Yes, assigning a drive letter worked temporarily in Drive Manager, but the next time I plugged in, it didn't work. Also, I tried to use a colleague's drive, and it didn't even register with Drive Manager, although it worked in my office's Mac - a FAT 32 drive.
Anyone have any insight into external drives not registering with Windows?
I swapped out my HDD for an SSD in my Win 8.1 Lenovo Y480, replacing the HDD in the optical drive slot using an HDD Caddy. The system runs fine. I still see the original copy of the Windows System disk that sits on the HDD in Windows listed as drive I:, in addition to the cloned C: drive which is booting from the SSD. I haven't deleted the old copy of the System Drive from the HDD yet, in case of errors &c. as I'm still trying the system.
However, when I plug in external USB HDDs now, none of them register with Windows. They are visible to Device Manager and Disk Manager, but they are not being assigned drive letters. They work fine on my mac, but not on this PC.
I get the message at startup saying "Check cable connections" or something. I will reboot and copy that text into another post below.
I'm also going to check the BIOS options, in case I changed some of those options when doing the change over. I can't see the option to save this post until I come back, so I'll just have to append the results in the next post down.
But has anyone encounted this problem, and do you have any suggestions? Thanks!
Thanks guys. The USB wouldn't boot and I finally rang Lenovo. They told me even before the warranty check (which was nice, and unexpected!) that the computer has an inbuilt recovery button to wipe and reinstall the system. Once I used that I was able to reload Acronis Trueimage and then install a system image I made earlier. So, basically back to good operating. I appreciate your help!
I pinged Microsoft, and b/c I have an OEM Windows Product ID, they can't give me media. I have to provide a product key, which didn't come with my laptop, apparently. I have to contact Lenovo to get one, which might cost me to get, since it's now out of warranty.
Lenovo Y480,
Win 8.1.
Last month a Malware Bytes update started cannibalizing my system, quarantining over 600 driver files, .dlls and assorted stuff.
(Earlier part of that story here.
I tried to undo everything, and in the process uninstalled MBAM, thereby deleting the quarantined files. My system is full of holes, and won't do odd things, like recognise external USB hard drives or thumb drives. There are no system restore points prior to the problem.
This is a problem for me, because my laptop came without a system restore disc. I took the precaution of making a system restore image on a USB stick - but now the computer won't recognize the stick. It blings and registers something's being plugged in, but the drive won't show in finder.
MBAM solved the problem with an update, but despite their assertions that they want to help restore my system, they haven't done anything. The thread on this was closed on their support site, but no further support was forthcoming after they closed it. (See Here).
Any help getting my device to recognize my external USB stick would be appreciated. I'm in conversation with Microsoft to see if they can send me some kind of recovery media. Will update as that conversation develops.
I got really messed over by an MBAM update last month- it deleted over 6,000 system files. I now can't read any external drives, and thus can't restore with my USB system restore. Real pain, and although tech support at MBAM said they were on it, they didn't do anything. I used MBAM free for years, and finally paid for it this year, only to have this happen.
Problem solved.
After a couple more attempts to un- and and reinstall MBAM, I noticed this error coming up repeatedly:
internal error: Expression error 'runtime error (at 79:177): External exception E06D7363
A quick google search found the solution here:
https://forums.malwarebytes.org/index.php?/topic/149048-internal-error-expression-error-runtime-error-at-79177-external-exeption-e06d763/
Thanks Gerbil;
I scanned a couple of times with eset, and it found things different times, and I think allowed me to remove them. Atually, it may have quarantined them, I can't seem to get it to reveal the quarantine from previous scans, however.
Anyway, still no joy getting Malwarebytes running, either directly or via Chameleon... Thanks for your help.
Hi thanks again. TDSKiller opened without problems, but didn't find anything. Log is here:
09:14:37.0848 0x2270 TDSS rootkit removing tool 3.0.0.39 Jun 5 2014 20:35:54
09:14:37.0848 0x2270 UEFI system
09:14:42.0537 0x2270 ============================================================
09:14:42.0537 0x2270 Current date / time: 2014/07/10 09:14:42.0537
09:14:42.0537 0x2270 SystemInfo:
09:14:42.0537 0x2270
09:14:42.0538 0x2270 OS Version: 6.3.9600 ServicePack: 0.0
09:14:42.0538 0x2270 Product type: Workstation
09:14:42.0538 0x2270 ComputerName: SHAKTIDEVA
09:14:42.0538 0x2270 UserName: Michael
09:14:42.0538 0x2270 Windows directory: C:\WINDOWS
09:14:42.0538 0x2270 System windows directory: C:\WINDOWS
09:14:42.0538 0x2270 Running under WOW64
09:14:42.0538 0x2270 Processor architecture: Intel x64
09:14:42.0538 0x2270 Number of processors: 8
09:14:42.0538 0x2270 Page size: 0x1000
09:14:42.0538 0x2270 Boot type: Normal boot
09:14:42.0538 0x2270 ============================================================
09:14:43.0561 0x2270 KLMD registered as C:\WINDOWS\system32\drivers\89614052.sys
09:14:45.0139 0x2270 System UUID: {DC586B67-9905-2508-105C-B16C539F126F}
09:14:46.0688 0x2270 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 ( 931.51 Gb ), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
09:14:46.0692 0x2270 ============================================================
09:14:46.0692 0x2270 \Device\Harddisk0\DR0:
09:14:46.0694 0x2270 GPT partitions:
09:14:46.0694 0x2270 \Device\Harddisk0\DR0\Partition1: GPT, TypeGUID: {DE94BBA4-06D1-4D40-A16A-BFD50179D6AC}, UniqueGUID: {033195CD-79D7-446E-9E02-F5D6AB75925E}, Name: Basic data partition, StartLBA 0x800, BlocksNum 0x1F4000
09:14:46.0694 0x2270 \Device\Harddisk0\DR0\Partition2: GPT, TypeGUID: {C12A7328-F81F-11D2-BA4B-00A0C93EC93B}, UniqueGUID: {5CDB7282-CB0C-4A9A-A194-71900DBF8811}, Name: EFI system partition, StartLBA 0x1F4800, BlocksNum 0x82000
09:14:46.0694 0x2270 \Device\Harddisk0\DR0\Partition3: GPT, TypeGUID: {BFBFAFE7-A34F-448A-9A5B-6213EB736C22}, UniqueGUID: {141F6F2F-EAB3-4C9B-96DF-811713C1BA07}, Name: Basic data partition, StartLBA 0x276800, BlocksNum 0x1F4000
09:14:46.0695 0x2270 \Device\Harddisk0\DR0\Partition4: GPT, TypeGUID: {E3C9E316-0B5C-4DB8-817D-F92DF00215AE}, UniqueGUID: {E001880D-F71C-4F81-B40B-01EC625A027C}, Name: Microsoft reserved partition, StartLBA 0x46A800, BlocksNum 0x40000
09:14:46.0695 0x2270 \Device\Harddisk0\DR0\Partition5: GPT, TypeGUID: {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}, UniqueGUID: {9DB625A6-EEC7-47A5-A45A-5275711D47B8}, Name: Basic data partition, StartLBA 0x4AA800, BlocksNum 0x37498800
09:14:46.0695 0x2270 \Device\Harddisk0\DR0\Partition6: GPT, TypeGUID: {DE94BBA4-06D1-4D40-A16A-BFD50179D6AC}, UniqueGUID: {934D05CC-A50B-4266-AAAA-C7F508CC510E}, Name: , StartLBA 0x37943000, BlocksNum 0xAF000
09:14:46.0695 0x2270 \Device\Harddisk0\DR0\Partition7: GPT, TypeGUID: …Hi, thanks for your detailed response. Chameleon didn't work, and I haven't been able to run MBAM after trying all the variant scans it offered. I also tried JRT and ADware, but no results so far. There were errors during both those scans.
I should clarify that MBAM professional had been working for about 6 months or so before then.
Hi, Malware Bytes has stopped scanning. I had bought the full professional, and it stopped scanning files on request (from the pop-up menu when you right-click on files). I then realised it wouldn't update, and reinstalls have failed. The other virus software I use is simply Windows Defender.
