
MB, Symantec AV, RootRepeal, and HJT don't run



Reposting - I missed the note about not posting for the first 48 hours.

I'm experiencing similar problems to others - MB, Symantec AV, RootRepeal, and HJT don't run.

I ran Win32KDiag.exe and the log is attached.

This thing seems pretty nasty. I'm unable to do anything in Normal mode - Safe mode is working now, but I've had several blue screens. I've disabled the wireless and pulled the machine from all other drives.

Thanks in advance for your attention.

Win32kDiag.txt


  • Staff

Hi ddtamu87 and welcome to Malwarebytes.

Please don't attach logs. Post them in the forum instead.

Please delete your copy of Win32kDiag.

Please save this file to your Desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

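Added example (not part of this thread, nor code from Win32kDiag or Malwarebytes): a small Python triage script for the Win32kDiag.txt log that the command above produces. It groups the reported mount points by destination and, for each file the tool could not access, compares the copies it lists; a copy with no company information whose size differs from another copy carrying the identical timestamp is the one worth a closer look. The sample log is a constructed excerpt in the tool's line format, and the username in its first line is a placeholder.

```python
import re
from collections import defaultdict

# Constructed excerpt in the Win32kDiag.txt line format (placeholder username).
SAMPLE_LOG = r"""
Log file is located at: C:\Documents and Settings\USER\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d1\d1
Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 18:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 18:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 18:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)
"""

# '[n] YYYY-MM-DD HH:MM:SS size path (company)'
FILE_LINE = re.compile(r"^\[\d+\] (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (.+)$")


def parse_file_line(line):
    """Parse one file-listing line into a dict, or return None for other lines."""
    m = FILE_LINE.match(line)
    if not m:
        return None
    date, size, rest = m.group(1), int(m.group(2)), m.group(3)
    # The company is the last parenthesised group; rpartition keeps earlier
    # parentheses (e.g. 'Program Files (x86)') with the path.
    path, sep, company = rest.rpartition(" (")
    if not sep:
        return None
    return {"date": date, "size": size, "path": path,
            "company": company.rstrip(")")}


def parse_win32kdiag(text):
    """Collect warnings, mount points per destination, inaccessible files and
    the candidate copies listed for them."""
    report = {"warnings": [], "mount_points": defaultdict(list),
              "inaccessible": [], "copies": defaultdict(list)}
    pending = None  # mount point whose destination line has not been read yet
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("WARNING:"):
            report["warnings"].append(line)
        elif line.startswith("Found mount point : "):
            pending = line[len("Found mount point : "):]
        elif line.startswith("Mount point destination : ") and pending:
            dest = line[len("Mount point destination : "):]
            report["mount_points"][dest].append(pending)
            pending = None
        elif line.startswith("Cannot access: "):
            report["inaccessible"].append(line[len("Cannot access: "):])
        else:
            entry = parse_file_line(line)
            if entry:
                name = entry["path"].rsplit("\\", 1)[-1].lower()
                report["copies"][name].append(entry)
    return report


def mount_point_summary(report):
    """Number of reparse points per destination: many system folders sharing
    one odd destination is the pattern to look at."""
    return {dest: len(paths) for dest, paths in report["mount_points"].items()}


def flag_files(report, min_reasons=2):
    """Score every listed copy of a file; return those with several oddities."""
    blocked = {p.lower() for p in report["inaccessible"]}
    flagged = []
    for copies in report["copies"].values():
        for c in copies:
            reasons = []
            if not c["company"]:
                reasons.append("no company/version information")
            if c["path"].lower() in blocked:
                reasons.append("tool could not access the file")
            clash = [o for o in copies if o is not c
                     and o["date"] == c["date"] and o["size"] != c["size"]]
            if clash:
                reasons.append("size differs from a copy with the identical "
                               "timestamp (%s)" % clash[0]["path"])
            if len(reasons) >= min_reasons:
                flagged.append({"path": c["path"], "size": c["size"],
                                "reasons": reasons})
    return sorted(flagged, key=lambda f: -len(f["reasons"]))


if __name__ == "__main__":
    rep = parse_win32kdiag(SAMPLE_LOG)
    for dest, n in mount_point_summary(rep).items():
        print("%d mount points -> %s" % (n, dest))
    for f in flag_files(rep):
        print("%s (%d bytes)" % (f["path"], f["size"]))
        for r in f["reasons"]:
            print("  -", r)
```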

Hi... and thank you for your help. Here is the Win32KDiag log:

Log file is located at: C:\Documents and Settings\drew.decker\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP158.tmp\ZAP158.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP158.tmp\ZAP158.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP19B.tmp\ZAP19B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP19B.tmp\ZAP19B.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP25B.tmp\ZAP25B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP25B.tmp\ZAP25B.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP27C.tmp\ZAP27C.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP27C.tmp\ZAP27C.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP36.tmp\ZAP36.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP36.tmp\ZAP36.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA3.tmp\ZAPA3.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA3.tmp\ZAPA3.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\000021094B0090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\000021094B0090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\50512592984F2284DAAF236CED4E1F41\8.0.6\8.0.6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\50512592984F2284DAAF236CED4E1F41\8.0.6\8.0.6

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\52CB9D6ECBD08634E8A4D7EE0866C19D\8.0.148\8.0.148

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\52CB9D6ECBD08634E8A4D7EE0866C19D\8.0.148\8.0.148

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA33010000ABE7000000000030\8.0.0\8.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA33010000ABE7000000000030\8.0.0\8.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\AC1F0757D610CA645B68DC4746E5BF25\8.0.211\8.0.211

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\AC1F0757D610CA645B68DC4746E5BF25\8.0.211\8.0.211

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\FC62732BFB866A144ABE271FF278EF50\8.0.63\8.0.63

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\FC62732BFB866A144ABE271FF278EF50\8.0.63\8.0.63

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-04 05:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 18:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 18:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-130364077-2244277236-1776565416-1219\S-1-5-21-130364077-2244277236-1776565416-1219

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-130364077-2244277236-1776565416-1219\S-1-5-21-130364077-2244277236-1776565416-1219

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-625597413-4118759219-816618645-1006\S-1-5-21-625597413-4118759219-816618645-1006

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-625597413-4118759219-816618645-1006\S-1-5-21-625597413-4118759219-816618645-1006

Found mount point : C:\WINDOWS\system32\BioAPIFFDB\BioAPIFFDB

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\BioAPIFFDB\BioAPIFFDB

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch1\ch1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch1\ch1

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch2\ch2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch2\ch2

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch3\ch3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch3\ch3

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch4\ch4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch4\ch4

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch5\ch5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch5\ch5

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch6\ch6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch6\ch6

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\instch_gdql_d_cache\instch_gdql_d_cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\instch_gdql_d_cache\instch_gdql_d_cache

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-625597413-4118759219-816618645-500\S-1-5-21-625597413-4118759219-816618645-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-625597413-4118759219-816618645-500\S-1-5-21-625597413-4118759219-816618645-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-625597413-4118759219-816618645-500\S-1-5-21-625597413-4118759219-816618645-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-625597413-4118759219-816618645-500\S-1-5-21-625597413-4118759219-816618645-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Real\Msg\Msg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Real\Msg\Msg

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Real\RealPlayer\ErrorLogs\ErrorLogs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Real\RealPlayer\ErrorLogs\ErrorLogs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\65a107743d81\65a107743d81

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\65a107743d81\65a107743d81

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-625597413-4118759219-816618645-500\S-1-5-21-625597413-4118759219-816618645-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-625597413-4118759219-816618645-500\S-1-5-21-625597413-4118759219-816618645-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 18:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 18:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 18:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\Test\Test

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Test\Test

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\gis21e4e14\gis21e4e14

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis21e4e14\gis21e4e14

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\cs\cs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\cs\cs

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\da\da

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\da\da

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\de\de

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\de\de

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\el\el

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\el\el

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\en\en

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\en\en

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\en-gb\en-gb

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\en-gb\en-gb

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\es\es

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\es\es

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\fi\fi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\fi\fi

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\fr\fr

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\fr\fr

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\HTML\HTML

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\HTML\HTML

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\it\it

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\it\it

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\ja\ja

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\ja\ja

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\ko\ko

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\ko\ko

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\nl\nl

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\nl\nl

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\no\no

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\no\no

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\pl\pl

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\pl\pl

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\pt-br\pt-br

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\pt-br\pt-br

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\ru\ru

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\ru\ru

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\sv\sv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\sv\sv

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\th\th

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\th\th

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\tr\tr

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\tr\tr

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\zh-cn\zh-cn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\zh-cn\zh-cn

Found mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\zh-tw\zh-tw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2d41396\2.4.1536.6592\zh-tw\zh-tw

Found mount point : C:\WINDOWS\Temp\gis636afd\gis636afd

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis636afd\gis636afd

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\cs\cs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\cs\cs

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\da\da

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\da\da

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\de\de

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\de\de

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\el\el

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\el\el

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\en\en

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\en\en

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\en-gb\en-gb

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\en-gb\en-gb

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\es\es

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\es\es

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\fi\fi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\fi\fi

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\fr\fr

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\fr\fr

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\HTML\HTML

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\HTML\HTML

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\it\it

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\it\it

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\ja\ja

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\ja\ja

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\ko\ko

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\ko\ko

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\nl\nl

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\nl\nl

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\no\no

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\no\no

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\pl\pl

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\pl\pl

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\pt-br\pt-br

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\pt-br\pt-br

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\ru\ru

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\ru\ru

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\sv\sv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\sv\sv

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\th\th

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\th\th

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\tr\tr

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\tr\tr

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\zh-cn\zh-cn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\zh-cn\zh-cn

Found mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\zh-tw\zh-tw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis7f7a29b\2.4.1368.5602\zh-tw\zh-tw

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Found mount point : C:\WINDOWS\Temp\GUM10A.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\GUM10A.tmp\CrashReports\CrashReports

Found mount point : C:\WINDOWS\Temp\GUM1A.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\GUM1A.tmp\CrashReports\CrashReports

Found mount point : C:\WINDOWS\Temp\GUM402.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\GUM402.tmp\CrashReports\CrashReports

Found mount point : C:\WINDOWS\Temp\GUM56.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\GUM56.tmp\CrashReports\CrashReports

Found mount point : C:\WINDOWS\Temp\GUM683.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\GUM683.tmp\CrashReports\CrashReports

Found mount point : C:\WINDOWS\Temp\GUMA8.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\GUMA8.tmp\CrashReports\CrashReports

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Finished!

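The Win32kDiag log above reports each mount point as a triplet (Found / Mount point destination / Removing), and in a log this long the question a helper actually wants answered is how many there are, whether every one was removed, and where they all point. The following is an added example, not code from this thread, from Malwarebytes staff or from the Win32kDiag tool itself: a small Python parser for that output with a constructed sample log. The first two sample entries reuse the destination string from the posted log; the benign volume entry and the "normal destination prefix" heuristic are assumptions of the example, not something the page or the tool states.

```python
"""Summarize the mount-point findings in a Win32kDiag log.

Added example: this is not code from the thread, from Malwarebytes staff or
from the Win32kDiag tool. It only parses the "Found mount point" /
"Mount point destination" / "Removing mount point" triplets the tool prints,
as shown in the thread, and groups them so a helper can see at a glance how
many reparse points exist and where they point.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

FOUND_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
REMOVED_RE = re.compile(r"^Removing mount point : (.+)$")

# Triage heuristic (an assumption of this example, not a rule from the tool):
# a junction on a healthy system normally targets a mounted volume. A
# destination outside these namespaces deserves a closer look.
NORMAL_DEST_PREFIXES = ("\\??\\Volume{", "\\Device\\HarddiskVolume")

# Constructed sample in the format shown in the thread. The first two
# entries reuse the destination string from the posted log; the third is a
# made-up benign volume mount so the summary has something to contrast.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Found mount point : C:\MountedData\MountedData

Mount point destination : \Device\HarddiskVolume2

Removing mount point : C:\MountedData\MountedData

Finished!
"""


@dataclass
class MountPoint:
    path: str
    destination: str
    removed: bool = False


def parse_win32kdiag(text: str) -> list[MountPoint]:
    """Pair every 'Found' line with the destination that follows it and note
    whether a matching 'Removing' line was logged for the same path."""
    records: list[MountPoint] = []
    current: MountPoint | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FOUND_RE.match(line):
            current = MountPoint(path=m.group(1), destination="")
            records.append(current)
        elif (m := DEST_RE.match(line)) and current is not None:
            current.destination = m.group(1)
        elif (m := REMOVED_RE.match(line)) and current is not None:
            if m.group(1) == current.path:
                current.removed = True
            current = None  # the triplet is complete either way
    return records


def is_suspicious(destination: str) -> bool:
    """True when the junction target is not a normal volume namespace."""
    return not destination.startswith(NORMAL_DEST_PREFIXES)


def summarize(records: list[MountPoint]) -> dict:
    """Counts a helper would want before deciding on the next step."""
    return {
        "total": len(records),
        "removed": sum(1 for r in records if r.removed),
        "by_destination": dict(Counter(r.destination for r in records)),
        "suspicious": [r.path for r in records if is_suspicious(r.destination)],
    }


if __name__ == "__main__":
    summary = summarize(parse_win32kdiag(SAMPLE_LOG))
    print(f"{summary['total']} mount points, {summary['removed']} removed")
    for dest, n in summary["by_destination"].items():
        print(f"  {n:3d} -> {dest}")
    for path in summary["suspicious"]:
        print(f"  suspicious: {path}")
```

Run it against a saved Win32kDiag.txt by replacing `SAMPLE_LOG` with the file's contents; the grouped destination count is the line worth pasting into a reply, since dozens of paths all sharing one non-volume destination is the pattern a helper looks for in a log like the one above.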

  • Staff

Hi.

We need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy".
    Files to move:
    C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Next, try running MBAM and ComboFix.

-screen317


Hi. The Avenger steps worked. The system rebooted in non-safe mode. After login, an Avenger log reporting success was displayed.

Then the system locked up.

On next safe boot, I tried running MBAM (no luck), tried reinstalling MBAM (no luck), tried running ComboFix (no luck), and tried running HJT (no luck).

The only noticeable difference is that Symantec Endpoint Protection started and scanned (and found nothing). However, it didn't run right because the full scan didn't scan everything (and it finished really fast too).


  • Staff

Hmm..

Please run Win32kDiag again and post its log.

Next, please run a GMER Rootkit scan:

Download GMER's application from here:

http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe

Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.

This will copy the results to your clipboard.

Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
