Jump to content

MBAM & HijackThis Inaccessable


fahdzilla

Recommended Posts

Hi.

My computer's sick.

I opened MBAM and started a scan, but the program crashed seconds later. When I tried to reopen it, a window popped up saying, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

So I reinstalled MBAM, and it opened fine. But when I started another scan, the program crashed again! When I tried to reopen it, the same window appeared.

I downloaded, installed, and opened HijackThis and clicked on 'Do a system scan and save a logfile;' unfortunately, all my system managed to do was crash. The same window popped up, too.

Link to post
Share on other sites

Hi JSntgRvr ;)

The content of Win32kDiag.txt has been pasted below and attached.

Thanks for helping me.

Running from: C:\Users\fahd\Desktop\Win32kDiag.exe

Log file at : C:\Users\fahd\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP72B8.tmp\ZAP72B8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ConfigSetRoot\ConfigSetRoot

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\OEM\OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Mozilla\Firefox\Firefox

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Crypto\Keys\Keys

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\cngaudit.dll

[1] 2006-11-02 02:46:03 61952 C:\Windows\System32\cngaudit.dll ()

[2] 2006-11-02 02:46:03 11776 C:\Windows\System32\logevent.dll (Microsoft Corporation)

[1] 2006-11-02 02:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)

Win32kDiag.txt

Link to post
Share on other sites

Hi, fahdzilla ;)

Please follow these steps:

Step 1

Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here in your next reply. Please allow enough time for this application to complete the scan.

"C:\Users\fahd\Desktop\Win32kDiag.exe" -f -r

Step 2

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" .

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

Link to post
Share on other sites

Hi again.

ComboFix doesn't seem to be working. A security warning pops up when I double click on Combo-Fix.exe, and I click 'Run.' Then, a small window pops up:

ComboFixPopup.gif

The bar seems to reach the end. And then, nothing.

By the way, my background's gone black and the thumbnails of my photos in my 'Pictures' folder are blank. Did we do this or is the malware responsible?

The content of Win32kDiag.txt has been pasted below. I let it finish this time ;)

Running from: C:\Users\fahd\Desktop\Win32kDiag.exe

Log file at : C:\Users\fahd\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ehome\CreateDisc\style\style

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\Globalization

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Cannot access: C:\Windows\System32\cngaudit.dll

Attempting to restore permissions of : C:\Windows\System32\cngaudit.dll

[1] 2006-11-02 02:46:03 61952 C:\Windows\System32\cngaudit.dll ()

[2] 2006-11-02 02:46:03 11776 C:\Windows\System32\logevent.dll (Microsoft Corporation)

[1] 2006-11-02 02:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)

[1] 2006-11-02 02:46:03 11776 C:\System Volume Information\SystemRestore\FRStaging\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-09-28 23:16:31 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-09-28 23:15:58 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-09-28 23:16:05 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-09-28 23:16:05 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMuroc System Trace.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMuroc System Trace.etl

[1] 2009-09-28 23:16:19 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMuroc System Trace.etl ()

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\tracing\tracing

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Found mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes

Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Finished!

Link to post
Share on other sites

Hi, fahdzilla ;)

Click on Win32kDiag.exe once again. Allow enough time for the application to finish and post the Win32kDiag.txt

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Link to post
Share on other sites

Hello.

The content of Win32kDiag.txt has been pasted below.

Running from: C:\Users\fahd\Desktop\Win32kDiag.exe

Log file at : C:\Users\fahd\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP72B8.tmp\ZAP72B8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ConfigSetRoot\ConfigSetRoot

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\OEM\OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Mozilla\Firefox\Firefox

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Crypto\Keys\Keys

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.16870_none_a418a0745fdd652a\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.16870_none_a418a0745fdd652a

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.21067_none_a4b3e75378eccda6\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.21067_none_a4b3e75378eccda6

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18272_none_a600dfae5d0228c9\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18272_none_a600dfae5d0228c9

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.22450_none_a69e1da376115b2a\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.22450_none_a69e1da376115b2a

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.18051_none_a7fbf30a5a1929db\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.18051_none_a7fbf30a5a1929db

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22152_none_a886901f7335e2fc\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22152_none_a886901f7335e2fc

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6000.16870_none_389b60c97fc740bd\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6000.16870_none_389b60c97fc740bd

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6000.21067_none_3936a7a898d6a939\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6000.21067_none_3936a7a898d6a939

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6001.18272_none_3a83a0037cec045c\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6001.18272_none_3a83a0037cec045c

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6001.22450_none_3b20ddf895fb36bd\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6001.22450_none_3b20ddf895fb36bd

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.18051_none_3c7eb35f7a03056e\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.18051_none_3c7eb35f7a03056e