I'm running Windows 8.1 on a Lenovo Y480. I performed the "Read me Before" tasks, and AFT-Cleaner and GMER failed, and Windows Malicious Software Removal tool found nothing on a quick scan. Currently running a deep scan. DDS.scr says it "Will not run in compatibility mode" and closes. So, I basically haven't been able to do any of the prep scans for posting to the virus forum.
Other than MBAM not working I hadn't noticed any downgrade in functionality, so I'm concerned my traffic or data is being monitored. Your help much appreciated.
Oh I am a doofus. I found out the problem. I was trying to change permissions on the mounted image of the C: Drive, not the drive itself. Once I tried to change them on the actual hard drive, I acquired permissions and am now able to back up my personal files from that drive too.
Thanks for being willing to look into it.
They run from left to right.
Fairly similar results with the other tabs.
The series of windows is in the following image:
https://docs.google.com/drawings/d/1yReHHXpQ_noGsBnV4iXg1Xhnhbj2lPem5uTyHkixWms/edit?usp=sharing
I've made an Acronis image on a backup HDD. Is that the same?
It's not the files and folders, it's the user permissions that are greyed out. I can only see the top-level of the User folder that I want but can't grant permissions. I can left click and get the security tab and see all the selections, I just can't select any of them.
My motherboard got fried after an update to Windows 8.1 I don't know how, it did. Before I send the laptop off for repair, I want to backup my drives. I've removed the HDD and am reading it through an exertnal HDD reader to my Win 7 laptop.
Now, I can't get access to the user files, which don't have user access. I can't change the user access as recommended by
http://knowledge.seagate.com/articles/en_US/FAQ/203795en and other similar sites, because the users are all greyed out. Even if I go to Folder>Properties>Security>Advanced> all of these tabs: Perissions, Auditing, Owner and Effective Permissions all lock me out.
What can I do? Desperate as need to catch plane tomorrow back to States and need to ship it to repair when I get there (long story, but basically the "International" Warranty on this US-bought machine turned out not to be honoured in Germany, so I'm shipping it for repair while on a business trip). Your timely help much appreciated.
THanks, I will try that.
No, RAM is the same.
No probs w. W7 on old drive.
Actually, I'm taking it to Dell for diagnostics in the morning, and will see what they come up with.
Maybe what I wrote didn't make sense? I did Memtest with single RAM chips. When I tested individual ramchips in slot one, the computer crashed both times, around about test number 9 or so. However, when I tried to boot the computer with just a single ramchip in slot 2, it wouldn't even start - I think it's not possible to run it that way.
Ok, well the memtest just failed everything. Testing RAM chip 1 and 2 in the first slot, they both crashed during Memtest 9 or so. But I couldn't test either in slot 2 alone, the computer wouldn't even start properly. So what do I do know? How can I find the source of the problem and fix it?
Update. I did an sfc /scannow two times, and both came up naegative, no integrity violations.
With ref to the memtest86, since it's crashed this way, what about this testing procedure:
http://www.sevenforums.com/tutorials/105647-ram-test-memtest86.html
Do I understand correctly, by doing the procedure I may find if the probem is in one or the other RAM chip or the motherboard slots? And that the driver rimspx64.sys may have merely been accessing a bad section of the memory chip?
If it is a memory chip, then the solution would be to replace the chip?
Being a bit slow on the uptake here, but want to make sure I don't get ahead of myself.
Ok. The laptop bricked a number of times since, so the System Recovery by disk image has become less reliable. I managed finally to get it to reload (let's see how long it lasts this time), and burned the memtest to DVD. (I have a kid who demands all my attention on the weekends). The laptop died each time during memtests. The first two times, I'm not aware of what point in the process it happened. I watched it three times since. The first time it died during "Test 10 Modulo20, Random Pattern" or "Test 11 Bitfade test, 2 patterns." The second time I manually got it to go to test 11, and it died around the 70% mark. On the third time, it died while in the midst of test 3, while I was playing with the different kinds of test it can do.
Since then it has BSOD'ed on startup, but not consistently, this time I'm able to use it, don't know how long for.
I take it this is not to do with the driver rimspx64.sys?
THanks for your help. I'm really limping along here, hours and hours of my work time is being sucked into this. Any solution you can find would be a huge help.
Hi, BSOD struck again. The reboot was complicated for a number of reasons, and BSOD happened a number of times. The one dump file I got out of these is reported below as per your instructions. Thanks so much:
==================================================
Dump File : 111412-56721-01 - Copy.dmp
Crash Time : 11/14/2012 10:28:41 PM
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Parameter 1 : ffffffff `fffffff0
Parameter 2 : 00000000`00000000
Parameter 3 : fffff880`0674977d
Parameter 4 : 00000000`00000000
Caused By Driver : rimspx64.sys
Caused By Address : rimspx64.sys+9713fe
File Description :
Product Name :
Company :
File Version :
Processor : x64
Crash Address : ntoskrnl.exe+705c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : E:\Minidump\111412-56721-01 - Copy.dmp
Processors Count : 2
Major Version : 15
Minor Version : 7600
Dump File Size : 303,684
==================================================
Also, do you recommend this software?
http://www.advancedpctweaker.com/exe-errors/Rimspx64.sys.html
Thank you, that is exactly what I was hoping for.
Unfortunately, at BSOD, I have to restore to an earlier system state, which erases any .dmp files on my C: drive, so BlueScreenView is drawing a blank. I've set the system to store the .dmp files on my E: drive, so next time, I'll have some clues to post. Thanks so much.
When you say "download Driver pack solution" what does that mean? I tried using Driver Robot, and suspect it produced errors. But I don't know which ones. Is there any way to do a diagnostic before re-installing Windows Home all over again?
O man, sorry. I replied but it clearly didn't post. I've been travelling for work the last few days. Original OEM OS is Win 7 Home Premium. OEM Copy is not pirated, it's from Dell, and has been verified in the past. Upgrade disk was bought from my university, and verified multiple times too.
When you say download drivers from the internet - Which drivers? And how to tell which of the existing ones that are now in my system recovery files are the one(s) producing the conlfict?
And, is my new HDD causing the problem?
O man, sorry. I replied but it clearly didn't post. I've been travelling for work the last few days. Original OEM OS is Win 7 Home Premium. OEM Copy is not pirated, it's from Dell, and has been verified in the past. Upgrade disk was bought from my university, and verified multiple times too.
When you say download drivers from the internet - Which drivers? And how to tell which of the existing ones that are now in my system recovery files are the one(s) producing the conlfict?
And, is my new HDD causing the problem?
Hi, I recently re-installed Win 7 Ultimate on a fresh hard drive in my Dell XPS 1340, and used my OEM-supplied disk to install drivers. I also used Driver Robot to auto-install or update the drivers, as well as searching the Dell website. I then burned a System Recovery disk and HDD file.
After Win 7's auto-update installs SP 1, it goes to BSOD when restarting - either from hibernation or from fresh boot. This has happened twice. The first time, in the midst of repairing startup, it tried to perform a system restore, which failed. I used my newly burned system recovery disk, which includes the drivers from various source (Is it possible there is a driver conflict?).
System recovery worked fine, but when Win 7 updated to SP 1, the BSOD occurred again. The second time around, after the failure to repair startup or to restore the system restore point, I found these error messages:
System Restore: Error code= 0x1f
System Files Integrity Check and Repair: Error code= 0x490.
Windows startup repair failed when, on its own, it attempted to revert to an earlier system restore point. However, when I attempted from one of the selection windows afterwards, reverting the to earlier restore point worked. Why this differed from the attempt from Startup repair I don't know. Anyway, it's running again.
Howeverm, I'm sure when SP 1 updates, I'll have the same problem, and I want to prevent it. I've looked for a dmp.rep file, but can't …
Problem solved. Contaced Microsoft, who told me it was a North/Latin American disk, but I've been upgrading in Germany. Used an IP masker, and upgrade worked a treat. Thanks for your help and suggestions.
My current install of my OEM Win 7 Home Premium will not allow me to upgrade by disk (Option 3) to Win 7 Ultimate. When I try to do it, it forwards me to Anytime Upgrade. However, Anytime Upgrade does not accept my Product Key which is for a disc upgrade.
Therefore, option 3 doesn't work.
But I was able to upgrade when I did this before in 2009, with the same computer, same upgrade disk.
