I think I may have a virus, please help!

[wismommy]

Hello, I have attached the FRST.txt and Addition.txt files below because I received an error that my post was too long.

 

Thank you in advance, and I look forward to working with you on this.

FRST.txt

Addition.txt

[Naathim]

My name's Naathim and I'm a GeekU Minion! Now that we are mates and will be working together to clean your machine out of any junkware, feel free to call me Naat

Before we start please note the following:

• Analysis and research take some time, also sometimes real life gets in the way, please be patient.
• Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
• Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
• Paste the logs in your posts, attachments make my work harder and more complicated.
• Stay with me to the end, the absence of symtoms doesn't mean that your machine is fully operational.
• Note that we may live in totally different time zones, what may cause some delays between answers.

I can't foresee everything, so if anything unexpected happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

Let's start and enjoy the fight!

Rules and policies

We won't support any piracy.

That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.

---

Can you please tell me what issues/symptoms do you see? I need to know that to connect them with items visible in your logfile.

Scan with RogueKiller

Please download RogueKiller and save the file to your desktop.

Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Right-click on icon and select Run as Administrator to start the tool.
• Wait patiently until the pre-scan will be done. It shouldn't take more than 2-3 minutes.
• Accept the Terms of use.
• When the Scan button becomes available, please click it. RogueKiller will start a full scan.
• Let this process run uninterrupted!.
• When finished, a Report button will become available. Click it. You will be presented with a logfile.

Please include the content of this logfile in your next reply.

Cheers,

Naat

[wismommy]

Hello Naat,

 

Thank you for taking the time to help me!  I have noticed lately that my laptop has been very sluggish, programs "stop responding", flash player keeps stopping, and some programs fail to open, such as Malwarebytes.  My children have taken over my laptop lately and I am afraid they may have accidently downloaded a virus.  Here is the log file from Rogue Killer:

 

Well, it says that it is too long so I will have to attach it as a file.  I hope that is ok?

RKreport_SCN_09202014_173021.log

[Naathim]

No worries, if the file is to big it's ok to attach it. However please always try to include it directly prior to attaching



Scan with TDSSKiller

Please download TDSSKiller by Kaspersky and save it to your desktop.

• Right-click on icon and select Run as Administrator to start the tool.
• Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes, allow it to do so.
• Your machine may appear very slow and unusable after that - it's normal.
• TDSSKiller will run automaticaly. Click on Change parameters and click OK.
• Make sure that Verify driver digital signatures & Detect TDLFS File System are marked and click OK.
• Click the Start Scan button and wait patiently.

If anything will be found follow this guidelines:

• If a suspicious object is detected, the default action will be Skip, click on Continue.
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  > Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  > If Cure is not available, please choose Skip instead.
• Do not choose Delete unless instructed!

A report will be created in your root directory, (usually C:\ drive) in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt. Please include the contents of that file in your next post.

[wismommy]

sorry, again it wouldn't let me paste.  every time I tried my computer locked up.

 

here is the file:

 

TDSSKiller.3.0.0.40_23.09.2014_17.17.09_log.txt

[Naathim]

Hi

 

Before I will do something more invasive, I need to know something about this particular machine. I can see there lots of policies, that won't be present on a home machine. Or they may be stablished if somebody else would be administrating this one. Do you know anything about that?

[wismommy]

Nope, this is just an ordinary laptop, I use it for school and my kids have been gaming on it. I am the admin, and I don't know anything about any policies that may be present nor do I know what you mean by that

[AdvancedSetup]

I will go ahead and take over for Naathim in his absence
 

Please try the following which should be supported on Windows 8 - as the logs show you have not updated to 8.1 yet.

 

 

Please visit this webpage and read the ComboFix User's Guide:

• Once you've read the article and are ready to use the program you can download it directly from the link below.
• Important! - Please make sure you save combofix to your desktop and do not run it from your browser
• Direct download link for: ComboFix.exe
• Please make sure you disable your security applications before running ComboFix.
• Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
• Please attach that log file to your next reply.
• If needed the file can be located here:  C:\combofix.txt
• NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.
  