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.22152_none_3d095074931fbe8f\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.22152_none_3d095074931fbe8f

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6000.16870_none_e4a4f2ddb3dfbcec\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6000.16870_none_e4a4f2ddb3dfbcec: 3

Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6000.21067_none_e54039bcccef2568\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6000.21067_none_e54039bcccef2568: 3

Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6001.18272_none_e68d3217b104808b\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6001.18272_none_e68d3217b104808b: 3

Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6001.22450_none_e72a700cca13b2ec\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6001.22450_none_e72a700cca13b2ec: 3

Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6002.18051_none_e8884573ae1b819d\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6002.18051_none_e8884573ae1b819d: 3

Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6002.22152_none_e912e288c7383abe\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6002.22152_none_e912e288c7383abe: 3

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6000.16870_none_7a810285659cf00c\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6000.16870_none_7a810285659cf00c

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6000.21067_none_7b1c49647eac5888\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6000.21067_none_7b1c49647eac5888

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6001.18272_none_7c6941bf62c1b3ab\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6001.18272_none_7c6941bf62c1b3ab

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6001.22450_none_7d067fb47bd0e60c\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6001.22450_none_7d067fb47bd0e60c

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.18051_none_7e64551b5fd8b4bd\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.18051_none_7e64551b5fd8b4bd

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.22152_none_7eeef23078f56dde\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.22152_none_7eeef23078f56dde

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6000.16870_none_1fe460c0585503b5\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6000.16870_none_1fe460c0585503b5: 3

Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6000.21067_none_207fa79f71646c31\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6000.21067_none_207fa79f71646c31: 3

Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6001.18272_none_21cc9ffa5579c754\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6001.18272_none_21cc9ffa5579c754: 3

Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6001.22450_none_2269ddef6e88f9b5\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6001.22450_none_2269ddef6e88f9b5: 3

Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.18051_none_23c7b3565290c866\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.18051_none_23c7b3565290c866: 3

Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.22152_none_2452506b6bad8187\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.22152_none_2452506b6bad8187: 3

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\cngaudit.dll

[1] 2006-11-02 02:46:03 61952 C:\Windows\System32\cngaudit.dll ()

[2] 2006-11-02 02:46:03 11776 C:\Windows\System32\logevent.dll (Microsoft Corporation)

[1] 2006-11-02 02:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)

[1] 2006-11-02 02:46:03 11776 C:\System Volume Information\SystemRestore\FRStaging\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-10-01 03:03:45 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-10-01 03:02:59 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-10-01 03:03:32 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-10-01 03:03:32 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMuroc System Trace.etl

[1] 2009-10-01 03:03:49 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMuroc System Trace.etl ()

Cannot access: C:\Windows\System32\WerFault.exe

[1] 2008-01-18 20:33:36 217088 C:\Windows\System32\WerFault.exe ()

[1] 2006-11-02 02:45:54 216064 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6000.16386_none_6dd05aa63fde4065\WerFault.exe (Microsoft Corporation)

[1] 2008-01-18 20:33:36 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe ()

[1] 2008-01-18 20:33:36 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe ()

[1] 2008-09-19 21:00:16 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFault.exe (Microsoft Corporation)

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe

[1] 2008-01-18 20:33:36 217088 C:\Windows\System32\WerFault.exe ()

[1] 2006-11-02 02:45:54 216064 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6000.16386_none_6dd05aa63fde4065\WerFault.exe (Microsoft Corporation)

[1] 2008-01-18 20:33:36 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe ()

[1] 2008-01-18 20:33:36 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe ()

[1] 2008-09-19 21:00:16 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFault.exe (Microsoft Corporation)

Cannot access: C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe

[1] 2008-01-18 20:33:36 217088 C:\Windows\System32\WerFault.exe ()

[1] 2006-11-02 02:45:54 216064 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6000.16386_none_6dd05aa63fde4065\WerFault.exe (Microsoft Corporation)

[1] 2008-01-18 20:33:36 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe ()

[1] 2008-01-18 20:33:36 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe ()

[1] 2008-09-19 21:00:16 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFault.exe (Microsoft Corporation)

Finished!

The content of Results.log has been pasted below.

GMER 1.0.15.15087 - http://www.gmer.net

Rootkit quick scan 2009-10-03 16:12:29

Windows 6.0.6001 Service Pack 1

Running: tredwofq.exe; Driver: C:\Users\fahd\AppData\Local\Temp\kxldypob.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 855171F8

AttachedDevice \Driver\tdx \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service system32\drivers\kbiwkmptxdnqnn.sys (*** hidden *** ) [sYSTEM] kbiwkmprtpspef <-- ROOTKIT !!!

