castingguy2005 Posted August 18, 2009 ID:111721
I have had this problem before, you would think I would learn! Was compromised on FB. Got a blue screen of death when I tried adding a friend (it was a name I knew). Can only boot in safe mode, laptop crashes when I try to restore to a last known recovery point. MBAM will not run, HJT will not run and RootRepeal crashed partway through the scan. I ran RootRepeal again and was able to screen capture the files it had found. There were several 'UAC' files in there... screen capture is attached.
Attachment: aborted_root_repeal_scan.doc
SpySentinel Posted August 19, 2009 ID:111916
Hi castingguy2005, Welcome to Malwarebytes
Step #1
Open RootRepeal, click the Drivers tab and select Scan. Right click and select Wipe File on: Any thing with UAC in it or eventlog.dll
Reboot your machine
Please post a new RootRepeal log as well.
Step #2
Please try to run MBAM now
castingguy2005 Posted August 19, 2009 ID:111998
I ran RootRepeal again and it still crashes during the scan.
castingguy2005 Posted August 19, 2009 ID:111999
I ran RootRepeal again and it crashed while scanning.
SpySentinel Posted August 19, 2009 ID:112096
Please download Win32kDiag.exe by AD to the desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report in your next reply.
castingguy2005 Posted August 20, 2009 ID:112436
Please bear with me. Both my computers are down now so I have to download at work, bring it home, then install and reply..... Do I install this Win32 in safe mode? I cannot boot in normal mode.
SpySentinel Posted August 20, 2009 ID:112646
No worries, this infection is nasty. Go ahead and run it in safe mode.
screen317 (Staff) Posted August 20, 2009 ID:112814
castingguy2005,
SpySentinel will be away for a bit and I will be taking over for him. Please follow his most recent set of instructions and we'll continue from there.
-screen317
castingguy2005 Posted August 20, 2009 ID:112835
Thanks! I am running Win32k.exe now. I will post as soon as it is done.
castingguy2005 Posted August 20, 2009 ID:112849
Here is my win32kdiag log file.

Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1AE.tmp\ZAP1AE.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20E.tmp\ZAP20E.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7E2.tmp\ZAP7E2.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8EF.tmp\ZAP8EF.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ERDNT\ERDNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\occache\occache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
[1] 2004-08-10 06:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\pchealth\helpctr\Logs\helpctr.log
[1] 2009-08-20 12:31:27 2758 C:\WINDOWS\pchealth\helpctr\Logs\helpctr.log ()
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2282983233-801452963-4151238568-1006\S-1-5-21-2282983233-801452963-4151238568-1006
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\AVR09.exe
[1] 2009-08-17 21:28:20 0 C:\WINDOWS\system32\AVR09.exe ()
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ACE\ACE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch1\ch1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch2\ch2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch3\ch3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch4\ch4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch5\ch5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\instch_gdql_d_cache\instch_gdql_d_cache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\{4E3254D7-522A-412A-9296-3F4767B3A2CB}
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2282983233-801452963-4151238568-500\S-1-5-21-2282983233-801452963-4151238568-500
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Symantec
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\3d659d7ba08e\3d659d7ba08e
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2282983233-801452963-4151238568-500\S-1-5-21-2282983233-801452963-4151238568-500
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\critical_warning.html
[1] 2009-08-17 21:44:26 831 C:\WINDOWS\system32\critical_warning.html ()
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-10 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 60928 C:\WINDOWS\system32\eventlog.dll ()
[1] 2004-08-10 06:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\system32\export\export
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Macromed\update\update
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\oobe\sample\sample
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\tapi.nfo
[1] 2009-08-17 20:32:47 24576 C:\WINDOWS\system32\tapi.nfo ()
Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\mof\good\good
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\winhelper.dll
[1] 2009-08-17 21:27:53 20992 C:\WINDOWS\system32\winhelper.dll ()
Found mount point : C:\WINDOWS\system32\wins\wins
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\winupdate.exe
[1] 2009-08-17 20:33:59 49664 C:\WINDOWS\system32\winupdate.exe ()
Found mount point : C:\WINDOWS\system32\xircom\xircom
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
[1] 2009-08-17 20:35:54 236 C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job ()
Cannot access: C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
[1] 2009-08-17 21:30:15 270 C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job ()
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Mount point destination : \Device\__max++>\^
Finished!
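The log above is long, but only three kinds of entry matter for triage: directory "mount points" (junctions) whose destination is the odd string \Device\__max++>\^, files the scanner reports as "Cannot access", and the [1] version records that follow each unreadable file, where the copy in system32 has an empty company field and a different size from the backup copies (compare the four eventlog.dll records). As an added example, not code from the thread, from Win32kDiag or from Malwarebytes, here is a small Python script that parses that text format and pulls out exactly those entries so a helper does not have to read the wall of text by eye. The embedded SAMPLE_LOG is a constructed excerpt reusing a few lines from the post; the rule that a benign junction destination starts with \??\ is this example's own heuristic, not something Win32kDiag states.

```python
"""Triage a Win32kDiag-style text log (added example; not part of Win32kDiag).

Flags mount points with a non-\??\ destination, files reported as
"Cannot access", and unreadable files whose own [1] record has an empty
company name or a size that differs from the backup copies listed with it.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt: a few entries in the same format as the poster's log.
SAMPLE_LOG = r"""Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-10 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 60928 C:\WINDOWS\system32\eventlog.dll ()
Cannot access: C:\WINDOWS\system32\winhelper.dll
[1] 2009-08-17 21:27:53 20992 C:\WINDOWS\system32\winhelper.dll ()
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENIED_RE = re.compile(r"^Cannot access: (.+)$")
# "[1] <date> <time> <size> <path> (<company>)"; the path may contain spaces.
RECORD_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")
# Heuristic of this example: junctions made by mountvol/linkd carry a \??\
# prefix (volume GUID or drive path); any other destination is flagged.
BENIGN_TARGET_RE = re.compile(r"^\\\?\?\\")


@dataclass
class FileRecord:
    timestamp: str
    size: int
    path: str
    company: str


@dataclass
class Finding:
    kind: str  # mount_point | unreadable | missing_company | size_mismatch
    path: str
    detail: str = ""


def assess_denied(path: str, records: List[FileRecord]) -> List[Finding]:
    """Compare an unreadable file's own record with the backup copies listed after it."""
    out = [Finding("unreadable", path)]
    live = next((r for r in records if r.path.lower() == path.lower()), None)
    if live is None:
        return out
    if not live.company:
        out.append(Finding("missing_company", path, "empty company name in version info"))
    differing = [r for r in records if r is not live and r.size != live.size]
    if differing:
        detail = f"{live.size} bytes vs " + ", ".join(f"{r.size} ({r.path})" for r in differing)
        out.append(Finding("size_mismatch", path, detail))
    return out


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line; findings come back in log order."""
    findings: List[Finding] = []
    pending_mount: Optional[str] = None
    denied: Optional[str] = None
    records: List[FileRecord] = []

    def close_group() -> None:
        nonlocal denied, records
        if denied is not None:
            findings.extend(assess_denied(denied, records))
        denied, records = None, []

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            close_group()
            pending_mount = m.group(1)
        elif m := DEST_RE.match(line):
            if pending_mount and not BENIGN_TARGET_RE.match(m.group(1)):
                findings.append(Finding("mount_point", pending_mount, m.group(1)))
            pending_mount = None
        elif m := DENIED_RE.match(line):
            close_group()
            denied = m.group(1)
        elif m := RECORD_RE.match(line):
            ts, size, path, company = m.groups()
            records.append(FileRecord(ts, int(size), path, company))
        else:
            close_group()  # any other line ends the current "Cannot access" group
    close_group()
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. {'mount_point': 2, 'unreadable': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:16} {f.path}  {f.detail}")
```

To use it on a real Win32kDiag.txt, read the file and pass its contents to triage() in place of SAMPLE_LOG. Findings are returned in log order, so a mass of redirected junctions like the one above shows up as a long run of mount_point entries, and the files worth looking at first are the ones carrying both a missing_company and a size_mismatch finding.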
screen317 (Staff) Posted August 21, 2009 ID:113162
Please delete your copy of Win32kDiag. Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r
See if MBAM will run after that.
-screen317
castingguy2005 Posted August 21, 2009 ID:113221
Here is my Win32kdiag log. I tried to run MBAM and it wouldn't run.

Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945
Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899
Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338
Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1AE.tmp\ZAP1AE.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1AE.tmp\ZAP1AE.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20E.tmp\ZAP20E.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20E.tmp\ZAP20E.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7E2.tmp\ZAP7E2.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7E2.tmp\ZAP7E2.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8EF.tmp\ZAP8EF.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8EF.tmp\ZAP8EF.tmp
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\temp\temp
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\tmp\tmp
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d1\d1
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d2\d2
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d3\d3
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d4\d4
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d5\d5
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d6\d6
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d7\d7
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d8\d8
Found mount point : C:\WINDOWS\ERDNT\ERDNT
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ERDNT\ERDNT
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ftpcache\ftpcache
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\chsime\applets\applets
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp\applets\applets
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp98\imejp98
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\shared\res\res
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\classes\classes
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\trustlib\trustlib
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Found mount point : C:\WINDOWS\occache\occache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\occache\occache
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps
Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
[1] 2004-08-10 06:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Cannot access: C:\WINDOWS\pchealth\helpctr\Logs\helpctr.log
Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\Logs\helpctr.log
[1] 2009-08-20 12:31:27 2758 C:\WINDOWS\pchealth\helpctr\Logs\helpctr.log ()
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PIF\PIF
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1025\1025
Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1028\1028
Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1031\1031
Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1037\1037
Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1041\1041
Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1042\1042
Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1054\1054
Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\2052\2052
Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\3076\3076
Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE
Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2282983233-801452963-4151238568-1006\S-1-5-21-2282983233-801452963-4151238568-1006
Mount point destination : \Device\__max++>\^
Removing mount point : 
C:\WINDOWS\system32\appmgmt\S-1-5-21-2282983233-801452963-4151238568-1006\S-1-5-21-2282983233-801452963-4151238568-1006Cannot access: C:\WINDOWS\system32\AVR09.exeAttempting to restore permissions of : C:\WINDOWS\system32\AVR09.exe[1] 2009-08-17 21:28:20 0 C:\WINDOWS\system32\AVR09.exe ()Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ACE\ACEMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ACE\ACEFound mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch1\ch1Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch1\ch1Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch2\ch2Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch2\ch2Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch3\ch3Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch3\ch3Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch4\ch4Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch4\ch4Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch5\ch5Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch5\ch5Found mount point : C:\WINDOWS\system32\config\systemprofile\Application 
Data\Gtek\instch_gdql_d_cache\instch_gdql_d_cacheMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\instch_gdql_d_cache\instch_gdql_d_cacheFound mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\{4E3254D7-522A-412A-9296-3F4767B3A2CB}Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\{4E3254D7-522A-412A-9296-3F4767B3A2CB}Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2282983233-801452963-4151238568-500\S-1-5-21-2282983233-801452963-4151238568-500Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2282983233-801452963-4151238568-500\S-1-5-21-2282983233-801452963-4151238568-500Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media PlayerMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media PlayerFound mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMCMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMCFound mount point : 
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\CertificatesMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\CertificatesFound mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLsFound mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLsFound mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\SymantecMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\SymantecFound mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\3d659d7ba08e\3d659d7ba08eMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\3d659d7ba08e\3d659d7ba08eFound mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD BurningMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD BurningFound mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2282983233-801452963-4151238568-500\S-1-5-21-2282983233-801452963-4151238568-500Mount point destination : \Device\__max++>\^Removing mount point : 
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2282983233-801452963-4151238568-500\S-1-5-21-2282983233-801452963-4151238568-500Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICEMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICEFound mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\CacheMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\CacheFound mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\tempMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\tempFound mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHoodMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHoodFound mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHoodMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHoodCannot access: C:\WINDOWS\system32\critical_warning.htmlAttempting to restore permissions of : C:\WINDOWS\system32\critical_warning.html[1] 2009-08-17 21:44:26 831 
C:\WINDOWS\system32\critical_warning.html ()Found mount point : C:\WINDOWS\system32\dhcp\dhcpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\dhcp\dhcpFound mount point : C:\WINDOWS\system32\drivers\disdn\disdnMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdnCannot access: C:\WINDOWS\system32\eventlog.dllAttempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll[1] 2004-08-10 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)[1] 2008-04-13 20:11:53 60928 C:\WINDOWS\system32\eventlog.dll ()[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)[1] 2004-08-10 06:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)Found mount point : C:\WINDOWS\system32\export\exportMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\export\exportFound mount point : C:\WINDOWS\system32\FxsTmp\FxsTmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\FxsTmp\FxsTmpFound mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNTMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNTFound mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNTMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNTFound mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNTMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNTFound mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDFMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDFFound mount point : C:\WINDOWS\system32\Macromed\update\updateMount point destination : \Device\__max++>\^Removing mount 
point : C:\WINDOWS\system32\Macromed\update\updateFound mount point : C:\WINDOWS\system32\mui\dispspec\dispspecMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspecFound mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnupMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnupFound mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcustMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcustFound mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhwMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhwFound mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemregMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemregFound mount point : C:\WINDOWS\system32\oobe\sample\sampleMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\oobe\sample\sampleFound mount point : C:\WINDOWS\system32\ShellExt\ShellExtMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExtFound mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERSMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERSCannot access: C:\WINDOWS\system32\tapi.nfoAttempting to restore permissions of : C:\WINDOWS\system32\tapi.nfo[1] 2009-08-17 20:32:47 24576 C:\WINDOWS\system32\tapi.nfo ()Found mount point : C:\WINDOWS\system32\wbem\mof\bad\badMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\badFound mount point : C:\WINDOWS\system32\wbem\mof\good\goodMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\wbem\mof\good\goodFound mount point : C:\WINDOWS\system32\wbem\snmp\snmpMount point destination : 
\Device\__max++>\^Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmpCannot access: C:\WINDOWS\system32\winhelper.dllAttempting to restore permissions of : C:\WINDOWS\system32\winhelper.dll[1] 2009-08-17 21:27:53 20992 C:\WINDOWS\system32\winhelper.dll ()Found mount point : C:\WINDOWS\system32\wins\winsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\wins\winsCannot access: C:\WINDOWS\system32\winupdate.exeAttempting to restore permissions of : C:\WINDOWS\system32\winupdate.exe[1] 2009-08-17 20:33:59 49664 C:\WINDOWS\system32\winupdate.exe (Microsoft Corporation)Found mount point : C:\WINDOWS\system32\xircom\xircomMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\xircom\xircomCannot access: C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.jobAttempting to restore permissions of : C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job[1] 2009-08-17 20:35:54 236 C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job ()Cannot access: C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.jobAttempting to restore permissions of : C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job[1] 2009-08-17 21:30:15 270 C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job ()Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTempMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTempFound mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2Finished! Link to post Share on other sites More sharing options...
Staff screen317 Posted August 21, 2009 ID:113231

Hi,

Navigate to Start --> Run, and enter the following:

cmd.exe

Press Enter.

Type this command in the black box that appears (exactly as shown):

copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll "%userprofile%\desktop"

Press Enter.
After it completes, type exit and press Enter.

Next, we need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Please download The Avenger2 by SwanDog46.
Unzip avenger.exe to your desktop.
Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy":

Files to move:
"%userprofile%\desktop\eventlog.dll" | C:\WINDOWS\system32\eventlog.dll

Now start The Avenger2 by double clicking avenger.exe on your desktop.
Read the prompt that appears, and press OK.
Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
Press the "Execute" button.
You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Next, try running MBAM.

-screen317
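The reason the staff replace eventlog.dll from ServicePackFiles is the comparison they made by eye in the Win32kDiag report: the copy in system32 kept the service-pack timestamp but had a different size and no company string. As an added example (not from this thread, nor part of Win32kDiag or Avenger), the Python below parses the report's "[n] timestamp size path (company)" entries and flags a live system file that disagrees with the pristine copies Windows XP keeps under ServicePackFiles, $NtServicePackUninstall$ and i386; the sample report is constructed from the eventlog.dll and helpsvc.exe entries posted in this thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Win32kDiag reports every copy of a file it can see, one per line:
#   [count] YYYY-MM-DD HH:MM:SS size path (company)
# The company field is empty, "()", when the file carries no version resource.
ENTRY_RE = re.compile(
    r"^\[(?P<count>\d+)\]\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<path>[A-Za-z]:\\.+?)\s+\((?P<company>[^)]*)\)\s*$"
)

# Folders where Windows XP keeps pristine copies of system binaries; the live
# copy (e.g. in system32) is compared against these.
REFERENCE_DIRS = ("servicepackfiles", "$ntservicepackuninstall$", "i386")


@dataclass(frozen=True)
class Entry:
    timestamp: str
    size: int
    path: str
    company: str

    @property
    def name(self) -> str:
        return PureWindowsPath(self.path).name.lower()

    @property
    def is_reference(self) -> bool:
        parts = {p.lower() for p in PureWindowsPath(self.path).parts}
        return any(d in parts for d in REFERENCE_DIRS)


def parse_entries(text: str) -> list:
    """Pull the '[n] timestamp size path (company)' lines out of a report."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["ts"], int(m["size"]), m["path"], m["company"]))
    return entries


def find_suspicious_copies(text: str) -> list:
    """Return one finding per live copy that disagrees with its reference copies.

    Two signals, both visible in the eventlog.dll entries from this thread:
      * the live file has no company string while the reference copies do;
      * the live file carries a reference copy's timestamp but a different
        size, which is what a file patched in place looks like.
    """
    groups = defaultdict(list)
    for e in parse_entries(text):
        groups[e.name].append(e)

    findings = []
    for entries in groups.values():
        refs = [e for e in entries if e.is_reference]
        if not refs:
            continue  # nothing pristine to compare against
        for e in (x for x in entries if not x.is_reference):
            if not e.company and any(r.company for r in refs):
                findings.append(f"{e.path}: no company string, reference copies "
                                f"report {refs[0].company!r}")
            same_ts = [r for r in refs if r.timestamp == e.timestamp]
            if same_ts and all(r.size != e.size for r in same_ts):
                findings.append(f"{e.path}: size {e.size} differs from reference "
                                f"{same_ts[0].size} despite identical timestamp")
    return findings


# Constructed sample, built from the eventlog.dll and helpsvc.exe entries
# posted in this thread (helpsvc.exe is the clean control case).
SAMPLE_REPORT = r"""
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-10 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 60928 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
[1] 2004-08-10 06:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)
[1] 2004-08-10 06:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
"""

if __name__ == "__main__":
    for finding in find_suspicious_copies(SAMPLE_REPORT):
        print(finding)
```

Only eventlog.dll is reported: helpsvc.exe matches its ServicePackFiles copy byte-for-byte in size and company, and logevent.dll has no reference copy, so it is skipped rather than guessed at.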
castingguy2005 Posted August 22, 2009 Author ID:113283

I ran the above avenger, it rebooted. Was I to reboot in safe mode? Or am I to let boot up normally? And do I log on to my machine (I have several user accounts for my kids)? I did not get the command prompt window...
castingguy2005 Posted August 22, 2009 Author ID:113291

I tried to let it reboot normally, I got the blue screen of death. I tried to run avenger again and let it reboot in safe mode, I still got no log file or command prompt. I tried to run avenger again and it said that there was a reboot already in queue and asked if I want to continue or reboot. I chose reboot. It rebooted, I made it go into safe mode, still no log.

I am sure I am doing something wrong here. MBAM will not run.
Staff screen317 Posted August 22, 2009 ID:113546

See if this file exists:

C:\Avenger.txt

Post it if it does.
castingguy2005 Posted August 23, 2009 Author ID:113624

Here is the avenger.txt file:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file move operations must be within volumes.
File move operation ""C:\Documents and Settings\Administrator\desktop\eventlog.dll"|C:\WINDOWS\system32\eventlog.dll" failed!
Status: 0xc000003e (STATUS_DATA_ERROR)

Completed script processing.

*******************

Finished! Terminate.
Staff screen317 Posted August 23, 2009 ID:113892

Hi,

Let's try that again.

Next, we need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Please download The Avenger2 by SwanDog46.
Unzip avenger.exe to your desktop.
Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy":

Files to move:
"C:\Documents and Settings\Administrator\desktop\eventlog.dll" | C:\WINDOWS\system32\eventlog.dll

Now start The Avenger2 by double clicking avenger.exe on your desktop.
Read the prompt that appears, and press OK.
Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
Press the "Execute" button.
You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Next, try running MBAM and ComboFix (get a fresh copy).

-screen317
castingguy2005 Posted August 24, 2009 Author ID:113942

OK, so I ran the avenger again and I got a prompt saying that "it appears that there is a reboot already in queue for avenger, do you want to continue to run the script or reboot now?" I chose to run the current script (the one you posted). Again, I do not know if you wanted me to reboot in normal mode or safe mode. I let it reboot in normal mode and it just got stuck in the 'Windows is starting up' blue screen. So I waited about 10 minutes to see if it would boot but it didn't, so I powered it off.

So I restarted in safe mode and ran the avenger again. I got the same prompt about there being a reboot already in queue, I chose to run the script and tried to reboot in safe mode... and it got hung up on the same screen 'Windows is starting up...'

I did a hard boot and was able to get to my desktop and then it froze up. I could not get anything to work or even get the cursor to move.

WHAT AM I DOING WRONG?!
Staff screen317 Posted August 24, 2009 ID:113945

Okay, next time you are prompted about a reboot being in queue, reboot first (to Normal Mode).
Then try running the script again.

Unless you still can't run things? Can you? Can you run things in Safe Mode?
castingguy2005 Posted August 24, 2009 Author ID:113948

I tried rebooting in normal mode when it prompted me there was a reboot in queue and it just got hung up on the 'windows is starting up' screen. I cannot run anything in normal mode because it either gets stuck on the 'windows is starting up' screen or I get the blue screen of death.

I can run the avenger script, but I get the aforementioned results.

I cannot run anything in safe mode: Not MBAM, not HJT, not Rootrepeal.
castingguy2005 Posted August 24, 2009 Author ID:113949

There is no avenger.txt file at C:\ either.

I was able to reboot in safe mode and get some functionality again.
castingguy2005 Posted August 24, 2009 Author ID:113953

I let it reboot in normal mode when I got the prompt about a reboot in queue, it got past the 'windows is starting up' screen and when I tried to logon I got a pop-up window from Googleupdater that said "the exception breakpoint. A breakpoint has been reached (0x80000003) occurred in the application. OK to terminate program, Cancel to debug."

Either option gives me a blue screen of death when I logon.
Staff screen317 Posted August 24, 2009 ID:113958

"I tried rebooting in normal mode when it prompted me there was a reboot in queue and"

When this happens, reboot back into Safe Mode and see if it will proceed.
Staff screen317 Posted August 24, 2009 ID:113959

Try this from Safe Mode with Networking.

Please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

However, do not download it from the links on that page. Download it from here instead:

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317