 

[wismommy]

ComboFix 14-09-29.02 - Ann 09/28/2014  16:39:13.1.4 - x64
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.8071.6404 [GMT -5:00]
Running from: c:\users\Ann\Desktop\ComboFix.exe
AV: Webroot SecureAnywhere *Disabled/Updated* {66A6FE14-08CB-F415-3742-517201416109}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Webroot SecureAnywhere *Disabled/Updated* {DDC71FF0-2EF1-FB9B-0DF2-6A007AC62BB4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\Thumbs.db
c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744BA0000000010\11.0.0\eula.ini
c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744BA0000000010\11.0.0\eula.ini2
c:\windows\TEMP\WRusr.dll-410316984-1.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2014-08-28 to 2014-09-28  )))))))))))))))))))))))))))))))
.
.
2014-09-28 21:56 . 2014-09-28 21:56    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-09-20 22:11 . 2014-09-20 22:11    36456    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2014-09-20 22:11 . 2014-09-20 22:11    --------    d-----w-    c:\programdata\RogueKiller
2014-09-19 23:51 . 2014-09-19 23:51    --------    d-----w-    c:\programdata\KingsIsle Entertainment
2014-09-19 21:43 . 2014-09-19 21:48    --------    d-----w-    C:\FRST
2014-09-17 01:23 . 2014-09-17 01:23    --------    d-----w-    c:\program files (x86)\Common Files\Java
2014-09-17 01:23 . 2014-07-25 17:55    98216    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-09-16 02:47 . 2014-08-09 08:30    148480    ----a-w-    c:\windows\system32\poqexec.exe
2014-09-16 02:47 . 2014-08-09 08:29    144896    ----a-w-    c:\windows\system32\tssdisai.dll
2014-09-13 02:15 . 2014-09-13 02:15    305832    ----a-w-    c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10246.bin
2014-09-11 20:11 . 2013-05-14 13:14    2706432    ----a-w-    c:\windows\system32\mshtml.tlb
2014-09-11 19:23 . 2014-09-04 22:36    755712    ----a-w-    c:\windows\system32\aepdu.dll
2014-09-11 19:23 . 2014-09-03 01:49    556544    ----a-w-    c:\windows\system32\aeinv.dll
2014-09-11 19:23 . 2014-07-26 02:19    26218496    ----a-w-    c:\program files\Common Files\Microsoft Shared\Microsoft Camera Codec Pack\MicrosoftRawCodec.dll
2014-09-11 19:23 . 2014-07-26 01:52    25479168    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\Microsoft Camera Codec Pack\MicrosoftRawCodec.dll
2014-09-10 16:48 . 2014-09-10 16:48    --------    d-----w-    c:\program files\iPod
2014-09-10 16:48 . 2014-09-10 16:49    --------    d-----w-    c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-09-10 16:48 . 2014-09-10 16:49    --------    d-----w-    c:\program files\iTunes
2014-09-10 16:48 . 2014-09-10 16:49    --------    d-----w-    c:\program files (x86)\iTunes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-28 16:14 . 2013-08-26 15:48    154760    ----a-w-    c:\windows\SysWow64\WRusr.dll
2014-09-28 16:14 . 2013-08-26 15:48    115680    ----a-w-    c:\windows\system32\drivers\WRkrn.sys
2014-09-28 16:14 . 2013-08-26 15:48    105320    ----a-w-    c:\windows\system32\WRusr.dll
2014-09-20 15:16 . 2013-08-26 16:45    590536    ----a-w-    c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2014-09-19 21:39 . 2014-06-28 20:17    91352    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-09-11 19:59 . 2013-08-27 10:12    101694776    ----a-w-    c:\windows\system32\MRT.exe
2014-09-02 19:32 . 2014-07-13 21:54    705480    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-09-02 19:32 . 2014-07-13 21:54    104904    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-08-28 23:21 . 2012-07-26 08:13    23256    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-08-26 12:18 . 2013-08-26 15:51    10395072    ----a-w-    c:\program files (x86)\Common Files\wruninstall.exe
2014-08-23 06:47 . 2014-08-27 19:49    4036096    ----a-w-    c:\windows\system32\win32k.sys
2014-08-22 17:14 . 2014-04-08 15:19    13792    ----a-w-    c:\windows\system32\drivers\semav6thermal64ro.sys
2014-08-19 01:23 . 2014-06-28 20:17    122584    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-28 19:52 . 2014-07-28 19:52    6112072    ----a-w-    c:\windows\system32\usbaaplrc.dll
2014-07-28 19:52 . 2014-07-28 19:52    54784    ----a-w-    c:\windows\system32\drivers\usbaapl64.sys
2014-07-15 23:03 . 2014-08-13 19:16    1300992    ----a-w-    c:\windows\system32\gdi32.dll
2014-07-15 22:51 . 2014-08-13 20:03    71168    ----a-w-    c:\windows\system32\drivers\hdaudbus.sys
2014-07-12 02:36 . 2014-08-13 19:16    1023488    ----a-w-    c:\windows\SysWow64\gdi32.dll
2014-06-30 22:42 . 2014-07-10 14:42    394240    ----a-w-    c:\windows\system32\devinv.dll