I neglected to add that the software always forces me to do an "Anytime Upgrade" with the following error message:
"To upgrade from one edition of Windows 7 to another edition of Windows 7, use Windows Anytime Upgrade. Cancel the upgrade, open the Start menu, and search for Windows Anytime Upgrade."
I understand this is a method to clean install, which will erase the previous installation, right?
I had a hard drive crash, which meant I had to install a new HDD in my Dell 64-Bit XPS 1350 (lovely computer). I had previously been running Windows 7 Ultimate Professional which I had upgraded from the OEM Win 7 Home Premium by means of a disk I purchased from my university.
Using the Recovery disk from Dell I installed Windows 7 Home Premium successfully on the new hard drive, but when I have tried to upgrade via my disk to Ultimate it installs the whole thing, says its complete, but when I reboot, tells me:
"This version of Windows could not be installed. Your previous version of Windows has been restored, and you can continue to use it."
I've installed the drivers from Dell's driver disk, but still to no avail. I've also used Driver Robot to update all my drivers.
I can't find a .dmp file anywhere under C:\$WINDOWS.~BT\Sources
but I did find this file under
C:\$WINDOWS.~BT\Sources\Panther.
setupact.log https://www.dropbox.com/s/yzy7fhkxlzc235y/setupact.log
If anyone could please advise me what I need to do to fix Windows so it will upgrade properly, I would greatly appreciate it.
Hi, thank you. Can't believe I didn't notice it had been set to default language - what an oversight.
I'm in the middle of high-pressue deadline, but will do the rootkit scan when I go to bed tonight, and post later. Thanks so much.
Thanks for the link, and your comments about the software.
When the other languages which I've installed are highlighted, they allow one to use the "add" button. It is for "adding" a language which isn't already listed in the box. They also all let me "remove" them. The Korean language option is distinct from all the other language options, it won't let me "remove" it. The thing is, I never installed Korean, it just appeared randomnly the other day.
If Hijack this is out of date, do you recommend a different scan?
Hi, I'm running Windows 7.64, with an English language systeem. I use Chinese and Japanase input. But suddenly Korean appears as the language when I log in to the system when awakening from sleep, and it's unremovable from the language bar. All the other languages can be "Removed", but Korean cannot (see attachment - where 'remove' is greyed out). Since it's appearing before the login, I suspect it's a rootkit?
I'm not a programmer, but am good at following isntructions. I thought my virus protection was pretty good but found out recently it is quite poor: I'm using Symantec Endpoint Protection as a background, and then manually scan any new files I download with MBAM. But after a big crash a few months back I scanned the laptop drive on a Linux Redhat (?), and it removed 50+ viruses. So I know my security's not great, despite these measures. I'm an unpaid graduate student, so can't afford expensive virus protection.
I think I've got something again, and am unsure how to go about getting it out, and worried it's tracking keystrokes or something. I've attached a Hijack this scan as a zip file.
Thanks for your help!
Dusting the insides kept the heat down, which has stopped the blackouts (Black Screens of Death), but it didn't stop the Blue Screens of Death, which kept producing the kernel error. I downloaded HDD Regenerator, and scanned a couple of times, and since then, no BSOD's of any kind. Thanks again!
I do have dual RAM. I tested each individually, and both produced the power out. They were quite hot to the touch (Dell XPS 1340's are known to run pretty hot anyway). I suspect that each one overheated and tripped the power. So I've installed Core Temp and am monitoring the temperature, with a safety option to go to sleep when/if it gets to TjMax. I also bought some air in a can, and have dusted out the fan, chip area and keyboard. So, far, today, while the computer's stayed cool, no power out.
Your insight about the RAM not processing the kernel was really helpful for looking away from the HDD to the RAM. Thank you!
Ok. Delay was a local tech scanned my HD and found 50+ viruses, and wanted me to see if that solved the problem. It didn't - I got a power out tonight, and it's happened multiple times. I've been trying memtest, but the laptop crashes when I'm not even at 5% tested - I wonder if that's a sign that it IS the RAM?
Such specs as I could find from System Information are below. I've been using this since June 2010 - not 2 years.
The HDD does keep going through Chkdsk and fixing stuff when I recover boot.
Does the code give any helpful info about the source of the problem?
Windows 7 Ultimate Service Pack 1
Dell Studio XPS 1340
Processor Intel(R) Core(TM)2 Duo CPU P8700 @ 2.53GHz 2.53 GHz
Installed memory (RAM): 4.00 GB (3.75 GB usable)
System type: 64-bit Operating System
Pen and Touch: No Pen or Touch Input is available for this Display
The E and C drive are on the same HDD.
Drive C:
Description Local Fixed Disk
Compressed No
File System NTFS
Size 246,79 GB (264,989,626,368 bytes)
Free Space 58.71 GB (63,036,121,088 bytes)
Volume Name Windows
Volume Serial Number 304637BC
Drive D:
Description CD-ROM Disc
Drive E:
Description Local Fixed Disk
Compressed No
File System NTFS
Size 204.28 GB (219,345,317,888 bytes)
Free Space 75.12 GB (80,657,899,520 bytes)
Volume Name Data
Volume Serial Number 247664B0
Thank you. I installed WinDbg, and managed to read the dump file, which is posted here. It says on the Windows website that "A hardware device, its driver, or related software might have caused this error" But I can't tell which one....
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:53:54, on 30/04/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\Xuyuan\AppData\Local\Google\Update\1.3.21.111\GoogleCrashHandler.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Users\Xuyuan\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files (x86)\Inventec\Dreye\DreyeMT\DreyeIMplugin.exe
C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FAIESSO Helper Object - {A2F122DA-055F-4df7-8F24-7354DBDBA85B} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - C:\Program Files (x86)\Inventec\Dreye\DreyeMT\DreyeIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [IME14 CHT Setup] C:\PROGRA~2\COMMON~1\MICROS~1\IME14\SHARED\IMEKLMG.EXE /SetPreload /CHT /Log
O4 - HKLM\..\Run: [IME14 JPN Setup] C:\PROGRA~2\COMMON~1\MICROS~1\IME14\SHARED\IMEKLMG.EXE /SetPreload /JPN /Log
O4 - HKLM\..\Run: [IME14 KOR Setup] C:\PROGRA~2\COMMON~1\MICROS~1\IME14\SHARED\IMEKLMG.EXE /SetPreload /KOR /Log
O4 - HKLM\..\Run: [IME14 CHS Setup] C:\PROGRA~2\COMMON~1\MICROS~1\IME14\SHARED\IMEKLMG.EXE /SetPreload /CHS /Log
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IMDreyePlugin] "C:\Program Files (x86)\Inventec\Dreye\DreyeMT\DreyeIMplugin.exe" /h
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\Windows\system32\spool\DRIVERS\x64\3\EKIJ5000MUI.EXE
O4 - HKLM\..\Run: [SSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Xuyuan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [EPSON SX125 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGGE.EXE /FU "C:\Windows\TEMP\E_SEBA7.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = Xuyuan\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: Jacquie Lawson Advent Calendar.lnk = C:\Program Files (x86)\Jacquie Lawson Advent Calendar\Jacquie Lawson Advent Calendar\Jacquie Lawson Advent Calendar.exe
O4 - Startup: Jacquie Lawson London Advent Calendar.lnk = C:\Program Files (x86)\Jacquie Lawson London Advent Calendar\Jacquie Lawson London Advent Calendar.exe
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: English<->German - C:\Program Files (x86)\LingvoSoft\LingvoSoft Talking Dictionary 2007 (English-German) for Windows\Plugins\IE.htm
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserMicrosoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17790.amd64fre.win7sp1_gdr.120305-1505
Machine Name:
Kernel base = 0xfffff800`0341f000 PsLoadedModuleList = 0xfffff800`03663650
Debug session time: Sun Apr 29 23:08:16.269 2012 (UTC + 2:00)
System Uptime: 0 days 0:46:39.070
Loading Kernel Symbols
...............................................................
................................................................
................................Page 66d4c not present in the dump file. Type ".hh dbgerr004" for details
...Page 62d7d not present in the dump file. Type ".hh dbgerr004" for details
.............................
........
