
STOP: C0000135 The program can't start because %hs is missing. Try reinstalling the program


  • This topic is locked
20 replies to this topic

#1 Padishah

  • Members
  • 9 posts
  • Gender: Male
  • Location: Paris

Posted 09 June 2012 - 01:48 PM

Hello,

Yesterday evening, while administering my Minecraft server, a message saying my Adobe Caslon Pro font (the first one in my Fonts folder) was corrupted appeared in the notification area. That was the first message of this type that I had ever seen. A second message appeared after a few seconds, saying another file was corrupted (I think it was a system file, but I don't remember). I ignored the messages and opened a file with Notepad++, but it failed to launch. I decided to restart my computer, but Windows 7 failed to boot with a BSOD: "STOP: C0000135 The program can't start because %hs is missing. Try reinstalling the program". Before searching for this issue on Google, I ran a CHKDSK, which completed without errors. Then I found these two topics, which present a similar issue: http://www.bleepingcomputer.com/forums/topic444580.html and http://www.bleepingcomputer.com/forums/topic455797.html. I followed the procedure mentioned in the first topic and got the following log:

Scan result of Farbar Recovery Scan Tool Version: 09-06-2012 01
Ran by Système at 09-06-2012 18:22:33
Running from E:\
Windows 7 Home Premium (X64) OS Language: French Standard
The current controlset is ControlSet001

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8084000 2009-08-25] (Realtek Semiconductor)
HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1744152 2011-06-24] (Logitech, Inc.)
HKLM\...\Run: [BDAgent] "C:\Program Files\Bitdefender\Bitdefender 2012\bdagent.exe" [1091200 2012-06-07] (Bitdefender)
HKLM\...\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun [825184 2009-09-30] (Microsoft Corporation)
HKLM\...\Run: [Launch LCore] C:\Program Files\Logitech Gaming Software\LCore.exe /minimized [5889816 2011-12-07] (Logitech Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-06] (Apple Inc.)
HKLM-x32\...\Run: [PMBVolumeWatcher] C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe [651832 2011-08-24] (Sony Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKU\Mcx1-PC-ROMAIN\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [343552 2009-07-14] (Microsoft Corporation)
HKU\Romain\...\Run: [Google Update] "C:\Users\Romain\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-06-11] (Google Inc.)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
Tcpip\..\Interfaces\{4408C394-A674-48E6-877B-387C516176E5}: [NameServer]80.10.246.130,81.253.149.10
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

==================== Services (Whitelisted) ======

2 Akamai; C:\program files (x86)\common files\akamai/netsession_win_80c2ffa.dll [3417376 2012-05-30] ()
4 Futuremark SystemInfo Service; "C:\Program Files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe" [135584 2011-12-09] (Futuremark Corporation)
2 PMBDeviceInfoProvider; "C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe" [430136 2011-08-24] (Sony Corporation)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-03-24] ()
3 Update Server; C:\Program Files\Common Files\Bitdefender\Bitdefender Arrakis Server\bin\arrakis3.exe [466736 2011-11-04] (BitDefender)
2 UPDATESRV; "C:\Program Files\Bitdefender\Bitdefender 2012\updatesrv.exe" /service [66096 2012-04-06] (Bitdefender)
2 VSSERV; C:\Program Files\Bitdefender\Bitdefender 2012\vsserv.exe /service [1956616 2012-04-06] (Bitdefender)
2 HDD & SSD access service; "C:\Program Files (x86)\Common Files\BinarySense\disksvc.exe" [x]
3 odserv; "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" [x]
2 PlugPlay; C:\Windows\System32\umpnpmgr.dll [x]
2 WSearch; C:\Windows\System32\SearchIndexer.exe /Embedding [x]

========================== Drivers (Whitelisted) =============

0 avc3; C:\Windows\System32\Drivers\avc3.sys [691896 2012-04-06] (BitDefender)
3 avchv; C:\Windows\System32\Drivers\avchv.sys [258736 2011-12-22] (BitDefender)
3 avckf; C:\Windows\System32\Drivers\avckf.sys [545064 2012-03-06] (BitDefender)
1 BdfNdisf; \??\c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [90192 2011-11-25] (BitDefender LLC)
0 bdfsfltr; C:\Windows\System32\Drivers\bdfsfltr.sys [442088 2012-02-06] (BitDefender)
1 bdfwfpf; \??\C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [103504 2011-11-25] (BitDefender LLC)
3 bdsandbox; C:\Windows\System32\Drivers\bdsandbox.sys [79952 2012-02-06] (BitDefender SRL)
1 BDVEDISK; C:\Windows\System32\Drivers\BDVEDISK.sys [103944 2010-01-19] (BitDefender)
2 cpuz133; \??\C:\Windows\system32\drivers\cpuz133_x64.sys [20968 2010-05-11] (Windows ® Win 7 DDK provider)
3 cpuz134; \??\C:\Program Files (x86)\CPUID\PC Wizard 2010\pcwiz_x64.sys [21480 2010-07-09] (Windows ® Win 7 DDK provider)
2 cpuz135; \??\C:\Windows\system32\drivers\cpuz135_x64.sys [21992 2010-11-09] (CPUID)
3 gdrv; \??\C:\Windows\gdrv.sys [22336 2011-02-24] (Windows ® Server 2003 DDK provider)
3 LADF_CaptureOnly; C:\Windows\System32\DRIVERS\ladfGSCamd64.sys [410184 2011-10-07] (Logitech)
3 LADF_RenderOnly; C:\Windows\System32\DRIVERS\ladfGSRamd64.sys [341832 2011-10-07] (Logitech)
3 LGPBTDD; C:\Windows\System32\Drivers\LGPBTDD.sys [30728 2011-10-14] (Logitech Inc.)
3 LUsbFilt; C:\Windows\System32\Drivers\LUsbFilt.sys [42776 2011-04-30] (Logitech, Inc.)
3 MTsensor; C:\Windows\system32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
3 RT61; C:\Windows\System32\Drivers\RT61.sys [438784 2009-06-02] (Ralink Technology, Corp.)
3 rt61x64; C:\Windows\System32\DRIVERS\netr6164.sys [446304 2010-04-07] (Ralink Technology, Corp.)
0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [17720 2010-11-26] ()
0 trufos; C:\Windows\System32\Drivers\trufos.sys [329800 2011-11-25] (BitDefender S.R.L.)
3 ALSysIO; \??\C:\Users\Romain\AppData\Local\Temp\ALSysIO64.sys [x]
3 lvpopf64; C:\Windows\System32\DRIVERS\lvpopf64.sys [x]
3 LVPr2M64; C:\Windows\System32\DRIVERS\LVPr2M64.sys [x]
3 LVRS64; C:\Windows\System32\DRIVERS\lvrs64.sys [x]
3 LVUVC64; C:\Windows\System32\DRIVERS\lvuvc64.sys [x]
3 mrxsmb20; C:\Windows\System32\DRIVERS\mrxsmb20.sys [x]
3 NvStUSB; C:\Windows\System32\DRIVERS\nvstusb.sys [x]
3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-09 18:22 - 2012-06-09 18:22 - 00000000 ____D C:\FRST
2012-06-08 23:06 - 2012-06-08 23:06 - 02565632 ____A (Microsoft Corporation) C:\Windows\System32\esent.dll
2012-06-08 22:59 - 2012-06-08 22:59 - 01659776 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2012-06-08 22:53 - 2012-06-08 22:53 - 00000000 __SHD C:\found.000
2012-06-08 21:43 - 2012-06-08 21:43 - 00011027 ____A C:\Users\Romain\Desktop\Flights.mini
2012-06-08 21:13 - 2012-06-08 21:13 - 00017008 ____A C:\Users\Romain\Desktop\Flights.zip
2012-06-08 21:01 - 2012-06-08 21:01 - 10281784 ____A C:\Users\Romain\Desktop\console.log
2012-06-07 20:59 - 2012-06-08 20:43 - 00000000 ____D C:\Users\Romain\AppData\Roaming\.Nitrous
2012-06-04 20:25 - 2012-06-04 20:25 - 00071047 ____A C:\Users\Romain\Desktop\VanishNoPacket.jar
2012-06-03 10:17 - 2012-06-03 10:27 - 00000000 ____D C:\Users\Romain\Desktop\cartes
2012-05-27 19:25 - 2012-05-27 19:25 - 00021908 ____A C:\Users\Romain\Desktop\config 2.yml
2012-05-26 13:29 - 2012-06-08 21:12 - 00000000 ____D C:\Users\Romain\Desktop\Serveur
2012-05-26 09:38 - 2012-06-03 10:18 - 00000000 ____D C:\Users\Romain\Overviewer
2012-05-24 21:18 - 2012-05-24 21:18 - 00000000 ____D C:\Users\Romain\Desktop\Tyr_Ore_Obfuscation_for_1-2
2012-05-23 22:54 - 2012-05-23 22:54 - 00002140 ____A C:\Users\Romain\Desktop\3D Vision Photo Viewer.lnk
2012-05-23 22:50 - 2012-05-15 13:55 - 01468224 ____A (NVIDIA Corporation) C:\Windows\System32\nvir3dgenco6420142.dll
2012-05-23 22:50 - 2012-05-15 11:48 - 25248064 ____A (NVIDIA Corporation) C:\Windows\System32\nvcompiler.dll
2012-05-23 22:50 - 2012-05-15 11:48 - 19607872 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2012-05-23 22:50 - 2012-05-15 11:48 - 18044224 ____A (NVIDIA Corporation) C:\Windows\System32\nvd3dumx.dll
2012-05-23 22:50 - 2012-05-15 11:48 - 17551680 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2012-05-23 22:50 - 2012-05-15 11:48 - 14298944 ____A (NVIDIA Corporation) C:\Windows\System32\Drivers\nvlddmkm.sys
2012-05-23 22:50 - 2012-05-15 11:48 - 08139072 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuda.dll
2012-05-23 22:50 - 2012-05-15 11:48 - 05982528 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2012-05-23 22:50 - 2012-05-15 11:48 - 02881856 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvenc.dll
2012-05-23 22:50 - 2012-05-15 11:48 - 02681664 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvid.dll
2012-05-23 22:50 - 2012-05-15 11:48 - 02524992 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2012-05-23 22:50 - 2012-05-15 11:48 - 02445120 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvenc.dll
2012-05-23 22:50 - 2012-05-15 11:48 - 00818496 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll
2012-05-23 22:50 - 2012-05-15 11:48 - 00364352 ____A (NVIDIA Corporation) C:\Windows\System32\nvdecodemft.dll
2012-05-23 22:50 - 2012-05-15 11:48 - 00301376 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvdecodemft.dll
2012-05-23 22:50 - 2012-05-15 11:48 - 00246592 ____A (NVIDIA Corporation) C:\Windows\System32\nvinitx.dll
2012-05-23 22:50 - 2012-05-15 11:48 - 00202048 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll
2012-05-23 22:50 - 2012-04-18 18:08 - 00188736 ____A (NVIDIA Corporation) C:\Windows\System32\Drivers\nvhda64v.sys
2012-05-23 22:50 - 2012-04-18 18:08 - 00031040 ____A (NVIDIA Corporation) C:\Windows\System32\nvhdap64.dll
2012-05-23 22:43 - 2012-05-23 22:48 - 211927944 ____A (NVIDIA Corporation) C:\Users\Romain\Downloads\301.42-desktop-win7-winvista-64bit-international-whql.exe
2012-05-22 20:39 - 2012-05-22 20:39 - 00023922 ____A C:\Users\Romain\.recently-used.xbel
2012-05-21 20:21 - 2012-04-20 17:08 - 04169928 ____A C:\Users\Romain\Desktop\IMG_3046.JPG
2012-05-21 19:02 - 2012-05-21 19:04 - 00000000 ____D C:\Users\Romain\Desktop\Photos Rome Chloé
2012-05-18 22:06 - 2012-05-18 22:06 - 00115968 ____A C:\Users\Romain\Downloads\ansi151.zip
2012-05-18 22:06 - 2012-05-18 22:06 - 00000000 ____D C:\Users\Romain\Downloads\ansi151
2012-05-18 21:55 - 2012-06-08 07:04 - 00000309 ____A C:\Users\Romain\Desktop\Agenda.txt
2012-05-18 17:44 - 2012-05-18 17:44 - 01762312 ____A (Microsoft Corporation) C:\Users\Romain\Downloads\vcredist_x86.exe
2012-05-15 01:21 - 2012-05-15 01:21 - 00423744 ____A C:\Windows\SysWOW64\nvStreaming.exe
2012-05-13 20:48 - 2012-06-03 10:27 - 00000000 ____D C:\Users\Romain\Desktop\Images
2012-05-11 06:56 - 2012-03-31 07:05 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-11 06:56 - 2012-03-31 05:39 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-11 06:56 - 2012-03-31 05:39 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-11 06:56 - 2012-03-31 04:10 - 03146240 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-11 06:56 - 2012-03-03 07:35 - 01544704 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-05-11 06:56 - 2012-03-03 06:31 - 01077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-05-11 06:55 - 2012-03-30 12:35 - 01918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-05-11 06:55 - 2012-03-17 08:58 - 00075120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys

============ 3 Months Modified Files and Folders =============

2012-06-09 18:22 - 2012-06-09 18:22 - 00000000 ____D C:\FRST
2012-06-08 23:06 - 2012-06-08 23:06 - 02565632 ____A (Microsoft Corporation) C:\Windows\System32\esent.dll
2012-06-08 22:59 - 2012-06-08 22:59 - 01659776 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2012-06-08 22:53 - 2012-06-08 22:53 - 00000000 __SHD C:\found.000
2012-06-08 21:47 - 2011-10-16 20:06 - 00352455 ____A C:\bdlog.txt
2012-06-08 21:47 - 2009-10-26 12:19 - 02042275 ____A C:\Windows\WindowsUpdate.log
2012-06-08 21:43 - 2012-06-08 21:43 - 00011027 ____A C:\Users\Romain\Desktop\Flights.mini
2012-06-08 21:43 - 2012-03-29 17:30 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-08 21:43 - 2011-05-16 06:33 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-06-08 21:42 - 2011-01-12 07:11 - 00000000 ____D C:\Users\Romain\AppData\Roaming\.minecraft
2012-06-08 21:37 - 2011-06-17 10:28 - 00000000 ____D C:\Users\Romain\AppData\Roaming\FileZilla
2012-06-08 21:33 - 2009-12-25 18:44 - 00001068 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-08 21:32 - 2011-06-14 09:08 - 00001082 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3623759701-869614871-4158014252-1004UA.job
2012-06-08 21:13 - 2012-06-08 21:13 - 00017008 ____A C:\Users\Romain\Desktop\Flights.zip
2012-06-08 21:12 - 2012-05-26 13:29 - 00000000 ____D C:\Users\Romain\Desktop\Serveur
2012-06-08 21:02 - 2009-07-14 05:51 - 00191387 ____A C:\Windows\setupact.log
2012-06-08 21:01 - 2012-06-08 21:01 - 10281784 ____A C:\Users\Romain\Desktop\console.log
2012-06-08 20:43 - 2012-06-07 20:59 - 00000000 ____D C:\Users\Romain\AppData\Roaming\.Nitrous
2012-06-08 18:33 - 2009-12-25 18:44 - 00001064 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-08 18:14 - 2009-07-14 05:45 - 00014832 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-08 18:14 - 2009-07-14 05:45 - 00014832 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-08 18:07 - 2010-02-10 21:48 - 00000376 ____A C:\Users\Romain\AppData\Roamingprivacy.xml
2012-06-08 18:07 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-08 07:04 - 2012-05-18 21:55 - 00000309 ____A C:\Users\Romain\Desktop\Agenda.txt
2012-06-04 20:25 - 2012-06-04 20:25 - 00071047 ____A C:\Users\Romain\Desktop\VanishNoPacket.jar
2012-06-04 17:44 - 2011-06-14 09:08 - 00001030 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3623759701-869614871-4158014252-1004Core.job
2012-06-03 10:27 - 2012-06-03 10:17 - 00000000 ____D C:\Users\Romain\Desktop\cartes
2012-06-03 10:27 - 2012-05-13 20:48 - 00000000 ____D C:\Users\Romain\Desktop\Images
2012-06-03 10:18 - 2012-05-26 09:38 - 00000000 ____D C:\Users\Romain\Overviewer
2012-05-31 21:55 - 2011-06-14 09:56 - 00000000 ____D C:\Users\Romain\AppData\Roaming\Dropbox
2012-05-31 21:31 - 2009-07-14 16:24 - 00408906 ____A C:\Windows\System32\perfh00C.dat
2012-05-31 21:31 - 2009-07-14 16:24 - 00063754 ____A C:\Windows\System32\perfc00C.dat
2012-05-31 21:31 - 2009-07-14 06:13 - 00463776 ____A C:\Windows\System32\PerfStringBackup.INI
2012-05-31 16:16 - 2011-06-14 09:57 - 00000000 ___RD C:\Users\Romain\Dropbox
2012-05-27 19:25 - 2012-05-27 19:25 - 00021908 ____A C:\Users\Romain\Desktop\config 2.yml
2012-05-26 14:23 - 2009-12-25 17:04 - 00000000 ____D C:\Users\Romain\AppData\LocalLow
2012-05-26 09:38 - 2009-12-25 17:04 - 00000000 ____D C:\users\Romain
2012-05-25 06:54 - 2012-03-07 16:45 - 00000323 ____A C:\Windows\System32\checkdnsid.xml
2012-05-24 21:18 - 2012-05-24 21:18 - 00000000 ____D C:\Users\Romain\Desktop\Tyr_Ore_Obfuscation_for_1-2
2012-05-24 20:37 - 2010-04-03 10:36 - 00000000 ____D C:\Program Files (x86)\Steam
2012-05-24 06:33 - 2011-06-14 09:08 - 00002413 ____A C:\Users\Romain\Desktop\Google Chrome.lnk
2012-05-23 22:54 - 2012-05-23 22:54 - 00002140 ____A C:\Users\Romain\Desktop\3D Vision Photo Viewer.lnk
2012-05-23 22:53 - 2009-11-12 15:22 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2012-05-23 22:51 - 2010-11-07 16:33 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2012-05-23 22:48 - 2012-05-23 22:43 - 211927944 ____A (NVIDIA Corporation) C:\Users\Romain\Downloads\301.42-desktop-win7-winvista-64bit-international-whql.exe
2012-05-22 20:39 - 2012-05-22 20:39 - 00023922 ____A C:\Users\Romain\.recently-used.xbel
2012-05-22 20:39 - 2011-06-20 20:21 - 00000000 ____D C:\Users\Romain\AppData\Roaming\gtk-2.0
2012-05-21 19:04 - 2012-05-21 19:02 - 00000000 ____D C:\Users\Romain\Desktop\Photos Rome Chloé
2012-05-19 18:52 - 2012-02-22 19:44 - 00000000 ____D C:\Users\Romain\Desktop\Administration
2012-05-18 22:06 - 2012-05-18 22:06 - 00115968 ____A C:\Users\Romain\Downloads\ansi151.zip
2012-05-18 22:06 - 2012-05-18 22:06 - 00000000 ____D C:\Users\Romain\Downloads\ansi151
2012-05-18 17:44 - 2012-05-18 17:44 - 01762312 ____A (Microsoft Corporation) C:\Users\Romain\Downloads\vcredist_x86.exe
2012-05-17 16:43 - 2010-09-25 09:20 - 00280976 ____A C:\Windows\SysWOW64\PnkBstrB.exe
2012-05-17 16:43 - 2010-08-27 16:38 - 00280976 ____A C:\Windows\SysWOW64\PnkBstrB.xtr
2012-05-17 16:41 - 2010-09-25 09:20 - 00280976 ____A C:\Windows\SysWOW64\PnkBstrB.ex0
2012-05-16 18:25 - 2012-02-13 22:37 - 00000000 ____D C:\Users\Romain\Desktop\Maths
2012-05-15 13:55 - 2012-05-23 22:50 - 01468224 ____A (NVIDIA Corporation) C:\Windows\System32\nvir3dgenco6420142.dll
2012-05-15 11:48 - 2012-05-23 22:50 - 25248064 ____A (NVIDIA Corporation) C:\Windows\System32\nvcompiler.dll
2012-05-15 11:48 - 2012-05-23 22:50 - 19607872 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2012-05-15 11:48 - 2012-05-23 22:50 - 18044224 ____A (NVIDIA Corporation) C:\Windows\System32\nvd3dumx.dll
2012-05-15 11:48 - 2012-05-23 22:50 - 17551680 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2012-05-15 11:48 - 2012-05-23 22:50 - 14298944 ____A (NVIDIA Corporation) C:\Windows\System32\Drivers\nvlddmkm.sys
2012-05-15 11:48 - 2012-05-23 22:50 - 08139072 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuda.dll
2012-05-15 11:48 - 2012-05-23 22:50 - 05982528 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2012-05-15 11:48 - 2012-05-23 22:50 - 02881856 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvenc.dll
2012-05-15 11:48 - 2012-05-23 22:50 - 02681664 ____A (NVIDIA Corporation) C:\Windows\System32\nvcuvid.dll
2012-05-15 11:48 - 2012-05-23 22:50 - 02524992 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2012-05-15 11:48 - 2012-05-23 22:50 - 02445120 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvenc.dll
2012-05-15 11:48 - 2012-05-23 22:50 - 00818496 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll
2012-05-15 11:48 - 2012-05-23 22:50 - 00364352 ____A (NVIDIA Corporation) C:\Windows\System32\nvdecodemft.dll
2012-05-15 11:48 - 2012-05-23 22:50 - 00301376 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvdecodemft.dll
2012-05-15 11:48 - 2012-05-23 22:50 - 00246592 ____A (NVIDIA Corporation) C:\Windows\System32\nvinitx.dll
2012-05-15 11:48 - 2012-05-23 22:50 - 00202048 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll
2012-05-15 11:48 - 2012-03-15 08:48 - 00068928 ____A (Khronos Group) C:\Windows\System32\OpenCL.dll
2012-05-15 11:48 - 2012-03-15 08:48 - 00061248 ____A (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2012-05-15 11:48 - 2012-02-22 20:23 - 00949056 ____A (NVIDIA Corporation) C:\Windows\System32\nvumdshimx.dll
2012-05-15 11:48 - 2011-11-28 18:50 - 02368832 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2012-05-15 11:48 - 2011-11-10 19:13 - 25743168 ____A (NVIDIA Corporation) C:\Windows\System32\nvoglv64.dll
2012-05-15 11:48 - 2011-11-10 19:13 - 15322432 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvd3dum.dll
2012-05-15 11:48 - 2011-11-10 19:13 - 10194752 ____A (NVIDIA Corporation) C:\Windows\System32\nvwgf2umx.dll
2012-05-15 11:48 - 2011-11-10 19:13 - 08105280 ____A (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll
2012-05-15 11:48 - 2011-11-10 19:13 - 02741568 ____A (NVIDIA Corporation) C:\Windows\System32\nvapi64.dll
2012-05-15 11:48 - 2011-11-10 19:13 - 01738048 ____A (NVIDIA Corporation) C:\Windows\System32\nvdispco64.dll
2012-05-15 11:48 - 2011-11-10 19:13 - 01468224 ____A (NVIDIA Corporation) C:\Windows\System32\nvgenco64.dll
2012-05-15 11:48 - 2011-11-10 19:13 - 00014324 ____A C:\Windows\System32\nvinfo.pb
2012-05-15 10:29 - 2012-02-22 20:25 - 02621723 ____A C:\Windows\System32\nvcoproc.bin
2012-05-15 10:29 - 2011-11-10 19:15 - 03149632 ____A (NVIDIA Corporation) C:\Windows\System32\nvsvc64.dll
2012-05-15 10:29 - 2011-11-10 19:15 - 02561856 ____A (NVIDIA Corporation) C:\Windows\System32\nvsvcr.dll
2012-05-15 10:29 - 2011-11-10 19:15 - 00889664 ____A (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
2012-05-15 10:29 - 2011-11-10 19:15 - 00118080 ____A (NVIDIA Corporation) C:\Windows\System32\nvmctray.dll
2012-05-15 10:29 - 2011-11-10 19:15 - 00063296 ____A (NVIDIA Corporation) C:\Windows\System32\nvshext.dll
2012-05-15 10:28 - 2011-11-10 19:15 - 06151488 ____A (NVIDIA Corporation) C:\Windows\System32\nvcpl.dll
2012-05-15 01:21 - 2012-05-15 01:21 - 00423744 ____A C:\Windows\SysWOW64\nvStreaming.exe
2012-05-13 21:20 - 2010-10-07 19:36 - 00018960 ____A (Logitech, Inc.) C:\Windows\System32\Drivers\LNonPnP.sys
2012-05-13 21:20 - 2010-10-07 19:36 - 00003439 ____A C:\Windows\LkmdfCoInst.log
2012-05-12 11:19 - 2012-05-08 13:22 - 00000000 ____D C:\Users\Romain\Desktop\TV
2012-05-11 16:33 - 2009-07-14 05:45 - 05033384 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-11 07:04 - 2009-10-20 06:20 - 57848688 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-05-11 07:04 - 2009-10-19 16:06 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-05-11 06:57 - 2009-07-14 16:35 - 00000000 ____D C:\Program Files\Windows Journal
2012-05-10 21:53 - 2012-05-01 16:26 - 00000000 ____D C:\Users\Romain\Desktop\Blender
2012-05-10 18:21 - 2012-05-08 10:42 - 00000000 ____D C:\Users\Romain\Desktop\Anglais
2012-05-10 18:00 - 2011-10-16 17:35 - 00000000 ____D C:\Users\Romain\Documents\Vegas Movie Studio HD Platinum 11.0 Projets
2012-05-09 22:38 - 2012-02-17 18:05 - 00000000 ____D C:\Users\Romain\Desktop\ECJS
2012-05-09 19:13 - 2011-08-21 17:21 - 00094556 ____A C:\Users\Romain\Documents\Musique.odt
2012-05-08 21:23 - 2012-05-08 21:23 - 00000000 ____D C:\Users\Romain\AppData\Roaming\Media Player Classic
2012-05-08 20:34 - 2012-05-08 20:34 - 00000000 ____D C:\Program Files\K-Lite Codec Pack x64
2012-05-08 20:31 - 2012-05-08 20:31 - 00000000 ____D C:\Program Files (x86)\K-Lite Codec Pack
2012-05-08 20:30 - 2012-05-08 20:29 - 21922618 ____A ( ) C:\Users\Romain\Downloads\K-Lite_Codec_Pack_870_Mega.exe
2012-05-08 20:18 - 2009-10-20 06:23 - 01054952 ____A C:\Windows\PFRO.log
2012-05-08 20:12 - 2009-12-29 13:36 - 00000000 ____D C:\Users\Romain\AppData\Roaming\Stereoscopic Player
2012-05-08 19:30 - 2010-11-21 16:17 - 00000000 ____D C:\Users\Romain\AppData\Roaming\Real
2012-05-08 19:30 - 2010-11-21 16:17 - 00000000 ____D C:\Program Files (x86)\Real
2012-05-08 18:45 - 2012-05-08 18:44 - 00000000 ____D C:\Users\All Users\Ultima_T15
2012-05-08 18:45 - 2010-08-24 17:15 - 00000000 ____D C:\Users\Romain\AppData\Local\Nikon
2012-05-08 18:45 - 2010-08-24 17:08 - 00000000 ____H C:\Users\All Users\PKP_DLev.DAT
2012-05-08 18:45 - 2010-08-24 17:08 - 00000000 ____H C:\Users\All Users\PKP_DLet.DAT
2012-05-08 18:45 - 2010-08-24 17:08 - 00000000 ____H C:\Users\All Users\PKP_DLes.DAT
2012-05-08 18:44 - 2009-12-25 21:24 - 00000000 ____H C:\Users\All Users\PKP_DLdu.DAT
2012-05-08 18:16 - 2012-05-08 18:16 - 00411509 ____A C:\Users\Romain\Downloads\GSpot270a.zip
2012-05-08 18:16 - 2012-05-08 18:16 - 00000000 ____D C:\Users\Romain\Downloads\GSpot270a
2012-05-08 17:54 - 2012-05-08 17:54 - 00001299 ____A C:\Users\Public\Desktop\Vegas Movie Studio HD Platinum 11.0.lnk
2012-05-08 17:54 - 2012-05-08 17:50 - 170240568 ____A (Sony Creative Software Inc.) C:\Users\Romain\Downloads\moviestudiope11.0.322.exe
2012-05-08 17:54 - 2011-05-11 20:10 - 00000000 ____D C:\Users\Romain\AppData\Roaming\Sony
2012-05-08 17:40 - 2012-05-08 17:40 - 11004395 ____A ( ) C:\Users\Romain\Downloads\K-Lite_Codec_Pack_64bit_620.exe
2012-05-08 11:50 - 2012-05-08 11:36 - 00221964 ____A C:\Windows\hpoins41.dat
2012-05-08 11:50 - 2010-02-26 20:31 - 00023872 ____A C:\Users\All Users\hpzinstall.log
2012-05-08 11:49 - 2009-12-25 17:04 - 00134640 ____A C:\Users\Romain\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-08 11:49 - 2009-07-14 03:34 - 00000777 ____A C:\Windows\win.ini
2012-05-08 11:45 - 2012-05-08 11:45 - 00000000 ____D C:\Users\All Users\HP Product Assistant
2012-05-08 11:45 - 2010-02-26 20:50 - 00000000 ____D C:\Program Files (x86)\HP
2012-05-08 11:45 - 2010-02-26 20:20 - 00000000 ____D C:\Users\All Users\HP
2012-05-08 09:53 - 2012-05-08 09:53 - 00032911 ____A C:\Users\Romain\Downloads\bignoodle_titling.zip
2012-05-08 09:53 - 2012-05-08 09:53 - 00000000 ____D C:\Users\Romain\Downloads\bignoodle_titling
2012-05-04 21:48 - 2012-05-04 21:48 - 00000000 ____D C:\Users\Romain\Downloads\TCPView
2012-05-04 21:47 - 2012-05-04 21:47 - 00291606 ____A C:\Users\Romain\Downloads\TCPView.zip
2012-05-03 20:20 - 2012-05-03 20:20 - 00268744 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-05-03 20:20 - 2012-05-03 20:20 - 00189384 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-05-03 20:20 - 2012-05-03 20:20 - 00188872 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-05-03 20:20 - 2012-05-03 20:20 - 00000000 ____D C:\Program Files\Java
2012-05-03 20:20 - 2011-10-25 10:07 - 00955848 ____A (Oracle Corporation) C:\Windows\System32\npdeployJava1.dll
2012-05-03 20:19 - 2012-05-03 20:19 - 00227784 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-05-03 20:19 - 2012-05-03 20:19 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-05-03 20:19 - 2012-05-03 20:19 - 00174024 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-05-03 20:19 - 2011-11-04 22:54 - 00772552 ____A (Oracle Corporation) C:\Windows\SysWOW64\npdeployJava1.dll
2012-05-03 20:19 - 2011-11-04 22:53 - 00000000 ____D C:\Program Files (x86)\Java
2012-05-03 20:19 - 2011-01-11 21:26 - 00687560 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-05-03 20:14 - 2012-05-03 20:14 - 21865936 ____A (Oracle Corporation) C:\Users\Romain\Downloads\jre-7u4-windows-x64.exe
2012-05-03 20:14 - 2012-05-03 20:14 - 21052880 ____A (Oracle Corporation) C:\Users\Romain\Downloads\jre-7u4-windows-i586.exe
2012-05-02 14:59 - 2012-05-02 14:59 - 00000000 ____D C:\Users\Romain\Downloads\djdec312
2012-05-01 15:42 - 2012-05-01 15:42 - 00196362 ____A C:\Users\Romain\logo6.png
2012-04-30 17:27 - 2012-04-30 17:25 - 00000000 ____D C:\Users\Romain\AppData\Roaming\Minecraft Skin Viewer
2012-04-30 16:32 - 2009-07-14 06:08 - 00032482 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-04-29 20:01 - 2012-04-29 20:01 - 00000000 ____D C:\Users\Romain\AppData\Roaming\Blender Foundation
2012-04-29 19:55 - 2012-04-29 19:55 - 00000000 ____D C:\Program Files\Blender Foundation
2012-04-29 19:54 - 2012-04-29 19:53 - 33195029 ____A C:\Users\Romain\Downloads\blender-2.63-release-windows64.exe
2012-04-29 19:50 - 2012-04-29 19:39 - 00000000 ____D C:\Users\Romain\AppData\Roaming\MAXON
2012-04-25 13:22 - 2012-04-04 21:07 - 00000000 ____D C:\Users\Romain\Documents\Sony PMB
2012-04-25 10:43 - 2012-04-25 10:43 - 00000000 ____D C:\Users\Romain\Desktop\Photos Sony
2012-04-25 10:41 - 2012-04-09 20:26 - 00000000 ____D C:\Users\Romain\Desktop\Fenwick
2012-04-23 19:00 - 2012-05-08 20:34 - 00092160 ____A C:\Windows\System32\ff_vfw.dll
2012-04-23 19:00 - 2012-05-08 20:31 - 00079360 ____A C:\Windows\SysWOW64\ff_vfw.dll
2012-04-20 17:08 - 2012-05-21 20:21 - 04169928 ____A C:\Users\Romain\Desktop\IMG_3046.JPG
2012-04-18 18:08 - 2012-05-23 22:50 - 00188736 ____A (NVIDIA Corporation) C:\Windows\System32\Drivers\nvhda64v.sys
2012-04-18 18:08 - 2012-05-23 22:50 - 00031040 ____A (NVIDIA Corporation) C:\Windows\System32\nvhdap64.dll
2012-04-18 18:08 - 2011-11-28 18:50 - 01451840 ____A (NVIDIA Corporation) C:\Windows\System32\nvhdagenco6420103.dll
2012-04-16 17:46 - 2012-04-16 17:46 - 00001836 ____A C:\Users\Public\Desktop\Opera.lnk
2012-04-16 17:46 - 2012-04-16 17:46 - 00000000 ____D C:\Users\Romain\AppData\Roaming\Opera
2012-04-16 17:46 - 2012-04-16 17:46 - 00000000 ____D C:\Users\Romain\AppData\Local\Opera
2012-04-16 17:46 - 2012-04-16 17:46 - 00000000 ____D C:\Program Files (x86)\Opera
2012-04-16 17:21 - 2012-04-16 17:20 - 10623728 ____A (Opera Software ASA) C:\Users\Romain\Downloads\Opera_1162_int_Setup.exe
2012-04-15 18:02 - 2010-01-05 19:40 - 00000000 ____D C:\Users\Romain\AppData\Local\ElevatedDiagnostics
2012-04-13 18:22 - 2010-01-16 17:30 - 00000000 ___AD C:\Users\Romain\Documents\Laser Game
2012-04-09 15:52 - 2012-04-09 15:52 - 00012209 ____A C:\Users\Romain\fenwick3.png
2012-04-07 10:56 - 2011-08-30 17:52 - 00000000 ____D C:\Program Files (x86)\Origin
2012-04-07 10:54 - 2012-03-24 17:33 - 00000000 ____D C:\Users\All Users\EA Logs
2012-04-06 21:34 - 2012-04-06 21:34 - 00262604 ____A C:\Windows\msxml4-KB973685-enu.LOG
2012-04-06 09:54 - 2011-09-01 11:12 - 00691896 ____A (BitDefender) C:\Windows\System32\Drivers\avc3.sys
2012-04-06 09:45 - 2012-04-06 09:45 - 00259583 ____A C:\Users\Romain\Downloads\1598.jpg
2012-04-04 21:30 - 2009-10-19 16:15 - 00405460 ____A C:\Windows\DirectX.log
2012-04-04 21:09 - 2012-04-04 21:09 - 03687352 ____A (Sony Corporation) C:\Users\Romain\Downloads\PMB56_Updater1105a.exe
2012-04-04 21:07 - 2012-04-04 21:07 - 00000000 ____D C:\Users\Romain\AppData\Roaming\Sony Corporation
2012-04-04 21:04 - 2012-04-04 21:04 - 00000000 ____D C:\Program Files (x86)\MSXML 4.0
2012-04-04 21:02 - 2012-04-04 21:02 - 00000000 ____D C:\Users\All Users\Sony Corporation
2012-04-04 21:02 - 2011-10-16 17:34 - 00000000 ____D C:\Program Files (x86)\Sony
2012-04-04 20:01 - 2012-04-04 20:01 - 00001137 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-04-04 20:01 - 2012-04-04 20:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-04-04 20:01 - 2012-04-04 20:00 - 16287888 ____A (Mozilla) C:\Users\Romain\Downloads\Firefox Setup 11.0.exe
2012-04-04 20:01 - 2012-02-21 21:13 - 00000000 ____D C:\Users\Romain\AppData\Roaming\Mozilla
2012-03-31 07:05 - 2012-05-11 06:56 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-31 05:39 - 2012-05-11 06:56 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-31 05:39 - 2012-05-11 06:56 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-31 04:10 - 2012-05-11 06:56 - 03146240 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-30 12:35 - 2012-05-11 06:55 - 01918320 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-25 10:22 - 2012-03-25 10:22 - 00001790 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-03-25 10:22 - 2012-03-25 10:21 - 00000000 ____D C:\Program Files\iTunes
2012-03-25 10:22 - 2012-03-25 10:21 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-03-25 10:21 - 2012-03-25 10:21 - 00000000 ____D C:\Program Files\iPod
2012-03-25 10:16 - 2012-03-25 10:16 - 00000000 ____D C:\Program Files (x86)\QuickTime
2012-03-24 17:37 - 2010-08-18 08:04 - 00076888 ____A C:\Windows\SysWOW64\PnkBstrA.exe
2012-03-24 17:35 - 2012-03-24 17:35 - 03870120 ____A C:\Users\Romain\Downloads\battlelog-web-plugins-1.116.0-retail-prod.exe
2012-03-24 17:35 - 2011-09-30 17:52 - 00000000 ____D C:\Program Files (x86)\Battlelog Web Plugins
2012-03-22 20:12 - 2012-03-22 20:12 - 04435968 ____A (Google Inc.) C:\Windows\SysWOW64\GPhotos.scr
2012-03-22 17:49 - 2011-12-25 20:38 - 00000000 ____D C:\Users\Romain\Documents\Assassin's Creed Revelations
2012-03-22 17:49 - 2010-08-27 16:36 - 00000000 ____D C:\Users\Romain\AppData\Local\PunkBuster
2012-03-22 17:49 - 2010-07-03 12:06 - 00000000 ____D C:\Users\Romain\AppData\Roaming\Ubisoft
2012-03-20 19:21 - 2009-10-19 16:09 - 00455920 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-03-19 22:17 - 2012-02-13 20:18 - 00000000 ____D C:\Users\Romain\AppData\Roaming\Skype
2012-03-19 19:50 - 2012-02-13 20:17 - 00000000 ___RD C:\Program Files (x86)\Skype
2012-03-17 22:59 - 2012-03-17 22:59 - 03019952 ____A C:\Users\Romain\Downloads\canalplus.exe
2012-03-17 22:59 - 2011-02-26 14:08 - 00000000 ____D C:\Users\Romain\AppData\Local\Downloaded Installations
2012-03-17 08:58 - 2012-05-11 06:55 - 00075120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-03-15 08:50 - 2009-11-12 15:21 - 00000000 ____D C:\NVIDIA
2012-03-14 22:00 - 2012-03-14 21:55 - 209760560 ____A (NVIDIA Corporation) C:\Users\Romain\Downloads\296.10-desktop-win7-winvista-64bit-international-whql.exe
2012-03-14 12:38 - 2010-03-17 21:29 - 00048128 ____A C:\Users\Romain\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-03-12 08:00 - 2009-07-14 06:32 - 00000000 ____D C:\Windows\System32\FxsTmp

========================= Known DLLs (Whitelisted) ============

C:\Windows\System32\kernel32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\kernel32.dll IS MISSING <==== ATTENTION!

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 4091.48 MB
Available physical RAM: 3482 MB
Total Pagefile: 4089.63 MB
Available Pagefile: 3468.23 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (Windows) (Fixed) (Total:698.64 GB) (Free:233.38 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (USB DISK) (Removable) (Total:1.86 GB) (Free:1.85 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

N° disque Statut Taille Libre Dyn GPT
--------- ------------- ------- ------- --- ---
Disque 0 En ligne 698 G octets 0 octets
Disque 1 En ligne 1900 M octets 0 octets

Partitions of Disk 0:
===============

N° partition Type Taille Décalage
------------- ---------------- ------- --------
Partition 1 Principale 698 G 31 K

======================================================================================================

Disk: 0
Partition 1
Type : 07
Masqué : Non
Active : Oui
Décalage en octets : 32256

N° volume Ltr Nom Fs Type Taille Statut Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Windows NTFS Partition 698 G Sain

======================================================================================================

Partitions of Disk 1:
===============

N° partition Type Taille Décalage
------------- ---------------- ------- --------
Partition 1 Principale 1899 M 31 K

======================================================================================================

Disk: 1
Partition 1
Type : 0E
Masqué : Non
Active : Oui
Décalage en octets : 32256

N° volume Ltr Nom Fs Type Taille Statut Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E USB DISK FAT Amovible 1899 M Sain

======================================================================================================

==========================================================

Last Boot: 2012-05-30 19:00

======================= End Of Log ==========================

I would really appreciate your help.

Thanks in advance,

Padishah

Edited by Padishah, 10 June 2012 - 08:43 AM.




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:23 PM

Posted 11 June 2012 - 08:09 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Padishah


Posted 12 June 2012 - 03:55 AM

Hello m0le,

I'm there and ready to follow your instructions.

Thanks for your help.

#4 m0le


Posted 12 June 2012 - 06:19 PM

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.


This could be a crucial thing because if you do have a rootkit present then it will be able to hide unless the recovery environment is used. The FRST log shows nothing as it stands.

Is there a reason that you didn't run it from the RE?

#5 Padishah


Posted 13 June 2012 - 02:30 AM

What's strange is that I did run the tool from the recovery environment! I followed step by step the instructions given in the topic mentioned in my first post. I ran the tool several times from the recovery environment, and I even ran it from the recovery environment of the installation disc, but there is always this message saying it is not run from the recovery environment...

#6 m0le


Posted 13 June 2012 - 02:19 PM

That is strange. Please run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#7 Padishah


Posted 13 June 2012 - 02:45 PM

I can't perform what you told me because I'm still not able to start Windows, not even in safe mode. "Repair your computer" is the only boot option working.
I'm not the only one getting the message that the tool is not run from the recovery environment although it is. On this topic, somebody ran FRST from the recovery environment, it displayed this message too, and a Malware Response Team member called CatByte was able to provide him a fixlist.txt which fixed the issue and let him boot to Windows. However, this person had this line: "SubSystems: [Windows] ==> ZeroAccess" in his log whereas I don't. But it appears that I have some DLLs missing: "C:\Windows\System32\kernel32.dll IS MISSING" and "C:\Windows\SysWOW64\kernel32.dll IS MISSING". I have no idea how they got deleted, but I have the installation disc of Windows 7 if needed.

Edited by Padishah, 14 June 2012 - 06:48 AM.


#8 m0le


Posted 14 June 2012 - 01:17 PM

I don't think the problem is malware and, as you pointed out, there is no sign of ZeroAccess.

I think the dll issue is likely the problem here. Are you able to use your disk to run a repair installation?
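The triage reasoning in posts #7 and #8 (missing kernel32.dll entries, no ZeroAccess marker) can be scripted over a pasted log. This is an added example, not part of the thread and not FRST's own code; the rule that any line in the hash-check or EXE-association sections lacking the "legit"/"OK" suffix deserves review is an assumption based only on the log format shown in post #1.

```python
import re

# Section banners look like "======== Known DLLs (Whitelisted) ========".
SECTION_RE = re.compile(r"^=+\s*([^=\s].*?)\s*=+$")

# Lines copied from the log in post #1 (an excerpt, not the full log).
SAMPLE_LOG = r"""
========================= Known DLLs (Whitelisted) ============

C:\Windows\System32\kernel32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\kernel32.dll IS MISSING <==== ATTENTION!

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\open\command: "%1" %* => OK
"""


def triage(log_text: str) -> list:
    """Return the log lines a helper should look at first, with the reason."""
    findings = []
    section = "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        reason = None
        if "IS MISSING" in line:
            reason = "file missing"
        elif "ZeroAccess" in line:
            reason = "ZeroAccess marker"  # the marker quoted in post #7
        elif section.startswith("Bamital") and not line.endswith("=> MD5 is legit"):
            reason = "hash not reported as legit"  # assumed rule, see lead-in
        elif section == "EXE ASSOCIATION" and not line.endswith("=> OK"):
            reason = "exe association not OK"      # assumed rule, see lead-in
        elif "ATTENTION" in line:
            reason = "flagged by the tool"
        if reason:
            findings.append({"section": section, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f'[{item["section"]}] {item["reason"]}: {item["line"]}')
```

On the excerpt it reports only the two kernel32.dll lines, which matches the reading in post #8 that the missing DLLs, not a malware marker, are the notable finding.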

#9 Padishah


Posted 14 June 2012 - 03:09 PM

As I can't start Windows, I booted from the installation disc. I attempted to perform an "upgrade install" so as to make a repair installation. When I tried to do this, the install process posted the message below:

The computer started using the Windows installation disc. Remove the Windows installation disc and restart your computer so that Windows starts normally. Then insert the Windows installation disc and restart the upgrade. (Do not select "Custom (advanced)" to perform an upgrade. "Custom (advanced)" installs a new copy of Windows and deletes your programs and settings.)

In other words, the Windows 7 install disc prevents performing an upgrade install if you booted from the install disc. It appears that the only way to perform an upgrade install is if you can start the install process from within the Windows 7 install which you wish to upgrade... So no, I can't run a repair installation.

I also forgot to mention that the startup repair which ran after the BSOD failed to repair Windows, and that no restore points are found.

Edited by Padishah, 14 June 2012 - 03:16 PM.


#10 m0le


Posted 14 June 2012 - 04:51 PM

Let's use a tool that works within the recovery environment

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Scan your computer's memory for errors.
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your next reply.

#11 Padishah


Posted 15 June 2012 - 02:54 AM

I've already done that and I posted the log in my first post...

Edited by Padishah, 15 June 2012 - 02:57 AM.


#12 m0le


Posted 15 June 2012 - 02:35 PM

Sorry, that's right. I meant to go into Linux to boot the machine.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download dumpit to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.


#13 Padishah


Posted 16 June 2012 - 04:52 AM

I booted to the flash drive, selected English, then it started to run. This screen came up after a couple of seconds:

(==) Log file: "/var/log/Xorg.0.log", Time: Tue Jan 31 21:44:15 2012
(==) Using config file: "/etc/X11/xorg.conf"
Primary device is not PCI
(EE) No devices detected.

Fatal server error:
no screens found

...

 ddxSigGiveUp: Closing log
giving up.
xinit: No such file or directory (errno 2): unable to connect to X server
xinit: NO such process (errno 3): Server error.
xauth: (argv):2: bad display name "(none):0" in "remove" command
sh: no job control in this shell
sh-4.0#

I downloaded and added the extra drivers opt package but the same thing happened, so I followed the instructions here and finally got a mbr_dump.zip file which I attached.


Edited by Padishah, 16 June 2012 - 04:53 AM.


#14 m0le


Posted 17 June 2012 - 06:20 PM

The dump is from the wrong location so I can't use that.

We will try a similar Linux system and see if we can find something that works on what appears to be a very damaged system

Booting from Ubuntu Live from a USB Device

--------------

  • Please remove any existing information from your USB device
  • Download Ubuntu Live to your USB device (or if necessary do so from a working computer). This is a large file so allow it some time to download
  • With the USB device inserted into the infected computer restart your computer
  • If your computer does not automatically boot from the USB device please see here
  • Once the Ubuntu desktop is loaded please select English and then Try Ubuntu

  • Type terminal in the search box
  • Click on the first Terminal icon that is displayed - this will open a command prompt window
  • Type the following line and press Enter

    sudo dd if=/dev/sda of=mbr.txt bs=512 count=1

  • Open Firefox and connect to this topic
  • To access the Home folder click the third icon from the top in the left panel (Home Folder). You will see some folders there, as well as the mbr.txt file you just created
  • Copy and paste the mbr.txt file located in Home Folder and post in your next reply
  • Remove the USB device from your computer
  • Restart your computer into Windows


#15 Padishah


Posted 18 June 2012 - 04:40 AM

Just a wallpaper and a moving cursor showed up after logging into Ubuntu (as for xPUD, a driver problem maybe), so I opened the terminal, mounted my USB drive as /media/usb and typed this:
sudo dd if=/dev/sda of=/media/usb/mbr.txt bs=512 count=1
I attached the mbr.txt.

Attached Files

  • Attached File  mbr.txt   512bytes   1 downloads
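The `dd ... bs=512 count=1` command in posts #14 and #15 writes the raw first sector of the disk, so mbr.txt is 512 binary bytes despite its extension. The following added example (not code from the thread or from any tool named in it) decodes such a dump and lists structural anomalies. The sample sector is constructed to match the diskpart output in post #1 (type 07, active, offset 32256 bytes); its boot code is filler and its sector count is a made-up value.

```python
import hashlib
import struct
import sys

SECTOR_SIZE = 512
TABLE_OFFSET = 446  # four 16-byte partition entries start here
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 CHS", 0x0C: "FAT32 LBA",
              0x0E: "FAT16 LBA", 0xEE: "GPT protective"}


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte MBR sector and list structural anomalies."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    findings, partitions = [], []
    signature_ok = sector[510:512] == b"\x55\xaa"
    if not signature_ok:
        findings.append("missing 0x55AA boot signature")
    boot_code = sector[:440]
    if not any(boot_code):
        findings.append("bootstrap code area is all zeros")
    for index in range(4):
        raw = sector[TABLE_OFFSET + 16 * index:TABLE_OFFSET + 16 * (index + 1)]
        # status, 3 CHS bytes, type, 3 CHS bytes, first LBA, sector count
        status, ptype, first_lba, sectors = struct.unpack("<B3xB3xII", raw)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            findings.append(f"partition {index + 1}: invalid status 0x{status:02X}")
        partitions.append({
            "index": index + 1, "active": status == 0x80, "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "first_lba": first_lba, "offset_bytes": first_lba * SECTOR_SIZE,
            "sectors": sectors})
    active = [p for p in partitions if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly one)")
    ordered = sorted(partitions, key=lambda p: p["first_lba"])
    for left, right in zip(ordered, ordered[1:]):
        if left["first_lba"] + left["sectors"] > right["first_lba"]:
            findings.append(f"partitions {left['index']} and {right['index']} overlap")
    return {"signature_ok": signature_ok, "partitions": partitions,
            "findings": findings,
            # Hash of the boot code, for comparison with a known-good dump.
            "boot_code_sha256": hashlib.sha256(boot_code).hexdigest()}


def build_sample_mbr() -> bytes:
    """Constructed sector mirroring Disk 0 in post #1; boot code is filler."""
    boot_code = b"\x90" * 440                 # filler, not real boot code
    disk_id = b"\x00" * 6                     # disk signature + reserved
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1_465_143_000)
    return boot_code + disk_id + entry + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    result = parse_mbr(data)
    for part in result["partitions"]:
        print(part)
    print("boot code sha256:", result["boot_code_sha256"])
    print("findings:", result["findings"] or "none")
```

Run it with the dump's path as the only argument; a clean partition table here says nothing about the boot code itself, which is why the hash is printed for comparison against a reference.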




