBC1838F0B
    C:\Windows\System32\DRIVERS\srv2.sys B4ADEBBF5E3677CCE9651E0F01F7CC28
    C:\Windows\System32\DRIVERS\srvnet.sys 27E461F0BE5BFF5FC737328F749538C3
    C:\Windows\system32\DRIVERS\stexstor.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\stwrt64.sys ==> MD5 is legit
    C:\Windows\system32\drivers\swenum.sys ==> MD5 is legit
    C:\Windows\System32\drivers\NISx64\1404000.028\SYMDS64.SYS 52DC0048D667757A8A2E4C87182890AC
    C:\Windows\System32\drivers\NISx64\1404000.028\SYMEFA64.SYS 599872BAD7CFB45C7CE47CDED4B726D8
    C:\Windows\system32\Drivers\SYMEVENT64x86.SYS F19E5E37ED8134B9E5F6287F2D3A75D7
    C:\Windows\system32\drivers\NISx64\1404000.028\Ironx64.SYS ADF37F1A715D6C56C8E065FD8569A9A4
    C:\Windows\System32\Drivers\NISx64\1404000.028\SYMNETS.SYS 9CDCA70485BD6B9D230365F67C31F132
    C:\Windows\System32\drivers\tcpip.sys DB74544B75566C974815E79A62433F29
    C:\Windows\System32\DRIVERS\tcpip.sys DB74544B75566C974815E79A62433F29
    C:\Windows\System32\drivers\tcpipreg.sys 1B16D0BD9841794A6E0CDE0CEF744ABC
    C:\Windows\System32\drivers\tdpipe.sys ==> MD5 is legit
    C:\Windows\System32\drivers\tdtcp.sys 51C5ECEB1CDEE2468A1748BE550CFBC8
    C:\Windows\System32\DRIVERS\tdx.sys ==> MD5 is legit
    C:\Windows\system32\drivers\termdd.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\tssecsrv.sys 4CE278FC9671BA81A138D70823FCAA09
    C:\Windows\System32\drivers\tsusbflt.sys 17C6B51CBCCDED95B3CC14E22791F85E
    C:\Windows\System32\DRIVERS\tunnel.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\uagp35.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\udfs.sys ==> MD5 is legit
    C:\Windows\system32\drivers\uliagpkx.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\umbus.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\umpass.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\emBDA64.sys FFEFC1FCC33402571D65100662C5AF37
    C:\Windows\System32\DRIVERS\emOEM64.sys D7940283C43E440FCF83AB55B85689C9
    C:\Windows\System32\Drivers\usbaapl64.sys AF1B9474D67897D0C2CFF58E0ACEACCC
    C:\Windows\System32\drivers\usbaudio.sys 82E8F44688E6FAC57B5B7C6FC7ADBC2A
    C:\Windows\System32\DRIVERS\usbccgp.sys 6F1A3157A1C89435352CEB543CDB359C
    C:\Windows\system32\drivers\usbcir.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\usbehci.sys C025055FE7B87701EB042095DF1A2D7B
    C:\Windows\System32\DRIVERS\usbhub.sys 287C6C9410B111B68B52CA298F7B8C24
    C:\Windows\system32\DRIVERS\usbohci.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\usbprint.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\usbscan.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\USBSTOR.SYS FED648B01349A3C8395A5169DB5FB7D6
    C:\Windows\System32\DRIVERS\usbuhci.sys 62069A34518BCF9C1FD9E74B3F6DB7CD
    C:\Windows\System32\Drivers\usbvideo.sys 454800C2BC7F3927CE030141EE4F4C50
    C:\Windows\System32\DRIVERS\usb8023x.sys 7B28E2FBE75115660FAB31079C0A9F29
    C:\Windows\System32\drivers\vdrvroot.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
    C:\Windows\System32\drivers\vga.sys ==> MD5 is legit
    C:\Windows\system32\drivers\vhdmp.sys ==> MD5 is legit
    C:\Windows\system32\drivers\viaide.sys ==> MD5 is legit
    C:\Windows\System32\drivers\volmgr.sys ==> MD5 is legit
    C:\Windows\System32\drivers\volmgrx.sys ==> MD5 is legit
    C:\Windows\System32\drivers\volsnap.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\vsmraid.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\vwifibus.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\vwififlt.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\vwifimp.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\wacompen.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
    C:\Windows\system32\DRIVERS\wd.sys ==> MD5 is legit
    C:\Windows\System32\drivers\Wdf01000.sys 442783E2CB0DA19873B7A63833FF4CB4
    C:\Windows\System32\DRIVERS\wfplwf.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\wimfltr.sys ==> MD5 is legit
    C:\Windows\System32\drivers\wimmount.sys ==> MD5 is legit
    C:\Windows\SysWow64\Drivers\wimmount.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\WinUsb.sys FE88B288356E7B47B74B13372ADD906D
    C:\Windows\system32\drivers\wmiacpi.sys ==> MD5 is legit
    C:\Windows\system32\drivers\ws2ifsl.sys ==> MD5 is legit
    C:\Windows\System32\DRIVERS\WSDPrint.sys 8D918B1DB190A4D9B1753A66FA8C96E8
    C:\Windows\System32\drivers\WudfPf.sys AB886378EEB55C6C75B4F2D14B6C869F
    C:\Windows\System32\DRIVERS\WUDFRd.sys DDA4CAF29D8C0A297F886BFE561E6659
    C:\Windows\System32\DRIVERS\yk62x64.sys ==> MD5 is legit

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-10-21 14:13 - 2013-10-21 14:13 - 00000000 ____D C:\FRST
    2013-10-10 00:15 - 2013-10-10 00:15 - 00003288 ____N C:\bootsqm.dat
    2013-10-08 06:44 - 2013-10-08 06:44 - 00001785 _____ C:\Users\Public\Desktop\iTunes.lnk
    2013-10-08 06:39 - 2013-10-08 06:40 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
    2013-10-08 03:03 - 2013-10-08 06:12 - 00765218 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
    2013-10-08 02:48 - 2013-10-08 02:59 - 50449456 _____ (Microsoft Corporation) C:\Users\James McKay\Downloads\dotNetFx40_Full_x86_x64.exe
    2013-10-08 02:45 - 2013-10-08 02:45 - 00002595 _____ C:\Users\Public\Desktop\uMark.lnk
    2013-10-08 02:45 - 2013-10-08 02:45 - 00000000 ____D C:\Windows\SysWOW64\Trusteer
    2013-10-08 02:45 - 2013-10-08 02:45 - 00000000 ____D C:\Users\James McKay\Desktop\Trusteer
    2013-10-08 02:45 - 2013-10-08 02:45 - 00000000 ____D C:\Program Files (x86)\Uconomix
    2013-10-03 05:27 - 2013-10-03 05:27 - 00000000 ____D C:\ProgramData\Oracle
    2013-10-03 05:27 - 2013-10-03 05:26 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
    2013-10-03 05:26 - 2013-10-03 05:26 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
    2013-10-03 05:26 - 2013-10-03 05:26 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
    2013-10-03 05:26 - 2013-10-03 05:26 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

    ==================== One Month Modified Files and Folders =======

    2013-10-21 14:13 - 2013-10-21 14:13 - 00000000 ____D C:\FRST
    2013-10-10 10:42 - 2013-03-16 08:16 - 00000000 ____D C:\Program Files\Microsoft Silverlight
    2013-10-10 10:42 - 2009-11-16 11:02 - 00000000 ____D C:\ProgramData\Norton
    2013-10-10 10:42 - 2009-11-16 07:10 - 00000000 ____D C:\users\James McKay
    2013-10-10 10:42 - 2009-09-27 03:42 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
    2013-10-10 10:42 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
    2013-10-10 10:42 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
    2013-10-10 10:34 - 2009-07-13 23:44 - 00000000 ___RD C:\Users\Public\Recorded TV
    2013-10-10 00:15 - 2013-10-10 00:15 - 00003288 ____N C:\bootsqm.dat
    2013-10-09 00:24 - 2013-07-29 08:27 - 00000000 ____D C:\Windows\System32\MRT
    2013-10-09 00:02 - 2009-07-13 21:10 - 01709528 _____ C:\Windows\WindowsUpdate.log
    2013-10-09 00:01 - 2012-07-18 13:29 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-10-09 00:01 - 2012-07-18 13:29 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2013-10-09 00:01 - 2012-07-18 13:29 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-10-09 00:01 - 2011-06-27 13:03 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-10-08 23:42 - 2009-07-13 20:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-10-08 23:42 - 2009-07-13 20:45 - 00014240 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-10-08 23:38 - 2009-12-09 00:55 - 00000000 ____D C:\Users\James McKay\AppData\Local\CrashDumps
    2013-10-08 23:37 - 2011-03-21 11:54 - 00000000 ____D C:\Program Files (x86)\Everything
    2013-10-08 23:37 - 2009-11-16 10:04 - 00000000 ____D C:\Users\James McKay\AppData\Roaming\Apple Computer
    2013-10-08 23:35 - 2009-11-16 10:04 - 00000000 ____D C:\Users\James McKay\AppData\Local\Apple Computer
    2013-10-08 23:34 - 2013-07-21 22:56 - 00003372 _____ C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-2993771258-328447339-3840180008-1000
    2013-10-08 23:34 - 2013-07-21 22:56 - 00003250 _____ C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-2993771258-328447339-3840180008-1000
    2013-10-08 23:33 - 2013-09-10 04:56 - 00000400 _____ C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_James McKay.job
    2013-10-08 23:33 - 2011-03-03 07:24 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-10-08 23:33 - 2010-06-07 14:02 - 00000394 _____ C:\Windows\Tasks\Registry Reviver64-James McKay-Startup.job
    2013-10-08 23:33 - 2009-11-23 09:59 - 00000000 ____D C:\Users\James McKay\AppData\Local\SoftThinks
    2013-10-08 23:33 - 2009-11-23 09:59 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
    2013-10-08 23:33 - 2009-11-23 09:59 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
    2013-10-08 23:33 - 2009-09-27 03:34 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
    2013-10-08 23:32 - 2013-07-21 22:51 - 00000650 _____ C:\Windows\setupact.log
    2013-10-08 23:32 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2013-10-08 06:53 - 2013-07-22 01:07 - 00022524 _____ C:\Windows\PFRO.log
    2013-10-08 06:44 - 2013-10-08 06:44 - 00001785 _____ C:\Users\Public\Desktop\iTunes.lnk
    2013-10-08 06:40 - 2013-10-08 06:39 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
    2013-10-08 06:40 - 2011-06-10 14:33 - 00000000 ____D C:\Program Files\iTunes
    2013-10-08 06:40 - 2011-06-10 14:33 - 00000000 ____D C:\Program Files (x86)\iTunes
    2013-10-08 06:39 - 2011-06-10 14:33 - 00000000 ____D C:\Program Files\iPod
    2013-10-08 06:12 - 2013-10-08 03:03 - 00765218 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
    2013-10-08 06:12 - 2009-07-13 21:13 - 00765218 _____ C:\Windows\System32\PerfStringBackup.INI
    2013-10-08 06:05 - 2011-03-03 07:24 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-10-08 06:03 - 2013-09-10 04:56 - 00002990 _____ C:\Windows\System32\Tasks\ReclaimerUpdateXML_James McKay
    2013-10-08 06:03 - 2013-09-10 04:56 - 00000390 _____ C:\Windows\Tasks\ReclaimerUpdateXML_James McKay.job
    2013-10-08 03:00 - 2013-09-10 04:56 - 00002994 _____ C:\Windows\System32\Tasks\ReclaimerUpdateFiles_James McKay
    2013-10-08 03:00 - 2013-09-10 04:56 - 00000394 _____ C:\Windows\Tasks\ReclaimerUpdateFiles_James McKay.job
    2013-10-08 02:59 - 2013-10-08 02:48 - 50449456 _____ (Microsoft Corporation) C:\Users\James McKay\Downloads\dotNetFx40_Full_x86_x64.exe
    2013-10-08 02:45 - 2013-10-08 02:45 - 00002595 _____ C:\Users\Public\Desktop\uMark.lnk
    2013-10-08 02:45 - 2013-10-08 02:45 - 00000000 ____D C:\Windows\SysWOW64\Trusteer
    2013-10-08 02:45 - 2013-10-08 02:45 - 00000000 ____D C:\Users\James McKay\Desktop\Trusteer
    2013-10-08 02:45 - 2013-10-08 02:45 - 00000000 ____D C:\Program Files (x86)\Uconomix
    2013-10-05 12:25 - 2010-02-26 13:38 - 00000674 _____ C:\Windows\Tasks\20100226_212500_James McKay3.job
    2013-10-03 05:27 - 2013-10-03 05:27 - 00000000 ____D C:\ProgramData\Oracle
    2013-10-03 05:26 - 2013-10-03 05:27 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
    2013-10-03 05:26 - 2013-10-03 05:26 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
    2013-10-03 05:26 - 2013-10-03 05:26 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
    2013-10-03 05:26 - 2013-10-03 05:26 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
    2013-10-03 05:26 - 2012-07-11 05:00 - 00868264 _____ (Oracle Corporation) C:\Windows\SysWOW64\npdeployJava1.dll
    2013-10-03 05:26 - 2010-07-23 09:36 - 00790440 _____ (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
    2013-10-03 05:11 - 2013-09-12 07:31 - 00003350 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2993771258-328447339-3840180008-1000
    2013-10-03 05:11 - 2013-09-12 07:31 - 00003228 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2993771258-328447339-3840180008-1000

    Some content of TEMP:
    ====================
    C:\Users\James McKay\AppData\Local\Temp\BundleSweetIMSetup.exe
    C:\Users\James McKay\AppData\Local\Temp\install_flashplayer11x32au_chra_awa_aih (1).exe
    C:\Users\James McKay\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe
    C:\Users\James McKay\AppData\Local\Temp\MybabylonTB.exe
    C:\Users\James McKay\AppData\Local\Temp\Update.exe


    ==================== Known DLLs (Whitelisted) ================

    C:\Windows\System32\LPK.dll IS MISSING <==== ATTENTION!
    C:\Windows\SysWOW64\LPK.dll IS MISSING <==== ATTENTION!

    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================


    ==================== Memory info ===========================

    Percentage of memory in use: 19%
    Total physical RAM: 3032.36 MB
    Available physical RAM: 2427.84 MB
    Total Pagefile: 3030.51 MB
    Available Pagefile: 2426.99 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.87 MB

    ==================== Drives ================================

    Drive c: (OS) (Fixed) (Total:213.72 GB) (Free:69.55 GB) NTFS
    Drive e: (GRMCHPXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF
    Drive g: (UDISK) (Removable) (Total:3.73 GB) (Free:0.71 GB) FAT32
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Drive y: (RECOVERY) (Fixed) (Total:18.87 GB) (Free:13.9 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 233 GB) (Disk ID: 2B391CB6)
    Partition 1: (Not Active) - (Size=298 MB) - (Type=DE)
    Partition 2: (Active) - (Size=19 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=214 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 2 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: C3072E18)
    Partition 1: (Active) - (Size=4 GB) - (Type=0C)


    LastRegBack: 2013-10-03 07:12

    ==================== End Of Log ============================

    Search.txt:-

    Farbar Recovery Scan Tool (x64) Version: 21-10-2013
    Ran by SYSTEM at 2013-10-21 14:21:11
    Running from G:\
    Boot Mode: Recovery

    ================== Search: "services.exe;winsrv.*" ===================

    C:\Windows\winsxs\wow64_microsoft-windows-winsrv.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a412dbba527dc14e\winsrv.dll.mui
    [2009-07-13 21:35] - [2009-07-13 18:08] - 0008192 ____A (Microsoft Corporation) 9848765E88322400BDC710A76ADEA841

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.22411_none_152b1d6acc153304\winsrv.dll
    [2013-09-12 06:03] - [2013-08-01 22:23] - 0215040 ____A (Microsoft Corporation) 99AACC82C6B8A8E976CA59CFD3C322EF

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.22379_none_14f23e4ccc3ea83b\winsrv.dll
    [2013-08-14 05:44] - [2013-07-07 21:18] - 0215040 ____A (Microsoft Corporation) 1F1DA89B6582F8728ECEB1C35438C1E7

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.22209_none_153debdacc05e77d\winsrv.dll
    [2013-02-14 06:58] - [2013-01-03 21:43] - 0215040 ____A (Microsoft Corporation) 5F38CFC96BCA5DD462E2B243B6E31849

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.22177_none_14f039eccc407b3f\winsrv.dll
    [2013-01-18 17:05] - [2012-11-29 21:55] - 0215040 ____A (Microsoft Corporation) C2B1F6196C7FE1EA1BF827312B095D06

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.22125_none_152448f4cc19bcdc\winsrv.dll
    [2012-12-12 15:48] - [2012-10-04 09:43] - 0215040 ____A (Microsoft Corporation) CC44EBC3E04E76AABE19EB4A16663E4A

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.22091_none_14d49672cc561df0\winsrv.dll
    [2012-10-10 00:50] - [2012-08-20 10:27] - 0215040 ____A (Microsoft Corporation) 111AFE35DD2D423EE8E176CA7B2BBDC7

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21756_none_1504fba6cc30ff4f\winsrv.dll
    [2011-08-10 04:53] - [2011-06-23 21:27] - 0214528 ____A (Microsoft Corporation) C13D05A015346DED3D722BE285814495

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21738_none_151c9c12cc1efa1b\winsrv.dll
    [2011-07-12 22:52] - [2011-06-02 23:01] - 0214528 ____A (Microsoft Corporation) 5AA1C7B5F471C4657BE38447BC397665

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21728_none_15276bfecc16de2a\winsrv.dll
    [2011-07-12 22:52] - [2011-05-13 23:11] - 0214528 ____A (Microsoft Corporation) 1A589228B6DC007120F877DBBD6CB79D

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.21624_none_152368f0cc1a7ba7\winsrv.dll
    [2011-02-08 13:28] - [2010-12-18 00:52] - 0214016 ____A (Microsoft Corporation) A199CC08A13EEB667412423F712FE817

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.18229_none_149eb11db2f87cbc\winsrv.dll
    [2013-09-12 06:03] - [2013-08-01 18:14] - 0215040 ____A (Microsoft Corporation) 88EDD0B34EED542745931E581AD21A32

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.18043_none_14830bbdb30e2246\winsrv.dll
    [2013-02-14 06:58] - [2013-01-03 21:46] - 0215040 ____A (Microsoft Corporation) 0C27239FEA4DB8A2AAC9E502186B7264

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.18015_none_14a57c15b2f40121\winsrv.dll
    [2013-01-18 17:05] - [2012-11-29 21:45] - 0215040 ____A (Microsoft Corporation) 9E479C2B605C25DA4971ABA36250FAEF

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17965_none_146f9457b31c5994\winsrv.dll
    [2012-12-12 15:48] - [2012-10-04 09:45] - 0215040 ____A (Microsoft Corporation) 72CC564BBC70DE268784BCE91EB8A28F

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17932_none_148d033db306b9bc\winsrv.dll
    [2012-10-10 00:50] - [2012-08-20 10:48] - 0215040 ____A (Microsoft Corporation) F46BBAAC1C4980F4D0DD463F190A42D3

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17641_none_14812d55b30fc4e1\winsrv.dll
    [2011-08-10 04:53] - [2011-06-23 21:34] - 0214528 ____A (Microsoft Corporation) EB6A48CC998E1090E44E8E7F1009A640

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17625_none_149ace55b2fbf25b\winsrv.dll
    [2011-07-12 22:52] - [2011-06-02 22:57] - 0214528 ____A (Microsoft Corporation) 9F761CE1C6C013120B2F0DB27D48C06F

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17617_none_14a79ed5b2f20918\winsrv.dll
    [2011-07-12 22:52] - [2011-05-13 23:24] - 0214528 ____A (Microsoft Corporation) 3A8135A7DED2FA0DAD3BDE1B14865A8A

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17527_none_149ccd03b2fa27e2\winsrv.dll
    [2011-02-08 13:28] - [2010-12-17 03:42] - 0214016 ____A (Microsoft Corporation) 15822E7206C7A0A893395CB07A63C7E1

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17514_none_14a49c11b2f4bfec\winsrv.dll
    [2011-02-23 09:21] - [2010-11-20 05:27] - 0214016 ____A (Microsoft Corporation) E0406AEF04B088D1C49FC78D0546F689

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.21416_none_1349be0aceea4b7d\winsrv.dll
    [2013-02-14 06:58] - [2013-01-04 06:18] - 0215040 ____A (Microsoft Corporation) 7BAEFACB8C5048465B7E3D354554DA70

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.21386_none_12fe0cb0cf2311ed\winsrv.dll
    [2013-01-18 17:05] - [2012-11-29 21:43] - 0215040 ____A (Microsoft Corporation) B0F0F844BB3BA4C25837310FD0909BFD

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.21335_none_13331c02cefb6ce1\winsrv.dll
    [2012-12-12 15:48] - [2012-10-04 09:35] - 0215040 ____A (Microsoft Corporation) 7C17C4AACC79E619E6A4131F51588ED3

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.21306_none_13548c10cee23265\winsrv.dll
    [2012-10-10 00:50] - [2012-08-20 11:06] - 0215040 ____A (Microsoft Corporation) 0E83424D4CEC0665A3A916AD6B261E53

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20995_none_12f25ea6cf2be9d0\winsrv.dll
    [2011-08-10 04:53] - [2011-06-23 21:26] - 0214528 ____A (Microsoft Corporation) 6D408ABD60A995A2DAB4BAAE38BCA04F

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20978_none_130aff5ccf18fdf3\winsrv.dll
    [2011-07-12 22:52] - [2011-06-02 22:59] - 0214528 ____A (Microsoft Corporation) 55917E3ABDDC20D0AAEAC49F5CE67462

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.20864_none_1311cc3acf147f7f\winsrv.dll
    [2011-02-08 13:28] - [2010-12-21 23:15] - 0214016 ____A (Microsoft Corporation) 571543B93AE0319185970848024C9E04

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.17206_none_12caef45b5c4929b\winsrv.dll
    [2013-02-14 06:58] - [2013-01-03 21:36] - 0215040 ____A (Microsoft Corporation) 3FB74FF230B5D240A57AE1C4A3D0459D

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.17179_none_12823ec9b5faa510\winsrv.dll
    [2013-01-18 17:05] - [2012-11-29 21:49] - 0215040 ____A (Microsoft Corporation) C4C551E6AB333C0EB812A3A4672E89DB

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.17135_none_12a97d51b5ddcff0\winsrv.dll
    [2012-12-12 15:48] - [2012-10-04 09:38] - 0215040 ____A (Microsoft Corporation) 4343295C52C8B1ADD906F1A37B940AA1

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.17107_none_12cbeda9b5c3aecb\winsrv.dll
    [2012-10-10 00:50] - [2012-08-18 07:42] - 0215040 ____A (Microsoft Corporation) 79CDA06F75AD5373DD447F57575C4400

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16850_none_128f0019b5f25b8f\winsrv.dll
    [2011-08-10 04:53] - [2011-07-15 21:26] - 0214528 ____A (Microsoft Corporation) 0CB6EBF4B461A6043353C570BD72A1E1

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16823_none_12b270bbb5d753c1\winsrv.dll
    [2011-07-12 22:52] - [2011-06-01 22:44] - 0214528 ____A (Microsoft Corporation) DE09FA38A6544829F012B9531C18454F

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16816_none_12c04185b5cc83d5\winsrv.dll
    [2011-07-12 22:52] - [2011-05-13 23:41] - 0214528 ____A (Microsoft Corporation) 3739AA2F57FE492EA976E20C56CDF2F4

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16723_none_12b26ed5b5d7569a\winsrv.dll
    [2011-02-08 13:28] - [2010-12-20 22:16] - 0214016 ____A (Microsoft Corporation) B200DECA2186858595A97FBE63E896CC

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16385_none_12738849b6063c52\winsrv.dll
    [2009-07-13 15:38] - [2009-07-13 17:41] - 0214016 ____A (Microsoft Corporation) 457B44AB6D502E55F64A867D4F35C76C

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv.resources_31bf3856ad364e35_6.1.7600.16385_en-us_99be31681e1cff53\winsrv.dll.mui
    [2009-07-13 21:35] - [2009-07-13 18:25] - 0008192 ____A (Microsoft Corporation) 0E4E26AF593AC5023E55333096DDD9EA

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv-adm_31bf3856ad364e35_6.1.7600.16385_none_74fe9f3a6d505307\Winsrv.admx
    [2009-06-10 12:42] - [2009-06-10 12:42] - 0001342 ____A () B28573159BDEA736F3BDFF16604A4AD3

    C:\Windows\winsxs\amd64_microsoft-windows-winsrv-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c01e7ca36d3191ee\Winsrv.adml
    [2009-07-13 21:35] - [2009-07-13 18:29] - 0001453 ____A () 76D4B8899387BCD0C081D4301E1B18DE

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\SysWOW64\en-US\winsrv.dll.mui
    [2009-07-13 21:35] - [2009-07-13 18:08] - 0008192 ____A (Microsoft Corporation) 9848765E88322400BDC710A76ADEA841

    C:\Windows\System32\services.exe
    [2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\winsrv.dll
    [2013-09-12 06:03] - [2013-08-01 18:14] - 0215040 ____A (Microsoft Corporation) 88EDD0B34EED542745931E581AD21A32

    C:\Windows\System32\en-US\winsrv.dll.mui
    [2009-07-13 21:35] - [2009-07-13 18:25] - 0008192 ____A (Microsoft Corporation) 0E4E26AF593AC5023E55333096DDD9EA

    ====== End Of Search ======
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    54,755
    First Name:
    Derek
    OK, let's see if we can find a replacement for the infected/missing file that I think is stopping Windows from booting.

    Boot back into the Recovery Environment and run FRST like you did before.

    Type the following in the edit box after "Search:".

    LPK.dll

    It then should look like:

    Search: LPK.dll

    Click the Search button and post the log (Search.txt) it makes to your reply.
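    The Search.txt that FRST produces for a file name lists every copy it finds, one path line followed by one metadata line (created date, modified date, size, attributes, company, MD5). When the live copy under System32 or SysWOW64 is missing, the winsxs component store usually still holds several versions, and the triage question is which architecture folder (amd64 for System32, wow64 for SysWOW64 on an x64 install) and which version to take, and whether the candidates even agree on their hash. The following parser is an added example written for this thread, not part of FRST or of the replies above; it groups the winsxs copies by architecture and version and reports the distinct MD5s, so a missing file shows up as an empty `live` list next to its candidates. The sample block is copied from the Search.txt logs posted in this thread; the function names and the output layout are this example's own.

```python
"""Triage an FRST Search.txt section: group winsxs copies of a file by
architecture and version so a replacement for a file reported missing
from System32/SysWOW64 can be chosen. Added example, not FRST code."""
import re
from collections import defaultdict

# Metadata line: [created] - [modified] - size attrs (Company) MD5
META_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\s*-\s*\[(?P<modified>[^\]]+)\]\s*-\s*"
    r"(?P<size>\d+)\s+(?P<attrs>\S+)\s+\((?P<company>[^)]*)\)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)
# winsxs folder: <arch>_<component>_<pubkey>_<version>_<lang>_<hash>
WINSXS_RE = re.compile(
    r"\\winsxs\\(?P<arch>amd64|wow64|x86)_(?P<component>.+?)_"
    r"(?P<pubkey>[0-9a-f]{16})_(?P<version>\d+\.\d+\.\d+\.\d+)_",
    re.IGNORECASE,
)

# Sample lines copied from the Search.txt logs posted in this thread.
SAMPLE = r"""
C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_1281c5a8bee46a0f\lpk.dll
[2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21402_none_10f9b8f6c177b3cc\lpk.dll
[2012-12-21 19:00] - [2012-12-16 08:34] - 0025600 ____A (Microsoft Corporation) BF6CDA72E4112DAC01E2ED8911C3FD74

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_082d1b568a83a814\lpk.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_07f91de77125e78d\lpk.dll
[2009-07-13 15:38] - [2009-07-13 17:41] - 0041984 ____A (Microsoft Corporation) D202223587518B13D72D68937B7E3F70

C:\Windows\System32\winsrv.dll
[2013-09-12 06:03] - [2013-08-01 18:14] - 0215040 ____A (Microsoft Corporation) 88EDD0B34EED542745931E581AD21A32
"""


def parse_search_log(text):
    """Return one dict per (path line, metadata line) pair in a Search.txt section."""
    entries = []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line and not line.startswith(("[", "=")) and i + 1 < len(lines):
            m = META_RE.match(lines[i + 1])
            if m:
                entry = {"path": line, **m.groupdict()}
                entry["size"] = int(entry["size"])
                entry["md5"] = entry["md5"].upper()
                w = WINSXS_RE.search(line)
                entry["arch"] = w.group("arch").lower() if w else None
                entry["version"] = (
                    tuple(int(p) for p in w.group("version").split(".")) if w else None
                )
                entries.append(entry)
                i += 2
                continue
        i += 1
    return entries


def candidates_by_arch(entries, filename):
    """winsxs copies of `filename` grouped by architecture, newest version first."""
    suffix = "\\" + filename.lower()
    groups = defaultdict(list)
    for e in entries:
        if e["arch"] and e["path"].lower().endswith(suffix):
            groups[e["arch"]].append(e)
    for es in groups.values():
        es.sort(key=lambda e: e["version"], reverse=True)
    return dict(groups)


def live_copies(entries, filename):
    """Non-winsxs hits (System32, SysWOW64, ...). Empty when the live copy is missing."""
    suffix = "\\" + filename.lower()
    return [e for e in entries if e["arch"] is None and e["path"].lower().endswith(suffix)]


def summarize(entries, filename):
    """Live copies plus, per architecture, distinct MD5s and the newest winsxs version."""
    groups = candidates_by_arch(entries, filename)
    return {
        "live": [(e["path"], e["md5"]) for e in live_copies(entries, filename)],
        "winsxs": {
            arch: {
                "count": len(es),
                "distinct_md5": sorted({e["md5"] for e in es}),
                "newest": (es[0]["path"], ".".join(map(str, es[0]["version"])), es[0]["md5"]),
            }
            for arch, es in groups.items()
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_search_log(SAMPLE), "lpk.dll"), indent=2))
```

    A single MD5 across every winsxs version of an architecture is reassuring but is not proof the copy is clean; before copying a file back into System32 or SysWOW64, verify its Authenticode signature (or compare it against the same file from a known-good installation) rather than trusting the hash listing alone.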
     
  7. Trentham

    Trentham Thread Starter

    Joined:
    Nov 9, 2002
    Messages:
    304
    OK, I ran that and copied lpk.dll from the last entry in winsxs to \windows\system32 and \windows\syswow64 and it's PROBABLY starting up now! I say probably because it's at least getting to the login screen so I need to ask my client what his password is or simply remove it (which is a little less friendly and might make him think that Microsnot's not a secure environment ;-))

    This goes a bit against what I understood about winsxs, which I'd thought were normally just hard links to the files stored in system32. Obviously not!

    So can you explain (or point me to) what all this was about? What did the scanner scan and what did the searcher search? I'm guessing for the latter, all folders known to the original OS.

    I've used a lot of tools in the past but never this one.

    The search results are as follows, and, of course, I might have jumped the gun...

    Farbar Recovery Scan Tool (x64) Version: 21-10-2013
    Ran by SYSTEM at 2013-10-21 22:04:37
    Running from G:\
    Boot Mode: Recovery

    ================== Search: "lpk.dll" ===================

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_1281c5a8bee46a0f\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22153_none_12ab04c4bec5c79d\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.21664_none_12a15568beccd507\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.21636_none_12c3c5c0beb2b3e2\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.18032_none_12360787a598d69a\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17991_none_11f44f93a5ca31a7\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17563_none_1216b853a5b01be6\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17537_none_123b293fa5942d6f\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.17514_none_124dc839a586a988\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21402_none_10f9b8f6c177b3cc\lpk.dll
    [2012-12-21 19:00] - [2012-12-16 08:34] - 0025600 ____A (Microsoft Corporation) BF6CDA72E4112DAC01E2ED8911C3FD74

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.21362_none_10b8d788c1a85e4b\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20905_none_10fcda1ac174d7f3\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20875_none_10b128c0c1ad9e63\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20821_none_10e33734c188ad52\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20720_none_10e23504c18996d4\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20553_none_10c4c252c19f3c5e\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.20498_none_109e822ec1bb2dae\lpk.dll
    [2009-07-13 15:25] - [2009-07-13 17:11] - 0025600 ____A (Microsoft Corporation) 384721EF4024890092625E20CADFAF85

    ====== End Of Search ======
     
  8. Trentham

    Trentham Thread Starter

    Joined:
    Nov 9, 2002
    Messages:
    304
    I managed to log on and was presented with a lot of applications that couldn't start correctly (0x7B), eg. TomTom Home. I suspect that there may be other files/DLLs missing.
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    54,755
    First Name:
    Derek
    you replaced the wrong lpk.dll
    you need slightly different versions

    Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

    Code:
    Replace:C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_082d1b568a83a814\lpk.dll C:\Windows\System32\LPK.dll
    Replace: C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_1281c5a8bee46a0f\lpk.dll C:\Windows\SysWOW64\LPK.dll
     
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.

    Run FRST again like we did before but this time press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

    Also boot the computer into normal mode and let me know how things are looking.

    Edit:
    if you are copying manually, then you always need the most recent version of the dll
    on a 64 bit computer there are 2 versions and they are different sizes
    the one from winsxs\amd64_ goes into C:\Windows\system32
    the one from winsxs\wow64_ goes into C:\Windows\SysWOW64
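As an added example (not code from this thread, from FRST or from Farbar), a small Python checker that applies Derek's rule above: parse the winsxs component directory names, keep the highest version per architecture, map amd64_ to System32 and wow64_ to SysWOW64, and compare the live copy against it by size and MD5, the two values the FRST search log prints. The directory tree, file contents and sizes it builds are constructed for the demo; the function and variable names are the example's own.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# WinSxS directory names: <arch>_<component>_<token>_<version>_<culture>_<hash>
COMPONENT_RE = re.compile(
    r"^(?P<arch>amd64|wow64|x86)_(?P<name>.+?)_[0-9a-f]{16}_"
    r"(?P<version>\d+\.\d+\.\d+\.\d+)_[^_]+_[0-9a-f]{16}$"
)
TARGET_DIR = {"amd64": "System32", "wow64": "SysWOW64"}  # live location per arch on 64-bit

def version_key(version):
    """'6.1.7601.22195' -> (6, 1, 7601, 22195) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def md5_of(path):
    """Upper-case MD5 hex digest, the format the FRST search log prints."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest().upper()

def newest_store_copies(windows_dir, dll_name, component):
    """Return {arch: Path} of the highest-versioned winsxs copy of dll_name."""
    best = {}
    for entry in (Path(windows_dir) / "winsxs").iterdir():
        m = COMPONENT_RE.match(entry.name)
        if not m or m["name"] != component or m["arch"] not in TARGET_DIR:
            continue
        candidate = entry / dll_name
        current = best.get(m["arch"])
        if candidate.is_file() and (
            current is None or version_key(m["version"]) > version_key(current[0])
        ):
            best[m["arch"]] = (m["version"], candidate)
    return {arch: path for arch, (_, path) in best.items()}

def check_live_copies(windows_dir, dll_name, component):
    """Compare each live copy with the newest store copy by size and MD5."""
    report = {}
    for arch, store in newest_store_copies(windows_dir, dll_name, component).items():
        live = Path(windows_dir) / TARGET_DIR[arch] / dll_name
        if not live.is_file():
            report[arch] = "missing"
        elif live.stat().st_size != store.stat().st_size or md5_of(live) != md5_of(store):
            report[arch] = "mismatch"
        else:
            report[arch] = "ok"
    return report

def build_demo_tree():
    """Constructed layout: two amd64 and one wow64 store versions, System32 holding
    a wrongly sized copy, SysWOW64 holding none (sizes and contents are made up)."""
    win = Path(tempfile.mkdtemp()) / "Windows"
    store = {
        "amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7600.16385_none_05c80a1f743763f3": b"A" * 41984,
        "amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_082d1b568a83a814": b"B" * 41984,
        "wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_1281c5a8bee46a0f": b"C" * 25600,
    }
    for name, body in store.items():
        (win / "winsxs" / name).mkdir(parents=True)
        (win / "winsxs" / name / "lpk.dll").write_bytes(body)
    (win / "System32").mkdir()
    (win / "System32" / "lpk.dll").write_bytes(b"C" * 25600)  # 32-bit copy in the 64-bit location
    (win / "SysWOW64").mkdir()
    return win
```

Pointed at a real installation it needs the actual Windows directory, and it only tells you that the live copy differs from the newest store copy, which is the cue to let FRST's Replace: do the copying.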
     
  10. Trentham

    Trentham Thread Starter

    Joined:
    Nov 9, 2002
    Messages:
    304
    There's me jumping the gun again! ;-)

    fixlog.txt attached below.

    Login working as before but this time without all the startup problems. One item noted saying it's missing a DLL and to try reinstalling (PDVDDXSrv missing DCIMAN32.dll)

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-10-2013
    Ran by SYSTEM at 2013-10-22 09:02:47 Run:1
    Running from G:\
    Boot Mode: Recovery
    ==============================================

    Content of fixlist:
    *****************
    Replace:C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_082d1b568a83a814\lpk.dll C:\Windows\System32\LPK.dll
    Replace: C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_1281c5a8bee46a0f\lpk.dll C:\Windows\SysWOW64\LPK.dll
    *****************

    C:\Windows\System32\LPK.dll => Moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_082d1b568a83a814\lpk.dll copied successfully to C:\Windows\System32\LPK.dll
    C:\Windows\SysWOW64\LPK.dll => Moved successfully.
    C:\Windows\winsxs\wow64_microsoft-windows-gdi_31bf3856ad364e35_6.1.7601.22195_none_1281c5a8bee46a0f\lpk.dll copied successfully to C:\Windows\SysWOW64\LPK.dll

    ==== End of Fixlog ====
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    54,755
    First Name:
    Derek
    this (PDVDDXSrv missing DCIMAN32.dll) is cyberlink power cinema and the only cure for that one is to reinstall the cyberlink application

    now we have it booting properly we can deal with the malware that has shown up in the log
    Click on this link to download : ADWCleaner Click on the Download Now button and save it to your desktop.

    NOTE: If using Internet Explorer and you get an alert that stops the program downloading click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.

    Close your browser and double click on this icon on your desktop:


    You will then see the screen below, click on the Scan button (as indicated), accept any prompts that appear and allow it to run, it may take several minutes to complete, when it is done click on the Clean button, accept any prompts that appear and allow the system to reboot. You will then be presented with the report, Copy & Paste it into your next post.

     
  12. Trentham

    Trentham Thread Starter

    Joined:
    Nov 9, 2002
    Messages:
    304
    OK, ADWcleaner log follows... but what showed in the log to indicate malware was present?



    # AdwCleaner v3.007 - Report created 22/10/2013 at 15:01:19
    # Updated 09/10/2013 by Xplode
    # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
    # Username : James McKay - LAPTOP2
    # Running from : C:\Users\James McKay\Desktop\AdwCleaner.exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Deleted : C:\ProgramData\Ask
    [#] Folder Deleted : C:\ProgramData\Browser Manager
    Folder Deleted : C:\Program Files (x86)\Search Results Toolbar
    Folder Deleted : C:\Users\James McKay\AppData\Local\apn
    Folder Deleted : C:\Users\James McKay\AppData\Local\PackageAware
    Folder Deleted : C:\Users\James McKay\AppData\Local\torch
    Folder Deleted : C:\Users\James McKay\AppData\LocalLow\searchresultstb
    Folder Deleted : C:\Users\James McKay\AppData\Roaming\DriverCure
    Folder Deleted : C:\Users\James McKay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\torch
    Folder Deleted : C:\Users\James McKay\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiplfnciaokpcennlkldkdaeaaomamof
    File Deleted : C:\Users\James McKay\AppData\Roaming\Mozilla\Firefox\Profiles\gaxpi2ji.default\Extensions\{1FD91A9C-410C-4090-BBCC-55D3450EF433}
    File Deleted : C:\Program Files (x86)\Mozilla Firefox\Extensions\{1FD91A9C-410C-4090-BBCC-55D3450EF433}
    File Deleted : C:\Windows\System32\roboot64.exe
    File Deleted : C:\Users\James McKay\AppData\Roaming\Mozilla\Firefox\Profiles\gaxpi2ji.default\searchplugins\safesearch.xml
    File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\safesearch.xml
    File Deleted : C:\Users\James McKay\AppData\Roaming\Mozilla\Firefox\Profiles\gaxpi2ji.default\searchplugins\Search_Results.xml
    File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\Search_Results.xml

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\kiplfnciaokpcennlkldkdaeaaomamof
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\BrowserConnection.dll
    Key Deleted : HKLM\SOFTWARE\Classes\BrowserConnection.Loader
    Key Deleted : HKLM\SOFTWARE\Classes\BrowserConnection.Loader.1
    Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
    Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskSLib_RASMANCS
    Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr]
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_registry-reviver_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_registry-reviver_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
    Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    Key Deleted : HKCU\Software\APN DTX
    Key Deleted : HKCU\Software\DataMngr
    Key Deleted : HKCU\Software\DataMngr_Toolbar
    Key Deleted : HKCU\Software\Headlight
    Key Deleted : HKCU\Software\Softonic
    Key Deleted : HKCU\Software\SpeedyPC Software
    Key Deleted : HKCU\Software\torch
    Key Deleted : HKCU\Software\YahooPartnerToolbar
    Key Deleted : HKLM\Software\DataMngr
    Key Deleted : HKLM\Software\SpeedyPC Software
    Key Deleted : HKLM\Software\torch
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\torch
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Results Toolbar
    Key Deleted : [x64] HKLM\SOFTWARE\DataMngr
    Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~3\Wincert\WIN32C~1.DLL
    Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll
    Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll
    Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~3\Wincert\WIN64C~1.DLL
    Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll
    Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll

    ***** [ Browsers ] *****

    -\\ Internet Explorer v10.0.9200.16686


    -\\ Mozilla Firefox v3.5.5 (en-US)

    [ File : C:\Users\James McKay\AppData\Roaming\Mozilla\Firefox\Profiles\gaxpi2ji.default\prefs.js ]

    Line Deleted : user_pref("browser.search.selectedEngine", "Search Results");
    Line Deleted : user_pref("browser.search.defaultenginename", "Search Results");
    Line Deleted : user_pref("browser.search.order.1", "Search Results");
    Line Deleted : user_pref("keyword.URL", "hxxp://dts.search-results.com/sr?src=ffb&gct=ds&appid=0&systemid=405&apn_dtid=BND405&apn_ptnrs=AG8&apn_uid=9474393278594435&o=APN10647&q=");
    Line Deleted : user_pref("browser.startup.homepage", "hxxp://www.searchnu.com/405");

    -\\ Google Chrome v30.0.1599.69

    [ File : C:\Users\James McKay\AppData\Local\Google\Chrome\User Data\Default\preferences ]

    Deleted : homepage
    Deleted : urls_to_restore_on_startup
    Deleted : search_url

    *************************

    AdwCleaner[R0].txt - [6440 octets] - [22/10/2013 14:58:58]
    AdwCleaner[S0].txt - [6017 octets] - [22/10/2013 15:01:19]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6077 octets] ##########
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    54,755
    First Name:
    Derek
    the first thing that jumped out at me from post 5 was HKLM-x32\...\Run: [DATAMNGR] - C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe [1683608 2012-12-27] (Bandoo Media Inc)

    How is the computer now?
    are there any problems with it or have we sorted them all?
     
  14. Trentham

    Trentham Thread Starter

    Joined:
    Nov 9, 2002
    Messages:
    304
    It's all looking pretty good now :) I ran another Malwarebytes Anti Malware scan and it found 5 files still floating around, largely to do with datamngr.

    Many thanks for your time and effort in this. Now I want to study it in more detail so I can find out a bit more about what was going on.
     
Short URL to this thread: https://techguy.org/1110910