Computer Sluggish, Odd Restarts, CPU Load High on Odd Occasions
#1 brispuss

Running a multi-boot system (W7 32bit, W7 64bit, and W XP 32bit SP3).

Trouble is now with Windows XP.

For some time now, I've noticed that the CPU load (and the CPU fan speed) seems to go up while playing some low-load games, when previously this didn't happen. Likewise, the CPU load increases while in Safe Mode!? It also seems to take longer to shut down the computer via XP.

Speaking of Safe Mode, I'm unable to boot into Safe Mode by changing settings under "msconfig". After changing the settings to boot into Safe Mode, the computer always boots into Normal Mode with the following message shown.

XP_boot.png

The only way I can boot into Safe Mode now is by pressing the F8 key when XP is starting.

Getting odd system restarts due to file errors (I think). It happened again last night while waiting for a web page to finish loading and while playing a small video to pass the time. Here is a screenshot of BlueScreenView of the corresponding system dumps.

XP_restart.png

Have no problems when running either of the Windows 7 operating systems, which suggests a software issue.

Ran a FRST scan with the following results -

FRST scan log -

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-07-2017
Ran by Peter Bahniuk (administrator) on MINE (27-07-2017 10:22:51)
Running from C:\Documents and Settings\Peter Bahniuk\Desktop
Loaded Profiles: Peter Bahniuk (Available Profiles: Peter Bahniuk & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3, v.3264 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: "C:\Program Files\Opera\Opera.exe" "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTAudSvc.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore.exe
(LSI Corporation) C:\Program Files\LSI SoftModem\agrsmsvc.exe
() C:\WINDOWS\system32\srvany.exe
() C:\WINDOWS\KMService.exe
(Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Creative Technology Ltd) C:\WINDOWS\system32\Ctxfihlp.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(www.dennisbabkin.com) C:\Compact Tray meter\Compact Tray Meter.exe
(Tonec Inc.) C:\Program Files\Internet Download Manager\IDMan.exe
(the sz development) C:\Program Files\RimhillEx\RimhillEx.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Creative Technology Ltd) C:\WINDOWS\system32\CTxfispi.exe
(Tonec Inc.) C:\Program Files\Internet Download Manager\IEMonitor.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2013-12-23] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [CTxfiHlp] => C:\WINDOWS\system32\CTXFIHLP.EXE [26112 2014-03-01] (Creative Technology Ltd)
HKLM\...\Run: [BrStsMon00] => C:\Program Files\Browny02\Brother\BrStMonW.exe [3084288 2012-07-31] (Brother Industries, Ltd.)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll [2013-12-23] (ATI Technologies Inc.)
HKU\S-1-5-21-1390067357-606747145-725345543-1003\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6825888 2016-12-07] (SUPERAntiSpyware)
HKU\S-1-5-21-1390067357-606747145-725345543-1003\...\Run: [Compact Tray Meter] => C:\Compact Tray meter\Compact Tray Meter.exe [3081672 2014-05-31] (www.dennisbabkin.com)
HKU\S-1-5-21-1390067357-606747145-725345543-1003\...\Run: [IDMan] => C:\Program Files\Internet Download Manager\IDMan.exe [4027504 2017-07-15] (Tonec Inc.)
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll
ShellExecuteHooks: No Name - {16664848-0E00-11D2-8059-000000000000} -  -> No File
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-08] (SuperAdBlocker.com)
Startup: C:\Documents and Settings\Peter Bahniuk\Start Menu\Programs\Startup\RimhillEx.lnk [2016-11-07]
ShortcutTarget: RimhillEx.lnk -> C:\Program Files\RimhillEx\RimhillEx.exe (the sz development)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog9 12 %windir%\system32\vsocklib.dll => No File 
Winsock: Catalog9 13 %windir%\system32\vsocklib.dll => No File 
Tcpip\..\Interfaces\{6A394987-A551-40AF-9ADD-BA74B9C7F236}: [NameServer] 203.97.78.43 203.97.78.44
 
Internet Explorer:
==================
HKU\S-1-5-21-1390067357-606747145-725345543-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKU\S-1-5-21-1390067357-606747145-725345543-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files\Internet Download Manager\IDMIECC.dll [2017-07-13] (Internet Download Manager, Tonec Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
 
FireFox:
========
FF DefaultProfile: nejrxvyi.default
FF ProfilePath: C:\Documents and Settings\Peter Bahniuk\Application Data\Mozilla\Firefox\Profiles\nejrxvyi.default [2017-06-29]
FF Extension: (Status-4-Evar) - C:\Documents and Settings\Peter Bahniuk\Application Data\Mozilla\Firefox\Profiles\nejrxvyi.default\Extensions\[email protected] [2016-11-04]
FF Extension: (ColorfulTabs) - C:\Documents and Settings\Peter Bahniuk\Application Data\Mozilla\Firefox\Profiles\nejrxvyi.default\Extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe} [2016-11-04]
FF Extension: (Flagfox) - C:\Documents and Settings\Peter Bahniuk\Application Data\Mozilla\Firefox\Profiles\nejrxvyi.default\Extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}.xpi [2016-11-04]
FF Extension: (FlashGot) - C:\Documents and Settings\Peter Bahniuk\Application Data\Mozilla\Firefox\Profiles\nejrxvyi.default\Extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi [2016-11-12]
FF Extension: (RightToClick) - C:\Documents and Settings\Peter Bahniuk\Application Data\Mozilla\Firefox\Profiles\nejrxvyi.default\Extensions\{cd617375-6743-4ee8-bac4-fbf10f35729e}.xpi [2016-11-04]
FF Extension: (Adblock Plus) - C:\Documents and Settings\Peter Bahniuk\Application Data\Mozilla\Firefox\Profiles\nejrxvyi.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-04]
FF Extension: (IDM integration) - C:\Program Files\Internet Download Manager\idmmzcc2.xpi [2017-01-26]
FF ProfilePath: C:\Documents and Settings\Peter Bahniuk\Application Data\K-Meleon\lvu8bvvw.default [2017-06-29]
FF user.js: detected! => C:\Documents and Settings\Peter Bahniuk\Application Data\K-Meleon\lvu8bvvw.default\user.js [2006-04-07]
FF Extension: (NewsFox) - C:\Program Files\K-Meleon\browser\extensions\{899DF1F8-2F43-4394-8315-37F6744E6319}.xpi [2015-03-13] [not signed]
FF HKU\S-1-5-21-1390067357-606747145-725345543-1003\...\Firefox\Extensions: [[email protected]] - C:\Program Files\Internet Download Manager\idmmzcc2.xpi
FF HKU\S-1-5-21-1390067357-606747145-725345543-1003\...\SeaMonkey\Extensions: [[email protected]] - C:\Documents and Settings\Peter Bahniuk\Application Data\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Documents and Settings\Peter Bahniuk\Application Data\IDM\idmmzcc5 [2017-07-26] [not signed]
FF HKU\S-1-5-21-1390067357-606747145-725345543-1003\...\SeaMonkey\Extensions: [[email protected]] - C:\Program Files\Internet Download Manager\idmmzcc2.xpi
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_23_0_0_207.dll [2016-11-29] ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
 
Chrome: 
=======
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files\Internet Download Manager\IDMGCExt.crx [2017-07-15]
CHR HKLM\...\Chrome\Extension: [pkijdmeepjhpenmighhaodgfoogncnlk] - C:\Program Files\Offline Explorer\mpoe.crx <not found>
 
Opera: 
=======
OPR Extension: (EagleGet Free Downloader) - C:\Documents and Settings\Peter Bahniuk\Application Data\Opera Software\Opera Stable\Extensions\kaebhgioafceeldhgjmendlfhbfjefmo [2017-02-20]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-07-23] (SUPERAntiSpyware.com)
R2 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [14336 2009-03-27] (LSI Corporation)
R2 Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [643072 2013-12-23] (ATI Technologies Inc.) [File not signed]
S4 BrYNSvc; C:\Program Files\Browny02\BrYNSvc.exe [270336 2012-07-13] (Brother Industries, Ltd.) [File not signed]
S3 Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2016-10-09] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [286720 2010-02-12] (Creative Technology Ltd) [File not signed]
R2 KMService; C:\WINDOWS\system32\srvany.exe [8192 2016-10-08] () [File not signed]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [6852096 2013-12-23] (ATI Technologies Inc.) [File not signed]
R3 EtronHub3; C:\WINDOWS\System32\Drivers\EtronHub3.sys [46848 2012-02-19] (Etron Technology Inc)
R3 EtronXHCI; C:\WINDOWS\System32\Drivers\EtronXHCI.sys [68352 2012-02-19] (Etron Technology Inc)
R1 HWiNFO32; C:\WINDOWS\system32\drivers\HWiNFO32.SYS [23840 2016-11-16] (REALiX™)
R1 IDMTDI; C:\WINDOWS\System32\DRIVERS\idmtdi.sys [142144 2017-07-15] (Tonec Inc.)
R3 pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [47360 2016-10-24] (VSO Software) [File not signed]
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-23] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-13] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 VClone; C:\WINDOWS\System32\DRIVERS\VClone.sys [30720 2013-07-25] (Elaborate Bytes AG) [File not signed]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-07-27 10:22 - 2017-07-27 10:23 - 00010733 _____ C:\Documents and Settings\Peter Bahniuk\Desktop\FRST.txt
2017-07-27 10:22 - 2017-07-27 10:22 - 01778176 _____ (Farbar) C:\Documents and Settings\Peter Bahniuk\Desktop\FRST.exe
2017-07-27 10:22 - 2017-07-27 10:22 - 00000000 ____D C:\FRST
2017-07-27 02:45 - 2017-07-27 02:47 - 00000000 ____D C:\Tweaking.com - Windows Repair
2017-07-27 02:34 - 2017-07-27 02:36 - 00000000 ____D C:\Documents and Settings\Peter Bahniuk\Desktop\Tweaking.com - Windows Repair
2017-07-27 01:57 - 2017-07-27 01:57 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Foxit Software
2017-07-27 01:16 - 2017-07-27 01:16 - 00094208 _____ C:\WINDOWS\Minidump\Mini072717-02.dmp
2017-07-27 01:05 - 2017-07-27 01:05 - 00094208 _____ C:\WINDOWS\Minidump\Mini072717-01.dmp
2017-07-27 00:56 - 2017-07-27 00:58 - 00000000 ____D C:\Documents and Settings\Peter Bahniuk\Application Data\Foxit Software
2017-07-27 00:56 - 2017-07-27 00:56 - 00000000 ____D C:\Documents and Settings\Peter Bahniuk\Application Data\Foxit AgentInformation
2017-07-27 00:56 - 2017-07-27 00:56 - 00000000 ____D C:\Documents and Settings\All Users\Foxit Software
2017-07-27 00:56 - 2017-07-27 00:56 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Foxit ContentPlatform
2017-07-26 20:16 - 2017-07-26 20:16 - 00000696 _____ C:\Documents and Settings\Peter Bahniuk\Desktop\Internet Download Manager.lnk
2017-07-26 20:15 - 2017-07-26 20:16 - 00000000 ____D C:\Documents and Settings\Peter Bahniuk\Start Menu\Programs\Internet Download Manager
2017-07-26 20:15 - 2017-07-26 20:16 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Internet Download Manager
2017-07-15 05:18 - 2017-07-15 05:13 - 00142144 _____ (Tonec Inc.) C:\WINDOWS\system32\Drivers\idmtdi.sys
2017-06-29 21:42 - 2013-08-28 13:09 - 00003072 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-handle-l1-1-0.dll
2017-06-29 21:38 - 2011-10-04 02:32 - 00005120 ____N (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-file-l1-1-0.dll
2017-06-29 21:36 - 2013-08-12 15:24 - 00003072 ____N (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2017-06-29 21:32 - 2016-10-12 13:43 - 00160256 _____ (Microsoft Corporation) C:\WINDOWS\system32\werui.dll
2017-06-29 21:21 - 2016-09-27 18:23 - 00078848 _____ (Microsoft Corporation) C:\WINDOWS\system32\cryptsp.dll
2017-06-29 21:16 - 2016-10-02 11:07 - 00003072 ____N (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-security-sddl-l1-1-0.dll
2017-06-29 20:46 - 2016-12-08 15:24 - 00381440 _____ (Microsoft Corporation) C:\WINDOWS\system32\wer.dll
2017-06-29 16:16 - 2017-06-29 16:16 - 00000000 ____D C:\Program Files\PFFEditor
2017-06-29 16:16 - 2017-06-29 16:16 - 00000000 ____D C:\Dependency Walker
2017-06-29 16:12 - 2016-12-05 14:59 - 00401484 _____ (Microsoft Corporation) C:\WINDOWS\system32\msvcrtd.dll
2017-06-29 16:12 - 2016-12-05 14:36 - 01393152 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfc42d.dll
2017-06-29 14:07 - 2017-06-29 14:07 - 00000000 _____ C:\av.mof
2017-06-29 14:00 - 2017-06-29 14:00 - 00000000 __SHD C:\Documents and Settings\LocalService\IETldCache
2017-06-29 13:59 - 2017-06-29 13:59 - 00000000 ____D C:\RegBackup
2017-06-29 13:56 - 2017-07-27 02:47 - 00044496 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2017-06-29 13:55 - 2017-07-27 02:49 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2017-06-29 13:55 - 2017-07-27 02:47 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Temp
2017-06-29 13:55 - 2017-06-29 13:55 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2017-06-29 13:55 - 2017-06-29 13:55 - 00000000 ____D C:\Documents and Settings\Administrator
2017-06-29 13:55 - 2016-11-12 16:38 - 00001697 _____ C:\Documents and Settings\Administrator\Desktop\Offline Explorer.lnk
2017-06-29 13:55 - 2016-11-12 16:38 - 00000000 ____D C:\Documents and Settings\Administrator\Start Menu\Programs\MetaProducts Offline Explorer
2017-06-29 13:55 - 2016-10-08 18:41 - 00001599 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2017-06-29 13:55 - 2016-10-08 18:41 - 00000792 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2017-06-29 13:54 - 2017-07-27 02:40 - 00313954 _____ C:\WINDOWS\ntbtlog.txt
2017-06-29 13:54 - 2017-06-29 13:54 - 00000000 __SHD C:\WINDOWS\CSC
2017-06-29 13:39 - 2017-07-27 10:03 - 00000550 _____ C:\WINDOWS\Tasks\Tweaking.com - Windows Repair Tray Icon.job
2017-06-29 13:39 - 2017-06-29 13:46 - 00000000 ____D C:\WINDOWS\pss
2017-06-29 13:39 - 2017-06-29 13:39 - 00183676 _____ C:\WINDOWS\Tweaking.com - Windows Repair Setup Log.txt
2017-06-29 13:39 - 2017-06-29 13:39 - 00000000 ____D C:\Program Files\Tweaking.com
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-07-27 10:23 - 2016-10-08 18:44 - 00000000 ____D C:\Documents and Settings\Peter Bahniuk\Local Settings\Temp
2017-07-27 10:07 - 2016-10-09 06:30 - 00005196 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-07-27 10:04 - 2016-10-08 19:02 - 00007288 _____ C:\WINDOWS\ModemLog_LSI PCI-SV92PP Soft Modem.txt
2017-07-27 10:03 - 2016-11-05 16:23 - 00000408 _____ C:\WINDOWS\Tasks\Opera scheduled Autoupdate 1478319800.job
2017-07-27 10:03 - 2016-10-08 18:43 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-07-27 10:01 - 2016-10-09 06:23 - 00000000 RSHDC C:\WINDOWS\system32\dllcache
2017-07-27 09:58 - 2016-10-09 19:22 - 00054760 _____ C:\WINDOWS\system32\BMXStateBkp-{00000004-00000000-00000001-00001102-00000005-00311102}.rfx
2017-07-27 09:58 - 2016-10-09 19:22 - 00054760 _____ C:\WINDOWS\system32\BMXState-{00000004-00000000-00000001-00001102-00000005-00311102}.rfx
2017-07-27 09:58 - 2016-10-09 19:22 - 00000788 _____ C:\WINDOWS\system32\DVCState-{00000004-00000000-00000001-00001102-00000005-00311102}.rfx
2017-07-27 09:57 - 2016-10-09 06:28 - 00000229 __RSH C:\boot.ini
2017-07-27 09:57 - 2016-10-08 18:57 - 00524288 _____ C:\WINDOWS\system32\config\ACEEvent.evt
2017-07-27 09:57 - 2016-10-08 18:44 - 00000178 ___SH C:\Documents and Settings\Peter Bahniuk\ntuser.ini
2017-07-27 09:57 - 2016-10-08 18:43 - 00032634 _____ C:\WINDOWS\SchedLgU.Txt
2017-07-27 09:57 - 2006-03-01 00:00 - 00000477 _____ C:\WINDOWS\win.ini
2017-07-27 09:57 - 2006-03-01 00:00 - 00000227 _____ C:\WINDOWS\system.ini
2017-07-27 01:16 - 2016-11-24 11:02 - 00000000 ____D C:\WINDOWS\Minidump
2017-07-27 00:56 - 2016-10-09 06:29 - 00000000 ____D C:\Documents and Settings\All Users
2017-07-27 00:43 - 2016-10-10 10:53 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Adobe
2017-07-26 22:33 - 2016-10-21 15:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Zoom Player
2017-07-26 20:50 - 2016-10-16 13:35 - 00000000 ____D C:\Program Files\VideoLAN
2017-07-26 20:16 - 2016-10-09 16:00 - 00000000 ____D C:\Documents and Settings\Peter Bahniuk\Application Data\IDM
2017-07-26 20:16 - 2016-10-09 15:56 - 00000000 ____D C:\Program Files\Internet Download Manager
2017-07-26 20:16 - 2016-10-09 06:23 - 00000000 ___HD C:\WINDOWS\inf
2017-07-26 20:11 - 2006-03-01 00:00 - 00012984 _____ C:\WINDOWS\system32\wpa.dbl
2017-07-01 13:09 - 2016-10-09 06:29 - 00000000 ___HD C:\Documents and Settings\Default User
2017-06-29 16:17 - 2017-06-25 15:11 - 00000095 _____ C:\WINDOWS\Settings.ini
2017-06-29 14:17 - 2016-10-09 06:29 - 00187408 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-06-29 14:17 - 2016-10-08 18:57 - 00044496 _____ C:\Documents and Settings\Peter Bahniuk\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2017-06-29 14:08 - 2016-10-08 18:41 - 00023392 _____ C:\WINDOWS\system32\nscompat.tlb
2017-06-29 14:08 - 2016-10-08 18:41 - 00016832 _____ C:\WINDOWS\system32\amcompat.tlb
2017-06-29 14:07 - 2016-10-08 18:43 - 00000000 __SHD C:\Documents and Settings\LocalService
2017-06-29 13:55 - 2016-10-09 06:29 - 00000000 ____D C:\Documents and Settings
2017-06-27 17:16 - 2016-10-08 18:44 - 00000000 ____D C:\Documents and Settings\Peter Bahniuk
2017-06-27 17:16 - 2016-10-08 18:43 - 00000000 __SHD C:\Documents and Settings\NetworkService
 
==================== Files in the root of some directories =======
 
2016-10-24 21:04 - 2016-10-24 21:04 - 0087608 _____ () C:\Documents and Settings\Peter Bahniuk\Application Data\inst.exe
2016-10-09 21:03 - 2017-03-02 20:03 - 0000651 _____ () C:\Documents and Settings\Peter Bahniuk\Application Data\pacemaker.ini
2016-10-09 21:03 - 2016-10-09 21:03 - 0000010 _____ () C:\Documents and Settings\Peter Bahniuk\Application Data\pacemaker_songparams.txt
2016-10-24 21:04 - 2016-10-24 21:04 - 0007887 _____ () C:\Documents and Settings\Peter Bahniuk\Application Data\pcouffin.cat
2016-10-24 21:04 - 2016-10-24 21:04 - 0001144 _____ () C:\Documents and Settings\Peter Bahniuk\Application Data\pcouffin.inf
2016-10-24 21:04 - 2016-10-24 21:04 - 0000034 _____ () C:\Documents and Settings\Peter Bahniuk\Application Data\pcouffin.log
2016-10-24 21:04 - 2016-10-24 21:04 - 0047360 _____ (VSO Software) C:\Documents and Settings\Peter Bahniuk\Application Data\pcouffin.sys
2016-11-14 19:23 - 2016-11-14 19:23 - 0003584 _____ () C:\Documents and Settings\Peter Bahniuk\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
Some files in TEMP:
====================
2017-07-27 01:57 - 2017-06-29 11:43 - 3700288 _____ (Foxit Corporation) C:\Documents and Settings\Administrator\Local Settings\Temp\FoxitUpdater.exe
2017-07-26 20:45 - 2017-07-27 02:32 - 0000000 _____ () C:\Documents and Settings\Peter Bahniuk\Local Settings\Temp\parctmp.exe
2016-10-10 10:50 - 2006-05-25 05:10 - 0455600 ____R (Macrovision Corporation) C:\Documents and Settings\Peter Bahniuk\Local Settings\Temp\_is1.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End of FRST.txt ============================
 
FRST Addition log -
 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 26-07-2017
Ran by Peter Bahniuk (27-07-2017 10:23:21)
Running from C:\Documents and Settings\Peter Bahniuk\Desktop
Microsoft Windows XP Professional Service Pack 3, v.3264 (X86) (2016-10-08 06:42:53)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1390067357-606747145-725345543-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-1390067357-606747145-725345543-1004 - Limited - Enabled)
Guest (S-1-5-21-1390067357-606747145-725345543-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1390067357-606747145-725345543-1000 - Limited - Disabled)
Peter Bahniuk (S-1-5-21-1390067357-606747145-725345543-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Peter Bahniuk
SUPPORT_388945a0 (S-1-5-21-1390067357-606747145-725345543-1002 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 16.00 (HKLM\...\7-Zip) (Version: 16.00 - Igor Pavlov)
Adobe Flash Player 23 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 23.0.0.207 - Adobe Systems Incorporated)
Adobe Flash Player 23 PPAPI (HKLM\...\Adobe Flash Player PPAPI) (Version: 23.0.0.207 - Adobe Systems Incorporated)
Adobe Flash Player 24 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 24.0.0.221 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{33C731E7-B72A-1587-A3EF-054FCC011A3C}) (Version: 8.0.891.0 - Advanced Micro Devices, Inc.)
Auslogics Disk Defrag Professional (HKLM\...\{ADE1535C-C836-4F2E-BDA1-1C7C304743E3}_is1) (Version: 4.3.4.0 - Auslogics Software Pty Ltd)
Auslogics Registry Cleaner (HKLM\...\{8D8024F1-2945-49A5-9B78-5AB7B11D7942}_is1) (Version: 3.4.0.0 - Auslogics Labs Pty Ltd)
Bass Audio Decoder (remove only) (HKLM\...\Bass Audio Decoder) (Version:  - )
Blue Cat's Stereo Flanger VST 2.62 (HKLM\...\{0F0B0627-3CC7-4C3D-B246-D84FD3B30488}) (Version: 2.62 - Blue Cat Audio)
Corel PaintShop Pro X6 (HKLM\...\_{166D1CB6-DD8A-40DD-9E25-4D31D2D6DE4D}) (Version: 16.1.0.48 - Corel Corporation)
Corel PaintShop Pro X6 (HKLM\...\{161AB62E-65D6-46E5-B3D8-2AC15D3B920B}) (Version: 16.1.0.48 - Corel Corporation) Hidden
Creative Audio Control Panel (HKLM\...\AudioCS) (Version: 3.00 - Creative Technology Limited)
Creative Software AutoUpdate (HKLM\...\Creative Software AutoUpdate) (Version: 1.41 - Creative Technology Limited)
Delta Force Task Force Dagger (HKLM\...\Delta Force Task Force Dagger) (Version:  - )
DirectVobSub (remove only) (HKLM\...\DirectVobSub) (Version:  - )
EasyBCD 2.2 (HKLM\...\EasyBCD) (Version: 2.2 - NeoSmart Technologies)
Etron USB3.0 Host Controller (HKLM\...\{DFBB738C-71D8-4DC5-B8D2-D65C37680E27}) (Version: 0.109 - Etron Technology) Hidden
Etron USB3.0 Host Controller (HKLM\...\InstallShield_{DFBB738C-71D8-4DC5-B8D2-D65C37680E27}) (Version: 0.109 - Etron Technology)
GetDiz (HKLM\...\GetDiz) (Version: 4.91 - Outertech)
HashTab 5.2.0.14 (HKLM\...\HashTab) (Version: 5.2.0.14 - Implbits Software)
HL-3150CDN (HKLM\...\{C6580DE1-F539-4700-ADD2-3185121E51A8}) (Version: 1.0.1.0 - Brother Industries, Ltd.)
HWiNFO32 Version 5.38 (HKLM\...\HWiNFO32_is1) (Version: 5.38 - Martin Malík - REALiX)
ICA (HKLM\...\{166D1CB6-DD8A-40DD-9E25-4D31D2D6DE4D}) (Version: 16.1.0.48 - Corel Corporation) Hidden
ImgBurn (HKLM\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Internet Download Manager (HKLM\...\Internet Download Manager) (Version:  - Tonec Inc.)
IPM_PSP_COM (HKLM\...\{164D34E1-0271-4960-8A26-E8990A302DB1}) (Version: 16.1.0.48 - Corel Corporation) Hidden
IrfanView (remove only) (HKLM\...\IrfanView) (Version: 4.42 - Irfan Skiljan)
K-Meleon 75.0 (x86 en-US) (HKLM\...\K-Meleon 75.0 (x86 en-US)) (Version: 75.0 - kmeleonbrowser.org)
LAV Filters 0.68.1 (HKLM\...\lavfilters_is1) (Version: 0.68.1 - Hendrik Leppkes)
LSI PCI-SV92PP Soft Modem (HKLM\...\LSI Soft Modem) (Version: 2.2.96 - LSI Corporation)
MadVR (remove only) (HKLM\...\MadVR) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Mozilla Firefox 49.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 49.0.1 (x86 en-US)) (Version: 49.0.1 - Mozilla)
Nero 11 DiscSpeed (HKLM\...\{B8B03F99-F600-4D96-ADBD-2F384240FB9C}) (Version: 11.0.00400 - Nero AG)
NirSoft BlueScreenView (HKLM\...\NirSoft BlueScreenView) (Version:  - )
nLite 1.4.9.3 (HKLM\...\nLite_is1) (Version: 1.4.9.3 - Dino Nuhagic (nuhi))
OpenAL (HKLM\...\OpenAL) (Version:  - )
Opera 12.17 (HKLM\...\Opera 12.17.1863) (Version: 12.17.1863 - Opera Software ASA)
Opera Stable 36.0.2130.65 (HKLM\...\Opera 36.0.2130.65) (Version: 36.0.2130.65 - Opera Software)
Opti Drive Control 1.70 (HKLM\...\{80157B54-DB3E-4EE9-8AD8-63A905765FF4}_is1) (Version:  - Erik Deppe)
PaceMaker plug-in for Winamp and MediaMonkey (HKLM\...\PaceMaker plug-in) (Version: 2.7 - PaceMaker plug-inc.)
PFF Editor 1.2.9 (HKLM\...\PFF Editor_is1) (Version:  - Dfzone.be)
PotPlayer (HKLM\...\PotPlayer) (Version:  - Kakao Corp.)
PowerArchiver 2016 (HKLM\...\{A18ABA31-100B-4650-A221-0C13B08AD585}) (Version: 16.10.07 - ConeXware, Inc.) Hidden
PowerArchiver 2016 (HKLM\...\PowerArchiver 2016 16.10.07) (Version: 16.10.07 - ConeXware, Inc.)
PSPPContent (HKLM\...\{162BD2D6-6C63-41A7-8151-93188450D36A}) (Version: 16.1.0.48 - Corel Corporation) Hidden
PSPPHelp (HKLM\...\{16346B2A-87BC-407C-9D6B-72A4D21ABF03}) (Version: 16.1.0.48 - Corel Corporation) Hidden
Quake II (HKLM\...\Quake2UninstallKey) (Version:  - )
RimhillEx 1.08 (HKU\S-1-5-21-1390067357-606747145-725345543-1003\...\RimhillEx_is1) (Version:  - the sz development)
Setup (HKLM\...\{16006EE1-DDB7-4E5F-8696-9FEF32C0151A}) (Version: 16.1.0.48 - Corel Corporation) Hidden
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1230 - SUPERAntiSpyware.com)
swMSM (HKLM\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TMPGEnc Plus 2.5 (HKLM\...\{2A1E27FF-BE53-45B4-950F-060236E98E3D}) (Version: 2.524.63.181 - Pegasys Inc.) Hidden
TMPGEnc Plus 2.5 (HKLM\...\InstallShield_{2A1E27FF-BE53-45B4-950F-060236E98E3D}) (Version: 2.524.63.181 - Pegasys Inc.)
Vivaldi (HKLM\...\Vivaldi) (Version: 1.0.435.46 - Vivaldi)
VSO Inspector 2.0.2 (HKLM\...\VSO Inspector_is1) (Version:  - VSO-Software SARL)
WebFldrs XP (HKLM\...\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}) (Version: 9.50.7523 - Microsoft Corporation) Hidden
Winamp (HKLM\...\Winamp) (Version: 5.666  - Nullsoft, Inc)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Zoom Player (remove only) (HKLM\...\ZoomPlayer) (Version: 12.7 - Inmatrix LTD)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ShellIconOverlayIdentifiers: [ IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files\Internet Download Manager\IDMShellExt.dll [2017-06-24] (Tonec Inc.)
ContextMenuHandlers01: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-05-10] (Igor Pavlov)
ContextMenuHandlers01: [Corel PaintShop Pro X6] -> {8D7FD0F0-C023-4451-B68B-CD054993F53D} => c:\Program Files\Corel\Corel PaintShop Pro X6\PSPContextMenu.dll [2013-10-17] (Corel Software, Inc.)
ContextMenuHandlers01: [PowerArchiver] -> {d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e} => C:\Program Files\PowerArchiver\PASHLEXT.DLL [2016-04-11] (ConeXware, Inc.)
ContextMenuHandlers02: [Corel PaintShop Pro X6] -> {8D7FD0F0-C023-4451-B68B-CD054993F53D} => c:\Program Files\Corel\Corel PaintShop Pro X6\PSPContextMenu.dll [2013-10-17] (Corel Software, Inc.)
ContextMenuHandlers04: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-05-10] (Igor Pavlov)
ContextMenuHandlers04: [Corel PaintShop Pro X6] -> {8D7FD0F0-C023-4451-B68B-CD054993F53D} => c:\Program Files\Corel\Corel PaintShop Pro X6\PSPContextMenu.dll [2013-10-17] (Corel Software, Inc.)
ContextMenuHandlers04: [ZPShellExt] -> {ABE00001-0123-ABED-1248-0248ADFA1909} => C:\Program Files\Zoom Player\zpshlext.dll [2008-08-12] ()
ContextMenuHandlers05: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll [2013-12-23] (Advanced Micro Devices, Inc.)
ContextMenuHandlers06: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-05-10] (Igor Pavlov)
ContextMenuHandlers06: [PowerArchiver] -> {d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e} => C:\Program Files\PowerArchiver\PASHLEXT.DLL [2016-04-11] (ConeXware, Inc.)
 
==================== Scheduled Tasks=============================
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\Opera scheduled Autoupdate 1478319800.job => C:\Program Files\Opera\launcher.exe
Task: C:\WINDOWS\Tasks\Tweaking.com - Windows Repair Tray Icon.job => C:\Program Files\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe C:\Program Files\Tweaking.com\Windows Repair (All in One)Tweaking.com - Windows Repair)Created By Tweaking.com
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Zoom Player\Buy or Upgrade Zoom Player.lnk -> hxxp://inmatrix.com/shop_relay/buyshortcut.shtm
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Zoom Player\Download Skins.lnk -> hxxp://skins.inmatrix.com
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Zoom Player\Video Tutorials.lnk -> hxxp://inmatrix.com/tutorial_redir.htm
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Zoom Player\Help\Forum.lnk -> hxxp://forum.inmatrix.com
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Zoom Player\Help\Frequently Asked Questions.lnk -> hxxp://www.inmatrix.com/zplayer/fa
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Zoom Player\Help\Home Page.lnk -> hxxp://www.inmatrix.com
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Zoom Player\Help\Online Help.lnk -> hxxp://www.inmatrix.com/zplaye
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Zoom Player\Help\Usage Guides.lnk -> hxxp://www.inmatrix.com/articles.shtm
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\NeoSmart Technologies\EasyBCD\Online Documentation.lnk -> hxxp://neosmart.net/wiki/display/EBCD
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-10-08 23:49 - 2016-10-08 23:48 - 00008192 _____ () C:\WINDOWS\system32\srvany.exe
2016-10-08 23:49 - 2016-10-08 23:48 - 00151552 _____ () C:\WINDOWS\KMService.exe
2014-03-01 00:20 - 2014-03-01 00:20 - 00002560 _____ () C:\WINDOWS\CTXFIRES.DLL
2010-03-16 11:22 - 2010-03-16 11:22 - 00014848 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\AxInterop.WBOCXLib.dll
2014-01-07 10:28 - 2014-01-07 10:28 - 00016384 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll
2013-12-23 02:15 - 2013-12-23 02:15 - 00270336 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Documents and Settings\Peter Bahniuk\Local Settings\Application Data\desktop.ini:722b2b1c349a06abf0e866180e5a7e63 [368]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PAexec => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PAexec => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SamSs => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv2 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srvnet => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WSService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2006-03-01 00:00 - 2017-06-29 14:09 - 00000855 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1390067357-606747145-725345543-1003\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Bliss.bmp
DNS Servers: 203.97.78.43 - 203.97.78.44
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
DomainProfile\AuthorizedApplications: [C:\Program Files\Winamp\winamp.exe] => Enabled:Winamp
DomainProfile\AuthorizedApplications: [C:\Program Files\DAUM\PotPlayer\PotPlayerMini.exe] => Enabled:PotPlayer (32-Bit)
StandardProfile\AuthorizedApplications: [C:\Program Files\Opera\opera.exe] => Enabled:Opera Internet Browser
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
StandardProfile\AuthorizedApplications: [C:\Program Files\Winamp\winamp.exe] => Enabled:Winamp
StandardProfile\AuthorizedApplications: [C:\Program Files\Vivaldi\Application\vivaldi.exe] => Enabled:Vivaldi
StandardProfile\AuthorizedApplications: [C:\Program Files\DAUM\PotPlayer\PotPlayerMini.exe] => Enabled:PotPlayer (32-Bit)
StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22008
 
==================== Restore Points =========================
 
29-06-2017 13:48:09 System Checkpoint
26-07-2017 21:52:52 System Checkpoint
27-07-2017 00:43:14 Removed Adobe Reader XI.
27-07-2017 00:56:24 Printer Driver Foxit Reader PDF Printer Driver Installed
 
==================== Faulty Device Manager Devices =============
 
Name: PCI Device
Description: PCI Device
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: Video Controller
Description: Video Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: Ethernet Controller
Description: Ethernet Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/27/2017 10:07:43 AM) (Source: LoadPerf) (EventID: 3011) (User: )
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.
 
Error: (07/27/2017 10:07:43 AM) (Source: LoadPerf) (EventID: 3012) (User: )
Description: The performance strings in the Performance registry value is corrupted when
process Performance extension counter provider. BaseIndex value from Performance
registry is the first DWORD in Data section, LastCounter value is the second
DWORD in Data section, and LastHelp value is the third DWORD in Data section.
 
Error: (06/29/2017 02:14:47 PM) (Source: COM+) (EventID: 4689) (User: )
Description: The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Error in d:\xpsp\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 8007043c: InitEventCollector failed
 
Error: (06/29/2017 02:14:46 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040206.
 
Error: (06/29/2017 02:14:46 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043C from line 44 of f:\xpsp2\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.
 
Error: (06/29/2017 02:14:46 PM) (Source: VSS) (EventID: 4101) (User: )
Description: Volume Shadow Copy Service error: Cannot obtain the collection 'Applications' from the COM+ catalog [0x8007043c].
 
Error: (06/29/2017 02:14:35 PM) (Source: COM+) (EventID: 4689) (User: )
Description: The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Error in d:\xpsp\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 8007043c: InitEventCollector failed
 
Error: (06/29/2017 02:14:34 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040206.
 
Error: (06/29/2017 02:14:34 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043C from line 44 of f:\xpsp2\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.
 
Error: (06/29/2017 02:14:34 PM) (Source: VSS) (EventID: 4101) (User: )
Description: Volume Shadow Copy Service error: Cannot obtain the collection 'Applications' from the COM+ catalog [0x8007043c].
 
 
System errors:
=============
Error: (07/27/2017 10:03:58 AM) (Source: 0) (EventID: 4311) (User: )
Description: Event-ID 4311
 
Error: (07/27/2017 10:03:35 AM) (Source: DCOM) (EventID: 10005) (User: MINE)
Description: DCOM got error "%%1058 = The service cannot be started, either because it is disabled or because it has no enabled devices associated with it." attempting to start the service BrYNSvc with arguments ""
in order to run the server:
{F2189AE3-E432-427F-93B6-38D1C6F5E8D4}
 
Error: (07/27/2017 10:03:35 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services administrative tool.
 
Error: (07/27/2017 10:03:34 AM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.
 
Error: (07/27/2017 10:03:34 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services administrative tool.
 
Error: (07/27/2017 09:59:17 AM) (Source: 0) (EventID: 4311) (User: )
Description: Event-ID 4311
 
Error: (07/27/2017 09:58:52 AM) (Source: DCOM) (EventID: 10005) (User: MINE)
Description: DCOM got error "%%1058 = The service cannot be started, either because it is disabled or because it has no enabled devices associated with it." attempting to start the service BrYNSvc with arguments ""
in order to run the server:
{F2189AE3-E432-427F-93B6-38D1C6F5E8D4}
 
Error: (07/27/2017 09:58:52 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services administrative tool.
 
Error: (07/27/2017 09:58:51 AM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.
 
Error: (07/27/2017 09:58:51 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services administrative tool.
 
 
==================== Memory info =========================== 
 
Processor:  Intel® Core™ i5-3570K CPU @ 3.40GHz
Percentage of memory in use: 14%
Total physical RAM: 2966.07 MB
Available physical RAM: 2522.79 MB
Total Virtual: 4852.79 MB
Available Virtual: 4516.61 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:97.76 GB) (Free:79.93 GB) NTFS ==>[drive with boot components (Windows XP)]
Drive d: () (Fixed) (Total:119.73 GB) (Free:13.84 GB) NTFS ==>[drive with boot components (Windows XP)]
Drive e: () (Fixed) (Total:353.01 GB) (Free:226.22 GB) NTFS
Drive f: () (Fixed) (Total:14.99 GB) (Free:10.93 GB) NTFS
Drive g: () (Fixed) (Total:310 GB) (Free:16.81 GB) NTFS
Drive h: () (Fixed) (Total:35.91 GB) (Free:14.81 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 66CD451A)
Partition 1: (Active) - (Size=119.7 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=310 GB) - (Type=OF Extended)
Partition 3: (Not Active) - (Size=35.9 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 465.8 GB) (Disk ID: 4B19BE7B)
Partition 1: (Active) - (Size=97.8 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=368 GB) - (Type=OF Extended)
 
==================== End of Addition.txt ============================
 
 
Not sure about the KMService.exe, but otherwise everything else seems OK(?)
 
Haven't as yet run any anti-malware/anti-virus, waiting for your comments first.
 
Thanks!

Edited by brispuss, 26 July 2017 - 04:58 PM.




#2 RKinner (Malware Expert)

Get Process Explorer
 
Save it to your desktop then run it (Vista or Win7+ - right click and Run As Administrator).  
 
View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures
 
 
Click twice on the CPU column header  to sort things by CPU usage with the big hitters at the top.  
 
Wait a full minute then:
 
File, Save As, Save.  Note the file name.   Open the file  on your desktop and copy and paste the text to a reply.
 
 
 
 
Get the free version of Speccy:
 
http://www.filehippo...download_speccy (Look in the upper right for the Download
Latest Version button  - Do NOT press the large Start Download button on the upper left!)  
Download, Save and Install it.  Tell it you do not need CCLEANER.    Run Speccy.  When it finishes (the little icon in the bottom left will stop moving), 
File, Save as Text File,  (to your desktop) note the name it gives. OK.  Open the file in notepad and delete the line that gives the serial number of your Operating System.  
(It will be near the top,  10-20  lines down.) Save the file.  Attach the file to your next post.  Attaching the log is the best option as it is too big for the forum.  Attaching is a multi step process.
 
First click on More Reply Options
Then scroll down to where you see
Choose File and click on it.  Point it at the file and hit Open.
Now click on Attach this file.


#3 brispuss (Topic Starter)

Thanks for the response!

 

I have fairly recently run anti-malware programs in conjunction with RKill. They found a few minor infections which were quarantined.

 

Here is Process Explorer log -

 

Process CPU Private Bytes Working Set PID Description Company Name Verified Signer
System Idle Process 96.92 0 K 28 K 0
vivaldi.exe 1.54 67,856 K 118,172 K 3312 Vivaldi Vivaldi Technologies AS (Verified) Vivaldi Technologies AS
Interrupts 1.15 0 K 0 K n/a Hardware Interrupts and DPCs
procexp.exe 0.38 21,964 K 28,432 K 3836 Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation
wuauclt.exe 5,656 K 5,360 K 3272 Automatic Updates Microsoft Corporation (Verified) Microsoft Windows Component Publisher
wscntfy.exe 540 K 2,268 K 1852 Windows Security Center Notification App Microsoft Corporation (Verified) Microsoft Windows Component Publisher
wmiprvse.exe 1,772 K 4,828 K 3528 WMI Microsoft Corporation (Verified) Microsoft Windows Component Publisher
winlogon.exe 7,360 K 2,420 K 432 Windows NT Logon Application Microsoft Corporation (Verified) Microsoft Windows Component Publisher
vivaldi.exe 82,092 K 18,344 K 2892 Vivaldi Vivaldi Technologies AS (Verified) Vivaldi Technologies AS
vivaldi.exe 54,304 K 73,200 K 3080 Vivaldi Vivaldi Technologies AS (Verified) Vivaldi Technologies AS
vivaldi.exe 1,868 K 3,204 K 2900 Vivaldi Vivaldi Technologies AS (Verified) Vivaldi Technologies AS
vivaldi.exe 30,428 K 33,328 K 3072 Vivaldi Vivaldi Technologies AS (Verified) Vivaldi Technologies AS
System 0 K 240 K 4
svchost.exe 3,044 K 4,928 K 668 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 1,884 K 4,476 K 728 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 13,504 K 23,228 K 768 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 1,252 K 3,288 K 824 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 1,496 K 4,172 K 912 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 2,364 K 4,200 K 1448 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
SUPERAntiSpyware.exe 14,036 K 7,012 K 2068 SUPERAntiSpyware Application SUPERAntiSpyware (Verified) SUPERAntiSpyware.com
spoolsv.exe 3,124 K 4,616 K 1096 Spooler SubSystem App Microsoft Corporation (Verified) Microsoft Windows Component Publisher
smss.exe 172 K 392 K 340 Windows NT Session Manager Microsoft Corporation (Verified) Microsoft Windows Component Publisher
services.exe 1,820 K 3,632 K 476 Services and Controller app Microsoft Corporation (Verified) Microsoft Windows Component Publisher
SASCore.exe 1,688 K 2,264 K 1256 Core Service SUPERAntiSpyware.com (Verified) SUPERAntiSpyware.com
RimhillEx.exe 972 K 3,840 K 2140 RimhillEx the sz development (No signature was present in the subject) the sz development
PsiService_2.exe 528 K 2,032 K 1368 PsiService PsiService Protexis Inc. (Verified) Protexis Inc.
MOM.exe 28,208 K 4,420 K 2156 Catalyst Control Center: Monitoring program Advanced Micro Devices Inc. (No signature was present in the subject) Advanced Micro Devices Inc.
mbamtray.exe 17,508 K 19,032 K 1160 Malwarebytes Tray Application Malwarebytes (Verified) Malwarebytes Corporation
MBAMService.exe 39,916 K 47,008 K 1536 Malwarebytes Service Malwarebytes (Verified) Malwarebytes Corporation
lsass.exe 3,896 K 2,060 K 488 LSA Shell (Export Version) Microsoft Corporation (Verified) Microsoft Windows Component Publisher
IEMonitor.exe 1,064 K 3,652 K 2384 Internet Download Manager agent for click monitoring in IE-based browsers Tonec Inc. (Verified) Tonec Inc.
IDMan.exe 3,456 K 9,236 K 2096 Internet Download Manager (IDM) Tonec Inc. (Verified) Tonec Inc.
explorer.exe 30,040 K 11,260 K 1720 Windows Explorer Microsoft Corporation (Verified) Microsoft Windows Component Publisher
CTxfispi.exe 3,120 K 5,432 K 2228 SPI (Creative X-Fi Module) Creative Technology Ltd (No signature was present in the subject) Creative Technology Ltd
Ctxfihlp.exe 3,568 K 5,948 K 1340 CTXfiHlp MFC Application Creative Technology Ltd (No signature was present in the subject) Creative Technology Ltd
ctfmon.exe 860 K 3,244 K 2076 CTF Loader Microsoft Corporation (Verified) Microsoft Windows Component Publisher
CTAudSvc.exe 816 K 2,688 K 1180 Creative Audio Service Creative Technology Ltd (No signature was present in the subject) Creative Technology Ltd
csrss.exe 1,548 K 5,116 K 392 Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows Component Publisher
Compact Tray Meter.exe 1,188 K 4,756 K 2084 Compact Tray Meter Utility www.dennisbabkin.com (Verified) Dennis A. Babkin
CCC.exe 40,340 K 5,572 K 2344 Catalyst Control Center: Host application ATI Technologies Inc. (No signature was present in the subject) ATI Technologies Inc.
ati2evxx.exe 1,916 K 3,344 K 652 ATI External Event Utility EXE Module ATI Technologies Inc. (No signature was present in the subject) ATI Technologies Inc.
ati2evxx.exe 2,764 K 4,924 K 896 ATI External Event Utility EXE Module ATI Technologies Inc. (No signature was present in the subject) ATI Technologies Inc.
alg.exe 1,124 K 3,508 K 2012 Application Layer Gateway Service Microsoft Corporation (Verified) Microsoft Windows Component Publisher
agrsmsvc.exe 368 K 1,284 K 1272 LSI Soft Modem Call Progress Service LSI Corporation (Verified) Microsoft Windows Hardware Compatibility Publisher
 
 
Here is the log for Speccy -
 
Attached File  Speccy.txt   47.72KB   394 downloads

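The two checks the expert asked for in post #2 (verify image signatures, then sort by CPU) can be repeated against the saved listing from post #3 without eyeballing 40 rows. The script below is an added example, not code from the thread, from Sysinternals or from the poster. It assumes the tab-delimited text that Process Explorer's File > Save As writes, with one header row carrying the column names visible in post #3 (Process, CPU, Private Bytes, Working Set, PID, Description, Company Name, Verified Signer). SAMPLE_LISTING is a handful of rows transcribed from that post with the tabs restored; it is constructed test data, not the real saved file.

```python
"""Triage a Process Explorer 'File > Save As' listing by code signature and CPU.

Added example; not code from the thread, from Sysinternals or from the poster.
Assumes Process Explorer's tab-delimited save format with one header row.
SAMPLE_LISTING is constructed test data (rows transcribed from post #3).
"""
import csv
import io

_ROWS = [
    ("Process", "CPU", "Private Bytes", "Working Set", "PID",
     "Description", "Company Name", "Verified Signer"),
    ("System Idle Process", "96.92", "0 K", "28 K", "0", "", "", ""),
    ("vivaldi.exe", "1.54", "67,856 K", "118,172 K", "3312", "Vivaldi",
     "Vivaldi Technologies AS", "(Verified) Vivaldi Technologies AS"),
    ("Interrupts", "1.15", "0 K", "0 K", "n/a", "Hardware Interrupts and DPCs", "", ""),
    ("procexp.exe", "0.38", "21,964 K", "28,432 K", "3836", "Sysinternals Process Explorer",
     "Sysinternals - www.sysinternals.com", "(Verified) Microsoft Corporation"),
    ("RimhillEx.exe", "", "972 K", "3,840 K", "2140", "RimhillEx",
     "the sz development", "(No signature was present in the subject) the sz development"),
    ("MOM.exe", "", "28,208 K", "4,420 K", "2156", "Catalyst Control Center: Monitoring program",
     "Advanced Micro Devices Inc.", "(No signature was present in the subject) Advanced Micro Devices Inc."),
    ("CTxfispi.exe", "", "3,120 K", "5,432 K", "2228", "SPI (Creative X-Fi Module)",
     "Creative Technology Ltd", "(No signature was present in the subject) Creative Technology Ltd"),
    ("explorer.exe", "", "30,040 K", "11,260 K", "1720", "Windows Explorer",
     "Microsoft Corporation", "(Verified) Microsoft Windows Component Publisher"),
]
SAMPLE_LISTING = "\n".join("\t".join(r) for r in _ROWS) + "\n"


def parse_listing(text):
    """Rows as dicts keyed by the header names (tab-delimited like the saved file)."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def cpu_percent(row):
    """CPU column as a float; blank (idle at sample time) or '< 0.01' count as 0."""
    try:
        return float(row.get("CPU") or "")
    except ValueError:
        return 0.0


def signature_state(row):
    """'verified'   = Authenticode chain to a trusted root checked out,
    'unverified' = no or invalid signature (Process Explorer prints the reason),
    'none'       = pseudo-process such as Idle or Interrupts (no image file)."""
    signer = (row.get("Verified Signer") or "").strip()
    if not signer:
        return "none"
    return "verified" if signer.startswith("(Verified)") else "unverified"


def unverified_processes(text):
    """(process, pid, signer text) for every real process that is not verified,
    sorted by name. Unsigned is a lead, not a verdict: old OEM utilities are
    often unsigned, so check the image path, vendor and file hash before acting."""
    hits = [
        (r["Process"], r["PID"], r["Verified Signer"])
        for r in parse_listing(text)
        if signature_state(r) == "unverified"
    ]
    return sorted(hits)


def top_cpu(text, n=3):
    """(process, cpu%) for the n heaviest rows. 'System Idle Process' at the
    top means the box was not CPU-bound when the listing was taken."""
    rows = parse_listing(text)
    rows.sort(key=cpu_percent, reverse=True)
    return [(r["Process"], cpu_percent(r)) for r in rows[:n]]
```

On the listing in post #3 this reports the three unsigned binaries (RimhillEx.exe, MOM.exe, CTxfispi.exe and their siblings) and confirms that System Idle Process holds almost all the CPU, which is the same reading the expert gives in post #4. A listing saved while the fan is actually spinning up is the one worth running it on.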

#4 RKinner (Malware Expert)

Not seeing anything.  Process Explorer looks really good.  System Idle is way over 90% and Interrupts value is below 1.4% so it should be pretty quick.  Nothing odd running other than rimhill, which appears to be legit.  

 

Speccy says your hard drives are clean and the temps are very low.  Can't really trust Speccy for temps these days though, plus it's only been on for a little while, so let's get a second opinion:

 

 
Download, save and Install it  then run it
 
What is the highest temp you see?  Leave it on for a while and see if it goes up.  Try running a scan or watch a video and see if it goes up a lot.
 
It will tell you your temps in real time in the systray when minimized, though the default is to show the hard drive temp.  You can change it:  Hit Configure then click on the highest temp and check Show in tray
 
Since you don't have problems with your other OS we can rule out RAM.  It would not hurt to let it do a disk check and see if something is messed up in the file system:
 
1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.
 
Start, Run, eventvwr.msc, OK to bring up the Event Viewer.  Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application. 
 
Reboot. 
 
The disk check will run and will probably take an hour or more to finish.
 
This next step often doesn't work on XP but give it a shot:
 
Start, Run, sfc /scannow, OK
 
SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.
If you get too many requests for the disk  you can just Ctrl + c to kill it.
 
Start, Run, sigverif, OK
 
Press Start. This will check your drivers. If you just get a few when it finishes tell me what they are. If you get a lot just look for those with newish dates (since about the time the problem started.)
 
1. Please download the Event Viewer Tool by Vino Rosso
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:
 
* System
4. Under 'Select type to list', select:
* Error
* Warning
 
 
Then use the 'Number of events' as follows:
 
 
1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.
 
 
Please post the Output log in your next reply then repeat but select Application. (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)
 
 
IF you haven't run a defrag recently you should do so:
 
Start, Run, defrag C: /f
 
 
 


#5 brispuss (Topic Starter)

First. The removal of "malware" previously may have improved matters, in that the CPU fan doesn't speed up when in Safe Mode. Also shutdowns are a bit quicker now.

 

The highest HDD temperature according to SpeedFan, so far, is 23° C, while browsing the internet and playing a video at the same time.

 

Ran CHKDSK and SFC. Both seem to run OK with no errors reported.

 

Regarding drivers, the only one which was "modified" anywhere near when the problems started (according to system dumps; refer to screenshot of system dump in first post) is the file pcouffin.sys which was "modified" on 10/24/2016.

 

Logs of system events attached -

 

system -

 

Vino's Event Viewer v01c run on Windows XP in English
Report run at 30/07/2017 11:05:08 a.m.
 
Note: All dates below are in the format dd/mm/yyyy
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 30/07/2017 10:44:18 a.m.
Type: error Category: 0
Event: 4311 Source: NetBT
Initialization failed because the driver device could not be created. 
 
Log: 'System' Date/Time: 30/07/2017 10:44:09 a.m.
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1058" attempting to start the service BrYNSvc with arguments "" in order to run the server: {F2189AE3-E432-427F-93B6-38D1C6F5E8D4} 
 
Log: 'System' Date/Time: 30/07/2017 10:44:07 a.m.
Type: error Category: 0
Event: 10016 Source: DCOM
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services administrative tool. 
 
Log: 'System' Date/Time: 30/07/2017 10:43:59 a.m.
Type: error Category: 0
Event: 3095 Source: NETLOGON
This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration. 
 
Log: 'System' Date/Time: 30/07/2017 10:43:58 a.m.
Type: error Category: 0
Event: 10016 Source: DCOM
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services administrative tool. 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 30/07/2017 10:44:07 a.m.
Type: warning Category: 0
Event: 825 Source: Rasman
The event description cannot be found.
 
 
application -
 

Vino's Event Viewer v01c run on Windows XP in English
Report run at 30/07/2017 11:06:13 a.m.
 
Note: All dates below are in the format dd/mm/yyyy
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 30/07/2017 10:48:21 a.m.
Type: error Category: 0
Event: 3011 Source: LoadPerf
Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The Error code is the first DWORD in Data section. 
 
Log: 'Application' Date/Time: 30/07/2017 10:48:21 a.m.
Type: error Category: 0
Event: 3012 Source: LoadPerf
The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. BaseIndex value from Performance registry is the first DWORD in Data section, LastCounter value is the second DWORD in Data section, and LastHelp value is the third DWORD in Data section. 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I have now disabled several devices under Device Manager, see screenshot below -

Device_Manager.png

Note that the "Video Controller" has been disabled. This device relates to the integrated graphics, I believe, which has no drivers installed (I think). But I suspect that this might be the cause of a conflict with the standalone video card with its own drivers, which in turn may have caused the system crashes/restarts(?)

The question still remains: why can't the system boot into Safe Mode after selecting Safe Mode via "msconfig" and rebooting?

Screenshot of setting -

Safe Mode.png

EDIT: Just now rebooted, and once again I've lost the AMD video card drivers for the standalone video card (HD7700)!!??

Error message -

AMD Driver.png

And in Device Manager -

Video Driver Missing!.png

Note that the Display Adapter now has a yellow exclamation mark!

What is going on here? Why are the video drivers being lost so frequently!?

Seems I'll have to reinstall the video drivers again!

Edited by brispuss, 29 July 2017 - 05:48 PM.

#6 RKinner (Malware Expert, MVP, 24,624 posts)

As far as MSCONFIG and Safe Mode go, I expect that MSCONFIG modifies boot.ini, so if the permissions on C:\boot.ini have gotten screwed up it wouldn't be able to change it. Since you have XP Pro you can use

bootcfg /query

in a command prompt to see what is in boot.ini

notepad \boot.ini

might also work.

I don't have an XP handy right now, but you can probably see the file if you:

Open the Control Panel menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button.

Now right click on the Start button and select Explorer, then find C:\ and look in the right pane. Right click on boot.ini and select Properties, then Security. See who has Full Control.

You can also let FRST show you:

Put the next line in the FRST search box

ListPermissions: c:\boot.ini

Hit Fix. It should tell you what permissions boot.ini has.

Alternatively you can get Grant Perms:
Please download GrantPerms.zip and save it to your desktop.
Unzip the file and run GrantPerms.exe by right clicking and selecting Run As Admin.
Copy and paste the following in the edit box:

C:\boot.ini

Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run from.

You can then:

Click Unlock. When it is done click "OK".

Looking at your device manager, I do not see a network adapter. Is there one?
 
Some PCs require you to go into the BIOS to turn off the builtin Video.  You might look and see if yours has that option.
 
Your PC is XP Pro so it expects to be part of a corporate network.  Several services such as
 
Network Access Protection Agent 
 
NetLogon
 
should be turned off so as not to cause errors:
 
Start, Run, services.msc, OK to open the Services window.  Find each, right click and select properties then change the Startup Type to Disabled.  OK.
 
You can probably also disable
Remote Access Connection Manager while you are at it.  Not something most people need.
 
You can also turn off NetBT, which no one uses these days:

This is an odd error:

Log: 'System' Date/Time: 30/07/2017 10:44:09 a.m.
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1058" attempting to start the service BrYNSvc with arguments "" in order to run the server: {F2189AE3-E432-427F-93B6-38D1C6F5E8D4} 

1058 means it thinks it is in Safe Mode.

#7 brispuss (Topic Starter, Member, 50 posts)


Via Grant Permissions, the scan of boot.ini was -

GrantPerms by Farbar 
Ran by Peter Bahniuk (administrator) at 2017-07-30 13:12:09
 
===============================================
\\?\C:\boot.ini
 
   Owner: BUILTIN\Administrators
 
   DACL(P)(AI):
   BUILTIN\Administrators   FULL   ALLOW   (NI)
   NT AUTHORITY\SYSTEM   FULL   ALLOW   (NI)
   BUILTIN\Power Users   READ/EXECUTE   ALLOW   (NI)
   BUILTIN\Administrators   FULL   ALLOW   (NI)
   NT AUTHORITY\SYSTEM   FULL   ALLOW   (NI)
 
 
"Unlock" was applied in Grant Permissions.
 
GrantPerms by Farbar 
Ran by Peter Bahniuk (administrator) at 2017-07-30 13:16:44
 
===============================================
\\?\C:\boot.ini
 
   Owner: BUILTIN\Administrators
 
   DACL(P)(AI):
   BUILTIN\Administrators   FULL   ALLOW   (NI)
   NT AUTHORITY\SYSTEM   FULL   ALLOW   (NI)
   BUILTIN\Users   READ/EXECUTE   ALLOW   (NI)
 
 
 
There is no network adapter. I only have a dial-up modem (and an audio card, as well as the video card).
 
I checked for an option to disable the integrated graphics within BIOS, but haven't found it (yet). The nearest setting in BIOS is to just select the source of the primary video source from either the PCIe slot, or from integrated graphics. Setting is currently on PCIe slot (as it should be).
 
Disabled several services as mentioned, but Remote Access Connection Manager had already started and couldn't be stopped, although Startup Type was set to disabled for it.
 
Disabled "Netbios over Tcpip". I noticed that there was a yellow exclamation mark next to "Parport", if that means anything?

#8 RKinner (Malware Expert, MVP, 24,624 posts)


"Parport" is the old parallel port that used to be used for printers. You can disable it.

In MSCONFIG you have Network checked. Did you try unchecking it?

I'm surprised your modem works. Usually the PCI Simple Communication Controller is the modem.

Going to bed now.

#9 brispuss (Topic Starter, Member, 50 posts)


OK.

After reboot, I now no longer have a dial-up connection on my XP system. The modem itself seems to be OK, but there is no "network" connection; I can't dial out. I'll try to restore the previous settings and hope to get the dial-up connection back. I'm typing this on my W7 32 system, where my dial-up connection still works.

EDIT: Typing this via my XP system again! Got my dial-up connection back after undoing recent changes to Services (Remote Access Connection Manager; Net Logon; Network Access Protection Agent), and also re-enabling NetBIOS over TCPIP. By experimenting I could find out which of these is not really required for a dial-up connection, but not just now.

Edited by brispuss, 29 July 2017 - 10:41 PM.

#10 RKinner (Malware Expert, MVP, 24,624 posts)


Probably Remote Access Connection Manager; the others shouldn't be a problem.

#11 brispuss (Topic Starter, Member, 50 posts)


OK.

So far the video drivers have not "disappeared". Hope it stays that way.

BTW, after fairly extensive searching in BIOS, there isn't an option to disable integrated graphics, and there is no other version of BIOS available either.

Safe Mode booting via "msconfig" is still not working.

Running msconfig and selecting the Boot.ini tab, I notice that the SafeBoot box is already checked! Set SafeBoot to "Minimal", saved and restarted the computer, but again the system boots back to Normal Mode with the message box again appearing -

XP_boot.png

And the General tab via "msconfig" shows -

general.png

Boot.ini tab -

boot.ini.png

#12 RKinner (Malware Expert, MVP, 24,624 posts)


What does it say after /fastdetect? (On the last picture (boot.ini) you have to scroll to the right to see the rest of the line.)

Does it switch from Normal Startup to Selective when you check the Safe Mode box?

#13 brispuss (Topic Starter, Member, 50 posts)


Added screenshot of Boot.ini showing extended details -

Safe Boot Extended.png

And yes, the boot mode changes from Normal Startup to Selective Startup as soon as I make any changes to the Boot.ini settings.

Currently the boot mode is set at Normal Startup, but note that SafeBoot is checked automatically with the Network option.

#14 RKinner (Malware Expert, MVP, 24,624 posts)


Very strange that the /safeboot:network is there twice. It shouldn't be there at all for a normal boot, and just one should be added for safe mode.

You should be able to edit boot.ini in notepad:

Start, Run, notepad \boot.ini, OK

One guy suggested you can add additional boot options, then choose the one you want when it boots (the NTLDR switch is /safeboot, not /bootsafe):

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional, Safemode" /fastdetect /NoExecute=OptIn /safeboot:minimal
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional, Safemode Network" /fastdetect /NoExecute=OptIn /safeboot:network

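A small validator for the boot.ini defects this thread turns up: the same /safeboot switch listed twice, a mistyped switch name, and safe mode forced onto the default entry so every unattended boot is a safe-mode boot. This is an added example, not code from the thread or from any Microsoft or Farbar tool; the boot.ini text inside it is constructed to mirror the poster's screenshot, and the set of known switches is an assumption limited to what msconfig's Boot.ini tab exposes.

```python
import re

# Constructed sample mirroring the poster's screenshot: the only entry
# carries /safeboot:network twice, so msconfig shows SafeBoot pre-checked.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /safeboot:network /safeboot:network
"""

# NTLDR switches that msconfig's Boot.ini tab can toggle (assumed list).
KNOWN_SWITCHES = {"fastdetect", "noexecute", "safeboot", "bootlog",
                  "basevideo", "sos", "noguiboot"}


def parse_boot_ini(text):
    """Return (default ARC path, list of {arc, label, switches}) from boot.ini text."""
    section, default, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader":
            key, _, value = line.partition("=")
            if key.strip().lower() == "default":
                default = value.strip()
        elif section == "operating systems":
            # arc="label" /switch /switch=value ...
            m = re.match(r'([^=]+)="([^"]*)"\s*(.*)', line)
            if m:
                arc, label, rest = m.groups()
                switches = [s.lower() for s in re.findall(r"/(\S+)", rest)]
                entries.append({"arc": arc.strip(), "label": label, "switches": switches})
    return default, entries


def find_problems(text):
    """List boot.ini defects in a stable order; an empty list means the file is clean."""
    default, entries = parse_boot_ini(text)
    problems = []
    default_entry = next((e for e in entries if e["arc"] == default), None)
    if default_entry is None:
        problems.append("default= does not name any [operating systems] entry")
    for e in entries:
        # "/safeboot:network" -> "safeboot", "/NoExecute=OptIn" -> "noexecute"
        names = [s.split(":")[0].split("=")[0] for s in e["switches"]]
        for n in sorted(set(names)):
            if names.count(n) > 1:
                problems.append(f'{e["label"]}: /{n} appears {names.count(n)} times')
            if n not in KNOWN_SWITCHES:
                problems.append(f'{e["label"]}: unrecognised switch /{n}')
        # /safeboot on the default entry makes every unattended boot a safe-mode boot.
        if e is default_entry and "safeboot" in names:
            problems.append(f'{e["label"]}: default entry carries /safeboot')
    return problems
```

Run `find_problems` over a copy of the live file (it is hidden, read-only and system on XP) rather than over boot.ini in place.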

#15 brispuss (Topic Starter, Member, 50 posts)


I also thought it odd that there were two entries for the "Network" option in Boot.ini.

After disabling Read Only status, the Boot.ini file was edited, so it now reads -

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Boot.ini modified file saved and Read Only status re-enabled.

On running msconfig, the Safe Boot option is now unchecked (see screenshot) -

Edited Boot.ini.png

I'm presuming that the "malware" removed earlier on may have had something to do with the odd settings in the Boot.ini file, as CHKDSK and SFC didn't find any errors otherwise.

Is there anything else that needs to be done to ensure as far as possible that there is no (other) malware present, or that there are no issues with any legitimate (system) files?

I will probably run further anti-malware/anti-virus programs in a while anyway, but are there any specific other (system/file) programs that could be run also that might help in detecting any issues with files?
