Sluggish, can't find malware, Vista OS, OTL log include



#31 RKinner (Malware Expert, MVP, 24,625 posts)
Did it say which ones it couldn't fix?
Sometimes if you run the boot scan a second time it will clear up the things it couldn't get the first time.

Your Process Explorer is looking better. Is the PC running any faster?

#32 BeckyH (Topic Starter, Member, 146 posts)
Everything we have done has speeded it up a little more. Thank you so much for all the time you are putting into this.

The 4 that it can't move to the chest are:
C:\Program Files (x86)\Update Today Driver\1.4.0.280\ITConfigMgr.dll (says Error: Error 0xC0000022 (-1073741790))
(There was one of these that said C:\Program Files (x86)\Update Today Driver\1.4.0.280\ITConfigMgr.dll>[Embedded_I#d000] that it WAS successful in moving; it was listed directly above the one it could not move.)

C:\Qoobox\Quarantine\C\Program Files (x86)\Advanced Entry Provider\4.4.0.2380\FF\Components\AEPFFAddon.dll.vir (says Error: Error 0xC0000022 (-1073741790))
(Once again there was one directly above it that said C:\Qoobox\Quarantine\C\Program Files (x86)\Advanced Entry Provider\4.4.0.2380\FF\Components\AEPFFAddon.dll.vir>[Embedded_I#3c000] that it WAS successful in moving.)

C:\Qoobox\Quarantine\C\Program Files (x86)\Live Access Operator\4.4.0.5790\FF\Components\LAOFFAddOn.dll.vir (says Error: Error 0xC0000022 (-1073741790))
(Same as above, there was one directly above it called C:\Qoobox\Quarantine\C\Program Files (x86)\Live Access Operator\4.4.0.5790\FF\Components\LAOFFAddOn.dll.vir[Embedded_I41000] that it WAS able to move.)

Edited by BeckyH, 18 June 2011 - 09:10 AM.


#33 RKinner (Malware Expert, MVP, 24,625 posts)
Items in C:\Qoobox were already removed by ComboFix. It just changes the extension by adding .vir and puts them in Qoobox. We don't have to worry about them, but Avast doesn't know that.

The other thing is just some adware, but we can remove the whole folder:


Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

DirLook::
C:\Program Files\Common
%user%\library

FCopy::
C:\WINDOWS\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe | C:\WINDOWS\SysWOW64\userinit.exe
C:\WINDOWS\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_384755998a0d6941\userinit.exe | C:\Windows\SysNative\userinit.exe

Folder::
C:\Program Files (x86)\Update Today Driver


******************************************

Now open Notepad (Start, Run, notepad, OK) and press Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, Save As (to your Desktop), CFScript, OK. Close Notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to ComboFix and let go. ComboFix should start on its own.

Post the new log.
Also delete the old version of aswMBR.exe, then get a new one from:
aswMBR.exe (511KB) and save it to your desktop.

Right-click on it and Run As Administrator. Let's see if it works now.
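As an added example (not part of this thread, and not code from ComboFix or Avast), the script below does the sorting Ron did by hand in the reply above: it parses the three "can't move to chest" lines from post #32, decodes the NTSTATUS (0xC0000022 is STATUS_ACCESS_DENIED; the negative number is the same value read as a signed 32-bit integer), separates copies that already sit in ComboFix's C:\Qoobox\Quarantine (the layout visible in post #32: the original path under a drive-letter folder, with .vir appended) from files still live on disk, and emits the Folder:: section that would remove the live file's product folder. The report lines are reconstructed from post #32 as sample input; the NTSTATUS table and the assumption that adware lives in <Program Files*>\<product>\<version>\<file> are mine, not the thread's.

```python
"""Triage of an antivirus 'cannot move to chest' list after a ComboFix run.
Added example, not code from the thread, from ComboFix or from Avast. The
report lines are reconstructed from post #32; the quarantine layout
C:\\Qoobox\\Quarantine\\<drive>\\<original path>.vir is the one visible there,
and Folder:: is the ComboFix script directive used in post #33."""
import re
from pathlib import PureWindowsPath

# Constructed sample: the three failures from post #32, one per line.
AV_REPORT = r"""
C:\Program Files (x86)\Update Today Driver\1.4.0.280\ITConfigMgr.dll Error 0xC0000022 (-1073741790)
C:\Qoobox\Quarantine\C\Program Files (x86)\Advanced Entry Provider\4.4.0.2380\FF\Components\AEPFFAddon.dll.vir Error 0xC0000022 (-1073741790)
C:\Qoobox\Quarantine\C\Program Files (x86)\Live Access Operator\4.4.0.5790\FF\Components\LAOFFAddOn.dll.vir Error 0xC0000022 (-1073741790)
"""

# NTSTATUS codes (ntstatus.h) a scanner commonly reports when it cannot
# quarantine a file. The decimal number in the report is the same value
# interpreted as a signed 32-bit integer.
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}

LINE_RE = re.compile(r"^(?P<path>.+?)\s+Error\s+0x(?P<hex>[0-9A-Fa-f]{8})\s+\((?P<dec>-?\d+)\)$")


def decode_ntstatus(hex_str, dec_str):
    """Name the NTSTATUS and check that the hex and decimal forms agree."""
    code = int(hex_str, 16)
    signed = code - (1 << 32) if code & 0x80000000 else code
    if signed != int(dec_str):
        raise ValueError(f"0x{hex_str} and {dec_str} are not the same value")
    return NTSTATUS_NAMES.get(code, f"NTSTATUS 0x{code:08X}")


def classify(path_str):
    """('quarantined', original_path) for a ComboFix quarantine copy,
    ('live', path) for anything else."""
    p = PureWindowsPath(path_str)
    parts = p.parts
    if (len(parts) > 4 and parts[1].lower() == "qoobox"
            and parts[2].lower() == "quarantine" and p.suffix.lower() == ".vir"):
        # parts[3] is the drive letter folder; drop the .vir suffix to get
        # the path the file had before ComboFix moved it.
        original = PureWindowsPath(parts[3] + ":\\", *parts[4:]).with_suffix("")
        return "quarantined", str(original)
    return "live", str(p)


def triage(report):
    """One dict per parsable report line: status name, kind, resolved path."""
    rows = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, path = classify(m["path"])
        rows.append({"reported": m["path"],
                     "status": decode_ntstatus(m["hex"], m["dec"]),
                     "kind": kind, "path": path})
    return rows


def folder_directive(rows):
    """Folder:: section that removes the product folder of each live hit.
    Assumption (matches post #33): the adware sits in
    <Program Files*>\\<product>\\<version>\\<file>, so the product folder is
    the part right after the Program Files folder."""
    folders = []
    for r in rows:
        if r["kind"] != "live":
            continue
        parts = PureWindowsPath(r["path"]).parts
        idx = next((i for i, part in enumerate(parts)
                    if part.lower().startswith("program files")), None)
        if idx is not None:
            folder = str(PureWindowsPath(*parts[:idx + 2]))
        else:
            folder = str(PureWindowsPath(*parts[:-1]))
        if folder not in folders:
            folders.append(folder)
    return ("Folder::\n" + "\n".join(folders)) if folders else ""


if __name__ == "__main__":
    rows = triage(AV_REPORT)
    for r in rows:
        print(f"{r['kind']:11} {r['status']:22} {r['path']}")
    print(folder_directive(rows))
```

Run as-is it prints one line per report entry and then the Folder:: block for the single live file, which is the same folder Ron put in his CFScript. The quarantined entries are listed with their original paths only so you can see what ComboFix already took; nothing needs to be done about them.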

#34 BeckyH (Topic Starter, Member, 146 posts)
While attempting to run the aswMBR it once again has given me the blue crash screen and shut down Windows... and now I can't find the log it had run (the ComboFix one).

Edited by BeckyH, 18 June 2011 - 04:22 PM.


#35 RKinner (Malware Expert, MVP, 24,625 posts)
Should be C:\combofix.txt

Ron

#36 BeckyH (Topic Starter, Member, 146 posts)
ComboFix 11-06-17.04 - Owner 06/18/2011 17:02:57.4.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3998.2328 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
Command switches used :: c:\users\Owner\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Update Today Driver
c:\program files (x86)\Update Today Driver\1.4.0.2080\data\itcfg.md
c:\program files (x86)\Update Today Driver\1.4.0.2080\InternetToday.ico
c:\program files (x86)\Update Today Driver\1.4.0.2080\InternetToday.skf
c:\program files (x86)\Update Today Driver\1.4.0.2080\mfc80.dll
c:\program files (x86)\Update Today Driver\1.4.0.2080\Microsoft.VC80.CRT.manifest
c:\program files (x86)\Update Today Driver\1.4.0.2080\Microsoft.VC80.MFC.manifest
c:\program files (x86)\Update Today Driver\1.4.0.2080\msvcr80.dll
c:\program files (x86)\Update Today Driver\1.4.0.2080\SkinCrafterDll.dll
c:\program files (x86)\Update Today Driver\1.4.0.2080\unins000.dat
c:\program files (x86)\Update Today Driver\1.4.0.2080\unins000.exe
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe --> c:\windows\SysWOW64\userinit.exe
c:\windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_384755998a0d6941\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((( Files Created from 2011-05-18 to 2011-06-18 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-16 22:46 . 2008-01-20 23:23 6144 ----a-w- c:\windows\system32\drivers\beep.sys
2011-05-29 13:11 . 2009-08-06 02:25 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-15 03:36 . 2011-05-15 03:36 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-05-13 22:58 . 2011-05-13 22:58 17720 ----a-w- c:\windows\system32\HPMDPCoInst12.dll
2011-05-13 22:58 . 2008-03-27 20:10 30008 ----a-w- c:\windows\system32\drivers\hpdskflt.sys
2011-05-13 22:58 . 2008-03-19 00:25 30520 ----a-w- c:\windows\system32\hpservice.exe
2011-05-13 22:58 . 2008-04-17 17:58 20792 ----a-w- c:\windows\system32\accelerometerdll.DLL
2011-05-13 22:57 . 2011-05-13 22:57 43320 ----a-w- c:\windows\system32\drivers\Accelerometer.sys
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DummyIconOverlay]
@="{B8A03725-03B9-485F-BB22-E848799D4C2A}"
[HKEY_CLASSES_ROOT\CLSID\{B8A03725-03B9-485F-BB22-E848799D4C2A}]
2011-06-05 01:36 72704 ----a-w- c:\users\Owner\AppData\Local\Knowledge Networks\PanelApp\pahelper_1502.2011.0310.1640.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"PanelApp"="c:\users\Owner\AppData\Local\Knowledge Networks\PanelApp\PanelApp.exe" [2010-04-15 31232]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2010-02-25 323640]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2010-05-20 500792]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\isCfgWiz]
c:\program files (x86)\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
c:\program files (x86)\Java\jre1.6.0_05\bin\jusched.exe [BU]
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate1c99f87d3bc63b0;Google Update Service (gupdate1c99f87d3bc63b0);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-08 133104]
R3 cpuz135;cpuz135;c:\users\Owner\AppData\Local\Temp\cpuz135\cpuz135_x64.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-08 133104]
R3 PanelSvc;PanelSvc;c:\program files (x86)\Knowledge Networks\PanelApp\PanelSvc.exe [2010-04-15 91136]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\AESTSr64.exe [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-10-14 92216]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-25 361808]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files (x86)\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-02-25 227896]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-08 23:44]
.
2011-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-08 00:49]
.
2011-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-08 00:49]
.
2011-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2902236165-3934322-1294904898-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-21 13:15]
.
2011-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2902236165-3934322-1294904898-1000UA.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-21 13:15]
.
2011-05-23 c:\windows\Tasks\HPCeeScheduleForOwner.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2008-08-04 03:03]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DummyIconOverlay]
@="{B8A03725-03B9-485F-BB22-E848799D4C2A}"
[HKEY_CLASSES_ROOT\CLSID\{B8A03725-03B9-485F-BB22-E848799D4C2A}]
2011-06-05 01:36 90624 ----a-w- c:\users\Owner\AppData\Local\Knowledge Networks\PanelApp\pahelper64_1502.2011.0310.1640.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-01-21 246784]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2008-01-24 685568]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-04 442368]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-28 225816]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 24.159.64.23 24.178.162.3 97.81.22.195
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\64tmwv5x.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://aol.com/
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
.
**************************************************************************
.
Completion time: 2011-06-18 17:50:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-18 21:49
ComboFix2.txt 2011-06-17 12:23
ComboFix3.txt 2011-06-17 03:24
ComboFix4.txt 2011-06-16 13:55
.
Pre-Run: 90,573,815,808 bytes free
Post-Run: 90,787,954,688 bytes free
.
- - End Of File - - AAE1300F6208A240503542ACD6DE2033
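The log above is the kind of thing a helper reads by eye, looking for autostart entries that run from places a normal user account can write to. As an added example (not ComboFix's code and not part of the original thread), the script below does that first pass mechanically: it recognises the Run-key lines, the R/S service lines, the scheduled-task targets, the CLSID file lines and the Firefox prefs.js lines in ComboFix's format, and flags anything launched from AppData, Temp or Users\Public, plus a search provider outside a short allowlist. SAMPLE_LOG is an excerpt of the log in post #36; the allowlist, the user-writable markers and the finding labels are assumptions made for this example.

```python
"""First-pass triage of ComboFix log lines. Added example; not ComboFix's
code and not part of the original thread. SAMPLE_LOG is an excerpt of the
log posted in the thread; USER_WRITABLE and SEARCH_ALLOWLIST are
assumptions for the example, not something ComboFix defines."""
import re
from urllib.parse import urlparse

# Excerpt of the ComboFix log from post #36 (constructed sample input).
SAMPLE_LOG = r"""
[HKEY_CLASSES_ROOT\CLSID\{B8A03725-03B9-485F-BB22-E848799D4C2A}]
2011-06-05 01:36 72704 ----a-w- c:\users\Owner\AppData\Local\Knowledge Networks\PanelApp\pahelper_1502.2011.0310.1640.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"PanelApp"="c:\users\Owner\AppData\Local\Knowledge Networks\PanelApp\PanelApp.exe" [2010-04-15 31232]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
R2 gupdate1c99f87d3bc63b0;Google Update Service (gupdate1c99f87d3bc63b0);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-08 133104]
R3 cpuz135;cpuz135;c:\users\Owner\AppData\Local\Temp\cpuz135\cpuz135_x64.sys [x]
R3 PanelSvc;PanelSvc;c:\program files (x86)\Knowledge Networks\PanelApp\PanelSvc.exe [2010-04-15 91136]
.
2011-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2902236165-3934322-1294904898-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-21 13:15]
.
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.startup.homepage - hxxp://aol.com/
"""

# Line shapes as ComboFix prints them (see the log above).
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[')
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[')
TASK_RE = re.compile(r'^-\s+(?P<path>.+?)\s+\[')
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$')
FF_RE = re.compile(r'^FF - prefs\.js: (?P<pref>browser\.search\.\S+) - (?P<url>\S+)')

# Assumptions for this example: path fragments a standard user can write to,
# and search hosts we will not flag.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
SEARCH_ALLOWLIST = ("google.com", "yahoo.com", "bing.com")


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def search_domain_allowed(url):
    # ComboFix defangs URLs as hxxp://; restore the scheme so urlparse works.
    host = urlparse(url.replace("hxxp", "http", 1)).hostname or ""
    return any(host == d or host.endswith("." + d) for d in SEARCH_ALLOWLIST)


def parse_line(line):
    """(source, value, kind) for a line we understand, else None.
    kind is 'file' for an executable path and 'url' for a search pref."""
    m = RUN_RE.match(line)
    if m:
        return f"Run:{m['name']}", m["path"], "file"
    m = SVC_RE.match(line)
    if m:
        return f"Service:{m['name']} ({m['start']})", m["path"], "file"
    m = TASK_RE.match(line)
    if m:
        return "Task", m["path"], "file"
    m = FILE_RE.match(line)
    if m:
        return "CLSID file", m["path"], "file"
    m = FF_RE.match(line)
    if m:
        return f"FF:{m['pref']}", m["url"], "url"
    return None


def triage_log(text):
    """Findings worth a second look, in log order."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        source, value, kind = parsed
        if kind == "file" and value and is_user_writable(value):
            findings.append({"source": source, "path": value,
                             "reason": "autostart from user-writable location"})
        elif kind == "url" and not search_domain_allowed(value):
            findings.append({"source": source, "path": value,
                             "reason": "search provider outside allowlist"})
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['source']:32} {f['reason']:40} {f['path']}")
```

On the excerpt this flags the PanelApp Run entry and its overlay DLL under AppData\Local, the cpuz135 driver loading from AppData\Local\Temp, the per-user GoogleUpdate.exe task and the fastbrowsersearch.com search default. The Google hit shows the limit of a path rule: per-user updaters legitimately live under AppData, so treat the list as things to verify (publisher signature, known install) rather than things to delete.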

.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
.
**************************************************************************
.
Completion time: 2011-06-18 17:50:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-18 21:49
ComboFix2.txt 2011-06-17 12:23
ComboFix3.txt 2011-06-17 03:24
ComboFix4.txt 2011-06-16 13:55
.
Pre-Run: 90,573,815,808 bytes free
Post-Run: 90,787,954,688 bytes free
.
- - End Of File - - AAE1300F6208A240503542ACD6DE2033
  • 0

#38
RKinner
    Malware Expert
  • Expert
  • 24,625 posts
  • MVP
Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it by right click and Run As Administrator. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.

Hit Y and Enter

Select 1. We want to dump the mbr from drive 0 to c:\mbrBecky.txt

Attach c:\mbrbecky.txt to your next post.

Perhaps that will tell us why aswMBR is crashing.

Also please run Vino's Event Viewer again (right click and Run As Administrator)

3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.

Please post the Output log in your next reply then repeat but select Application.

Ron
  • 0
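The MBR dump step above writes one raw 512-byte sector to a file. As an added example (not from this thread and not MBRCheck's own code), the Python below parses such a dump the way a responder would check it: it validates the 0x55AA boot signature, lists the partition entries with their byte offsets, flags overlapping or multiple bootable entries, and compares a SHA-1 of the boot-code area against a baseline you maintain yourself. The sample MBR, its boot-code bytes and partition lengths are constructed, and the 440-byte hash range is an assumption (the page does not document which range MBRCheck hashes).

```python
"""Parse and sanity-check a 512-byte MBR dump such as one written by
MBRCheck option [1]. Added example; not the thread's or MBRCheck's code."""
import hashlib
import struct
from typing import Dict, List

SECTOR_BYTES = 512
BOOT_CODE_LEN = 440      # bytes 0x000-0x1B7: boot code, before the disk signature
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # 0x55 0xAA marks a valid MBR

# Boot-code hashes you have verified yourself (a clean Windows MBR, your OEM's
# recovery MBR). Deliberately empty here; fill it from known-good images.
KNOWN_BOOT_CODE_SHA1 = set()


def parse_partition_table(mbr: bytes) -> List[Dict]:
    """Return the non-empty entries of the classic four-slot partition table."""
    parts = []
    for slot in range(4):
        off = PART_TABLE_OFF + 16 * slot
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0 and sectors == 0:
            continue                                  # empty slot
        parts.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,                            # 0x07 = NTFS/exFAT, 0x0C = FAT32 LBA
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR_BYTES,  # comparable to MBRCheck's "at offset"
        })
    return parts


def boot_code_sha1(mbr: bytes) -> str:
    """SHA-1 of the boot-code area. Assumption: hashing the first 440 bytes;
    only compare with baselines produced by this same function."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def check_mbr(mbr: bytes, known_hashes=KNOWN_BOOT_CODE_SHA1) -> Dict:
    """Structural checks on one MBR sector plus a boot-code baseline lookup."""
    if len(mbr) < SECTOR_BYTES:
        return {"sha1": None, "status": "truncated", "partitions": [],
                "findings": [f"expected {SECTOR_BYTES} bytes, got {len(mbr)}"]}
    findings = []
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    parts = parse_partition_table(mbr)
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected exactly 1)")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"slots {a['slot']} and {b['slot']} overlap")
    sha1 = boot_code_sha1(mbr)
    status = "known boot code" if sha1 in known_hashes else "Unknown MBR code"
    return {"sha1": sha1, "status": status, "partitions": parts, "findings": findings}


def build_sample_mbr() -> bytes:
    """Constructed sample: two NTFS partitions whose byte offsets equal the
    0x7E00 (C:) and 0x3769700000 (D:) values MBRCheck printed in this thread.
    Boot-code bytes and partition lengths are made up."""
    mbr = bytearray(SECTOR_BYTES)
    mbr[0:3] = b"\x33\xC0\x8E"                        # made-up start of boot code
    entries = [
        (0x80, 0x07, 63, 464_828_353),                # C:, bootable, sector 63
        (0x00, 0x07, 464_828_416, 23_568_752),        # D:, 0x3769700000 / 512
    ]
    for slot, (status, ptype, lba, count) in enumerate(entries):
        off = PART_TABLE_OFF + 16 * slot
        mbr[off] = status
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, lba, count)
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(mbr)


def check_mbr_file(path: str) -> Dict:
    """Run the checks on a dump file, e.g. the c:\\mbrBecky.txt from this thread."""
    with open(path, "rb") as fh:
        return check_mbr(fh.read(SECTOR_BYTES))


if __name__ == "__main__":
    report = check_mbr(build_sample_mbr())
    print(report["status"], report["sha1"])
    for p in report["partitions"]:
        flag = " (bootable)" if p["bootable"] else ""
        print(f"slot {p['slot']}: type 0x{p['type']:02X} at offset 0x{p['byte_offset']:X}{flag}")
    for finding in report["findings"]:
        print("finding:", finding)
```

An "Unknown MBR code" result only means the boot code is not in your baseline; OEM recovery MBRs are non-standard too, so compare against a known-clean image of the same model before treating it as an infection.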

#39
BeckyH
    Member
  • Topic Starter
  • Member
  • 146 posts
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 64-bit
Base Board Manufacturer: Hewlett-Packard
BIOS Manufacturer: Insyde
System Manufacturer: Hewlett-Packard
System Product Name: HP Pavilion dv4 Notebook PC
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 196):
0x02602000 \SystemRoot\system32\ntoskrnl.exe
0x02B1A000 \SystemRoot\system32\hal.dll
0x00608000 \SystemRoot\system32\kdcom.dll
0x00612000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x0064D000 \SystemRoot\system32\PSHED.dll
0x00661000 \SystemRoot\system32\CLFS.SYS
0x006BE000 \SystemRoot\system32\CI.dll
0x0080A000 \SystemRoot\system32\drivers\Wdf01000.sys
0x008E4000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x008F2000 \SystemRoot\system32\drivers\acpi.sys
0x00948000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00951000 \SystemRoot\system32\drivers\msisadrv.sys
0x0095B000 \SystemRoot\system32\drivers\pci.sys
0x0098B000 \SystemRoot\system32\drivers\isapnp.sys
0x00994000 \SystemRoot\system32\drivers\mpio.sys
0x009B6000 \SystemRoot\System32\drivers\partmgr.sys
0x009CB000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x009CF000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x009DB000 \SystemRoot\system32\drivers\volmgr.sys
0x00770000 \SystemRoot\System32\drivers\volmgrx.sys
0x009EF000 \SystemRoot\system32\drivers\intelide.sys
0x007D6000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x009F7000 \SystemRoot\system32\drivers\pciide.sys
0x00800000 \SystemRoot\system32\drivers\aliide.sys
0x007E6000 \SystemRoot\system32\drivers\amdide.sys
0x007ED000 \SystemRoot\system32\drivers\cmdide.sys
0x00A04000 \SystemRoot\System32\drivers\mountmgr.sys
0x00A17000 \SystemRoot\system32\drivers\msdsm.sys
0x00A35000 \SystemRoot\system32\drivers\nvraid.sys
0x00A58000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x00A84000 \SystemRoot\system32\drivers\viaide.sys
0x00A8C000 \SystemRoot\system32\drivers\iastorv.sys
0x00B53000 \SystemRoot\system32\drivers\atapi.sys
0x00B5B000 \SystemRoot\system32\drivers\ataport.SYS
0x00B7F000 \SystemRoot\system32\drivers\lsi_scsi.sys
0x00B9D000 \SystemRoot\system32\drivers\storport.sys
0x00C0F000 \SystemRoot\system32\drivers\nvstor.sys
0x00C1F000 \SystemRoot\system32\drivers\msahci.sys
0x00C29000 \SystemRoot\system32\drivers\hpcisss.sys
0x00C37000 \SystemRoot\system32\drivers\adp94xx.sys
0x00CB0000 \SystemRoot\system32\drivers\adpahci.sys
0x00D06000 \SystemRoot\system32\drivers\adpu160m.sys
0x00D27000 \SystemRoot\system32\drivers\SCSIPORT.SYS
0x00D55000 \SystemRoot\system32\drivers\adpu320.sys
0x00D84000 \SystemRoot\system32\drivers\djsvs.sys
0x00D9C000 \SystemRoot\system32\drivers\arc.sys
0x00DB5000 \SystemRoot\system32\drivers\arcsas.sys
0x00E0C000 \SystemRoot\system32\drivers\elxstor.sys
0x00EAF000 \SystemRoot\system32\drivers\i2omp.sys
0x00EBA000 \SystemRoot\system32\drivers\iirsp.sys
0x00ECB000 \SystemRoot\system32\drivers\iteatapi.sys
0x00ED8000 \SystemRoot\system32\drivers\iteraid.sys
0x00EE5000 \SystemRoot\system32\drivers\lsi_fc.sys
0x00F03000 \SystemRoot\system32\drivers\lsi_sas.sys
0x00F1F000 \SystemRoot\system32\drivers\megasas.sys
0x00F2B000 \SystemRoot\system32\drivers\megasr.sys
0x00FF2000 \SystemRoot\system32\drivers\mraid35x.sys
0x00DCE000 \SystemRoot\system32\drivers\nfrd960.sys
0x0100E000 \SystemRoot\system32\drivers\ql2300.sys
0x01160000 \SystemRoot\system32\drivers\ql40xx.sys
0x011BE000 \SystemRoot\system32\drivers\sisraid2.sys
0x011CC000 \SystemRoot\system32\drivers\sisraid4.sys
0x011E2000 \SystemRoot\system32\drivers\symc8xx.sys
0x011F0000 \SystemRoot\system32\drivers\sym_hi.sys
0x01000000 \SystemRoot\system32\drivers\sym_u3.sys
0x01202000 \SystemRoot\system32\drivers\uliahci.sys
0x0124B000 \SystemRoot\system32\drivers\ulsata.sys
0x0127A000 \SystemRoot\system32\drivers\ulsata2.sys
0x012BC000 \SystemRoot\system32\drivers\vsmraid.sys
0x012E3000 \SystemRoot\system32\drivers\fltmgr.sys
0x0132A000 \SystemRoot\system32\drivers\fileinfo.sys
0x0133E000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01402000 \SystemRoot\system32\drivers\ndis.sys
0x01605000 \SystemRoot\system32\drivers\msrpc.sys
0x01655000 \SystemRoot\system32\drivers\NETIO.SYS
0x01804000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01984000 \SystemRoot\system32\drivers\wd.sys
0x0198C000 \SystemRoot\system32\drivers\volsnap.sys
0x019D0000 \SystemRoot\System32\Drivers\spldr.sys
0x019D8000 \SystemRoot\system32\drivers\sbp2port.sys
0x016AE000 \SystemRoot\System32\Drivers\mup.sys
0x016C0000 \SystemRoot\System32\drivers\ecache.sys
0x019F1000 \SystemRoot\system32\DRIVERS\hpdskflt.sys
0x016EC000 \SystemRoot\system32\drivers\disk.sys
0x01700000 \SystemRoot\system32\drivers\crcdisk.sys
0x0173B000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x01748000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x01751000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x019FB000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x0280D000 \SystemRoot\system32\DRIVERS\igdkmd64.sys
0x03008000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x030EB000 \SystemRoot\System32\drivers\watchdog.sys
0x030FB000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x03107000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x0314D000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x03204000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x03403000 \SystemRoot\system32\DRIVERS\bcmwl664.sys
0x036F2000 \SystemRoot\system32\DRIVERS\Rtlh64.sys
0x03728000 \SystemRoot\system32\DRIVERS\jmcr.sys
0x0374F000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x03765000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
0x03771000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x0377F000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0x037B3000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x037BF000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x037DB000 \SystemRoot\system32\DRIVERS\Accelerometer.sys
0x032F1000 \SystemRoot\system32\DRIVERS\enecir.sys
0x037E8000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x0330E000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x037F1000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x03347000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x0336A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x03376000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x033A7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x033B7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x033D5000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x033ED000 \SystemRoot\system32\DRIVERS\termdd.sys
0x037FE000 \SystemRoot\system32\DRIVERS\swenum.sys
0x0315E000 \SystemRoot\system32\DRIVERS\ks.sys
0x03192000 \SystemRoot\system32\DRIVERS\circlass.sys
0x031A3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x031AE000 \SystemRoot\system32\DRIVERS\umbus.sys
0x02FB8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x031BE000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x01764000 \SystemRoot\system32\DRIVERS\stwrt64.sys
0x015C5000 \SystemRoot\system32\DRIVERS\portcls.sys
0x031D2000 \SystemRoot\system32\DRIVERS\drmk.sys
0x031F5000 \SystemRoot\system32\drivers\ksthunk.sys
0x04A0B000 \SystemRoot\system32\DRIVERS\agrsm64.sys
0x04B3C000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x04B3E000 \SystemRoot\system32\drivers\modem.sys
0x04B4D000 \SystemRoot\system32\drivers\IntcHdmi.sys
0x04B72000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x04B8E000 \SystemRoot\system32\DRIVERS\hidir.sys
0x04B99000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x04BAB000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x04BBC000 \SystemRoot\System32\Drivers\usbvideo.sys
0x04BE6000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x04BF1000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x04C00000 \SystemRoot\System32\Drivers\aswSnx.SYS
0x04C98000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x04CA2000 \SystemRoot\System32\Drivers\Null.SYS
0x04CAB000 \SystemRoot\System32\drivers\vga.sys
0x04CB9000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x04CDE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x04CE7000 \SystemRoot\system32\drivers\rdpencdd.sys
0x04CF0000 \SystemRoot\System32\Drivers\Msfs.SYS
0x04CFB000 \SystemRoot\System32\Drivers\Npfs.SYS
0x04D0C000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x04E02000 \SystemRoot\System32\drivers\tcpip.sys
0x04F78000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x04FA4000 \SystemRoot\system32\DRIVERS\tdx.sys
0x04FC1000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x04FD1000 \SystemRoot\system32\DRIVERS\smb.sys
0x04D15000 \SystemRoot\System32\DRIVERS\netbt.sys
0x04D59000 \SystemRoot\system32\drivers\afd.sys
0x04FEC000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x04DC4000 \SystemRoot\system32\DRIVERS\pacer.sys
0x04DE2000 \SystemRoot\system32\DRIVERS\netbios.sys
0x017DF000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x05008000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x05055000 \SystemRoot\system32\drivers\nsiproxy.sys
0x05061000 \SystemRoot\System32\Drivers\dfsc.sys
0x0507E000 \SystemRoot\System32\Drivers\aswSP.SYS
0x050CB000 \SystemRoot\System32\Drivers\crashdmp.sys
0x050D9000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x050E5000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x00000000 \SystemRoot\System32\win32k.sys
0x050EF000 \SystemRoot\System32\drivers\Dxapi.sys
0x050FB000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00440000 \SystemRoot\System32\TSDDD.dll
0x006F0000 \SystemRoot\System32\cdd.dll
0x0510E000 \SystemRoot\system32\drivers\luafv.sys
0x05130000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x0516A000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x16A00000 \SystemRoot\system32\drivers\spsys.sys
0x16A9A000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x16AAE000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x16AE2000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x16AED000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x16B05000 \SystemRoot\system32\drivers\HTTP.sys
0x16BA8000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x16BD1000 \SystemRoot\system32\DRIVERS\bowser.sys
0x05173000 \SystemRoot\System32\drivers\mpsdrv.sys
0x0518D000 \SystemRoot\system32\drivers\mrxdav.sys
0x051B4000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x17409000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x17452000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x17471000 \SystemRoot\System32\DRIVERS\srv2.sys
0x174A3000 \SystemRoot\System32\DRIVERS\srv.sys
0x17536000 \SystemRoot\system32\drivers\peauth.sys
0x175EC000 \SystemRoot\System32\Drivers\secdrv.SYS
0x16BEF000 \SystemRoot\System32\drivers\tcpipreg.sys
0x051DD000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x175F7000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x76D70000 \WINDOWS\System32\ntdll.dll

Processes (total 79):
0 System Idle Process
4 System
544 C:\WINDOWS\System32\smss.exe
612 csrss.exe
648 C:\WINDOWS\System32\wininit.exe
668 csrss.exe
704 C:\WINDOWS\System32\services.exe
724 C:\WINDOWS\System32\lsass.exe
732 C:\WINDOWS\System32\lsm.exe
816 C:\WINDOWS\System32\winlogon.exe
928 C:\WINDOWS\System32\svchost.exe
1000 C:\WINDOWS\System32\svchost.exe
340 C:\WINDOWS\System32\svchost.exe
556 C:\WINDOWS\System32\svchost.exe
576 C:\WINDOWS\System32\svchost.exe
616 C:\WINDOWS\System32\svchost.exe
1036 C:\WINDOWS\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\stacsv64.exe
1140 C:\WINDOWS\System32\audiodg.exe
1176 C:\WINDOWS\System32\svchost.exe
1192 C:\WINDOWS\System32\SLsvc.exe
1272 C:\WINDOWS\System32\svchost.exe
1340 C:\WINDOWS\System32\hpservice.exe
1508 C:\WINDOWS\System32\svchost.exe
1628 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
1636 C:\WINDOWS\System32\wlanext.exe
1788 C:\WINDOWS\System32\dwm.exe
1816 C:\WINDOWS\explorer.exe
1540 C:\WINDOWS\System32\spoolsv.exe
1708 C:\WINDOWS\System32\taskeng.exe
1348 C:\WINDOWS\System32\svchost.exe
1672 C:\WINDOWS\System32\taskeng.exe
2464 C:\WINDOWS\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\AESTSr64.exe
2504 C:\Program Files\LSI SoftModem\agr64svc.exe
2516 C:\WINDOWS\System32\svchost.exe
2548 C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
2704 C:\WINDOWS\System32\inetsrv\inetinfo.exe
2748 C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
2816 C:\WINDOWS\System32\svchost.exe
2868 C:\WINDOWS\System32\svchost.exe
2892 C:\WINDOWS\System32\svchost.exe
2952 C:\WINDOWS\SMINST\BLService.exe
3004 C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
3060 C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
888 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2272 C:\WINDOWS\System32\svchost.exe
1824 C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
3052 C:\WINDOWS\System32\svchost.exe
404 C:\WINDOWS\System32\svchost.exe
2432 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
3120 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
3392 C:\WINDOWS\System32\svchost.exe
3740 C:\Program Files\Apoint2K\Apoint.exe
3768 C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
3808 C:\Program Files\IDT\WDM\sttray64.exe
3820 C:\WINDOWS\System32\hkcmd.exe
3832 C:\WINDOWS\ehome\ehtray.exe
3840 C:\Users\Owner\AppData\Local\Knowledge Networks\PanelApp\PanelApp.exe
3912 C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
3968 C:\WINDOWS\ehome\ehmsas.exe
2528 C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
2068 C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
3580 C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
2404 C:\Program Files\AVAST Software\Avast\AvastUI.exe
3752 C:\WINDOWS\System32\igfxsrvc.exe
4040 C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
3924 C:\Program Files\Apoint2K\ApMsgFwd.exe
2440 WmiPrvSE.exe
4236 WmiPrvSE.exe
4260 C:\WINDOWS\System32\rundll32.exe
4452 C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
4496 C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
4796 C:\Program Files\Windows Media Player\wmpnscfg.exe
5068 C:\WINDOWS\System32\svchost.exe
1876 C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
4904 C:\WINDOWS\System32\wuauclt.exe
4596 C:\WINDOWS\SysWOW64\ctfmon.exe
1728 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
124 C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
876 C:\Users\Owner\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000037`69700000 (NTFS)

PhysicalDrive0 Model Number: WDCWD2500BEVS-60UST0, Rev: 01.01A01

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 08F21ADD893776C287CC68A3558F8D095B50ED3C


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit): 0Dumping \\.\PhysicalDisk0...
Enter filename to dump to: c:\mbrBecky.txtDumped successfully!

Enter the physical disk number to dump (0-99, -1 to exit):



OK, this doesn't look like anything to me, but this is what popped up in Notepad. It did not open automatically, however.

  • 0

#40
BeckyH
    Member
  • Topic Starter
  • Member
  • 146 posts
VEW logs

Vino's Event Viewer v01c run on Windows Vista in English
Report run at 18/06/2011 9:25:47 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 18/06/2011 11:54:24 PM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The HP CUE DeviceDiscovery Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 18/06/2011 11:54:24 PM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The hpqcxs08 service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 18/06/2011 10:11:37 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Com4QLBEx service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 18/06/2011 10:11:37 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Com4QLBEx service to connect.

Log: 'System' Date/Time: 18/06/2011 10:11:37 PM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1053" attempting to start the service Com4QLBEx with arguments "" in order to run the server: {DB536E5D-10F7-4B34-B443-140161048E2E}

Log: 'System' Date/Time: 18/06/2011 10:11:03 PM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 18/06/2011 10:10:48 PM
Type: Error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: Beep

Log: 'System' Date/Time: 18/06/2011 10:09:39 PM
Type: Error Category: 0
Event: 6008 Source: EventLog
The previous system shutdown at 6:07:35 PM on 6/18/2011 was unexpected.

Log: 'System' Date/Time: 18/06/2011 10:09:14 PM
Type: Error Category: 0
Event: 1060 Source: Application Popup
\SystemRoot\System32\Drivers\Beep.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Log: 'System' Date/Time: 18/06/2011 9:28:10 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The HP Health Check Service service failed to start due to the following error: A device attached to the system is not functioning.

Log: 'System' Date/Time: 18/06/2011 9:26:23 PM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 18/06/2011 9:25:42 PM
Type: Error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: Beep

Log: 'System' Date/Time: 18/06/2011 9:24:18 PM
Type: Error Category: 0
Event: 1060 Source: Application Popup
\SystemRoot\System32\Drivers\Beep.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Log: 'System' Date/Time: 18/06/2011 9:22:36 PM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Log: 'System' Date/Time: 18/06/2011 9:16:17 PM
Type: Error Category: 0
Event: 1060 Source: Application Popup
\??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Log: 'System' Date/Time: 18/06/2011 9:16:16 PM
Type: Error Category: 0
Event: 1060 Source: Application Popup
\??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Log: 'System' Date/Time: 18/06/2011 9:08:17 PM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Log: 'System' Date/Time: 18/06/2011 9:02:33 PM
Type: Error Category: 0
Event: 1060 Source: Application Popup
\??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Log: 'System' Date/Time: 18/06/2011 8:55:25 PM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The HP CUE DeviceDiscovery Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 18/06/2011 8:55:25 PM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The hpqcxs08 service terminated unexpectedly. It has done this 1 time(s).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 18/06/2011 9:21:09 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:09 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:08 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:08 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:08 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:08 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:07 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:07 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:07 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:07 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:06 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:06 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:06 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:05 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:05 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:05 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:05 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:04 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:04 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Log: 'System' Date/Time: 18/06/2011 9:21:04 PM
Type: Warning Category: 0
Event: 4374 Source: Microsoft-Windows-Servicing
Windows Servicing identified that package KB2478660(Security Update) is not applicable for this system

Vino's Event Viewer v01c run on Windows Vista in English
Report run at 18/06/2011 9:26:57 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 18/06/2011 10:10:43 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 18/06/2011 9:25:41 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 18/06/2011 4:28:17 AM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 18/06/2011 1:10:02 AM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 18/06/2011 1:05:38 AM
Type: Error Category: 0
Event: 11 Source: Microsoft-Windows-CAPI2
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. .

Log: 'Application' Date/Time: 18/06/2011 1:05:38 AM
Type: Error Category: 0
Event: 11 Source: Microsoft-Windows-CAPI2
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. .

Log: 'Application' Date/Time: 18/06/2011 12:55:02 AM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 18/06/2011 12:54:55 AM
Type: Error Category: 0
Event: 11 Source: Microsoft-Windows-CAPI2
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. .

Log: 'Application' Date/Time: 17/06/2011 1:00:02 PM
Type: Error Category: 0
Event: 11 Source: Microsoft-Windows-CAPI2
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. .

Log: 'Application' Date/Time: 17/06/2011 12:59:48 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 17/06/2011 12:03:34 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 17/06/2011 12:03:27 PM
Type: Error Category: 0
Event: 11 Source: Microsoft-Windows-CAPI2
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. .

Log: 'Application' Date/Time: 17/06/2011 3:09:45 AM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 17/06/2011 3:09:32 AM
Type: Error Category: 0
Event: 11 Source: Microsoft-Windows-CAPI2
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. .

Log: 'Application' Date/Time: 17/06/2011 2:44:04 AM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 17/06/2011 2:43:41 AM
Type: Error Category: 0
Event: 11 Source: Microsoft-Windows-CAPI2
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. .

Log: 'Application' Date/Time: 16/06/2011 11:02:46 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 16/06/2011 11:02:45 PM
Type: Error Category: 0
Event: 11 Source: Microsoft-Windows-CAPI2
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. .

Log: 'Application' Date/Time: 16/06/2011 10:18:15 PM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program mmc.exe version 6.0.6002.18005 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel. Process ID: 1618 Start Time: 01cc2c7317decb80 Termination Time: 173

Log: 'Application' Date/Time: 16/06/2011 6:52:44 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 18/06/2011 1:44:27 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2902236165-3934322-1294904898-1000_Classes:
Process 1700 (\Device\HarddiskVolume1\WINDOWS\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache


Log: 'Application' Date/Time: 18/06/2011 1:07:48 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2902236165-3934322-1294904898-1000_Classes:
Process 1644 (\Device\HarddiskVolume1\WINDOWS\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache


Log: 'Application' Date/Time: 18/06/2011 12:52:12 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2902236165-3934322-1294904898-1000_Classes:
Process 1692 (\Device\HarddiskVolume1\WINDOWS\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache


Log: 'Application' Date/Time: 17/06/2011 12:55:43 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2902236165-3934322-1294904898-1000_Classes:
Process 1772 (\Device\HarddiskVolume1\WINDOWS\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache


Log: 'Application' Date/Time: 17/06/2011 12:00:54 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 0 user registry handles leaked from \Registry\User\S-1-5-21-2902236165-3934322-1294904898-1000_Classes:


Log: 'Application' Date/Time: 17/06/2011 3:07:05 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2902236165-3934322-1294904898-1000_Classes:
Process 1704 (\Device\HarddiskVolume1\WINDOWS\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache


Log: 'Application' Date/Time: 17/06/2011 3:07:04 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 0 user registry handles leaked from \Registry\User\S-1-5-21-2902236165-3934322-1294904898-1000:


Log: 'Application' Date/Time: 17/06/2011 2:41:09 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2902236165-3934322-1294904898-1000_Classes:
Process 1704 (\Device\HarddiskVolume1\WINDOWS\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache


Log: 'Application' Date/Time: 16/06/2011 11:00:06 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2902236165-3934322-1294904898-1000_Classes:
Process 1900 (\Device\HarddiskVolume1\WINDOWS\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache


Log: 'Application' Date/Time: 16/06/2011 6:50:01 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2902236165-3934322-1294904898-1000_Classes:
Process 1880 (\Device\HarddiskVolume1\WINDOWS\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache


Log: 'Application' Date/Time: 16/06/2011 6:50:00 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 13 user registry handles leaked from \Registry\User\S-1-5-21-2902236165-3934322-1294904898-1000:
Process 3296 (\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000
Process 3296 (\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000
Process 3296 (\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000
Process 3296 (\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 3296 (\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000\Software\Microsoft\SystemCertificates\My
Process 3296 (\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000\Software\Microsoft\SystemCertificates\Disallowed
Process 3296 (\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000\Software\Microsoft\SystemCertificates\CA
Process 3296 (\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 3296 (\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000\Software\Policies\Microsoft\SystemCertificates
Process 3296 (\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000\Software\Policies\Microsoft\SystemCertificates
Process 3296 (\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000\Software\Policies\Microsoft\SystemCertificates
Process 3296 (\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000\Software\Microsoft\SystemCertificates\Root
Process 3296 (\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000\Software\Microsoft\SystemCertificates\trust


Log: 'Application' Date/Time: 16/06/2011 6:39:14 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2902236165-3934322-1294904898-1000_Classes:
Process 1980 (\Device\HarddiskVolume1\WINDOWS\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache


Log: 'Application' Date/Time: 16/06/2011 5:28:12 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2902236165-3934322-1294904898-1000_Classes:
Process 1844 (\Device\HarddiskVolume1\WINDOWS\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache


Log: 'Application' Date/Time: 16/06/2011 5:05:59 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2902236165-3934322-1294904898-1000_Classes:
Process 1748 (\Device\HarddiskVolume1\WINDOWS\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-2902236165-3934322-1294904898-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache



#41
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
I need for you to attach mbrbecky.txt. Don't open it since it's not a real text file. The forum only lets certain extensions be attached so we have to fool it.

Ron

#42
BeckyH

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 146 posts
Oh... ok, sorry.

Attached Files



#43
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
I'm going to post a question in our internal forum about aswMBR not working. Will have to wait for them to reply.

Ron

#44
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Apparently this is a system-specific problem which they haven't been able to reproduce. What make and model is this?

The beep.sys that we tried to use is not acceptable to your 64-bit Vista so you can go ahead and delete it.

Let's try rebuilding the WMI repository:

Click Start, click (All) Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

Type this command and press Enter:

net stop winmgmt

Minimize the Command window. Right-click on Start and select Explore. Find the folder: C:\Windows\System32\Wbem\Repository. Rename the folder C:\Windows\System32\Wbem\Repository to C:\Windows\System32\Wbem\RepositoryOld. Close Windows Explorer.

Switch back to Command Prompt window, and type the following and press ENTER after each line:

net start winmgmt

EXIT

Restart and run Process Explorer as before and post the new log.

Ron
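The same WMI repository reset, as an added example that is not part of RKinner's instructions and was not run in this thread: one elevated PowerShell script that does the stop, rename and start from a single session. It uses the paths the post names; the elevation check, the backup-name handling and the service-state waits are assumptions added here, and the first two checks cover the common reasons a rename of that folder is refused with a permissions error.

```powershell
# Added example: reset the WMI repository (stop winmgmt, rename Repository to
# RepositoryOld, start winmgmt) from a single elevated PowerShell session.
# Not from the thread; the paths follow the post, everything else is assumed.

# Check 1: renaming under %SystemRoot%\System32\Wbem needs an elevated token.
# A non-elevated Explorer window is one common source of "you need permission".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open PowerShell with "Run as administrator" and rerun this script.'
}

$wbem    = Join-Path $env:SystemRoot 'System32\Wbem'
$repo    = Join-Path $wbem 'Repository'
$newName = 'RepositoryOld'
if (Test-Path (Join-Path $wbem $newName)) {
    # keep an earlier RepositoryOld instead of overwriting it
    $newName = 'RepositoryOld-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
}

# Check 2: the rename only succeeds once winmgmt has released the files.
# Stop it (and the services that depend on it, as "net stop winmgmt" offers
# to do) and wait for the Stopped state instead of assuming it.
$svc = Get-Service -Name winmgmt
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name winmgmt -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

Rename-Item -Path $repo -NewName $newName -ErrorAction Stop
Write-Host "Renamed Repository to $newName"

# Starting winmgmt with no repository present makes it build a fresh one from
# the MOF files on its autorecover list.
Start-Service -Name winmgmt
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Verify with the same namespace and class that the Event 10 errors in the
# posted log were failing on (root\CIMV2, Win32_Processor).
$cpus = @(Get-WmiObject -Namespace 'root\CIMV2' -Class Win32_Processor -ErrorAction Stop)
Write-Host ("WMI answered: {0} processor object(s), LoadPercentage={1}" -f `
    $cpus.Count, $cpus[0].LoadPercentage)
Write-Host 'Restart Windows now, then rerun Process Explorer as the post asks.'
```

Classes whose MOF files are not on the autorecover list will be missing from the rebuilt repository until their software is reinstalled, so keep the renamed folder until the machine has been checked; on Vista and later, winmgmt /resetrepository performs the same rebuild through the service itself.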

#45
BeckyH

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 146 posts
It won't let me rename it; it just keeps telling me I need permission, no matter how many ways I go about trying it.

Edited by BeckyH, 19 June 2011 - 08:43 AM.