Service system32\drivers\UACpiwggcilpu.sys (*** hidden *** ) [sYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Link to post
Share on other sites

Hi, fahdzilla :D

Please download the OTM by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :processes
    explorer.exe

    :files
    C:\Windows\AppPatch\Custom\Custom
    C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp
    C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP72B8.tmp\ZAP72B8.tmp
    C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp
    C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp
    C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp
    C:\Windows\assembly\temp\temp
    C:\Windows\assembly\tmp\tmp
    C:\Windows\ConfigSetRoot\ConfigSetRoot
    C:\Windows\ehome\CreateDisc\style\style
    C:\Windows\Globalization\Globalization
    C:\Windows\Help\Corporate\Corporate
    C:\Windows\Help\OEM\OEM
    C:\Windows\Microsoft.NET\authman\authman
    C:\Windows\ModemLogs\ModemLogs
    C:\Windows\Mozilla\Firefox\Firefox
    C:\Windows\msdownld.tmp\msdownld.tmp
    C:\Windows\nap\configuration\configuration
    C:\Windows\Panther\setup.exe\setup.exe
    C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES
    C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF
    C:\Windows\PLA\Templates\Templates
    C:\Windows\registration\CRMLog\CRMLog
    C:\Windows\SchCache\SchCache
    C:\Windows\security\logs\logs
    C:\Windows\security\templates\templates
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates
    C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop
    C:\Windows\ServiceProfiles\LocalService\Documents\Documents
    C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads
    C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites
    C:\Windows\ServiceProfiles\LocalService\Links\Links
    C:\Windows\ServiceProfiles\LocalService\Music\Music
    C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures
    C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games
    C:\Windows\ServiceProfiles\LocalService\Videos\Videos
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD
    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs
    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Crypto\Keys\Keys
    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch
    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates
    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs
    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs
    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies
    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts
    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts
    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent
    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates
    C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop
    C:\Windows\ServiceProfiles\NetworkService\Documents\Documents
    C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads
    C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites
    C:\Windows\ServiceProfiles\NetworkService\Links\Links
    C:\Windows\ServiceProfiles\NetworkService\Music\Music
    C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures
    C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games
    C:\Windows\ServiceProfiles\NetworkService\Videos\Videos
    C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.16870_none_a418a0745fdd652a\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.16870_none_a418a0745fdd652a
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.21067_none_a4b3e75378eccda6\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.21067_none_a4b3e75378eccda6
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18272_none_a600dfae5d0228c9\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18272_none_a600dfae5d0228c9
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.22450_none_a69e1da376115b2a\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.22450_none_a69e1da376115b2a
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.18051_none_a7fbf30a5a1929db\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.18051_none_a7fbf30a5a1929db
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22152_none_a886901f7335e2fc\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22152_none_a886901f7335e2fc
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6000.16870_none_389b60c97fc740bd\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6000.16870_none_389b60c97fc740bd
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6000.21067_none_3936a7a898d6a939\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6000.21067_none_3936a7a898d6a939
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6001.18272_none_3a83a0037cec045c\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6001.18272_none_3a83a0037cec045c
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6001.22450_none_3b20ddf895fb36bd\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6001.22450_none_3b20ddf895fb36bd
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.18051_none_3c7eb35f7a03056e\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.18051_none_3c7eb35f7a03056e
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.22152_none_3d095074931fbe8f\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.22152_none_3d095074931fbe8f
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6000.16870_none_7a810285659cf00c\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6000.16870_none_7a810285659cf00c
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6000.21067_none_7b1c49647eac5888\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6000.21067_none_7b1c49647eac5888
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6001.18272_none_7c6941bf62c1b3ab\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6001.18272_none_7c6941bf62c1b3ab
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6001.22450_none_7d067fb47bd0e60c\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6001.22450_none_7d067fb47bd0e60c
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.18051_none_7e64551b5fd8b4bd\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.18051_none_7e64551b5fd8b4bd
    C:\Windows\SoftwareDistribution\Download\f0e7510dbdd98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.22152_none_7eeef23078f56dde\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.22152_none_7eeef23078f56dde
    C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache
    C:\Windows\Sun\Java\Deployment\Deployment
    C:\Windows\tracing\tracing
    C:\Windows\winsxs\InstallTemp\InstallTemp
    C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes
    C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

    :commands
    [emptytemp]
    [start explorer]
    [Reboot]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Run GMER once again Locate the following files and delete:

C:\Windows\system32\drivers\kbiwkmptxdnqnn.sys

C:\Windows\system32\drivers\UACpiwggcilpu.sys

Locate the following services, right click and disable:

UACd.sys

kbiwkmprtpspef

Close GMER and click on Combofix. Follow the instructions above.

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.