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffdf018). Type ".hh dbgerr001" for details
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7A, {fffff6fc5008ddd8, ffffffffc000009c, ba77880, fffff8a011bbb0d0}
Page 66d4c not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+3716a )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_DATA_INPAGE_ERROR (7a)
The requested page of kernel data could not be read in. Typically caused by
a bad block in the paging file or disk controller error. Also see
KERNEL_STACK_INPAGE_ERROR.
If the error status is 0xC000000E, 0xC000009C, 0xC000009D or 0xC0000185,
it means the disk subsystem has experienced a failure.
If the error status is 0xC000009A, then it means the request failed because
a filesystem failed to make forward progress.
Arguments:
Arg1: fffff6fc5008ddd8, lock type that was held (value 1,2,3, or PTE address)
Arg2: ffffffffc000009c, error status (normally i/o status code)
Arg3: 000000000ba77880, current process (virtual address for lock type 3, or PTE)
Arg4: fffff8a011bbb0d0, virtual address that could not be in-paged (or PTE contents if arg1 is a PTE address)
Debugging Details:
------------------
Page 66d4c not present in the dump file. Type ".hh dbgerr004" for details
ERROR_CODE: (NTSTATUS) 0xc000009c - STATUS_DEVICE_DATA_ERROR
DISK_HARDWARE_ERROR: There was error with disk hardware
BUGCHECK_STR: 0x7a_c000009c
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 0
TRAP_FRAME: fffff8800e4776e0 -- (.trap 0xfffff8800e4776e0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa80087e40a0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800037728d9 rsp=fffff8800e477870 rbp=0000000000000812
r8=0000000000000812 r9=fffff8a011bb7040 r10=fffff8a011bbb0d0
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
nt!MiRelocateImagePfn+0x29:
fffff800`037728d9 493902 cmp qword ptr [r10],rax ds:2220:b0d0=????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff8000350bf12 to fffff8000349bc80
STACK_TEXT:
fffff880`0e4773c8 fffff800`0350bf12 : 00000000`0000007a fffff6fc`5008ddd8 ffffffff`c000009c 00000000`0ba77880 : nt!KeBugCheckEx
fffff880`0e4773d0 fffff800`034c2b0f : fffffa80`088e40a0 fffff880`0e477540 fffff800`036d0600 fffffa80`088e40a0 : nt! ?? ::FNODOBFM::`string'+0x3716a
fffff880`0e4774b0 fffff800`034a92a9 : 00000000`00000000 00000000`00000000 ffffffff`ffffffff fffff880`0e4777c8 : nt!MiIssueHardFault+0x28b
fffff880`0e477580 fffff800`03499dae : 00000000`00000000 fffff8a0`11bbb0d0 00000000`00000000 00000000`0010f82f : nt!MmAccessFault+0x1399
fffff880`0e4776e0 fffff800`037728d9 : fffffa80`0939fa50 fffffa80`0939fa00 fffffa80`05700000 fffffa80`0849e951 : nt!KiPageFault+0x16e
fffff880`0e477870 fffff800`034cab4b : fffffa80`05702200 fffffa80`00000009 fffffa80`056b8000 fffffa80`0996fc00 : nt!MiRelocateImagePfn+0x29
fffff880`0e4778d0 fffff800`034c2b0f : fffffa80`0939fa50 fffff880`0e477a40 fffffa80`08873ec8 fffffa80`0939fa50 : nt!MiWaitForInPageComplete+0x7ef
fffff880`0e4779b0 fffff800`034a937a : 00000000`00000000 00000000`00000000 ffffffff`ffffffff 00000000`00000000 : nt!MiIssueHardFault+0x28b
fffff880`0e477a80 fffff800`03499dae : 00000000`00000000 000007fe`f35927c0 00000000`00000001 00000000`0010530f : nt!MmAccessFault+0x146a
fffff880`0e477be0 00000000`77b09c12 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x16e
00000000`0153be60 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77b09c12
STACK_COMMAND: kb
FOLLOWUP_IP:
nt! ?? ::FNODOBFM::`string'+3716a
fffff800`0350bf12 cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt! ?? ::FNODOBFM::`string'+3716a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4f558b55
FAILURE_BUCKET_ID: X64_0x7a_c000009c_nt!_??_::FNODOBFM::_string_+3716a
BUCKET_ID: X64_0x7a_c000009c_nt!_??_::FNODOBFM::_string_+3716a
Followup: MachineOwner
---------Hi, thanks for that. I installed WinDbg so I could open the memory dump, and see that Bugcheck 7A means probably some kind of hardware or driver error, but I am stymied as to figuring out what it is. I've attached a .txt file of the memory dump.
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17790.amd64fre.win7sp1_gdr.120305-1505
Machine Name:
Kernel base = 0xfffff800`0341f000 PsLoadedModuleList = 0xfffff800`03663650
Debug session time: Sun Apr 29 23:08:16.269 2012 (UTC + 2:00)
System Uptime: 0 days 0:46:39.070
Loading Kernel Symbols
...............................................................
................................................................
................................Page 66d4c not present in the dump file. Type ".hh dbgerr004" for details
...Page 62d7d not present in the dump file. Type ".hh dbgerr004" for details
.............................
........
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffdf018). Type ".hh dbgerr001" for details
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7A, {fffff6fc5008ddd8, ffffffffc000009c, ba77880, fffff8a011bbb0d0}
Page 66d4c not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+3716a )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_DATA_INPAGE_ERROR (7a)
The requested page of kernel data could not be read in. Typically caused by
a bad block in the paging file or disk controller error. Also see
KERNEL_STACK_INPAGE_ERROR.
If the error status is 0xC000000E, 0xC000009C, 0xC000009D or 0xC0000185,
it means the disk subsystem has experienced a failure.
If the error status is 0xC000009A, then it means the request failed because
a filesystem failed to make forward progress.
Arguments:
Arg1: fffff6fc5008ddd8, lock type that was held (value 1,2,3, or PTE address)
Arg2: ffffffffc000009c, error status (normally i/o status code)
Arg3: 000000000ba77880, current process (virtual address for lock type 3, or PTE)
Arg4: fffff8a011bbb0d0, virtual address that could not be in-paged (or PTE contents if arg1 is a PTE address)
Debugging Details:
------------------
Page 66d4c not present in the dump file. Type ".hh dbgerr004" for details
ERROR_CODE: (NTSTATUS) 0xc000009c - STATUS_DEVICE_DATA_ERROR
DISK_HARDWARE_ERROR: There was error with disk hardware
BUGCHECK_STR: 0x7a_c000009c
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 0
TRAP_FRAME: fffff8800e4776e0 -- (.trap 0xfffff8800e4776e0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa80087e40a0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800037728d9 rsp=fffff8800e477870 rbp=0000000000000812
r8=0000000000000812 r9=fffff8a011bb7040 r10=fffff8a011bbb0d0
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
nt!MiRelocateImagePfn+0x29:
fffff800`037728d9 493902 cmp qword ptr [r10],rax ds:2220:b0d0=????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff8000350bf12 to fffff8000349bc80
STACK_TEXT:
fffff880`0e4773c8 fffff800`0350bf12 : 00000000`0000007a fffff6fc`5008ddd8 ffffffff`c000009c 00000000`0ba77880 : nt!KeBugCheckEx
fffff880`0e4773d0 fffff800`034c2b0f : fffffa80`088e40a0 fffff880`0e477540 fffff800`036d0600 fffffa80`088e40a0 : nt! ?? ::FNODOBFM::`string'+0x3716a
fffff880`0e4774b0 fffff800`034a92a9 : 00000000`00000000 00000000`00000000 ffffffff`ffffffff fffff880`0e4777c8 : nt!MiIssueHardFault+0x28b
fffff880`0e477580 fffff800`03499dae : 00000000`00000000 fffff8a0`11bbb0d0 00000000`00000000 00000000`0010f82f : nt!MmAccessFault+0x1399
fffff880`0e4776e0 fffff800`037728d9 : fffffa80`0939fa50 fffffa80`0939fa00 fffffa80`05700000 fffffa80`0849e951 : nt!KiPageFault+0x16e
fffff880`0e477870 fffff800`034cab4b : fffffa80`05702200 fffffa80`00000009 fffffa80`056b8000 fffffa80`0996fc00 : nt!MiRelocateImagePfn+0x29
fffff880`0e4778d0 fffff800`034c2b0f : fffffa80`0939fa50 fffff880`0e477a40 fffffa80`08873ec8 fffffa80`0939fa50 : nt!MiWaitForInPageComplete+0x7ef
fffff880`0e4779b0 fffff800`034a937a : 00000000`00000000 00000000`00000000 ffffffff`ffffffff 00000000`00000000 : nt!MiIssueHardFault+0x28b
fffff880`0e477a80 fffff800`03499dae : 00000000`00000000 000007fe`f35927c0 00000000`00000001 00000000`0010530f : nt!MmAccessFault+0x146a
fffff880`0e477be0 00000000`77b09c12 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x16e
00000000`0153be60 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77b09c12
STACK_COMMAND: kb
FOLLOWUP_IP:
nt! ?? ::FNODOBFM::`string'+3716a
fffff800`0350bf12 cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt! ?? ::FNODOBFM::`string'+3716a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4f558b55
FAILURE_BUCKET_ID: X64_0x7a_c000009c_nt!_??_::FNODOBFM::_string_+3716a
BUCKET_ID: X64_0x7a_c000009c_nt!_??_::FNODOBFM::_string_+3716a
Followup: MachineOwner
---------Hi, I'm getting BSOD extremely frequently over the last 24 hours. The blue screen says:
Kernal Data Inpage Error,
and
0x0000007a.