2014-06-30 22:42 . 2014-07-10 14:42    87552    ----a-w-    c:\windows\system32\aepic.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-05-17 00:28    223432    ----a-w-    c:\users\Ann\AppData\Local\Microsoft\SkyDrive\17.0.4041.0512\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-05-17 00:28    223432    ----a-w-    c:\users\Ann\AppData\Local\Microsoft\SkyDrive\17.0.4041.0512\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-05-17 00:28    223432    ----a-w-    c:\users\Ann\AppData\Local\Microsoft\SkyDrive\17.0.4041.0512\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyDrive"="c:\users\Ann\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" [2014-05-17 257224]
"TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2013-08-27 248208]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2013-11-20 59720]
"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2014-08-08 22734160]
"Akamai NetSession Interface"="c:\users\Ann\AppData\Local\Akamai\netsession_win.exe" [2014-04-18 4672920]
"HP Deskjet 3050A J611 series (NET)"="c:\program files\HP\HP Deskjet 3050A J611 series\Bin\ScanToPCActivationApp.exe" [2012-10-17 2573416]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2013-11-20 59720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe" [2013-02-06 740376]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2014-09-28 767600]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-07-31 43816]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-09-01 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Application Restart 0"="c:\program files\Common Files\microsoft shared\ink\TabTip.exe" [2014-06-11 394624]
"Application Restart 8DB02F5BFC3B45E39C60F87E4F10D0085A4CE723"="c:\program files\Common Files\microsoft shared\ink\TabTip.exe" [2014-06-11 394624]
.
c:\users\Ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Send to OneNote.lnk - c:\program files\Microsoft Office 15\root\office15\ONENOTEM.EXE /tsr [2014-9-20 195240]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\StartUp\
Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-8-26 10395072]
Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-8-26 10395072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 0 (0x0)
"DisableLocalMachineRunOnce"= 0 (0x0)
"DisableCurrentUserRun"= 0 (0x0)
"DisableCurrentUserRunOnce"= 0 (0x0)
"NoFile"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoEncryptOnMove"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 ESRV_SVC;Energy Server Service;c:\program files\Sony\VAIO Care\ESRV\esrv_svc.exe --AUTO_START --start --address 127.0.0.1;c:\program files\Sony\VAIO Care\ESRV\esrv_svc.exe --AUTO_START --start --address 127.0.0.1 [x]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys;c:\windows\SYSNATIVE\DRIVERS\e1y60x64.sys [x]
R3 iscFlash;iscFlash;c:\programdata\Sony Corporation\Sony Packaging Manager\PackagingTemp\{A84ECFAD-3DE9-4CC7-98C2-F7EBDA07401A}\TOOL_WIN\iscflashx64.sys;c:\programdata\Sony Corporation\Sony Packaging Manager\PackagingTemp\{A84ECFAD-3DE9-4CC7-98C2-F7EBDA07401A}\TOOL_WIN\iscflashx64.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys;c:\windows\SYSNATIVE\DRIVERS\netaapl64.sys [x]
R3 NetworkSupport;NetworkSupport;c:\program files (x86)\Sony\VAIO Control Center\NetworkSetting\NetworkSupport.exe;c:\program files (x86)\Sony\VAIO Control Center\NetworkSetting\NetworkSupport.exe [x]
R3 semav6thermal64ro;semav6thermal64ro;c:\windows\system32\drivers\semav6thermal64ro.sys;c:\windows\SYSNATIVE\drivers\semav6thermal64ro.sys [x]
R3 SOHCImp;VAIO Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [x]
R3 SOHDms;VAIO Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [x]
R3 SOHDs;VAIO Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [x]
R3 SpfService;VAIO Entertainment Common Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\System32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe;c:\program files\Sony\VAIO Power Management\SPMService.exe [x]
R3 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [x]
R3 WSDScan;WSD Scan Support;c:\windows\system32\DRIVERS\WSDScan.sys;c:\windows\SYSNATIVE\DRIVERS\WSDScan.sys [x]
R3 X6va021;X6va021;c:\windows\SysWOW64\Drivers\X6va021;c:\windows\SysWOW64\Drivers\X6va021 [x]
S0 iaStorA;iaStorA;c:\windows\System32\drivers\iaStorA.sys;c:\windows\SYSNATIVE\drivers\iaStorA.sys [x]
S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]
S1 CLVirtualDrive;CLVirtualDrive;c:\windows\system32\DRIVERS\CLVirtualDrive.sys;c:\windows\SYSNATIVE\DRIVERS\CLVirtualDrive.sys [x]
S2 BcmBtRSupport;Bluetooth Radio Control Service;c:\windows\system32\BtwRSupportService.exe;c:\windows\SYSNATIVE\BtwRSupportService.exe [x]
