Vista unable to change startup items and more
White-Wolf
Alaska
A friend brought me his Vista box to help fix. Asus M232N, 3800+, 2G DDR2-800, nvidia 8500 GT, SB X-Fi, Vista 32bit Home Prem.
A mutual friend built it for him without really knowing what she was doing... Apparently a failed XP, Memtest and partition manager I saw remnants of, as well as needing other tweaks and BIOS changes, plus disabling onboard audio (AD-Soundmax) since it has an X-Fi in it.
He brought it to me as it started "acting strange" and his sister had used it and got a warning message about a trojan downloaded. I personally think the AV did its job and simply blocked and bitched, but...
After bringing it here, I gave it a once over.. cleaned it out, swapped the frontpanel audio to the X-Fi, CPU fan to the CPU fan port -_-, boot drive from sata2 to sata1... Minor nit picks, really. Pretty sure changing the physical port made it start all new reindexing/fetching etc.
However, it was the slowest machine I've used in ages... Given that my own unit is nearly identical (same mobo, dual core, no Xfi, 7900 GTX) I knew the box was hurting somewhere. The prefetch and indexing were of course on, but shutting them off made little difference. Constant Disk access, particularly during his primary diversion, WoW, was running so slow he couldn't really play... Plus wow would get minimized constantly for no reason.
After several hours of poking, updates, ccleaner, changing his AV to Avast from AVG (it did have nortons at one time as well, removed... I force removed the remnants), and generally trying everything standard, nothing helped. No virii were found, rootkit detectors clean, malware was mostly cookies (Spybot S&D)... Nothing helped to speed it up or make the giant disk accesses stop. Prefetch and indexing, should they not have been disabled, should have finished long ago.
Eventually, I gave up and let it system restore... not my favourite option, but, next step is clean install. That seemed to work, WoW runs great, disk access is great (re-shut off indexing, etc). But now Firefox says it can't load its security component, the startup items I disable in HijackThis won't go away, the hosts file it says is unwritable, and I got -tons- of messages about being unable to change/access files all over the machine when I turned indexing off recursively. Un/Reinstalling Firefox doesn't help.
Going to safe mode and removing the startup items might work, but, I doubt that is going to fix anything except the couple useless entries. I feel like there is a much deeper ownership/permission problem now due to the restore.
I don't know much about Vista, I refused till this point to bother with it, and my specialty is Linux and Network administration... I am sure you know, though, that as IT... I am fair game to any and all home PC friends needing help.
This one's got me stumped. I'm tired of poking, and the vista restrictions are starting to drive me up a tree. "I am Root! Stop asking me dumb admin dialogs and do what I say.. and where the hell are the hidden folders in the user dir! Gah!" Yes, Vista is all I thought it would be and more.
I'll post a Hijack log in a sec... anything else you might need, just ask.
Scan saved at 1:40:52 AM, on 3/2/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\CTXFISPI.EXE
C:\Windows\System32\rundll32.exe
C:\Users\Chris\AppData\Local\Temp\bwgo0003364b.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\AI Booster\OverClk.exe"
O4 - HKLM\..\Run: [AsusStartupHelp] "C:\Program Files\ASUS\AASP\1.00.14\AsRunHelp.exe"
O4 - HKLM\..\Run: [WinSys2] C:\Windows\system32\startup.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{6C05B038-B6D6-46A7-A793-3F2016769E1A}
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 8448 bytes
Now you see why I asked for help so quick
I also checked, the user account is listed as admin, and a fresh blank admin account has the same results.
go to C:\windows\system32, right click cmd.exe, and hit "Run as admin." Do sfc, it'll work.
I rebooted it, but, hijack still cannot modify the startup items, and Firefox is still moaning about being unable to startup its security component. I hope that there is more that can be done. I scheduled and am running a simple diskchk at the moment, I'll try again after that, and send you any more log clippings from the system logs that look interesting at all.
Note, I forgot to mention one of the initial symptoms he brought the machine to me for, was the OS not shutting down and eventually doing the reboot-loop-shuffle. When it came here, I brought it to safe mode, ran a regclean and scanned with SpyBot. Don't remember if I did anything else, but, that brought it back to life, minus the resulting WoW uselessness, slowness and disk activity.
I omitted the data from before the test, but it is still 375KB of plain text. So, here are a couple highlights. Sorry if they make this post huge. I will make the logfile available if you really need it, in part or whole.
<Begin log clippings>
2008-03-02 22:31:38, Info CBS Loaded Servicing Stack v6.0.6001.18000 with Core: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6001.18000_none_095f6148c74a7a64\cbscore.dll
2008-03-02 22:31:38, Info CSI 00000001@2008/3/3:07:31:38.411 WcpInitialize (wcp.dll version 0.0.0.5) called (stack @0x6bb18504 @0x6d408439 @0x6d3e62a3 @0xd2213c @0xd21ebb @0xd21949)
2008-03-02 22:31:38, Info CSI 00000002@2008/3/3:07:31:38.461 WcpInitialize (wcp.dll version 0.0.0.5) called (stack @0x6bb18504 @0x6d43e615 @0x6d420dec @0xd2213c @0xd21ebb @0xd21949)
2008-03-02 22:31:38, Info CSI 00000003@2008/3/3:07:31:38.481 WcpInitialize (wcp.dll version 0.0.0.5) called (stack @0x6bb18504 @0x74cd1a0d @0x74cd1794 @0xd23397 @0xd229f6 @0xd21949)
2008-03-02 22:31:38, Info CBS NonStart: Checking to ensure startup processing was not required.
2008-03-02 22:31:38, Info CSI 00000004 IAdvancedInstallerAwareStore_ResolvePendingTransactions (call 1) (flags = 00000004, progress = NULL, phase = 0, pdwDisposition = @0x80faa0
2008-03-02 22:31:38, Info CBS NonStart: Success, startup processing not required as expected.
2008-03-02 22:31:38, Info CSI 00000005 CSI Store 806432 (0x000c4e20) initialized
2008-03-02 22:31:40, Info CSI 00000006 [SR] Verifying 100 (0x00000064) components
2008-03-02 22:31:40, Info CSI 00000007 [SR] Beginning Verify and Repair transaction
2008-03-02 22:31:44, Info CSI 00000008 Repair results created:
POQ 0 starts:
0: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\498c91a1007dc80165000000c007f00f._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
1: Move File: Source = [l:162{81}]"\SystemRoot\WinSxS\Temp\PendingRenames\a9e794a1007dc80166000000c007f00f.$$.cdf-ms", Destination = [l:74{37}]"\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"
2: Move File: Source = [l:208{104}]"\SystemRoot\WinSxS\Temp\PendingRenames\39299ba1007dc80167000000c007f00f.$$_ehome_40103e2da1d121de.cdf-ms", Destination = [l:120{60}]"\SystemRoot\WinSxS\FileMaps\$$_ehome_40103e2da1d121de.cdf-ms"
3: Set File Information: File = [l:40{20}]"\??\C:\Windows\ehome", Attributes = 00000080
4: Move File: Source = [l:218{109}]"\SystemRoot\WinSxS\Temp\PendingRenames\d9a8b2a1007dc80168000000c007f00f.program_files_ffd0cbfc813cc4f1.cdf-ms", Destination = [l:130{65}]"\SystemRoot\WinSxS\FileMaps\program_files_ffd0cbfc813cc4f1.cdf-ms"
5: Move File: Source = [l:244{122}]"\SystemRoot\WinSxS\Temp\PendingRenames\997db4a1007dc80169000000c007f00f.program_files_common_files_d7a65bb2f0e854e7.cdf-ms", Destination = [l:156{78}]"\SystemRoot\WinSxS\FileMaps\program_files_common_files_d7a65bb2f0e854e7.cdf-ms"
6: Move File: Source = [l:278{139}]"\SystemRoot\WinSxS\Temp\PendingRenames\b9cbb4a1007dc8016a000000c007f00f.program_files_common_files_microsoft_shared_818c5a0e45020fba.cdf-ms", Destination = [l:190{95}]"\SystemRoot\WinSxS\FileMaps\program_files_common_files_microsoft_shared_818c5a0e45020fba.cdf-ms"
7: Move File: Source = [l:286{143}]"\SystemRoot\WinSxS\Temp\PendingRenames\e940b5a1007dc8016b000000c007f00f.program_files_common_files_microsoft_shared_ink_3c86e3db0b3b254c.cdf-ms", Destination = [l:198{99}]"\SystemRoot\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_3c86e3db0b3b254c.cdf-ms"
8: Move File: Source = [l:292{146}]"\SystemRoot\WinSxS\Temp\PendingRenames\098fb5a1007dc8016c000000c007f00f.program_file
2008-03-02 22:31:44, Info CSI s_common_files_microsoft_shared_ink_en_7a951cedcb9a5105.cdf-ms", Destination = [l:204{102}]"\SystemRoot\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_en_7a951cedcb9a5105.cdf-ms"
9: Set File Information: File = [l:114{57}]"\??\C:\Program Files\Common Files\Microsoft Shared\Ink\en", Attributes = 00000080
....
2008-03-02 22:34:58, Info CSI 000000bb Ignoring duplicate ownership for directory [l:58{29}]"\??\C:\Windows\System32\de-DE" in component Microsoft-Windows-mlang.Resources, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"de-DE", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2008-03-02 22:34:58, Info CSI 000000bc Ignoring duplicate ownership for directory [l:58{29}]"\??\C:\Windows\System32\lt-LT" in component Microsoft-Windows-mlang.Resources, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"lt-LT", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2008-03-02 22:34:59, Info CSI 000000bd Ignoring duplicate ownership for directory [l:58{29}]"\??\C:\Windows\System32\lv-LV" in component Microsoft-Windows-mlang.Resources, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"lv-LV", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2008-03-02 22:34:59, Info CSI 000000be Ignoring duplicate ownership for directory [l:58{29}]"\??\C:\Windows\System32\ja-JP" in component Microsoft-Windows-mlang.Resources, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"ja-JP", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2008-03-02 22:34:59, Info CSI 000000bf Ignoring duplicate ownership for directory [l:58{29}]"\??\C:\Windows\System32\he-IL" in component Microsoft-Windows-mlang.Resources, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"he-IL", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2008-03-02 22:34:59, Info CSI 000000c0 Ignoring duplicate ownership for directory [l:58{29}]"\??\C:\Windows\System32\uk-UA" in component Microsoft-Windows-mlang.Resources, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"uk-UA", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2008-03-02 22:35:00, Info CSI 000000c1 Ignoring duplicate ownership for directory [l:58{29}]"\??\C:\Windows\System32\sl-SI" in component Microsoft-Windows-mlang.Resources, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"sl-SI", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2008-03-02 22:35:00, Info CSI 000000c2 Ignoring duplicate ownership for directory [l:58{29}]"\??\C:\Windows\System32\en-US" in component Microsoft-Windows-mlang.Resources, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-us", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2008-03-02 22:35:00, Info CSI 000000c3 Ignoring duplicate ownership for directory [l:58{29}]"\??\C:\Windows\System32\zh-CN" in component Microsoft-Windows-mlang.Resources, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"zh-CN", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2008-03-02 22:35:00, Info CSI 000000c4 Ignoring duplicate ownership for directory [l:58{29}]"\??\C:\Windows\System32\zh-HK" in component Microsoft-Windows-mlang.Resources, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"zh-HK", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
...
l:168{84}]"\SystemRoot\WinSxS\FileMaps\program_files_movie_maker_shared_6e8b81cf8981ea58.cdf-ms"
11: Move File: Source = [l:278{139}]"\SystemRoot\WinSxS\Temp\PendingRenames\b97a831e017dc801e30e0000c007f00f.program_files_common_files_microsoft_shared_818c5a0e45020fba.cdf-ms", Destination = [l:190{95}]"\SystemRoot\WinSxS\FileMaps\program_files_common_files_microsoft_shared_818c5a0e45020fba.cdf-ms"
12: Move File: Source = [l:292{146}]"\SystemRoot\WinSxS\Temp\PendingRenames\298c841e017dc801e40e0000c007f00f.program_files_common_files_microsoft_shared_msinfo_817ad0c7c1c8e490.cdf-ms", Destination = [l:204{102}]"\SystemRoot\WinSxS\FileMaps\program_files_common_files_microsoft_shared_msinfo_817ad0c7c1c8e490.cdf-ms"
13: Set File Information: File = [l:114{57}]"\??\C:\Program Files\Common Files\Microsoft Shared\MSInfo", Attributes = 00000080
14: Move File: Source = [l:206{103}]"\SystemRoot\WinSxS\Temp\PendingRenames\09dda81e017dc801e50e0000c007f00f.$$_temp_401038c9a18c18c0.cdf-ms", Destination = [l:118{59}]"\SystemRoot\WinSxS\FileMaps\$$_temp_401038c9a18c18c0.cdf-ms"
15: Create Directory: Directory = [l:50{25}]"\??\C:\Windows\Temp\~msdt", Attributes = 00000080
16: Create Directory: Directory = [l:62{31}]"\??\C:\Windows\Temp\~msdt\tools", Attributes = 00000080
2008-03-02 22:35:15, Info CSI
17: Move File: Source = [l:304{152}]"\SystemRoot\WinSxS\Temp\PendingRenames\39be141f017dc801e60e0000c007f00f.program_files_common_files_speechengines_microsoft_tts20_01244a1856097a63.cdf-ms", Destination = [l:216{108}]"\SystemRoot\WinSxS\FileMaps\program_files_common_files_speechengines_microsoft_tts20_01244a1856097a63.cdf-ms"
....
2008-03-02 22:38:43, Info CSI e = [l:94{47}]"\??\C:\ProgramData\Microsoft\Search\Data\Config", Attributes = 00000080
19: Set File Information: File = [l:62{31}]"\??\C:\Windows\Inf\wsearchidxpi", Attributes = 00000080
20: Set File Information: File = [l:72{36}]"\??\C:\Windows\Inf\wsearchidxpi\0000", Attributes = 00000080
21: Set File Information: File = [l:56{28}]"\??\C:\Windows\Inf\UGatherer", Attributes = 00000080
22: Set File Information: File = [l:66{33}]"\??\C:\Windows\Inf\UGatherer\0000", Attributes = 00000080
23: Set File Information: File = [l:54{27}]"\??\C:\Windows\Inf\UGTHRSVC", Attributes = 00000080
24: Set File Information: File = [l:64{32}]"\??\C:\Windows\Inf\UGTHRSVC\0000", Attributes = 00000080
POQ 57 ends.
2008-03-02 22:38:43, Info CSI 0000013a [SR] Verify complete
2008-03-02 22:38:44, Info CSI 0000013b [SR] Verifying 41 (0x00000029) components
2008-03-02 22:38:44, Info CSI 0000013c [SR] Beginning Verify and Repair transaction
2008-03-02 22:38:45, Info CSI 0000013d Repair results created:
POQ 58 starts:
POQ 58 ends.
2008-03-02 22:38:45, Info CSI 0000013e [SR] Verify complete
2008-03-02 22:38:45, Info CSI 0000013f [SR] Repairing 0 components
2008-03-02 22:38:45, Info CSI 00000140 [SR] Beginning Verify and Repair transaction
2008-03-02 22:38:45, Info CSI 00000141 Repair results created:
POQ 59 starts:
POQ 59 ends.
2008-03-02 22:38:45, Info CSI 00000142 [SR] Repair complete
-_-
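Most of the sfc log clippings above are servicing-stack noise; the records tagged `[SR]` are the ones that state what System File Checker verified and whether anything needed repair. The following is an added example, not part of the original thread, that reduces a CBS.log to those records. The first sample reuses lines quoted in the thread; the "Cannot repair" line, the function names and the verdict labels are constructed for illustration.

```python
import re

# One CBS.log record carrying the [SR] tag that sfc writes, e.g.
# "2008-03-02 22:38:45, Info CSI 0000013f [SR] Repairing 0 components"
SR_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\w+)\s+CSI\s+"
    r"(?P<seq>[0-9a-fA-F]{8})\s+\[SR\]\s+(?P<msg>.*)$"
)
COUNT_MSG = re.compile(
    r"^(Verifying|Repairing) (\d+)(?: \(0x[0-9a-fA-F]+\))? components$"
)
CANNOT_REPAIR = re.compile(r'^Cannot repair member file \[[^\]]*\]"([^"]+)"')

# Lines copied from the clippings in the thread, including non-[SR] noise.
THREAD_LINES = """\
2008-03-02 22:31:38, Info CBS NonStart: Checking to ensure startup processing was not required.
2008-03-02 22:31:40, Info CSI 00000006 [SR] Verifying 100 (0x00000064) components
2008-03-02 22:31:40, Info CSI 00000007 [SR] Beginning Verify and Repair transaction
2008-03-02 22:31:44, Info CSI 00000008 Repair results created:
POQ 0 starts:
2008-03-02 22:38:43, Info CSI 0000013a [SR] Verify complete
2008-03-02 22:38:44, Info CSI 0000013b [SR] Verifying 41 (0x00000029) components
2008-03-02 22:38:45, Info CSI 0000013f [SR] Repairing 0 components
2008-03-02 22:38:45, Info CSI 00000142 [SR] Repair complete
"""

# Constructed failure case: this record does not appear in the thread.
DAMAGED_LINES = THREAD_LINES + (
    '2008-03-02 22:38:44, Info CSI 0000013c [SR] Cannot repair member file '
    '[l:22{11}]"example.dll" of Example-Component, file is missing\n'
)


def summarize_sr(log_text):
    """Collect component counts and unrepairable files from [SR] records."""
    result = {"sr_lines": 0, "verified": 0,
              "queued_for_repair": 0, "cannot_repair": []}
    for raw in log_text.splitlines():
        m = SR_LINE.match(raw.strip())
        if m is None:
            continue  # CBS records, POQ listings, wrapped continuation lines
        result["sr_lines"] += 1
        msg = m.group("msg").strip()
        count = COUNT_MSG.match(msg)
        if count:
            key = ("verified" if count.group(1) == "Verifying"
                   else "queued_for_repair")
            result[key] += int(count.group(2))
            continue
        failed = CANNOT_REPAIR.match(msg)
        if failed:
            result["cannot_repair"].append((m.group("ts"), failed.group(1)))
    return result


def verdict(result):
    """Constructed labels summarising what the [SR] records show."""
    if result["cannot_repair"]:
        return "unrepaired"   # sfc found damage it could not fix
    if result["queued_for_repair"]:
        return "repaired"     # sfc queued components for repair
    if result["verified"]:
        return "clean"        # components verified, nothing queued
    return "no-sfc-data"      # log holds no [SR] records at all


if __name__ == "__main__":
    for name, text in (("thread", THREAD_LINES), ("damaged", DAMAGED_LINES)):
        summary = summarize_sr(text)
        print(name, verdict(summary), summary)
```

A "clean" result only says that protected system files matched the component store; it says nothing about registry or file ACLs, third-party startup entries or the hosts file.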
It's not a loaded machine, so... simple backup and reformat is an option. Just trying the last ditch effort to make it viable. But, no, I haven't done that yet, in case you're seriously wondering. It is still on the same Vista install it got in October. My personal guess is it got a fried OS update pile near Feb 14th.
chkdsk, uninstall, reinstall firefox, cclean/hijack (et al) and nothing is different. It would -run- as it is, but... obviously in some oddball neutered form. I would like to be fairly certain that it wasn't a hack/keylog, but I'm having him change all his PWds anyways to his online haunts (from another machine)
I'm thinking this is just an exercise in futility. Personally, I would have already taken the cute, plastic box back and made a scene to return the defective OS called Vista, but, alas, it is neither my computer nor would anyone accept it back.
So, I'm reinstalling the vapid OS once again and hoping it will stay intact for a few more months. It would have been nice to find out, however, what caused it to epic fail like this so as to avoid such a thing in the future. The board, cpu and mem test out just fine under memtest, cpu burn and 3dmark and nothing about the combination of hardware is out of the ordinary. Nor was it even fiddled with, overclocked, run in high temps, etc. (It might not be my computer, but I do know where it's been.)