but goes by too fast for me to copy down any other code.
It also recommended stopping "Cache Shadowing" in the BIOS, but I could not find this option in the BIOS.
I've tried rebooting in safe more after a couple of these BSOD's and Windows stopped loading at the following line both times:
Windows\system32\drivers\bftpdskc64.sys
I'm not sure if this is a virus or a windows problem, so I'm posting in Windows, but with the requisite preliminary research recommended in the virus threads. I have done all the "read before you post" virus scans, but am having trouble completing the MBAM scan, as it BSOD's before the scan can complete.
Microsoft Malicious Software Removal Tool detected nothing.
ATF Cleaner: Cleaned
GMER did a preliminary scan on opening, but no results were posted. Most of the checkboxes, including the ones mentioned, were greyed out and did not allow checking.
I can't upload the GMER one.log, but have uploaded the GMER two.log.
I did a quick MBAM scan which is posted as QuickMBAM.txt I will try to do a full scan. I've found that the MBAM log folder has been deleted, and any logs are being prevented from saving there. I save them under other names and locations as soon as they pop up, and can thus post them.
The long MBAM has been interrupted …
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-12-12.02)
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume2
Install Date: 29/07/2010 04:39:22
System Uptime: 30/04/2012 01:22:38 (0 hours ago)
Motherboard: Dell Inc. | | 0Y525R
Processor: Intel(R) Core(TM)2 Duo CPU P8700 @ 2.53GHz | Socket 479 | 2534/133mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 247 GiB total, 56.721 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 204 GiB total, 75.107 GiB free.
F: is CDROM (CDFS)
G: is CDROM (CDFS)
H: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID:
Description: Bluetooth Peripheral Device
Device ID: BTHENUM\{00001204-0000-1000-8000-00805F9B34FB}_LOCALMFG&000F\8&169659AB&0&0023D4A9E78F_C00000003
Manufacturer:
Name: Bluetooth Peripheral Device
PNP Device ID: BTHENUM\{00001204-0000-1000-8000-00805F9B34FB}_LOCALMFG&000F\8&169659AB&0&0023D4A9E78F_C00000003
Service:
Class GUID:
Description: Officejet 4500 G510g-m
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer:
Name: Officejet 4500 G510g-m
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
Class GUID:
Description: Officejet 4500 G510g-m
Device ID: ROOT\MULTIFUNCTION\0001
Manufacturer:
Name: Officejet 4500 G510g-m
PNP Device ID: ROOT\MULTIFUNCTION\0001
Service:
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Officejet 4500 G510g-m
Device ID: ROOT\MULTIFUNCTION\0002
Manufacturer: HP
Name: Officejet 4500 G510g-m
PNP Device ID: ROOT\MULTIFUNCTION\0002
Service:
==== System Restore Points ===================
RP418: 29/04/2012 11:58:18 - Windows Backup
RP419: 29/04/2012 19:05:04 - Windows Backup
==== Installed Programs ======================
"Nero SoundTrax Help
4500_G510gm_Help
4500G510gm
4500G510gm_Software_Min
AC2 server emulator 0.44 by Dormine
Ad-Aware
Adobe Acrobat X Pro - English, Franais, Deutsch
Adobe AIR
Adobe Community Help
Adobe Dreamweaver CS5
Adobe Media Player
Adobe Reader X (10.1.1)
Adobe Shockwave Player 11.6
Advanced Audio FX Engine
Advertising Center
AnyDVD
Apple Application Support
Apple Software Update
Assassin's Creed Brotherhood
Assassin's Creed II
Assassin's Creed Revelations
Bayden ProxyPick (remove only)
Blu-ray Disc Authoring Plug-in
BUFFALO eco Manager for HD
BUFFALO TurboCopy
BUFFALO TurboPC for FLASH/HDD
BufferChm
calibre
Chinese Simplified Fonts Support For Adobe Reader 9
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Cobian Backup 10
ConvertHelper 2.2
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Communications (Support Software)
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell Driver Download Manager
Dell Getting Started Guide
Dell Webcam Central
Destinations
DeviceDiscovery
DivXLand Media Subtitler
DjVuLibre+DjView
DocMgr
DocProc
DolbyFiles
Dr.eye 8.0 Professional for Multi-users
Dr.eye 8.0 Professional for Multi-users Dict
Dragon Age: Origins
Dropbox
EndNote X4
Eusing Free Registry Cleaner
Fax
FileZilla Client 3.3.5.1
France2Go for Smartphone
Google Chrome
Google Desktop
Google Talk Plugin
GoToAssist 8.0.0.514
GPBaseService2
Gracenote Plug-in
GTK+ Runtime 2.14.7 rev a (remove only)
Halftone Search
Hama Black Force Pad
Hewlett-Packard ACLM.NET v1.1.0.0
HiJackThis
HP Update
HPDiagnosticAlert
HPProductAssistant
IBM ViaVoice TTS Runtime v6.701 - US English
ImagXpress
Java Auto Updater
Java(TM) 6 Update 31
Junk Mail filter update
K-Lite Codec Pack 7.0.0 (Full)
LingvoSoft Talking Dictionary 2007 English<->German for Windows
Live! Cam Avatar Creator
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.61.0.1400
ManyCam 2.6.1 (remove only)
Menu Templates - Starter Kit
Microsoft AppLocale
Microsoft Office 2010 Proofing Tools Kit Service Pack 1 (SP1)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office IME (Chinese (Simplified)) 2010
Microsoft Office IME (Chinese (Traditional)) 2010
Microsoft Office IME (Japanese) 2010
Microsoft Office IME (Korean) 2010
Microsoft Office IME 2010
Microsoft Office IME 2010 (Traditional Chinese)
Microsoft Office IMESS (Chinese (Traditional)) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (Arabic) 2010
Microsoft Office Proof (Basque) 2010
Microsoft Office Proof (Bulgarian) 2010
Microsoft Office Proof (Catalan) 2010
Microsoft Office Proof (Chinese (Simplified)) 2010
Microsoft Office Proof (Chinese (Traditional)) 2010
Microsoft Office Proof (Croatian) 2010
Microsoft Office Proof (Czech) 2010
Microsoft Office Proof (Danish) 2010
Microsoft Office Proof (Dutch) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (Estonian) 2010
Microsoft Office Proof (Finnish) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Galician) 2010
Microsoft Office Proof (German) 2010
Microsoft Office Proof (Greek) 2010
Microsoft Office Proof (Gujarati) 2010
Microsoft Office Proof (Hebrew) 2010
Microsoft Office Proof (Hindi) 2010
Microsoft Office Proof (Hungarian) 2010
Microsoft Office Proof (Italian) 2010
Microsoft Office Proof (Japanese) 2010
Microsoft Office Proof (Kannada) 2010
Microsoft Office Proof (Kazakh) 2010
Microsoft Office Proof (Korean) 2010
Microsoft Office Proof (Latvian) 2010
Microsoft Office Proof (Lithuanian) 2010
Microsoft Office Proof (Marathi) 2010
Microsoft Office Proof (Norwegian (Bokmal)) 2010
Microsoft Office Proof (Norwegian (Nynorsk)) 2010
Microsoft Office Proof (Polish) 2010
Microsoft Office Proof (Portuguese (Brazil)) 2010
Microsoft Office Proof (Portuguese (Portugal)) 2010
Microsoft Office Proof (Punjabi) 2010
Microsoft Office Proof (Romanian) 2010
Microsoft Office Proof (Russian) 2010
Microsoft Office Proof (Serbian (Latin)) 2010
Microsoft Office Proof (Slovak) 2010
Microsoft Office Proof (Slovenian) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proof (Swedish) 2010
Microsoft Office Proof (Tamil) 2010
Microsoft Office Proof (Telugu) 2010
Microsoft Office Proof (Thai) 2010
Microsoft Office Proof (Turkish) 2010
Microsoft Office Proof (Ukrainian) 2010
Microsoft Office Proof (Urdu) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Proofing Kit 2010
Microsoft Office Proofing Tools Kit Compilation 2010
Microsoft Office ProofMUI (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 14
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Mobipocket Creator 4.2