S2 ClickToRunSvc;Microsoft Office ClickToRun Service;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [x]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe;c:\program files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [x]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 bcbtums;Bluetooth RAM Firmware Download USB Filter;c:\windows\system32\drivers\bcbtums.sys;c:\windows\SYSNATIVE\drivers\bcbtums.sys [x]
S3 BthLEEnum;Bluetooth Low Energy Driver;c:\windows\system32\DRIVERS\BthLEEnum.sys;c:\windows\SYSNATIVE\DRIVERS\BthLEEnum.sys [x]
S3 btwampfl;btwampfl Bluetooth filter driver;c:\windows\system32\drivers\btwampfl.sys;c:\windows\SYSNATIVE\drivers\btwampfl.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
S3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsPStor.sys [x]
S3 RTL8168;Realtek 8168 NT Driver;c:\windows\system32\DRIVERS\Rt630x64.sys;c:\windows\SYSNATIVE\DRIVERS\Rt630x64.sys [x]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\System32\drivers\SFEP.sys;c:\windows\SYSNATIVE\drivers\SFEP.sys [x]
S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]
S3 USER_ESRV_SVC;User Energy Server Service;c:\program files\Sony\VAIO Care\ESRV\esrv_svc.exe;c:\program files\Sony\VAIO Care\ESRV\esrv_svc.exe [x]
S3 VCService;VCService;c:\program files\Sony\VAIO Care\VCService.exe;c:\program files\Sony\VAIO Care\VCService.exe [x]
S3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update\vuagent.exe;c:\program files\Sony\VAIO Update\vuagent.exe [x]
S3 WUDFWpdMtp;WUDFWpdMtp;c:\windows\system32\DRIVERS\WUDFRd.sys;c:\windows\SYSNATIVE\DRIVERS\WUDFRd.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-09-25 02:32    1096520    ----a-w-    c:\program files (x86)\Google\Chrome\Application\37.0.2062.124\Installer\chrmstp.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
2013-09-05 14:04    215416    ----a-w-    c:\program files (x86)\Adobe\Reader 11.0\Esl\AiodLite.dll
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-08-28 21:00]
.
2014-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-11-17 04:17]
.
2014-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-11-17 04:17]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-05-17 00:28    262344    ----a-w-    c:\users\Ann\AppData\Local\Microsoft\SkyDrive\17.0.4041.0512\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-05-17 00:28    262344    ----a-w-    c:\users\Ann\AppData\Local\Microsoft\SkyDrive\17.0.4041.0512\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-05-17 00:28    262344    ----a-w-    c:\users\Ann\AppData\Local\Microsoft\SkyDrive\17.0.4041.0512\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-09-20 15:17    2334416    ----a-w-    c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-09-20 15:17    2334416    ----a-w-    c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-09-20 15:17    2334416    ----a-w-    c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-08-08 15:34    777032    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-08-08 15:34    777032    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-08-08 15:34    777032    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-08-08 15:34    777032    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-08-08 15:34    777032    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\program files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.exe" [2013-08-26 10592256]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2014-02-11 1381744]
"Bluetooth"="c:\program files\WIDCOMM\Bluetooth Software\bttray.exe" [2012-12-14 526704]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2013-03-14 172016]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2013-03-14 399856]
"Persistence"="c:\windows\system32\igfxpers.exe" [2013-03-14 442352]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\program files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Ann\AppData\Roaming\Mozilla\Firefox\Profiles\m2xatij3.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/default.aspx
.
.
------- File Associations -------
.
inifile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
txtfile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-NCUpdateHelper - c:\program files (x86)\NCWest\NCLauncher\NCUpdateHelper.exe
SafeBoot-60575516.sys
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\X6va021]
"ImagePath"="\??\c:\windows\SysWOW64\Drivers\X6va021"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
Completion time: 2014-09-28  17:01:55
ComboFix-quarantined-files.txt  2014-09-28 22:01
.
Pre-Run: 817,708,756,992 bytes free
Post-Run: 822,703,656,960 bytes free
.
- - End Of File - - 3F8349A656569195358FA71B8E4D3C47
 

[AdvancedSetup]

How is the computer running now?

Are there still signs of an infection?

 

What issues are you still having ?

[wismommy]

I am still having issues with it running slow and some programs continue to freeze up on me like Firefox/chrome/Word....

[AdvancedSetup]

Please run a Full Disk Check on your system drive.  If needed here are some links on how to run a Disk Check.


On Windows 8 the disk check log is in the Event Logs under Application with a heading source of  Chkdsk

How to Check a Drive for Errors with "chkdsk" in Windows 8

How to Read the Event Viewer Log for Check Disk (chkdsk) in Vista, Windows 7, and Windows 8
 

 

You want to run the full disk check and check for and fix errors and bad sectors during a restart of the computer.

 

Then find and copy/paste the results from the Event Logs for the disk check.

 

[wismommy]

Checking file system on C:
The type of the file system is NTFS.


One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 3)...
The attribute of type 0x80 and instance tag 0x4 in file 0xf21
has allocated length of 0x30000 instead of 0x170000.
Deleting corrupt attribute record (128, "")
from file record segment 3873.
The attribute of type 0x80 and instance tag 0x0 in file 0x165cb
has allocated length of 0xa7610000 instead of 0xa7590000.
Deleted corrupt attribute list entry
with type code 128 in file 91595.
Unable to locate attribute with instance tag 0x0 and segment
reference 0x100000006d2df.  The expected attribute type is 0x80.
Deleting corrupt attribute record (128, $J)
from file record segment 447199.
  612864 file records processed.                                          File verification completed.
  9916 large file records processed.                                      0 bad file records processed.                                      
CHKDSK is verifying indexes (stage 2 of 3)...
  736018 index entries processed.                                         Index verification completed.
  0 unindexed files scanned.                                           0 unindexed files recovered.                                       
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK is compacting the security descriptor stream
Cleaning up 2218 unused security descriptors.
Inserting data attribute into file 3873.
  61579 data files processed.                                            CHKDSK is verifying Usn Journal...
Creating Usn Journal $J data stream
Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.

Windows has made corrections to the file system.
No further action is required.

 943269887 KB total disk space.
 139401868 KB in 414022 files.
    219344 KB in 61581 indexes.
         0 KB in bad sectors.
    709119 KB in use by the system.
     65536 KB occupied by the log file.
 802939556 KB available on disk.

      4096 bytes in each allocation unit.
 235817471 total allocation units on disk.
 200734889 allocation units available on disk.

Internal Info:
00 5a 09 00 dc 41 07 00 e4 b7 0c 00 00 00 00 00  .Z...A..........
12 07 00 00 2a 00 00 00 00 00 00 00 00 00 00 00  ....*...........
20 03 e9 e3 75 00 00 00 00 00 00 00 00 00 00 00   ...u...........

Windows has finished checking your disk.
Please wait while your computer restarts.

[wismommy]

also, is there a problem with my malwarebytes program as listed in this log:

 

Faulting application name: mbamscheduler.exe, version: 3.0.2.0, time stamp: 0x5339cec3
Faulting module name: MSVCR100.dll, version: 10.0.40219.325, time stamp: 0x4df2be1e
Exception code: 0x40000015
Fault offset: 0x0008d6fd
Faulting process id: 0x180
Faulting application start time: 0x01cfdce367fc1e51
Faulting application path: C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
Faulting module path: C:\Program Files (x86)\Malwarebytes Anti-Malware\MSVCR100.dll
Report Id: b02bffe5-48d6-11e4-befa-b8763fca6e94
Faulting package full name:
Faulting package-relative application ID:

[AdvancedSetup]

That is probably due to infection and or corruption. The disk check you ran was a basic check disk. 1 to 3 steps.