Morgan M-JPEG codec V3
Movie Templates - Starter Kit
Mozilla Firefox 11.0 (x86 en-US)
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 9
Nero BurningROM
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero Disc Copy Gadget
Nero Disc Copy Gadget Help
Nero DiscSpeed
Nero DriveSpeed
Nero Express
Nero InfoTool
Nero Installer
Nero Live
Nero Live Help
Nero PhotoSnap
Nero PhotoSnap Help
Nero Recode
Nero Recode Help
Nero Rescue Agent
Nero RescueAgent Help
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Vision
Nero WaveEditor
Nero WaveEditor Help
NeroBurningROM
NeroExpress
neroxml
NTFS Undelete 3.0.2.210
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
OJOsoft Total Video Converter
PunkBuster Services
QuickTime
Registry Mechanic 10.0
ResearchSoft Direct Export Helper
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2596511) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Visio Viewer 2010 (KB2597170) 32-Bit Edition
Skype? 5.8
SmartWebPrinting
SolutionCenter
Sophos Anti-Rootkit 1.5.4
SoundTrax
Spybot - Search & Destroy
Star Wars Battlefront II
Star Wars: The Force Unleashed
Status
System Requirements Lab
System Requirements Lab for Intel
TeamViewer 5
Toolbox
TrayApp
Ubisoft Game Launcher
Ultralingua 6.1
Update for Microsoft .NET FrameworkDDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Xuyuan at 1:45:47.97 on 30/04/2012
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Microsoft Windows 7 Ultimate 6.1.7601.1.950.886.1033.18.3838.1576 [GMT 2:00]
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files (x86)\Cobian Backup 10\cbVSCService.exe
C:\Windows\system32\CISVC.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEDICTUPDATE.EXE
C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\SysWOW64\rpcnet.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\spool\drivers\x64\3\EKIJ5000MUI.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVD.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\vds.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Xuyuan\AppData\Local\Google\Update\1.3.21.111\GoogleCrashHandler.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Users\Xuyuan\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files (x86)\Inventec\Dreye\DreyeMT\DreyeIMplugin.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
C:\Users\Xuyuan\AppData\Local\Google\Update\1.3.21.111\GoogleCrashHandler64.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Users\Xuyuan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Users\Xuyuan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Xuyuan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Xuyuan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Xuyuan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Xuyuan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Xuyuan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Xuyuan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Users\Xuyuan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Xuyuan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
E:\My Documents\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp
uDefault_Page_URL = hxxp://www.bing.com
uInternet Settings,ProxyOverride = localhost, 127.0.0.1, hxxp://gaeapanda.dyndns.org:8888/cgi-bin/html/login.html
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: FAIESSO Helper Object: {a2f122da-055f-4df7-8f24-7354dbdba85b} - FAIESSOHelper Class
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Dr.eye WebPage Translation: {92b255fe-94e2-4bca-958d-3926ce38913f} - C:\Program Files (x86)\Inventec\Dreye\DreyeMT\DreyeIEBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [AnyDVD] C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVD.exe
uRun: [ISUSPM Startup] C:\PROGRA~2\COMMGMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-29 23:57:39
Windows 6.1.7601 Service Pack 1
Running: 5n4whji7.exe
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\701a049c7429
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\701a049c7437
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f1a101fac3
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f1a101fac3@58170ce50349 0x60 0x25 0xF5 0xB7 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f1a101fac3@0023d4a9e78f 0x5F 0x25 0x35 0x2B ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\904ce5fa4793
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x86 0xAE 0xE6 0x61 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE0 0x1E 0x14 0xAA ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x68 0x84 0x82 0x99 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xAA 0x4D 0xB6 0xD5 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xFD 0x41 0x31 0x7D ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x5E 0xAD 0xDA 0x6A ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\701a049c7429 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\701a049c7437 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f1a101fac3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f1a101fac3@58170ce50349 0x60 0x25 0xF5 0xB7 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f1a101fac3@0023d4a9e78f 0x5F 0x25 0x35 0x2B ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\904ce5fa4793 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0M�a�l�w�a�r�e�b�y�t�e�s� �A�n�t�i�-�M�a�l�w�a�r�e� �1�.�6�1�.�0�.�1�4�0�0�
�
�w�w�w�.�m�a�l�w�a�r�e�b�y�t�e�s�.�o�r�g�
�
�
�
�D�a�t�a�b�a�s�e� �v�e�r�s�i�o�n�:� �v�2�0�1�2�.�0�4�.�2�9�.�0�4�
�
�
�
�W�i�n�d�o�w�s� �7� �S�e�r�v�i�c�e� �P�a�c�k� �1� �x�6�4� �N�T�F�S�
�
�I�n�t�e�r�n�e�t� �E�x�p�l�o�r�e�r� �9�.�0�.�8�1�1�2�.�1�6�4�2�1�
�
�X�u�y�u�a�n� �:�:� �L�A�P�P�I�E� �[�a�d�m�i�n�i�s�t�r�a�t�o�r�]�
�
�
�
�3�0�/�0�4�/�2�0�1�2� �0�0�:�0�2�:�1�7�
�
�m�b�a�m�-�l�o�g�-�2�0�1�2�-�0�4�-�3�0� �(�0�0�-�1�0�-�0�0�)�.�t�x�t�
�
�
�
�S�c�a�n� �t�y�p�e�:� �Q�u�i�c�k� �s�c�a�n�
�
�S�c�a�n� �o�p�t�i�o�n�s� �e�n�a�b�l�e�d�:� �M�e�m�o�r�y� �|� �S�t�a�r�t�u�p� �|� �R�e�g�i�s�t�r�y� �|� �F�i�l�e� �S�y�s�t�e�m� �|� �H�e�u�r�i�s�t�i�c�s�/�E�x�t�r�a� �|� �H�e�u�r�i�s�t�i�c�s�/�S�h�u�r�i�k�e�n� �|� �P�U�P� �|� �P�U�M�
�
�S�c�a�n� �o�p�t�i�o�n�s� �d�i�s�a�b�l�e�d�:� �P�2�P�
�
�O�b�j�e�c�t�s� �s�c�a�n�n�e�d�:� �2�3�2�5�2�6�
�
�T�i�m�e� �e�l�a�p�s�e�d�:� �7� �m�i�n�u�t�e�(�s�)�,� �1�2� �s�e�c�o�n�d�(�s�)�
�
�
�
�M�e�m�o�r�y� �P�r�o�c�e�s�s�e�s� �D�e�t�e�c�t�e�d�:� �0�
�
�(�N�o� �m�a�l�i�c�i�o�u�s� �i�t�e�m�s� �d�e�t�e�c�t�e�d�)�
�
�
�
�M�e�m�o�r�y� �M�o�d�u�l�e�s� �D�e�t�e�c�t�e�d�:� �0�
�
�(�N�o� �m�a�l�i�c�i�o�u�s� �i�t�e�m�s� �d�e�t�e�c�t�e�d�)�
�
�
�
�R�e�g�i�s�t�r�y� �K�e�y�s� �D�e�t�e�c�t�e�d�:� �0�
�
�(�N�o� �m�a�l�i�c�i�o�u�s� �i�t�e�m�s� �d�e�t�e�c�t�e�d�)�
�
�
�
�R�e�g�i�s�t�r�y� �V�a�l�u�e�s� �D�e�t�e�c�t�e�d�:� �0�
�
�(�N�o� �m�a�l�i�c�i�o�u�s� �i�t�e�m�s� �d�e�t�e�c�t�e�d�)�
�
�
�
�R�e�g�i�s�t�r�y� �D�a�t�a� �I�t�e�m�s� �D�e�t�e�c�t�e�d�:� �0�
�
�(�N�o� �m�a�l�i�c�i�o�u�s� �i�t�e�m�s� �d�e�t�e�c�t�e�d�)�
�
�
�
�F�o�l�d�e�r�s� �D�e�t�e�c�t�e�d�:� �0�
�
�(�N�o� �m�a�l�i�c�i�o�u�s� �i�t�e�m�s� �d�e�t�e�c�t�e�d�)�
�
�
�
�F�i�l�e�s� �D�e�t�e�c�t�e�d�:� �1�
�
�E�:�\�M�y� �D�o�c�u�m�e�n�t�s�\�D�o�w�n�l�o�a�d�s�\�S�o�f�t�o�n�i�c�D�o�w�n�l�o�a�d�e�r�_�f�o�r�_�l�y�r�i�c�s�-�p�l�u�g�i�n�-�f�o�r�-�w�i�n�d�o�w�s�-�m�e�d�i�a�-�p�l�a�y�e�r�.�e�x�e� �(�P�U�P�.�B�u�n�d�l�e�O�f�f�e�r�.�D�o�w�n�l�o�a�d�e�r�.�S�)� �-�>� �N�o� �a�c�t�i�o�n� �t�a�k�e�n�.�
�
�
�
�(�e�n�d�)Thanks. I have backed up.