Please run a full one which will be 5 steps. The disk check found a lot of issues and best we check the entire drive for possible further errors to fix.

 

From an Elevated Admin command prompt you can type the following.

 

CHKDSK  C:  /R

 

Then Y key, then Enter key, then reboot and let it run.

[wismommy]

still trying...

[wismommy]

the chkdsk gets stuck at 27% complete and just sits there????  is there something else I can try??

[AdvancedSetup]

No just let it run. If it cannot complete it could be due to a failing hard drive which is part of why I wanted you to run the Full disk check so we can rule that out. If the drive is bad then it will need to get replaced and Windows reinstalled.

 

From the Device Manager you should be able to look at your hard drive and then do a Google Search on the name/number to verify who makes it and then download their OEM software to test the hard drive for issue.

 

It's the weekend so I may not reply right away but if I've not replied by Sunday night please send me a private message as a reminder.

 

 

Please see the following link which has all sorts of links and topics for hard drive diagnostics
Hard Drive Diagnostics Tools and Utilities
 

[wismommy]

I think I may have to do a clean reinstall, I have major problems. I tried running the CHKDSK and I accidently did the short one again (3 step) and every line said ".....file is corrupt" or "1383848 is an orphan"? Whatever that means! Anyway i am getting invalid directory errors, explorer.exe errors, etc. From what I have researched online it may be easier to do a clean install. However, I am doing a FULL CHKDSK right now, and will let it run overnight and see what I get in the morning. As of right now I can only email from my phone which is why I couldn't attach any files or screenshots for you at this time.

[wismommy]

ok this is what I got...notice at the end it cuts off??  not sure what this is all about but this is all that is there.

 

TimeCreated : 10/6/2014 3:26:59 AM
Message     :
              
              Checking file system on C:
              The type of the file system is NTFS.
              
              One of your disks needs to be checked for consistency. You
              may cancel the disk check, but it is strongly recommended
              that you continue.
              Windows will now check the disk.                         
              