I ran the sfc scan, and it didn't solve the problem. But it produced the attached report - is it helpful? It was originally titled CBS.log, I've renamed it to CBS.log.txt for uploading.
Many thanks for your help!
Michael
2011-08-02 07:37:57, Info CBS Starting TrustedInstaller initialization.
2011-08-02 07:37:57, Info CBS Loaded Servicing Stack v6.1.7601.17592 with Core: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17592_none_672ce6c3de2cb17f\cbscore.dll
2011-08-02 07:38:00, Info CSI 00000001@2011/8/2:05:38:00.161 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7fee893f0ad @0x7fee9959849 @0x7fee99234e3 @0xfff8e97c @0xfff8d799 @0xfff8db2f)
2011-08-02 07:38:00, Info CSI 00000002@2011/8/2:05:38:00.508 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7fee893f0ad @0x7fee99a6816 @0x7fee9972aac @0x7fee99235b9 @0xfff8e97c @0xfff8d799)
2011-08-02 07:38:00, Info CSI 00000003@2011/8/2:05:38:00.568 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7fee893f0ad @0x7feee748738 @0x7feee748866 @0xfff8e474 @0xfff8d7de @0xfff8db2f)
2011-08-02 07:38:00, Info CBS Ending TrustedInstaller initialization.
2011-08-02 07:38:00, Info CBS Starting the TrustedInstaller main loop.
2011-08-02 07:38:00, Info CBS TrustedInstaller service starts successfully.
2011-08-02 07:38:00, Info CBS SQM: Initializing online with Windows opt-in: False
2011-08-02 07:38:00, Info CBS SQM: Cleaning up report files older than 10 days.
2011-08-02 07:38:00, Info CBS SQM: Requesting upload of all unsent reports.
2011-08-02 07:38:00, Info CBS SQM: Failed to start upload with file pattern: C:\Windows\servicing\sqm\*_std.sqm, flags: 0x2 [HRESULT = 0x80004005 - E_FAIL]
2011-08-02 07:38:00, Info CBS SQM: Failed to start standard sample upload. [HRESULT = 0x80004005 - E_FAIL]
2011-08-02 07:38:00, Info CBS SQM: Queued 0 file(s) for upload with pattern: C:\Windows\servicing\sqm\*_all.sqm, flags: 0x6
2011-08-02 07:38:00, Info CBS SQM: Warning: Failed to upload all unsent reports. [HRESULT = 0x80004005 - E_FAIL]
2011-08-02 07:38:00, Info CBS No startup processing required, TrustedInstaller service was not set as autostart, or else a reboot is still pending.
2011-08-02 07:38:00, Info CBS NonStart: Checking to ensure startup processing was not required.
2011-08-02 07:38:00, Info CSI 00000004 IAdvancedInstallerAwareStore_ResolvePendingTransactions (call 1) (flags = 00000004, progress = NULL, phase = 0, pdwDisposition = @0x118f6e0
2011-08-02 07:38:00, Info CSI 00000005 Creating NT transaction (seq 1), objectname [6]"(null)"
2011-08-02 07:38:00, Info CSI 00000006 Created NT transaction (seq 1) result 0x00000000, handle @0x254
2011-08-02 07:38:00, Info CSI 00000007@2011/8/2:05:38:00.907 CSI perf trace:
CSIPERF:TXCOMMIT;1006
2011-08-02 07:38:00, Info CBS NonStart: Success, startup processing not required as expected.
2011-08-02 07:38:00, Info CBS Startup processing thread terminated normally
2011-08-02 07:38:01, Info CSI 00000008 CSI Store 4488704 (0x0000000000447e00) initialized
2011-08-02 07:38:03, Info CBS Archived backup log: C:\Windows\Logs\CBS\CbsPersist_20110802053757.cab.
2011-08-02 07:38:08, Info CSI 00000009 [SR] Verifying 100 (0x0000000000000064) components
2011-08-02 07:38:08, Info CSI 0000000a [SR] Beginning Verify and Repair transaction
2011-08-02 07:38:13, Info CSI 0000000b Repair results created:
POQ 0 starts:
POQ 0 ends.
2011-08-02 07:38:13, Info CSI 0000000c [SR] Verify complete
2011-08-02 07:38:13, Info CSI 0000000d [SR] Verifying 100 (0x0000000000000064) components
2011-08-02 07:38:13, Info CSI 0000000e [SR] Beginning Verify and Repair transaction
2011-08-02 07:38:20, Info CSI 0000000f Repair results created:
POQ 1 starts:
POQ 1 ends.
2011-08-02 07:38:20, Info CSI 00000010 [SR] Verify complete
2011-08-02 07:38:20, Info CSI 00000011 [SR] Verifying 100 (0x0000000000000064) components
2011-08-02 07:38:20, Info CSI 00000012 [SR] Beginning Verify and Repair transaction
2011-08-02 07:38:27, Info CSI 00000013 Repair results created:
POQ 2 starts:
POQ 2 ends.
2011-08-02 07:38:27, Info CSI 00000014 [SR] Verify complete
2011-08-02 07:38:28, Info CSI 00000015 [SR] Verifying 100 (0x0000000000000064) components
2011-08-02 07:38:28, Info CSI 00000016 [SR] Beginning Verify and Repair transaction
2011-08-02 07:38:36, Info CSI 00000017 Repair results created:
POQ 3 starts:
POQ 3 ends.
2011-08-02 07:38:36, Info CSI 00000018 [SR] Verify complete
2011-08-02 07:38:36, Info CSI 00000019 [SR] Verifying 100 (0x0000000000000064) components
2011-08-02 07:38:36, Info CSI 0000001a [SR] Beginning Verify and Repair transaction
2011-08-02 07:38:42, Info CSI 0000001b Repair results created:
POQ 4 starts:
POQ 4 ends.
2011-08-02 07:38:42, Info CSI 0000001c [SR] Verify complete
2011-08-02 07:38:42, Info CSI 0000001d [SR] Verifying 100 (0x0000000000000064) components
2011-08-02 07:38:42, Info CSI 0000001e [SR] Beginning Verify and Repair transaction
2011-08-02 07:38:48, Info CSI 0000001f Repair results created:
POQ 5 starts:
POQ 5 ends.