              CHKDSK is verifying files (stage 1 of 5)...
              The attribute of type 0x80 and instance tag 0x3 in file 0xb59b
              has allocated length of 0x388000 instead of 0x38c000.
              Deleting corrupt attribute record (128, "")
              from file record segment 46491.
              The attribute of type 0x80 and instance tag 0x4 in file 0xe825
              has allocated length of 0xe000 instead of 0x10000.
              Deleting corrupt attribute record (128, "")
              from file record segment 59429.
              The attribute of type 0x80 and instance tag 0x4 in file 0x17379
              has allocated length of 0x148000 instead of 0x14f000.
              Deleting corrupt attribute record (128, "")
              from file record segment 95097.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x140c for possibly 0x4 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x19d09 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 105737.
              Attribute record of type 0x80 and instance tag 0x3 is cross linked
              starting at 0x13442c for possibly 0x4 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x3
              in file 0x1b1e6 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 111078.
              Attribute record of type 0x80 and instance tag 0x3 is cross linked
              starting at 0x412d0 for possibly 0x4 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x3
              in file 0x1c010 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 114704.
              Attribute record of type 0x80 and instance tag 0x3 is cross linked
              starting at 0x47014 for possibly 0x4 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x3
              in file 0x1c011 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 114705.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x3d058 for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x1c974 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 117108.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x39f2a for possibly 0x3 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x201f7 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 131575.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x41088 for possibly 0x3 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x2039a is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 131994.
              Attribute record of type 0x80 and instance tag 0x1 is cross linked
              starting at 0x63ce1 for possibly 0x4 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x1
              in file 0x2468a is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 149130.
              Attribute record of type 0x80 and instance tag 0x3 is cross linked
              starting at 0x46888 for possibly 0x3 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x3
              in file 0x24d91 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 150929.
              Attribute record of type 0x80 and instance tag 0x1 is cross linked
              starting at 0x3a10c for possibly 0x4 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x1
              in file 0x24f2f is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 151343.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x38aa4 for possibly 0x3 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x250e1 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 151777.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x10b5640 for possibly 0x10 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x25101 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 151809.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x3b724 for possibly 0x4 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x2879b is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 165787.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x91a0c for possibly 0x4 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x288c3 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 166083.
              Attribute record of type 0x80 and instance tag 0x0 is cross linked
              starting at 0x1254536 for possibly 0xf clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x0
              in file 0x28bb5 is already in use.
              The attribute of type 0x80 and instance tag 0x0 in file 0x28bb5
              has allocated length of 0x7b16000 instead of 0xb00000.
              Deleted corrupt attribute list entry
              with type code 128 in file 166837.
              Unable to locate attribute with instance tag 0x0 and segment
              reference 0x2c0000000124dd.  The expected attribute type is 0x80.
              Deleting corrupt attribute record (128, "")
              from file record segment 74973.
              Unable to locate attribute with instance tag 0x0 and segment
              reference 0x420000000129b2.  The expected attribute type is 0x80.
              Deleting corrupt attribute record (128, "")
              from file record segment 76210.
              Unable to locate attribute with instance tag 0x0 and segment
              reference 0x130000000129ce.  The expected attribute type is 0x80.
              Deleting corrupt attribute record (128, "")
              from file record segment 76238.
              Unable to locate attribute with instance tag 0x0 and segment
              reference 0x19000000013401.  The expected attribute type is 0x80.
              Deleting corrupt attribute record (128, "")
              from file record segment 78849.
              Unable to locate attribute with instance tag 0x0 and segment
              reference 0x2c000000013917.  The expected attribute type is 0x80.
              Deleting corrupt attribute record (128, "")
              from file record segment 80151.
              Attribute record of type 0x80 and instance tag 0x3 is cross linked
              starting at 0x10c6f47 for possibly 0xff clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x3
              in file 0x2cf78 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 184184.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x3ba9b for possibly 0x3 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x30b7e is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 199550.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x64f39 for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x30b8d is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 199565.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x3dc66 for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x3103a is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 200762.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x98f34 for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x31309 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 201481.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x98f35 for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x31f30 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 204592.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x44c3c for possibly 0x3 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x35cfb is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 220411.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x400ee for possibly 0x2 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x35f2a is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 220970.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x39fa8 for possibly 0x3 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x37434 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 226356.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x3ada9 for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x37461 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 226401.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x47c39 for possibly 0x3 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x37541 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 226625.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x3adab for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x37583 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 226691.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x403ad for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x37588 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 226696.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x3dc65 for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x375de is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 226782.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x400f0 for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x375ea is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 226794.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x3fc1d for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x378c1 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 227521.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x40e97 for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x378cb is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 227531.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x46cc0 for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x378f0 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 227568.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x65b44 for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x3790c is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 227596.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x64345 for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x3791f is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 227615.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x64f3b for possibly 0x5 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x37922 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 227618.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x3cc9f for possibly 0x3 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x37925 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 227621.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x3ce6c for possibly 0x3 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x3793f is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 227647.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x64528 for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x37dc3 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 228803.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x3b07c for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x37dcb is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 228811.
              Attribute record of type 0x80 and instance tag 0x3 is cross linked
              starting at 0x40ee5 for possibly 0x2 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x3
              in file 0x37f3d is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 229181.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x403ae for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x37f71 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 229233.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x403af for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x37f7a is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 229242.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x3b625 for possibly 0x3 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x381d0 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 229840.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x40e96 for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x38354 is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 230228.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x40e98 for possibly 0x1 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x384dc is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 230620.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x4211b for possibly 0x2 clusters.
              Some clusters occupied by attribute of type 0x80 and instance tag 0x4
              in file 0x385ed is already in use.
              Deleting corrupt attribute record (128, "")
              from file record segment 230893.
              Attribute record of type 0x80 and instance tag 0x4 is cross linked
              starting at 0x656a6 for possibly 0x1 clusters.
              Some clu

[AdvancedSetup]

This is looking more like you have a bad hard drive. If possible try to backup any data you can and then test the drive but I believe it is bad and will require that it be replaced.

If you look in the Device Manager under drives you can see your drive type and search that number to see who makes it and then download a test utility for it and test the hard drive.

Please see the following link which has all sorts of links and topics for hard drive diagnostics

Hard Drive Diagnostics Tools and Utilities

[AdvancedSetup]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!