2011-08-02 07:38:48, Info CSI 00000020 [SR] Verify complete
2011-08-02 07:38:48, Info CSI 00000021 [SR] Verifying 100 (0x0000000000000064) components
2011-08-02 07:38:48, Info CSI 00000022 [SR] Beginning Verify and Repair transaction
2011-08-02 07:38:53, Info CSI 00000023 Repair results created:
POQ 6 starts:
POQ 6 ends.
2011-08-02 07:38:53, Info CSI 00000024 [SR] Verify complete
2011-08-02 07:38:53, Info CSI 00000025 [SR] Verifying 100 (0x0000000000000064) components
2011-08-02 07:38:53, Info CSI 00000026 [SR] Beginning Verify and Repair transaction
2011-08-02 07:38:59, Info CSI 00000027 Repair results created:
POQ 7 starts:
POQ 7 ends.
2011-08-02 07:38:59, Info CSI 00000028 [SR] Verify complete
2011-08-02 07:38:59, Info CSI 00000029 [SR] Verifying 100 (0x0000000000000064) components
2011-08-02 07:38:59, Info CSI 0000002a [SR] Beginning Verify and Repair transaction
2011-08-02 07:39:05, Info CSI 0000002b Repair results created:
POQ 8 starts:
POQ 8 ends.
2011-08-02 07:39:05, Info CSI 0000002c [SR] Verify complete
2011-08-02 07:39:06, Info CSI 0000002d [SR] Verifying 100 (0x0000000000000064) components
2011-08-02 07:39:06, Info CSI 0000002e [SR] Beginning Verify and Repair transaction
2011-08-02 07:39:11, Info CSI 0000002f Repair results created:
POQ 9 starts:
POQ 9 ends.
2011-08-02 07:39:11, Info CSI 00000030 [SR] Verify complete
2011-08-02 07:39:11, Info CSI 00000031 [SR] Verifying 100 (0x0000000000000064) components
2011-08-02 07:39:11, Info CSI 00000032 [SR] Beginning Verify and Repair transaction
2011-08-02 07:39:14, Info CSI 00000033 Repair results created:
POQ 10 starts:
POQ 10 ends.
2011-08-02 07:39:14, Info CSI 00000034 [SR] Verify complete
2011-08-02 07:39:15, Info CSI 00000035 [SR] Verifying 100 (0x0000000000000064) components
2011-08-02 07:39:15, Info CSI 00000036 [SR] Beginning Verify and Repair transaction
2011-08-02 07:39:23, Info CSI 00000037 Repair results created:
POQ 11 starts:
0: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\70ac2488d650cc01b20400001810e80b._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
1: Move File: Source = [l:162{81}]"\SystemRoot\WinSxS\Temp\PendingRenames\40192988d650cc01b30400001810e80b.$$.cdf-ms", Destination = [l:74{37}]"\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"
2: Move File: Source = [l:214{107}]"\SystemRoot\WinSxS\Temp\PendingRenames\50753588d650cc01b40400001810e80b.$$_system32_21f9a9c4a2f8b514.cdf-ms", Destination = [l:126{63}]"\SystemRoot\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms"
3: Move File: Source = [l:240{120}]"\SystemRoot\WinSxS\Temp\PendingRenames\90823888d650cc01b50400001810e80b.$$_system32_logfiles_ait_5b4995189d2e6c55.cdf-ms", Destination = [l:152{76}]"\SystemRoot\WinSxS\FileMaps\$$_system32_logfiles_ait_5b4995189d2e6c55.cdf-ms"
4: Move File: Source = [l:258{129}]"\SystemRoot\WinSxS\Temp\PendingRenames\00053c88d650cc01b60400001810e80b.programdata_microsoft_windows_ait_140a03828e6ffe97.cdf-ms", Destination = [l:170{85}]"\SystemRoot\WinSxS\FileMaps\programdata_microsoft_windows_ait_140a03828e6ffe97.cdf-ms"
5: Move File: Source = [l:234{117}]"\SystemRoot\WinSxS\Temp\PendingRenames\c07f4c88d650cc01b70400001810e80b.$$_help_windows_ja-jp_bf14e4c265261fbe.cdf-ms", Destination = [l:146{73}]"\SystemRoot\WinSxS\FileMaps\$$_help_windows_ja-jp_bf14e4c265261fbe.cdf-ms"
6: Move File: Source = [l:228{114}]"\SystemRoot\WinSxS\Temp\PendingRenames\008d4f88d650cc01b80400001810e80b.$$_help_help_ja-jp_9132a6bb9c317c46.cdf-ms", Destination = [l:140{70}]"\SystemRoot\WinSxS\FileMaps\$$_help_help_ja-jp_9132a6bb9c317c46.cdf-ms"
7: Move File: Source = [l:246{123}]"\SystemRoot\WinSxS\Temp\PendingRenames\105a5e88d650cc01b90400001810e80b.$$_diagnostics_system_audio_9d2751b7c84ca0f1.cdf-ms", Destination = [l:158{79}]"\SystemRoot\WinSxS\FileMaps\$$_diagnosticWhen explorer resets, it also tries to send a file back to Windows. It's called WER64D1.tmp.hdmp Is that useful for anyone for analysis?
I've further found that certain clicks in the Control Panel (such as managing backups) also causes explorer to fail.
In addition, my computer just spontaneously crashed tonight, with no warning - just froze for 10 minutes and then rebooted. It went through a self disk-check, but only found one .tmp file that it associated with a directory.
This is getting dangerous! I'm worried about losing work. I don't believe there's a disk problem, since the Disk Check didn't find anything - but I'm open to investigating. However, I think the issue of explorer.exe closing spontaneously is a soft error. What to do???
Dear Thomas;
Thank you but this also produced no results.
Thanks biggeo65 and Jingda. Jingda, I didn't see your post earlier, so I tried using both softwares. I disabled first half of everything in ShellMenu and no result. I then re-enabled and disabled the other half. No dice.
ShellexView was more complicated, as some Windows Office softwares are connected to the system(?) and I was told disabling them could prevent me starting up again. So I disabled everything I could that was either created or modified on or since the time of crash. No results, right-click still crashed explorer.
I don't know if I was using the software correctly - was I supposed to reboot each time after disabling something?
@Jingda - thanks. This thread is in Windows - should I somehow repost it to viruses?
Hello;
I got some kind of infection or something last week, which caused my virus software not to update, and finally my computer to totally crash and would not reboot. I successfully recovered my system from an image (it was one level up of messy from actual system restore - which never works, why is that?).
Now explorer.exe crashes and restarts whenever I right click on files in explorer (not folders, they work as normal). This is true whether I click a file in a folder, or a file appearing over the Windows button.
I need the right click for all kinds of things.
Thank you so much in advance for your help!
Michael
Windows 7 64-bit
Windows Malicious Software Remover found nothing.
ATF Cleaner: Done.
GMER.one scan did not post any results (I think this is due to Win7 64bit).
Gmer two.LOG Follows
MBAM found nothing.
DDS.txt follows
Attach.txt is available. I received three different instructions for this which were confusing. The webpage says paste in the page. The pop-up window says do no post, but attach the file. Attach.txt itself says do not post. I have not attached it, pending further instructions.
GMER 1.0.15.15641 - [url]http://www.gmer.net[/url]
Rootkit scan 2011-07-27 23:10:32
Windows 6.1.7600
Running: 3z7gk5t8.exe
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT
\Parameters\Keys\701a049c7429
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT
\Parameters\Keys\701a049c7437
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT
\Parameters\Keys\70f1a101fac3
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT
\Parameters\Keys\70f1a101fac3@58170ce50349
0x60 0x25 0xF5 0xB7 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT
\Parameters\Keys\70f1a101fac3@0023d4a9e78f
0x5F 0x25 0x35 0x2B ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT
\Parameters\Keys\904ce5fa4793
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 …Hi. Your point about Ad-aware noted, thanks. I'll be sure to use Sophos first in the future.
Problems solved once I manually deleted the Registry Entry and the associated folders in the Firefox directory.
But I was quite surprised a) that MBAM didin't find it, and b) that it was possible to do so by manually looking for "suspicious" registry keys. I clearly just got lucky this time.
Maybe dsc.exe has beaten out MBAM? I'm curious if Sophos would find it, but I'm not going to get reinfected just to test it out.