Potential rootkit infection?



kingnothing
2009-09-22, 11:55
Hi all, I think I may be infected with a rootkit. When I try to start programs I get "Access denied" errors. I scanned my computer with AVG and it found a trojan and healed/removed it. I have tried to run Malwarebytes Anti-Malware, but after a few seconds of scanning it just disappears. So then I tried to run HijackThis, but again this just disappears a few seconds into scanning. I have backed up my registry with ERUNT. I'm on an HP laptop running Windows 7 RC. Any help would be greatly appreciated.

Thanks,

Blade81
2009-09-26, 09:43
Hi,

Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says Error deleting file, please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

kingnothing
2009-09-26, 12:13
Hi and thanks for helping me with this. Unfortunately I am unable to start this program. I get an error stating that it is not a valid Win32 application. :confused:

Blade81
2009-09-26, 14:07
Hi,

While downloading the file, name it iEXplore.exe and then try running it.

See also if you're able to run GMER:

Download GMER (http://www.gmer.net) by clicking the Download EXE button and saving it to your desktop, then:
1. Double-click the .exe that you downloaded.
2. Click the Rootkit tab and then Scan.
3. Don't check the Show All box while scanning is in progress!
4. When scanning is ready, click Copy. This copies the log to the clipboard.
5. Post the log in your reply.

kingnothing
2009-09-26, 14:49
I still couldn't get exeHelper to run; however, GMER ran. Below is the log it created:

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-26 13:46:10
Windows 6.1.7100
Running: l2nrk1lf.exe; Driver: C:\Users\Tom\AppData\Local\Temp\pwloikow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2CAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2C104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2C3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C14634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C14898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2C1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2C958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2C6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2CF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C2D1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13B1 8283B549 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8285B6B2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !
.text peauth.sys 99735C9E 27 Bytes [F8, D1, AB, 16, 2E, B2, 59, ...]
.text peauth.sys 99735CC2 27 Bytes [F8, D1, AB, 16, 2E, B2, 59, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\winsvc32.exe[2664] USER32.dll!InvalidateRect + F 767357E0 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
.text C:\Windows\winsvc32.exe[2664] GDI32.dll!GetLayout + 1EC 765F74AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
.text C:\Windows\winsvc32.exe[2664] GDI32.dll!D3DKMTQueryAllocationResidency + 61 765FF956 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2992] USER32.dll!InvalidateRect + F 767357E0 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2992] GDI32.dll!GetLayout + 1EC 765F74AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2992] GDI32.dll!D3DKMTQueryAllocationResidency + 61 765FF956 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[4000] kernel32.dll!SetUnhandledExceptionFilter 766930AA 5 Bytes JMP 6A8A5629 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[4000] GDI32.dll!GetLayout + 1EC 765F74AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[4000] GDI32.dll!D3DKMTQueryAllocationResidency + 61 765FF956 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[4000] USER32.dll!InvalidateRect + F 767357E0 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\435DB6B0.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\winsvc32.exe[2664] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
IAT C:\Windows\winsvc32.exe[2664] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2992] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2992] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[4000] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[4000] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[4000] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74F84A2D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[4000] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74F84A2D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[4000] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74F84A2D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[4000] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74F84A2D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[4000] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74F84A2D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[4000] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74F84A2D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[4000] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [74F84A2D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Windows\system32\wininit.exe [432] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [552] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [796] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [848] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [972] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1120] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1272] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Windows\System32\spoolsv.exe [1460] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1488] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1612] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1664] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1700] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Windows\system32\lxcecoms.exe [1740] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\PROGRA~1\AVG\AVG8\avgnsx.exe [2028] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Windows\winsvc32.exe [2664] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2992] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Program Files\Windows Media Player\wmpnetwk.exe [3292] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [3580] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE [4000] 0x35670000

---- EOF - GMER 1.0.15 ----
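
A triage script for a GMER log in the format posted above, added here as an example; it is not part of the thread and not GMER's own logic. It parses the user-mode hook, IAT and Processes sections and flags entries whose module is a device-namespace path (\\?\globalroot\Device\...) or that GMER prints as *** hidden ***, as in the log above; the embedded excerpt is constructed from the shape of that log, and the "suspicious" rule is an assumption of this script.

```python
r"""Triage the user-mode sections of a GMER rootkit-scan log.

Assumption (this script's rule, not GMER's): a hook or loaded library whose
module lives in the object-manager namespace (\\?\globalroot\Device\... or
\Device\...) instead of on a drive letter, or that GMER marks *** hidden ***,
is reported as suspicious.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in GMER 1.0.15 format, modelled on the log above.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Windows\winsvc32.exe[2664] USER32.dll!InvalidateRect + F 767357E0 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[4000] kernel32.dll!SetUnhandledExceptionFilter 766930AA 5 Bytes JMP 6A8A5629 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\winsvc32.exe[2664] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\435DB6B0.x86.dll
IAT C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[4000] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74F84A2D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [552] 0x35670000
Library \\?\globalroot\Device\__max++>\435DB6B0.x86.dll (*** hidden *** ) @ C:\Windows\winsvc32.exe [2664] 0x35670000

---- EOF - GMER 1.0.15 ----
"""

# ".text <image>[pid] <dll!export>[ + off] <addr> <n> Bytes CALL|JMP <addr> <module>[ (vendor)]"
INLINE_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<func>\S+!\S+)(?: \+ [0-9A-F]+)?"
    r" [0-9A-F]+ \d+ Bytes? (?:CALL|JMP) [0-9A-F]+ (?P<target>.+?)(?: \(.*\))?$")
# "IAT <image>[pid] @ <importing dll> [<dll!export>] [<addr>] <module>[ (vendor)]"
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ .+? \[(?P<func>[^\]]+)\] \[[0-9A-F]+\] "
    r"(?P<target>.+?)(?: \(.*\))?$")
# "Library <path> (<flags>) @ <image> [pid] 0x<base>"
LIBRARY_RE = re.compile(
    r"^Library (?P<lib>.+?) \((?P<flags>[^)]*)\) @ (?P<proc>.+?) \[(?P<pid>\d+)\] 0x[0-9A-F]+$")


@dataclass(frozen=True)
class Finding:
    kind: str      # "inline", "iat" or "library"
    process: str   # image path as GMER prints it
    pid: int
    detail: str    # hooked export, or the library path
    module: str    # module the hook jumps into / library that was loaded
    reason: str    # why it was flagged; empty when nothing stood out


def is_device_path(path: str) -> bool:
    """True for object-manager paths rather than drive-letter file paths."""
    p = path.lower()
    return p.startswith("\\\\?\\globalroot\\") or p.startswith("\\device\\")


def triage(log_text: str) -> list:
    """Parse every recognised user-mode line into a Finding."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := INLINE_RE.match(line)) or (m := IAT_RE.match(line)):
            kind = "inline" if line.startswith(".text") else "iat"
            reason = "hook target is a device-namespace path" if is_device_path(m["target"]) else ""
            findings.append(Finding(kind, m["proc"], int(m["pid"]), m["func"], m["target"], reason))
        elif (m := LIBRARY_RE.match(line)):
            reasons = []
            if "hidden" in m["flags"]:
                reasons.append("library hidden from the module list")
            if is_device_path(m["lib"]):
                reasons.append("library loaded from a device-namespace path")
            findings.append(Finding("library", m["proc"], int(m["pid"]),
                                    m["lib"], m["lib"], "; ".join(reasons)))
    return findings


def suspicious(findings: list) -> list:
    return [f for f in findings if f.reason]


def affected_processes(findings: list) -> list:
    """Sorted 'image[pid]' labels for every process with a flagged entry."""
    return sorted({f"{f.process}[{f.pid}]" for f in suspicious(findings)})


if __name__ == "__main__":
    for f in suspicious(triage(SAMPLE_LOG)):
        print(f"{f.kind:8} {f.process}[{f.pid}]  {f.detail}  <- {f.module}  ({f.reason})")
```

Run against the full log above, the same rule groups every hooked process by the single hidden module they share, which is the quickest way to see how many processes the injected DLL has reached.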

kingnothing
2009-09-26, 14:50
I have to go out now but will be back in approximately 4 hours.

Thanks,

Blade81
2009-09-26, 15:01
Hi,


Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.

@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >LogIt.txt
START LogIt.txt
DEL %0

Double-click on fixes.bat file to execute it. If all goes well, you should end up with LogIt.txt contents. Please post it back here.

kingnothing
2009-09-26, 19:42
I made the fixes.bat file as per your instructions and when I double-clicked on it nothing happened. I then tried to run it again and got an error: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Blade81
2009-09-26, 21:40
Hi,

Download this (http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe) file. Copy it to your c:\windows\system32 folder. Drag and drop the cmd.exe file there onto the file you copied. Attempt the batch again.

kingnothing
2009-09-26, 21:49
It will not run, again it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

:confused:

Blade81
2009-09-27, 09:31
Hi,

Show hidden files
-----------------
1. Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
2. Click the View tab.
3. Under Advanced settings, click Show hidden files and folders, and then click OK.

Please upload the following files to VirusTotal (http://www.virustotal.com) if you can find them, and post back links to the results:
c:\windows\system32\halmacpi.dll
C:\Windows\system32\apphelp.dll


Delete this file:
C:\Windows\winsvc32.exe

kingnothing
2009-09-27, 12:33
Hi,

results for c:\windows\system32\halmacpi.dll (http://www.virustotal.com/analisis/d7c2cf5df383509c26be82a39763c703200c300deaf92f3ac6a510b6979c8fd8-1254046399)


results for C:\Windows\system32\apphelp.dll (http://www.virustotal.com/analisis/10b29f248aad498826156337a6b4d2e67e759f9abb44c5de16e5a9e14bfb4a0b-1254046837)


I tried to delete the file C:\Windows\winsvc32.exe and got the following message:

The action can't be completed because the file is open in another program.

Close the file and try again.

winsvc32
File description: Bitlocker Drive Encryption Servicing Utility

Company: Microsoft Corporation
File version: 6.0.6000.16386
Date created: 22/06/2009 13:39
Size: 1104KB

Blade81
2009-09-27, 18:13
Hi,

Turn off UAC:
1. Click or right click on Flag icon in notification area (system tray), and then Open Action Center.
2. Click on User Account Control settings link.
3. Slide the slider bar to the lowest value (towards Never Notify), with description showing Never notify me.
4. Click OK to make the change effective.
5. Restart the computer to turn off User Access Control.

Please download a fresh copy of Win32kdiag to your desktop. Right click the file and select "run as administrator". See if it works that way.

kingnothing
2009-09-27, 19:28
OK, I got Win32kDiag to run; below is the log file it created:

Log file is located at: C:\Users\Tom\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP47E8.tmp\ZAP47E8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9137.tmp\ZAP9137.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\DigitalLocker\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\MCT\MCT-AU\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\MCT\MCT-CA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\MCT\MCT-ZA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\OEM\OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\inf\PNRPSvc\0000\0000

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\inf\PNRPSvc\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\RemotePackages\RemoteApps\RemoteApps

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\RemotePackages\RemoteDesktops\RemoteDesktops

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\audit\audit

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Caches\Caches

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files\Icon Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\DivX\DivX Codec\DivX Codec

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\servicing\SQM\SQM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\SelfUpdate\Handler\Handler

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\cleanmgr.exe

[1] 2009-04-22 06:18:49 212480 C:\Windows\System32\cleanmgr.exe ()
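
A triage script for the Win32kDiag log format above, added here as an example; it is not part of the thread and not Win32kDiag's own logic. It pairs each "Found mount point" line with its destination, keeps the "Cannot access" entries, and flags mount points whose destination is not a \??\Volume{GUID}\ volume path or whose final component repeats the parent directory's name (the ...\Custom\Custom shape every entry above has). The embedded excerpt is constructed from that log; the ordinary volume mount point in it is an assumption added for contrast, and the "suspicious" rule is this script's, not the tool's.

```python
r"""Triage a Win32kDiag log: mount points and inaccessible files.

Assumption (this script's rule, not Win32kDiag's): a legitimate mount point
resolves to \??\Volume{GUID}\; anything else is reported, and a reparse point
carrying the same name as its parent directory is noted as well.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed excerpt: two entries shaped like the log above plus one ordinary
# volume mount point (assumed, for contrast). Not the full log.
SAMPLE_LOG = r"""Log file is located at: C:\Users\Tom\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\datavol

Mount point destination : \??\Volume{12345678-1234-1234-1234-123456789abc}\

Cannot access: C:\Windows\System32\cleanmgr.exe

[1] 2009-04-22 06:18:49 212480 C:\Windows\System32\cleanmgr.exe ()
"""

# \??\Volume{GUID}\ is the normal destination of a volume mount point.
VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{[0-9A-Fa-f-]{36}\}\\?$")
FOUND = "Found mount point : "
DEST = "Mount point destination : "
DENIED = "Cannot access: "


@dataclass(frozen=True)
class MountPoint:
    path: str         # directory that carries the reparse point
    destination: str  # where the reparse point redirects to


def parse(log_text: str):
    """Return (mount points, inaccessible files) found in the log text."""
    mounts, denied, pending = [], [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(FOUND):
            pending = line[len(FOUND):]            # destination follows later
        elif line.startswith(DEST) and pending is not None:
            mounts.append(MountPoint(pending, line[len(DEST):]))
            pending = None
        elif line.startswith(DENIED):
            denied.append(line[len(DENIED):])
    return mounts, denied


def reasons(mp: MountPoint) -> list:
    """Why a mount point looks wrong; empty for an ordinary volume mount."""
    out = []
    if not VOLUME_RE.match(mp.destination):
        out.append(f"destination {mp.destination!r} is not a volume path")
    p = PureWindowsPath(mp.path)
    if p.name and p.name.lower() == p.parent.name.lower():
        out.append("reparse point named after its own parent directory")
    return out


def triage(log_text: str) -> list:
    """(MountPoint, reasons) for every entry that trips at least one rule."""
    mounts, _ = parse(log_text)
    return [(mp, reasons(mp)) for mp in mounts if reasons(mp)]


if __name__ == "__main__":
    for mp, why in triage(SAMPLE_LOG):
        print(f"{mp.path} -> {mp.destination}: {'; '.join(why)}")
    for path in parse(SAMPLE_LOG)[1]:
        print(f"inaccessible: {path}")
```

Note the log was produced without backup privileges (the WARNING line), so a clean "Cannot access" list is only meaningful once the tool runs elevated, as the helper asked for in the previous step.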

Blade81
2009-09-27, 19:52
Please save this (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe) file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the Open box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
%userprofile%\desktop\win32kdiag.exe -f -r

See if you're able to run that batch I asked you to create earlier.

kingnothing
2009-09-27, 20:20
It ran, but I think the program crashed or something. Below is the log file it created:

Log file is located at: C:\Users\Tom\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP47E8.tmp\ZAP47E8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP47E8.tmp\ZAP47E8.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9137.tmp\ZAP9137.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9137.tmp\ZAP9137.tmp

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\temp\temp

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\tmp\tmp

Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\CSC\v2.0.6\namespace\namespace

Found mount point : C:\Windows\DigitalLocker\en-US\en-US

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\DigitalLocker\en-US\en-US

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ehome\CreateDisc\style\style

Found mount point : C:\Windows\Globalization\MCT\MCT-AU\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\MCT\MCT-AU\RSSFeed\RSSFeed

Found mount point : C:\Windows\Globalization\MCT\MCT-CA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\MCT\MCT-CA\RSSFeed\RSSFeed

Found mount point : C:\Windows\Globalization\MCT\MCT-ZA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\MCT\MCT-ZA\RSSFeed\RSSFeed

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\Corporate\Corporate

Found mount point : C:\Windows\Help\OEM\OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\OEM\OEM

Found mount point : C:\Windows\inf\PNRPSvc\0000\0000

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\inf\PNRPSvc\0000\0000

Found mount point : C:\Windows\inf\PNRPSvc\0409\0409

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\inf\PNRPSvc\0409\0409

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ModemLogs\ModemLogs

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Panther\setup.exe\setup.exe

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\Windows\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PIF\PIF

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PLA\Templates\Templates

Found mount point : C:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Registration\CRMLog\CRMLog

Found mount point : C:\Windows\RemotePackages\RemoteApps\RemoteApps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\RemotePackages\RemoteApps\RemoteApps

Found mount point : C:\Windows\RemotePackages\RemoteDesktops\RemoteDesktops

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\RemotePackages\RemoteDesktops\RemoteDesktops

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SchCache\SchCache

Found mount point : C:\Windows\security\audit\audit

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\audit\audit

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\templates\templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temp

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Caches\Caches

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Caches\Caches

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files\Icon Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files\Icon Files

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\DivX\DivX Codec\DivX Codec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\DivX\DivX Codec\DivX Codec

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Found mount point : C:\Windows\servicing\SQM\SQM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\servicing\SQM\SQM

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a

Found mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Found mount point : C:\Windows\SoftwareDistribution\SelfUpdate\Handler\Handler

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\SelfUpdate\Handler\Handler

Cannot access: C:\Windows\System32\cleanmgr.exe

Attempting to restore permissions of : C:\Windows\System32\cleanmgr.exe

[1] 2009-04-22 06:18:49 212480 C:\Windows\System32\cleanmgr.exe (Microsoft Corporation)


The batch file still won't run. :confused:

kingnothing
2009-09-27, 20:21
Apparently it hadn't finished, so here is the complete log file:

Log file is located at: C:\Users\Tom\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP47E8.tmp\ZAP47E8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP47E8.tmp\ZAP47E8.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9137.tmp\ZAP9137.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9137.tmp\ZAP9137.tmp

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\temp\temp

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\tmp\tmp

Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\CSC\v2.0.6\namespace\namespace

Found mount point : C:\Windows\DigitalLocker\en-US\en-US

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\DigitalLocker\en-US\en-US

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ehome\CreateDisc\style\style

Found mount point : C:\Windows\Globalization\MCT\MCT-AU\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\MCT\MCT-AU\RSSFeed\RSSFeed

Found mount point : C:\Windows\Globalization\MCT\MCT-CA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\MCT\MCT-CA\RSSFeed\RSSFeed

Found mount point : C:\Windows\Globalization\MCT\MCT-ZA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\MCT\MCT-ZA\RSSFeed\RSSFeed

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\Corporate\Corporate

Found mount point : C:\Windows\Help\OEM\OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\OEM\OEM

Found mount point : C:\Windows\inf\PNRPSvc\0000\0000

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\inf\PNRPSvc\0000\0000

Found mount point : C:\Windows\inf\PNRPSvc\0409\0409

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\inf\PNRPSvc\0409\0409

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ModemLogs\ModemLogs

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Panther\setup.exe\setup.exe

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\Windows\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PIF\PIF

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PLA\Templates\Templates

Found mount point : C:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Registration\CRMLog\CRMLog

Found mount point : C:\Windows\RemotePackages\RemoteApps\RemoteApps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\RemotePackages\RemoteApps\RemoteApps

Found mount point : C:\Windows\RemotePackages\RemoteDesktops\RemoteDesktops

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\RemotePackages\RemoteDesktops\RemoteDesktops

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SchCache\SchCache

Found mount point : C:\Windows\security\audit\audit

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\audit\audit

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\templates\templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temp

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Caches\Caches

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Caches\Caches

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files\Icon Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files\Icon Files

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\DivX\DivX Codec\DivX Codec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\DivX\DivX Codec\DivX Codec

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Found mount point : C:\Windows\servicing\SQM\SQM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\servicing\SQM\SQM

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a

Found mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Found mount point : C:\Windows\SoftwareDistribution\SelfUpdate\Handler\Handler

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\SelfUpdate\Handler\Handler

Cannot access: C:\Windows\System32\cleanmgr.exe

Attempting to restore permissions of : C:\Windows\System32\cleanmgr.exe

[1] 2009-04-22 06:18:49 212480 C:\Windows\System32\cleanmgr.exe (Microsoft Corporation)

[1] 2009-04-22 06:18:49 212480 C:\Windows\winsxs\x86_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7100.0_none_de372ec2b2a1a27c\cleanmgr.exe (Microsoft Corporation)



Cannot access: C:\Windows\System32\cmd.exe

Attempting to restore permissions of : C:\Windows\System32\cmd.exe

[1] 2009-04-22 06:18:51 301568 C:\Windows\System32\cmd.exe (Microsoft Corporation)

[1] 2009-04-22 06:18:51 301568 C:\Windows\winsxs\x86_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7100.0_none_fbffbf1e6f725ab8\cmd.exe (Microsoft Corporation)



Cannot access: C:\Windows\System32\cngaudit.dll

Attempting to restore permissions of : C:\Windows\System32\cngaudit.dll

[1] 2009-04-22 06:20:04 61952 C:\Windows\System32\cngaudit.dll ()

[1] 2009-04-22 06:20:04 12288 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7100.0_none_5956e38684aa4f03\cngaudit.dll (Microsoft Corporation)



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-09-27 10:48:32 72 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-09-27 10:48:11 72 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-09-27 10:48:11 72 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Found mount point : C:\Windows\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Found mount point : C:\Windows\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Temp\_avast4_\_avast4_

Found mount point : C:\Windows\Vss\Writers\Application\Application

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Vss\Writers\Application\Application

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames



Finished!

kingnothing
2009-09-27, 21:23
Just tried the batch file again and it ran, below is the logfile:

Volume in drive C has no label.
Volume Serial Number is D8DE-BEEE

Directory of C:\WINDOWS\System32

22/04/2009 06:21 175,616 scecli.dll

Directory of C:\WINDOWS\System32

22/04/2009 06:21 561,152 netlogon.dll

Directory of C:\WINDOWS\System32

22/04/2009 06:20 61,952 cngaudit.dll
3 File(s) 798,720 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7100.0_none_5956e38684aa4f03

22/04/2009 06:20 12,288 cngaudit.dll
1 File(s) 12,288 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7100.0_none_a900dabd2e31405b

22/04/2009 06:21 175,616 scecli.dll
1 File(s) 175,616 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7100.0_none_6eaaafa48d0fb9a0

22/04/2009 06:21 561,152 netlogon.dll
1 File(s) 561,152 bytes

Total Files Listed:
6 File(s) 1,547,776 bytes
0 Dir(s) 13,777,342,464 bytes free
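The listing above is the helper's way of spotting a tampered system file: the same DLL is present in C:\Windows\System32 and in its winsxs component directory, and the two copies should be the same size. Here cngaudit.dll is 61,952 bytes in System32 but 12,288 bytes in winsxs, while scecli.dll and netlogon.dll match. The script below automates that comparison over cmd.exe `dir` output. It is an added example, not the batch file from the thread or a tool the helper used; the sample input is constructed from the values posted above, and the rule that System32 and winsxs copies must agree in size is the script's assumption.

```python
"""Compare file sizes in a cmd.exe `dir` listing of System32 against the
matching winsxs (component store) copies and report the ones that differ.

Added example, not part of the original thread. Assumption: a System32 file
and its winsxs counterpart should have identical sizes; a mismatch is a
candidate for restoration from the component store.
"""
import re
from collections import defaultdict

# Constructed sample: the three DLLs from the posted listing (values as posted).
SAMPLE_DIR_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is D8DE-BEEE

 Directory of C:\WINDOWS\System32

22/04/2009 06:21 175,616 scecli.dll

 Directory of C:\WINDOWS\System32

22/04/2009 06:21 561,152 netlogon.dll

 Directory of C:\WINDOWS\System32

22/04/2009 06:20 61,952 cngaudit.dll
 3 File(s) 798,720 bytes

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7100.0_none_5956e38684aa4f03

22/04/2009 06:20 12,288 cngaudit.dll
 1 File(s) 12,288 bytes

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7100.0_none_a900dabd2e31405b

22/04/2009 06:21 175,616 scecli.dll
 1 File(s) 175,616 bytes

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7100.0_none_6eaaafa48d0fb9a0

22/04/2009 06:21 561,152 netlogon.dll
 1 File(s) 561,152 bytes
"""

DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
# "date time size name"; the size carries thousands separators in dir output.
FILE_LINE = re.compile(
    r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$"
)


def parse_dir_listing(text):
    """Return {filename_lower: {directory: size_in_bytes}} from `dir` output."""
    seen = defaultdict(dict)
    current_dir = None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current_dir = m.group("path")
            continue
        m = FILE_LINE.match(line)
        if m and current_dir is not None:
            size = int(m.group("size").replace(",", ""))
            seen[m.group("name").lower()][current_dir] = size
    return seen


def find_size_mismatches(seen):
    """Pair each System32 copy with its winsxs copies and report differing sizes.

    Returns a list of (name, system32_size, {winsxs_dir: size}) for every file
    whose System32 copy does not match all of its winsxs copies.
    """
    mismatches = []
    for name, copies in sorted(seen.items()):
        sys32 = [s for d, s in copies.items() if d.lower().endswith("\\system32")]
        sxs = {d: s for d, s in copies.items() if "\\winsxs\\" in d.lower()}
        if not sys32 or not sxs:
            continue  # nothing to compare against
        if any(s != sys32[0] for s in sxs.values()):
            mismatches.append((name, sys32[0], sxs))
    return mismatches


if __name__ == "__main__":
    for name, sys32_size, sxs in find_size_mismatches(parse_dir_listing(SAMPLE_DIR_OUTPUT)):
        print(f"{name}: System32 copy is {sys32_size} bytes, "
              f"component store has {sorted(set(sxs.values()))}")
```

Run it against the saved output of the same `dir` commands on another machine and it prints only cngaudit.dll for the listing above. A size match is not proof the file is clean (a replacement can be padded to the original size), so treat the check as a quick triage step before the file-kill and copy-back the helper describes.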

Blade81
2009-09-27, 21:31
Hi,

Start GMER. Click >>>, select files tab and browse to C:\Windows\System32\cngaudit.dll file. Kill the file by highlighting it and pressing kill button in GMER. Reboot.

Then create a batch file with following contents (creation steps are otherwise same as with that other batch):

copy /y C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7100.0_none_5956e38684aa4f03\cngaudit.dll c:\windows\system32\cngaudit.dll


Run the batch.

After that, run Win32kDiag again and post back its report.

kingnothing
2009-09-27, 21:41
I've started Gmer but I can't seem to locate C:\Windows from it? :sad:

From the file tab I have a list of folders in the left hand pane.

At the top I have

C:\

then followed by lots of folders but no Windows folder.

Blade81
2009-09-27, 21:53
Hi,

Do you have BitLocker active? If yes, please disable it and try to run GMER again.

kingnothing
2009-09-27, 21:56
I don't have bitlocker on.

Blade81
2009-09-27, 22:37
Ok. Seems likely that we have to use the recovery environment here. Do you have Win7 RC media available?

First, let's make a file copy to other location so that you don't have to type so much on upcoming part.

Create a batch with following contents:

xcopy /y C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7100.0_none_5956e38684aa4f03\cngaudit.dll c:\cngaudit.dll


When that's done, make sure that c:\cngaudit.dll file exists. After that, please follow method two here (http://www.sevenforums.com/tutorials/668-system-recovery-options.html) to access system recovery options. Click Command Prompt (http://www.sevenforums.com/tutorials/682-command-prompt-startup.html). Give the following command and press ENTER, making sure that spelling is exactly as shown:

copy /y c:\cngaudit.dll c:\windows\system32\cngaudit.dll

If all went well you should get "1 file(s) copied." message. After that give command exit (press ENTER) to exit command prompt. Click restart on system recovery options window. When back to normal mode, run win32kdiag.

Also, please upload C:\Windows\winsvc32.exe file here (http://www.bleepingcomputer.com/submit-malware.php?channel=76). Kindly include a link to this topic.

kingnothing
2009-09-27, 22:42
I don't have a windows 7 RC disk with me. Doesn't the recovery console get installed when you install windows 7?

kingnothing
2009-09-27, 22:45
Do I run the batch file I just created?:confused:

Blade81
2009-09-28, 08:14
You can run the batch part now but that other part needs access to the recovery environment.


Doesn't the recovery console get installed when you install windows 7?
Not by default. See if you can create recovery disk by following instructions here (http://forums.techarena.in/guides-tutorials/1114725.htm) and then use it to access recovery environment.

kingnothing
2009-09-28, 13:35
I created and ran the batch file, I then created a recovery disc and copied the cngaudit file. For some reason in the recovery environment my C: drive became my D: drive so I changed the c: to d: in the text you told me to enter.

I then ran win32kdiag which created the following log file:

Log file is located at: C:\Users\Tom\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP47E8.tmp\ZAP47E8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9137.tmp\ZAP9137.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\DigitalLocker\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\MCT\MCT-AU\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\MCT\MCT-CA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\MCT\MCT-ZA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\OEM\OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\inf\PNRPSvc\0000\0000

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\inf\PNRPSvc\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\RemotePackages\RemoteApps\RemoteApps

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\RemotePackages\RemoteDesktops\RemoteDesktops

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\audit\audit

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Caches\Caches

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\DivX\DivX Codec\DivX Codec

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\servicing\SQM\SQM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\SelfUpdate\Handler\Handler

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Vss\Writers\Application\Application

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^



Finished!

I uploaded c:\windows\winsvc32.exe to the website as you instructed.
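Every "Found mount point" entry in the log above has the same two traits: the last path component is doubled (C:\Windows\PIF\PIF, C:\Windows\AppPatch\Custom\Custom) and the destination is \Device\__max++>\^ rather than a volume. The script below turns a Win32kDiag log into a short summary on that basis. It is an added example, not Win32kDiag itself or anything the helper posted. Its assumption is that a legitimate NTFS mount point or junction resolves to a \??\Volume{...}\ or \??\C:\... target; the sample log is constructed from two entries in the posted log plus one made-up benign junction (C:\Windows\Example\MountedVolume, with a zeroed volume GUID) included only to show the contrast.

```python
"""Summarise Win32kDiag output: which directories are mount points, where they
point, and which targets do not look like a real volume or path.

Added example, not part of the original thread. Assumption: a benign mount
point / junction target is written as \??\Volume{GUID}\ or \??\<drive>:\...;
anything else is reported, as is a doubled last path component, which every
entry in the posted log shares.
"""
import re
from collections import Counter

# Constructed sample: two entries from the posted log and one made-up benign
# junction (hypothetical path and zeroed volume GUID) for contrast.
SAMPLE_LOG = r"""
Log file is located at: C:\Users\Tom\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Example\MountedVolume

Mount point destination : \??\Volume{00000000-0000-0000-0000-000000000000}\

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+?)\s*$")
# Assumed shape of a benign target: \??\Volume{GUID}\ or \??\C:\ (drive path).
BENIGN_DEST = re.compile(r"^\\\?\?\\(Volume\{[0-9a-fA-F-]+\}|[A-Za-z]:)\\", re.I)


def parse_mount_points(text):
    """Pair each 'Found mount point' line with the destination line after it."""
    pairs = []
    pending = None
    for line in text.splitlines():
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group("path")
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            pairs.append((pending, m.group("dest")))
            pending = None
    return pairs


def doubled_leaf(path):
    """True when the last two path components are identical (e.g. ...\PIF\PIF)."""
    parts = path.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def classify(pairs):
    """Split (path, dest) pairs into suspicious and benign lists.

    A mount point is suspicious when its target does not match BENIGN_DEST or
    its leaf name is doubled; each suspicious entry carries its reasons.
    """
    suspicious, benign = [], []
    for path, dest in pairs:
        reasons = []
        if not BENIGN_DEST.match(dest):
            reasons.append("target is not a \\??\\ volume or drive path")
        if doubled_leaf(path):
            reasons.append("doubled last path component")
        (suspicious if reasons else benign).append((path, dest, reasons))
    return suspicious, benign


def destination_histogram(pairs):
    """Count mount points per target: many directories all resolving to one
    non-volume object is the pattern the posted log shows."""
    return Counter(dest for _, dest in pairs)


if __name__ == "__main__":
    pairs = parse_mount_points(SAMPLE_LOG)
    bad, good = classify(pairs)
    for dest, n in destination_histogram(pairs).most_common():
        print(f"{n:3d} mount point(s) -> {dest}")
    for path, dest, reasons in bad:
        print(f"SUSPICIOUS {path} -> {dest} ({'; '.join(reasons)})")
```

Feed it the full Win32kDiag.txt from the post above and the histogram collapses the whole log into one line per destination, which is the quickest way to see that the dozens of junctions are one planted set rather than many unrelated findings. The benign-target pattern is a heuristic: a junction that points at an ordinary \??\ path can still be malicious, so review anything the script lists as benign under C:\Windows as well.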

Blade81
2009-09-28, 15:40
Thanks for the sample :)

Please save this (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe) file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the Open box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
%userprofile%\desktop\win32kdiag.exe -f -r

After that, launch Malwarebytes' A-M (MBAM), update its definitions and run a quick scan (let it delete all findings). Post the report back here.

Note: If you get permission error from MBAM, follow the instructions in post #9 to download unlocker (if you don't have the file anymore). Then drag 'n' drop MBAM exe file to it.

kingnothing
2009-09-28, 16:10
Results of Win32kdiag.exe log file:

Running from: C:\Users\Tom\Desktop\win32kdiag.exe

Log file at : C:\Users\Tom\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP47E8.tmp\ZAP47E8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP47E8.tmp\ZAP47E8.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9137.tmp\ZAP9137.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9137.tmp\ZAP9137.tmp

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\temp\temp

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\tmp\tmp

Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\CSC\v2.0.6\namespace\namespace

Found mount point : C:\Windows\DigitalLocker\en-US\en-US

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\DigitalLocker\en-US\en-US

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ehome\CreateDisc\style\style

Found mount point : C:\Windows\Globalization\MCT\MCT-AU\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\MCT\MCT-AU\RSSFeed\RSSFeed

Found mount point : C:\Windows\Globalization\MCT\MCT-CA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\MCT\MCT-CA\RSSFeed\RSSFeed

Found mount point : C:\Windows\Globalization\MCT\MCT-ZA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\MCT\MCT-ZA\RSSFeed\RSSFeed

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\Corporate\Corporate

Found mount point : C:\Windows\Help\OEM\OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\OEM\OEM

Found mount point : C:\Windows\inf\PNRPSvc\0000\0000

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\inf\PNRPSvc\0000\0000

Found mount point : C:\Windows\inf\PNRPSvc\0409\0409

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\inf\PNRPSvc\0409\0409

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ModemLogs\ModemLogs

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Panther\setup.exe\setup.exe

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\Windows\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PIF\PIF

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PLA\Templates\Templates

Found mount point : C:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Registration\CRMLog\CRMLog

Found mount point : C:\Windows\RemotePackages\RemoteApps\RemoteApps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\RemotePackages\RemoteApps\RemoteApps

Found mount point : C:\Windows\RemotePackages\RemoteDesktops\RemoteDesktops

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\RemotePackages\RemoteDesktops\RemoteDesktops

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SchCache\SchCache

Found mount point : C:\Windows\security\audit\audit

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\audit\audit

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\templates\templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temp

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Caches\Caches

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Caches\Caches

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\DivX\DivX Codec\DivX Codec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\DivX\DivX Codec\DivX Codec

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Found mount point : C:\Windows\servicing\SQM\SQM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\servicing\SQM\SQM

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.23_none_97d5896e7560765a

Found mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\10c510d99262f3d69d00319f2c10e33d\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7100.4114_none_d31e04150597a6d7

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Found mount point : C:\Windows\SoftwareDistribution\SelfUpdate\Handler\Handler

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\SelfUpdate\Handler\Handler

Found mount point : C:\Windows\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Found mount point : C:\Windows\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Temp\_avast4_\_avast4_

Found mount point : C:\Windows\Vss\Writers\Application\Application

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Vss\Writers\Application\Application

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames



Finished!

Below is the Mbam log file:

Malwarebytes' Anti-Malware 1.41
Database version: 2866
Windows 6.1.7100

28/09/2009 15:02:13
mbam-log-2009-09-28 (15-01-59).txt

Scan type: Quick Scan
Objects scanned: 100240
Time elapsed: 8 minute(s), 29 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
C:\Windows\winsvc32.exe (Backdoor.Bot) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsvc32 (Backdoor.Bot) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\logevent.dll (Trojan.Sirefef) -> No action taken.
C:\Windows\msa.exe (Trojan.Agent) -> No action taken.
C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.
C:\Windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.
C:\Windows\win32k.sys (Trojan.Dropper) -> No action taken.
C:\Windows\winsvc32.exe (Backdoor.Bot) -> No action taken.

Blade81
2009-09-28, 16:13
I assume those findings were nuked, though the report shows "no action taken".

Let's get some further details of your system's situation next.


Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

kingnothing
2009-09-28, 16:15
Yeah, I removed the infected files.

kingnothing
2009-09-28, 16:31
Contents of OTL.txt:

OTL logfile created on: 28/09/2009 15:21:06 - Run 1
OTL by OldTimer - Version 3.0.16.0 Folder = C:\Users\Tom\Desktop
Ultimate Edition (Version = 6.1.7100) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7100.0)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.71 Gb Available Physical Memory | 85.50% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 99.88% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 55.80 Gb Total Space | 12.84 Gb Free Space | 23.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOM-LAPTOP
Current User Name: Tom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Windows\System32\AEADISRV.EXE (Andrea Electronics Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Windows\System32\lxcecoms.exe ( )
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
PRC - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
PRC - C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
PRC - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Windows\System32\igfxtray.exe (Intel Corporation)
PRC - C:\Windows\System32\hkcmd.exe (Intel Corporation)
PRC - C:\Windows\System32\igfxpers.exe (Intel Corporation)
PRC - C:\Program Files\Lexmark 4300 Series\lxcemon.exe (Lexmark International, Inc.)
PRC - C:\Program Files\Lexmark 4300 Series\ezprint.exe (Lexmark International Inc.)
PRC - C:\Windows\System32\igfxsrvc.exe (Intel Corporation)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
PRC - C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe (Siber Systems)
PRC - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe (Creative Technology Ltd)
PRC - C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe ()
PRC - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (Nero AG)
PRC - C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe (Nero AG)
PRC - C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Users\Tom\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (AEADIFilters [Auto | Running]) -- C:\Windows\System32\AEADISRV.EXE (Andrea Electronics Corporation)
SRV - (AppIDSvc [On_Demand | Stopped]) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation)
SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (avg8emc [Auto | Stopped]) -- C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (AxInstSV [On_Demand | Stopped]) -- C:\Windows\System32\AxInstSV.dll (Microsoft Corporation)
SRV - (BDESVC [Unknown | Stopped]) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (defragsvc [On_Demand | Stopped]) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation)
SRV - (Dhcp [Auto | Running]) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SRV - (ehRecvr [On_Demand | Stopped]) -- C:\Windows\ehome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [On_Demand | Stopped]) -- C:\Windows\ehome\ehsched.exe (Microsoft Corporation)
SRV - (eventlog [Auto | Running]) -- C:\Windows\System32\wevtsvc.dll (Microsoft Corporation)
SRV - (FontCache [On_Demand | Stopped]) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (HomeGroupListener [On_Demand | Running]) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation)
SRV - (HomeGroupProvider [On_Demand | Running]) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (lxce_device [Auto | Running]) -- C:\Windows\System32\lxcecoms.exe ( )
SRV - (Microsoft Office Groove Audit Service [On_Demand | Stopped]) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (NBService [On_Demand | Stopped]) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (Nero AG)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (NMIndexingService [On_Demand | Running]) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (Nero AG)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (p2pimsvc [On_Demand | Running]) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc [On_Demand | Stopped]) -- C:\Windows\System32\peerdistsvc.dll (Microsoft Corporation)
SRV - (PNRPAutoReg [On_Demand | Stopped]) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation)
SRV - (PNRPsvc [On_Demand | Running]) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (Power [Auto | Running]) -- C:\Windows\System32\umpo.dll (Microsoft Corporation)
SRV - (RpcEptMapper [Unknown | Running]) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SRV - (SensrSvc [On_Demand | Stopped]) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (sppsvc [Auto | Stopped]) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation)
SRV - (sppuinotify [On_Demand | Stopped]) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation)
SRV - (Themes [Auto | Running]) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation)
SRV - (WbioSrvc [On_Demand | Stopped]) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation)
SRV - (WinDefend [Auto | Running]) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
SRV - (WMPNetworkSvc [Auto | Running]) -- C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (WwanSvc [On_Demand | Stopped]) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (1394ohci [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\1394ohci.sys (Microsoft Corporation)
DRV - (AcpiPmi [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation)
DRV - (ADIHdAudAddService [On_Demand | Running]) -- C:\Windows\System32\drivers\ADIHdAud.sys (Analog Devices, Inc.)
DRV - (adp94xx [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.)
DRV - (adpahci [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.)
DRV - (adpu320 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (AgereSoftModem [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\AGRSM.sys (LSI Corp)
DRV - (aic78xx [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.)
DRV - (aliide [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (AmdPPM [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation)
DRV - (amdsata [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\amdsata.sys (AMD)
DRV - (amdsbs [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.)
DRV - (amdxata [Boot | Running]) -- C:\Windows\system32\DRIVERS\amdxata.sys (AMD)
DRV - (AppID [On_Demand | Stopped]) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation)
DRV - (arc [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.)
DRV - (arcsas [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.)
DRV - (ATSwpWDF [On_Demand | Running]) -- C:\Windows\System32\Drivers\ATSwpWDF.sys (AuthenTec, Inc.)
DRV - (AvgLdx86 [System | Running]) -- C:\Windows\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86 [System | Running]) -- C:\Windows\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX [System | Running]) -- C:\Windows\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (b06bdrv [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation)
DRV - (b57nd60x [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\b57nd60x.sys (Broadcom Corporation)
DRV - (BrFiltLo [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (Brserid [On_Demand | Stopped]) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
DRV - (BrSerWdm [On_Demand | Stopped]) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm [On_Demand | Stopped]) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer [On_Demand | Stopped]) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (cmdide [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (CNG [Boot | Running]) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation)
DRV - (CompositeBus [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\CompositeBus.sys (Microsoft Corporation)
DRV - (discache [System | Running]) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation)
DRV - (ebdrv [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation)
DRV - (ElbyCDIO [System | Running]) -- C:\Windows\System32\Drivers\ElbyCDIO.sys (Elaborate Bytes AG)
DRV - (elxstor [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex)
DRV - (FsDepends [On_Demand | Stopped]) -- C:\Windows\System32\drivers\FsDepends.sys (Microsoft Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (hcw85cir [On_Demand | Stopped]) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (HidBatt [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation)
DRV - (HpSAMD [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company)
DRV - (hwpolicy [Boot | Running]) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation)
DRV - (iaStorV [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation)
DRV - (igfx [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\igdkmd32.sys (Intel Corporation)
DRV - (iirsp [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (KSecPkg [Boot | Running]) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation)
DRV - (LSI_FC [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation)
DRV - (LSI_SAS [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation)
DRV - (LSI_SAS2 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation)
DRV - (LSI_SCSI [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation)
DRV - (megasas [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation)
DRV - (MegaSR [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.)
DRV - (mshidkmdf [On_Demand | Stopped]) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV - (MTConfig [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation)
DRV - (NdisCap [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\ndiscap.sys (Microsoft Corporation)
DRV - (netw5v32 [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\netw5v32.sys (Intel Corporation)
DRV - (nfrd960 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation)
DRV - (nvraid [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nvstor [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation)
DRV - (pcw [Boot | Running]) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation)
DRV - (ql2300 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation)
DRV - (ql40xx [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation)
DRV - (RasAgileVpn [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\AgileVpn.sys (Microsoft Corporation)
DRV - (rdpbus [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\rdpbus.sys (Microsoft Corporation)
DRV - (RDPREFMP [System | Running]) -- C:\Windows\System32\drivers\rdprefmp.sys (Microsoft Corporation)
DRV - (rdyboost [Boot | Running]) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation)
DRV - (s3cap [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation)
DRV - (scfilter [Unknown | Stopped]) -- C:\Windows\System32\DRIVERS\scfilter.sys (Microsoft Corporation)
DRV - (secdrv [Auto | Running]) -- C:\Windows\System32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SiSRaid2 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.)
DRV - (SiSRaid4 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems)
DRV - (sptd [Boot | Stopped]) -- C:\Windows\System32\Drivers\sptd.sys (Duplex Secure Ltd.)
DRV - (stexstor [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology)
DRV - (storflt [Boot | Running]) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation)
DRV - (SynTP [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\SynTP.sys (Synaptics, Inc.)
DRV - (TPM [On_Demand | Running]) -- C:\Windows\System32\drivers\tpm.sys (Microsoft Corporation)
DRV - (UmPass [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (VClone [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\VClone.sys (Elaborate Bytes AG)
DRV - (vdrvroot [Boot | Running]) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation)
DRV - (vhdmp [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation)
DRV - (viaide [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.)
DRV - (vmbus [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation)
DRV - (VMBusHID [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation)
DRV - (vsmraid [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (vwifibus [On_Demand | Stopped]) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation)
DRV - (WfpLwf [System | Running]) -- C:\Windows\System32\DRIVERS\wfplwf.sys (Microsoft Corporation)
DRV - (WIMMount [On_Demand | Stopped]) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation)
DRV - (WinUsb [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\WinUsb.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: clickbank@geminussoft.com:1.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.51.4
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a}:1.30
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/04/22 09:55:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/09/21 20:27:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/10 22:41:34 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/10 22:41:33 | 00,000,000 | ---D | M]

[2009/06/21 22:47:26 | 00,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\mozilla\Extensions
[2009/06/21 22:47:26 | 00,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/09/28 14:15:44 | 00,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\mozilla\Firefox\Profiles\ve442xue.default\extensions
[2009/07/02 22:19:54 | 00,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\mozilla\Firefox\Profiles\ve442xue.default\extensions\{1BCA7BD8-8977-11DC-A9BD-548555D89593}
[2009/06/21 22:53:01 | 00,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\mozilla\Firefox\Profiles\ve442xue.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/06/22 14:44:33 | 00,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\mozilla\Firefox\Profiles\ve442xue.default\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
[2009/06/25 13:13:17 | 00,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\mozilla\Firefox\Profiles\ve442xue.default\extensions\{ec9CEB59-8266-438b-91D9-82F56D595E15}
[2009/06/22 14:43:45 | 00,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\mozilla\Firefox\Profiles\ve442xue.default\extensions\clickbank@geminussoft.com
[2009/09/11 12:35:49 | 00,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\mozilla\Firefox\Profiles\ve442xue.default\extensions\support@lastpass.com
[2009/09/28 14:15:44 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/09/10 22:41:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/07/06 15:01:50 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2009/08/29 18:07:23 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/08/24 21:17:45 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/24 21:17:45 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/05/13 22:55:22 | 01,044,480 | ---- | M] (The OpenSSL Project, http://www.openssl.org/) -- C:\Program Files\mozilla firefox\plugins\libdivx.dll
[2007/04/10 17:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\np-mswmp.dll
[2009/07/25 05:23:01 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/05/13 22:54:50 | 01,650,992 | ---- | M] (DivX,Inc.) -- C:\Program Files\mozilla firefox\plugins\npdivx32.dll
[2009/05/27 03:18:22 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll
[2009/08/24 21:17:45 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2006/10/26 20:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL
[2003/07/14 22:56:52 | 00,013,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL
[2009/02/27 12:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/07/28 20:09:14 | 00,144,984 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nppl3260.dll
[2009/08/17 15:01:12 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/08/17 15:01:12 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/08/17 15:01:12 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/08/17 15:01:12 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/08/17 15:01:12 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/08/17 15:01:13 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/08/17 15:01:13 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/07/28 20:09:19 | 00,024,576 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprjplug.dll
[2009/07/28 20:09:12 | 00,081,920 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprpjplug.dll
[2009/05/13 22:55:22 | 00,200,704 | ---- | M] (The OpenSSL Project, http://www.openssl.org/) -- C:\Program Files\mozilla firefox\plugins\ssldivx.dll
[2009/08/24 20:10:36 | 00,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2009/08/24 20:10:36 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/08/24 20:10:36 | 00,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2009/08/24 20:10:36 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/08/24 20:10:36 | 00,000,769 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2009/08/24 20:10:36 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/08/24 20:10:36 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/08/24 20:10:36 | 00,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (331255 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 11343 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark 4300 Series\ezprint.exe (Lexmark International Inc.)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LXCECATS] C:\Windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.DLL ()
O4 - HKLM..\Run: [lxcemon.exe] C:\Program Files\Lexmark 4300 Series\lxcemon.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [VirtualCloneDrive] C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe (Creative Technology Ltd)
O4 - HKCU..\Run: [CTSyncU.exe] C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe ()
O4 - HKCU..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\NLAapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\napinsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKLM\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: gistweb.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/20 16:42:25 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{0c37a9b3-5f48-11de-8e49-00170847af7b}\Shell - "" = AutoRun
O33 - MountPoints2\{0c37a9b3-5f48-11de-8e49-00170847af7b}\Shell\AutoRun\command - "" = E:\SETUP.EXE -- File not found
O33 - MountPoints2\{0c37a9b3-5f48-11de-8e49-00170847af7b}\Shell\configure\command - "" = E:\SETUP.EXE -- File not found
O33 - MountPoints2\{0c37a9b3-5f48-11de-8e49-00170847af7b}\Shell\install\command - "" = E:\SETUP.EXE -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/09/28 15:16:04 | 00,518,144 | ---- | C] (OldTimer Tools) -- C:\Users\Tom\Desktop\OTL.exe
[2009/09/28 14:51:27 | 00,000,983 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/28 14:49:22 | 04,045,528 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Tom\Desktop\mbam-setup.exe
[2009/09/28 14:44:50 | 00,047,616 | ---- | C] () -- C:\Users\Tom\Desktop\Win32kDiag.exe
[2009/09/28 11:49:13 | 00,012,288 | ---- | C] (Microsoft Corporation) -- C:\cngaudit.dll
[2009/09/27 21:43:39 | 00,000,140 | ---- | C] () -- C:\Users\Tom\Desktop\sbfix.bat
[2009/09/27 11:26:30 | 00,000,000 | ---D | C] -- C:\Users\Tom\Desktop\rbu
[2009/09/26 20:43:55 | 00,085,504 | ---- | C] () -- C:\Windows\System32\Inherit.exe
[2009/09/26 20:43:11 | 00,085,504 | ---- | C] () -- C:\Users\Tom\Desktop\Inherit.exe
[2009/09/26 19:09:29 | 00,000,000 | ---- | C] () -- C:\temp.exe
[2009/09/26 19:09:25 | 00,139,305 | ---- | C] (JeEzZ) -- C:\temp
[2009/09/26 13:28:33 | 00,288,768 | ---- | C] () -- C:\Users\Tom\Desktop\l2nrk1lf.exe
[2009/09/26 11:06:54 | 00,000,000 | ---D | C] -- C:\Users\Tom\Desktop\sfsdf
[2009/09/23 18:30:38 | 00,161,796 | ---- | C] () -- C:\Users\Tom\Desktop\basic_dog_training_2008.pdf
[2009/09/23 14:34:17 | 00,000,000 | ---- | C] () -- C:\Users\Tom\Desktop\loud.jpg
[2009/09/22 10:30:35 | 00,002,043 | ---- | C] () -- C:\Users\Tom\Desktop\HijackThis.lnk
[2009/09/22 10:30:33 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/09/22 10:28:39 | 00,000,000 | ---D | C] -- C:\Users\Tom\Desktop\reg backup
[2009/09/22 10:28:12 | 00,000,879 | ---- | C] () -- C:\Users\Tom\Desktop\ERUNT.lnk
[2009/09/22 10:28:08 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/09/22 00:04:24 | 03,317,563 | ---- | C] () -- C:\Users\Tom\Desktop\combo- fixit.exe
[2009/09/21 22:24:08 | 00,000,000 | ---D | C] -- C:\Users\Tom\AppData\Local\Microsoft Games
[2009/09/21 20:39:13 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/09/21 20:39:12 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/09/21 20:39:12 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/09/21 17:39:52 | 00,194,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ListSvc.dll
[2009/09/21 17:32:22 | 00,308,160 | ---- | C] (ALWIL Software) -- C:\Users\Tom\Desktop\avast_home_setup.exe
[2009/09/21 17:01:03 | 03,952,480 | -H-- | C] () -- C:\Users\Tom\AppData\Local\IconCache.db
[2009/09/21 16:27:10 | 01,056,768 | ---- | C] () -- C:\Windows\System32\defltbase.sdb
[2009/09/21 14:58:17 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/09/21 14:57:06 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2009/09/21 14:57:06 | 00,011,952 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2009/09/21 14:57:01 | 00,335,240 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2009/09/21 14:57:01 | 00,027,784 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
[2009/09/21 14:56:51 | 41,898,764 | ---- | C] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2009/09/21 14:56:50 | 00,113,133 | ---- | C] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2009/09/21 14:56:49 | 00,463,779 | ---- | C] () -- C:\Windows\System32\drivers\Avg\miniavi.avg
[2009/09/21 14:56:47 | 06,061,540 | ---- | C] () -- C:\Windows\System32\drivers\Avg\avi7.avg
[2009/09/21 14:56:47 | 00,000,000 | ---D | C] -- C:\Windows\System32\drivers\Avg
[2009/09/21 14:56:45 | 00,000,000 | ---D | C] -- C:\ProgramData\avg8
[2009/09/21 14:56:45 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/09/21 14:44:34 | 00,000,000 | ---D | C] -- C:\Users\Tom\AppData\Roaming\AVG8
[2009/09/20 23:08:23 | 00,000,000 | ---D | C] -- C:\Users\Tom\AppData\Roaming\Malwarebytes
[2009/09/20 23:08:17 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/09/20 23:01:30 | 00,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2009/09/20 23:01:30 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/09/20 20:56:48 | 00,000,000 | -H-D | C] -- C:\Windows\PIF
[2009/09/20 20:17:53 | 00,000,000 | ---D | C] -- C:\Program Files\GiPo@Utilities
[2009/09/20 20:17:53 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Gibinsoft Shared
[2009/09/19 21:02:49 | 00,000,000 | ---D | C] -- C:\Users\Tom\Desktop\Tinnitus
[2009/09/18 15:05:36 | 00,010,380 | ---- | C] () -- C:\Users\Tom\Desktop\Tinnitus bl.docx
[2009/09/15 14:00:45 | 00,013,190 | ---- | C] () -- C:\Users\Tom\Desktop\coversmallblog.jpg
[2009/09/15 13:19:47 | 00,199,319 | ---- | C] () -- C:\Users\Tom\Desktop\blog-09-15-2009.xml
[2009/09/12 21:10:51 | 00,012,009 | ---- | C] () -- C:\Users\Tom\Desktop\Internet Marketing Campaign.docx
[2009/09/10 21:58:41 | 00,000,000 | ---D | C] -- C:\Program Files\Safari
[2009/09/09 23:19:32 | 04,120,056 | ---- | C] () -- C:\Users\Tom\Desktop\Death Of Affiliate Marketing on Squidoo.pdf
[2009/09/09 21:56:48 | 00,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2009/09/08 13:40:10 | 02,754,881 | ---- | C] () -- C:\Users\Tom\Desktop\Horrors_of_Vaccination_Exposed.pdf
[2009/09/03 20:51:18 | 00,011,332 | ---- | C] () -- C:\Users\Tom\Desktop\smallme.jpg
[2009/09/03 20:37:13 | 00,000,000 | ---D | C] -- C:\Users\Tom\Desktop\September_number_one_4586hiu38
[2009/09/03 14:16:57 | 00,000,000 | ---D | C] -- C:\Users\Tom\Desktop\September 2009
[2009/08/29 18:07:22 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2009/08/29 18:07:22 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2009/08/29 18:07:22 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2009/08/24 14:57:42 | 01,224,704 | ---- | C] ( ) -- C:\Windows\System32\lxceserv.dll
[2009/08/24 14:57:42 | 00,995,328 | ---- | C] ( ) -- C:\Windows\System32\lxceusb1.dll
[2009/08/24 14:57:42 | 00,413,696 | ---- | C] ( ) -- C:\Windows\System32\lxceinpa.dll
[2009/08/24 14:57:42 | 00,397,312 | ---- | C] ( ) -- C:\Windows\System32\lxceiesc.dll
[2009/08/24 14:57:42 | 00,323,584 | ---- | C] ( ) -- C:\Windows\System32\lxcehcp.dll
[2009/08/24 14:57:42 | 00,274,432 | ---- | C] () -- C:\Windows\System32\lxceinst.dll
[2009/08/24 14:57:41 | 00,696,320 | ---- | C] ( ) -- C:\Windows\System32\lxcehbn3.dll
[2009/08/24 14:57:41 | 00,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxcecomc.dll
[2009/08/24 14:57:41 | 00,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxcepmui.dll
[2009/08/24 14:57:41 | 00,585,728 | ---- | C] ( ) -- C:\Windows\System32\lxcelmpm.dll
[2009/08/24 14:57:41 | 00,421,888 | ---- | C] ( ) -- C:\Windows\System32\lxcecomm.dll
[2009/08/24 14:57:41 | 00,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxceprox.dll
[2009/08/24 14:57:41 | 00,094,208 | ---- | C] ( ) -- C:\Windows\System32\lxcepplc.dll
[2009/06/23 00:30:38 | 00,815,104 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/06/23 00:30:38 | 00,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/06/22 15:12:40 | 00,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/04/22 06:58:02 | 00,000,478 | ---- | C] () -- C:\Windows\win.ini
[2009/04/22 06:58:02 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2009/04/22 04:50:07 | 00,073,216 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/04/22 04:40:32 | 00,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/04/09 21:05:54 | 16,614,648 | ---- | C] () -- C:\Windows\System32\TrueSuiteCoInst.dll
[2007/02/22 18:32:00 | 00,344,064 | ---- | C] () -- C:\Windows\System32\lxcecoin.dll
[2006/03/09 16:58:00 | 01,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/08/18 06:26:46 | 00,040,960 | ---- | C] () -- C:\Windows\System32\lxcevs.dll
[2005/02/24 17:23:52 | 00,061,440 | ---- | C] () -- C:\Windows\System32\lxcecnv4.dll

========== Files - Modified Within 30 Days ==========

[2009/09/28 15:16:08 | 00,518,144 | ---- | M] (OldTimer Tools) -- C:\Users\Tom\Desktop\OTL.exe
[2009/09/28 15:13:09 | 00,013,408 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2009/09/28 15:13:09 | 00,013,408 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2009/09/28 15:05:43 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/09/28 15:05:28 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/09/28 15:05:24 | 20,065,23904 | -HS- | M] () -- C:\hiberfil.sys
[2009/09/28 15:04:40 | 03,952,480 | -H-- | M] () -- C:\Users\Tom\AppData\Local\IconCache.db
[2009/09/28 14:51:27 | 00,000,983 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/28 14:50:48 | 04,045,528 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Tom\Desktop\mbam-setup.exe
[2009/09/28 14:44:53 | 00,047,616 | ---- | M] () -- C:\Users\Tom\Desktop\Win32kDiag.exe
[2009/09/28 10:59:15 | 41,898,764 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2009/09/27 21:43:39 | 00,000,140 | ---- | M] () -- C:\Users\Tom\Desktop\sbfix.bat
[2009/09/26 20:43:16 | 00,085,504 | ---- | M] () -- C:\Windows\System32\Inherit.exe
[2009/09/26 20:43:16 | 00,085,504 | ---- | M] () -- C:\Users\Tom\Desktop\Inherit.exe
[2009/09/26 19:09:29 | 00,000,000 | ---- | M] () -- C:\temp.exe
[2009/09/26 19:09:27 | 00,139,305 | ---- | M] (JeEzZ) -- C:\temp
[2009/09/26 13:28:37 | 00,288,768 | ---- | M] () -- C:\Users\Tom\Desktop\l2nrk1lf.exe
[2009/09/26 11:03:26 | 00,113,133 | ---- | M] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2009/09/23 18:30:38 | 00,161,796 | ---- | M] () -- C:\Users\Tom\Desktop\basic_dog_training_2008.pdf
[2009/09/23 14:35:20 | 00,000,000 | ---- | M] () -- C:\Users\Tom\Desktop\loud.jpg
[2009/09/22 10:30:35 | 00,002,043 | ---- | M] () -- C:\Users\Tom\Desktop\HijackThis.lnk
[2009/09/22 10:28:12 | 00,000,879 | ---- | M] () -- C:\Users\Tom\Desktop\ERUNT.lnk
[2009/09/22 00:04:23 | 03,317,563 | ---- | M] () -- C:\Users\Tom\Desktop\combo- fixit.exe
[2009/09/21 21:02:54 | 00,717,892 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/09/21 21:02:54 | 00,622,546 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/09/21 21:02:54 | 00,108,636 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/09/21 17:32:33 | 00,308,160 | ---- | M] (ALWIL Software) -- C:\Users\Tom\Desktop\avast_home_setup.exe
[2009/09/21 16:33:27 | 01,056,768 | ---- | M] () -- C:\Windows\System32\defltbase.sdb
[2009/09/21 14:57:06 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2009/09/21 14:57:06 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2009/09/21 14:57:01 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2009/09/21 14:57:01 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
[2009/09/21 14:56:50 | 00,463,779 | ---- | M] () -- C:\Windows\System32\drivers\Avg\miniavi.avg
[2009/09/21 14:56:49 | 06,061,540 | ---- | M] () -- C:\Windows\System32\drivers\Avg\avi7.avg
[2009/09/20 20:00:39 | 00,331,255 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2009/09/19 00:06:43 | 00,010,380 | ---- | M] () -- C:\Users\Tom\Desktop\Tinnitus bl.docx
[2009/09/15 14:00:45 | 00,013,190 | ---- | M] () -- C:\Users\Tom\Desktop\coversmallblog.jpg
[2009/09/15 13:19:49 | 00,199,319 | ---- | M] () -- C:\Users\Tom\Desktop\blog-09-15-2009.xml
[2009/09/12 21:10:51 | 00,012,009 | ---- | M] () -- C:\Users\Tom\Desktop\Internet Marketing Campaign.docx
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/09/08 13:40:17 | 02,754,881 | ---- | M] () -- C:\Users\Tom\Desktop\Horrors_of_Vaccination_Exposed.pdf
[2009/09/06 11:54:42 | 04,120,056 | ---- | M] () -- C:\Users\Tom\Desktop\Death Of Affiliate Marketing on Squidoo.pdf
[2009/09/03 20:51:18 | 00,011,332 | ---- | M] () -- C:\Users\Tom\Desktop\smallme.jpg
[2009/08/31 19:22:29 | 00,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
< End of report >

kingnothing
2009-09-28, 16:34
Contents of Extras.txt:

OTL Extras logfile created on: 28/09/2009 15:21:06 - Run 1
OTL by OldTimer - Version 3.0.16.0 Folder = C:\Users\Tom\Desktop
Ultimate Edition (Version = 6.1.7100) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7100.0)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.71 Gb Available Physical Memory | 85.50% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 99.88% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 55.80 Gb Total Space | 12.84 Gb Free Space | 23.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOM-LAPTOP
Current User Name: Tom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\Windows\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SystemRoot%\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- C:\PROGRA~1\MICROS~2\OFFICE11\FRONTPG.EXE /dde (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java(TM) 6 Update 15
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8947EEAC-D5EE-4BA1-AF88-08E4E30CF7A9}" = WIN7TS
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{926CC8AE-8414-43DF-8EB4-CF26D9C3C663}" =
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90170409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office FrontPage 2003
"{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}" = iTunes
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9F185C48-595B-401A-A1D6-AAB324890DC4}" = GiPo@MoveOnBoot 1.9.5
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}" = Apple Mobile Device Support
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CF097717-F174-4144-954A-FBC4BF301033}" = Nero 7 Ultra Edition
"{E56D39F8-2A9F-44B4-B068-A72E45A073E6}" = Safari
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG8Uninstall" = AVG Free 8.5
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ERUNT_is1" = ERUNT 1.1j
"FileZilla Client" = FileZilla Client 3.2.5
"Football Manager 2009" = Football Manager 2009
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"IAWP" = IAWP
"InstallShield_{8947EEAC-D5EE-4BA1-AF88-08E4E30CF7A9}" = WIN7TS
"IrfanView" = IrfanView (remove only)
"Lexmark 4300 Series" = Lexmark 4300 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.3)" = Mozilla Firefox (3.5.3)
"PlayFLV" = PlayFLV
"RealPlayer 6.0" = RealPlayer
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"VirtualCloneDrive" = VirtualCloneDrive
"WinRAR" = WinRAR
"Xvid_is1" = Xvid 1.2.1 final uninstall

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"AI RoboForm" = AI RoboForm

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 21/09/2009 11:34:17 | Computer Name = Tom-Laptop | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 21/09/2009 11:34:17 | Computer Name = Tom-Laptop | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 21/09/2009 11:34:17 | Computer Name = Tom-Laptop | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 21/09/2009 11:34:17 | Computer Name = Tom-Laptop | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 21/09/2009 11:34:17 | Computer Name = Tom-Laptop | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 21/09/2009 11:34:17 | Computer Name = Tom-Laptop | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 21/09/2009 11:34:17 | Computer Name = Tom-Laptop | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 21/09/2009 11:34:17 | Computer Name = Tom-Laptop | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 21/09/2009 11:34:18 | Computer Name = Tom-Laptop | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 21/09/2009 11:34:18 | Computer Name = Tom-Laptop | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

[ OSession Events ]
Error - 10/08/2009 06:27:34 | Computer Name = Tom-Laptop | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 54
seconds with 0 seconds of active time. This session ended with a crash.

Error - 21/09/2009 09:30:36 | Computer Name = Tom-Laptop | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 46
seconds with 0 seconds of active time. This session ended with a crash.


========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

Blade81
2009-09-28, 16:48
Hi,

Get updates 9.1.2 and 9.1.3 for Adobe Reader here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).

Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner)

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Read the requirements and privacy statement, then click on the Accept button.
The program will launch and start to download the latest definition files.
You will be prompted to install an application from Kaspersky. Click Run.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
Click on Save Report As....
Change the Files of type to Text file (.txt) before clicking on the Save button.
Save this report to a convenient place.
Copy and paste that information into your topic. How's the system running?

The scan will take a while, so be patient and let it run. As it scans your machine very deeply it could take hours to complete; Kaspersky suggests running it during a time of low activity.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

kingnothing
2009-09-28, 19:29
Kaspersky log:

Monday, September 28, 2009
Operating system: Microsoft Professional (build 7100)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 28, 2009 15:54:36
Records in database: 2930131
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
E:\
Scan statistics
Objects scanned 90103
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 01:42:02

No threats found. Scanned area is clean.
Selected area has been scanned.

My computer runs ok but there are a few things not right, such as when I start up Microsoft Office Outlook I get an access denied error but I can access the program. Also some of my start menu icons seem to have changed to a blank icon, if you know what I mean.

Blade81
2009-09-28, 19:36
when I startup Microsoft Office Outlook I get an access denied error but I can access the program
Hi,

Please see post #28 (http://forums.spybot.info/showpost.php?p=338893&postcount=28). See what exe file the shortcut/icon is connected to and "heal" it.


Also some of my start menu icons seem to have changed to a blank icon if you know what I mean.
What happens if you click those? A screenshot might help me get an even better idea of the situation.

kingnothing
2009-09-28, 20:18
My programs work but things like Word documents seem to have the unknown file icon. Those are word documents in the screenshot.

http://i288.photobucket.com/albums/ll172/tw213/wss.jpg

Blade81
2009-09-28, 20:21
Right click document and select open with-> choose default program and then set that as Word. See if that helps.

kingnothing
2009-09-28, 20:30
No it was already set to open with Word. :sad:

kingnothing
2009-09-28, 20:45
Just tried to download avast antivirus and when the download completed it was 0kb; it did the same with avg.

kingnothing
2009-09-28, 21:12
Dismiss my last message, I reinstalled firefox and that remedied the download problem. The icons are still not right though.

Blade81
2009-09-28, 21:12
Could you reinstall Office?

kingnothing
2009-09-28, 21:19
I tried repairing the program by going to the control panel - uninstall program then change but the dialog box just disappears and nothing happens. Any suggestions?

Blade81
2009-09-28, 21:26
Does it work if you choose the "uninstall" option?

kingnothing
2009-09-28, 21:53
Ok, I'm not getting the access denied error any longer in outlook. Just seems to be the problem with the icons. Am I infection free now?

Blade81
2009-09-28, 22:15
To me it looked otherwise better. See if you're able to first uninstall and then reinstall Office.

kingnothing
2009-09-28, 22:21
Ok I'll try that and let you know. :)

kingnothing
2009-09-29, 12:01
Having trouble uninstalling Office but I'll keep trying :confused:

Blade81
2009-09-29, 15:19
Hi,

Do you get any error message? Please see if Windows Installer Cleanup Utility (http://support.microsoft.com/kb/290301) helps.

kingnothing
2009-09-29, 16:59
Ok I've managed to uninstall office and all seems to be good. Thank you so much for helping me with this. By the way was it a rootkit?

Blade81
2009-09-29, 17:48
Glad to hear that sorted things out :)

Yes, you had one of these new rootkits called max++

kingnothing
2009-09-29, 17:54
Just want to say thank you so much for your time. :bigthumb:

Blade81
2009-09-29, 17:58
You're welcome :)

Before I forget.. let's uninstall OTL

Double-click OTL.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.

You may delete GMER, win32kdiag and generated logs too.

kingnothing
2009-09-29, 17:59
I was just going through programs and command prompt won't start it says I don't have permissions?

kingnothing
2009-09-29, 18:01
What is OTL?

kingnothing
2009-09-29, 18:08
Got command prompt working by using inherit. :D

Blade81
2009-09-29, 18:09
So, looks like we're not ready after all.

Download this (http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe) file to the c:\windows\system32 folder. Then drag'n'drop the cmd.exe file there onto the downloaded file. See if you're able to access the command prompt after that.


OTL is a tool I made you download and run earlier.

EDIT: You posted while I was giving a reply :)
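
A program that is unchanged on disk but fails with "Access denied" usually has a damaged ACL: inheritance from its folder has been switched off, an explicit Deny entry has been added, or both. The script below is an added example written for this thread; it is not code from the forum, from sUBs, or from Inherit.exe. It assumes PowerShell 3 or later on Windows, and it only touches a constructed file it creates under %TEMP%. The function names Get-ExeAclReport and Repair-ExeAcl are made up for the example.

```powershell
# Added example (not from the thread, not Inherit.exe): audit an executable's
# ACL for the two conditions behind the "Access denied" symptom described above,
# then restore inheritance from the parent folder. Assumes PowerShell 3+.

function Get-ExeAclReport {
    # Reports, per file, whether inheritance is disabled and which Deny ACEs exist.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found: $p"; continue }
        $acl  = Get-Acl -LiteralPath $p
        $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        [pscustomobject]@{
            Path                = $p
            Owner               = $acl.Owner
            InheritanceDisabled = $acl.AreAccessRulesProtected
            DenyEntries         = ($deny | ForEach-Object {
                                      "$($_.IdentityReference) [$($_.FileSystemRights)]" }) -join '; '
            Suspicious          = ($acl.AreAccessRulesProtected -or $deny.Count -gt 0)
        }
    }
}

function Repair-ExeAcl {
    # Removes explicit Deny ACEs and turns inheritance back on so the parent
    # folder's permissions apply again (the same effect a permissions reset has).
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    # isProtected = $false re-enables inheritance; the second argument is ignored in that case.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Demo on a constructed file in a temporary folder so nothing under %SystemRoot% is touched.
$demoDir  = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid())
$null     = New-Item -ItemType Directory -Path $demoDir
$demoFile = Join-Path $demoDir 'sample.exe'   # constructed placeholder, not a real program
Set-Content -LiteralPath $demoFile -Value 'placeholder'

# Build a test fixture that has the damaged-ACL shape: inheritance off plus a Deny-execute ACE.
$acl = Get-Acl -LiteralPath $demoFile
$acl.SetAccessRuleProtection($true, $true)
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'ExecuteFile', 'Deny')))
Set-Acl -LiteralPath $demoFile -AclObject $acl

'Before repair:'; Get-ExeAclReport -Path $demoFile | Format-List
Repair-ExeAcl -Path $demoFile
'After repair:';  Get-ExeAclReport -Path $demoFile | Format-List

Remove-Item -LiteralPath $demoDir -Recurse -Force
```

To check a real program, call Get-ExeAclReport on its path from an elevated shell; on files under the Windows folder the owner may also have been changed, and in that case ownership has to be taken back (takeown or icacls /setowner) before Set-Acl will succeed. Get-ExeAclReport is read-only, so it is safe to run across a list of security tools that refuse to start before deciding what to repair.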

kingnothing
2009-09-29, 19:41
I think I just deleted everything off the desktop, I don't remember OTL.exe; was that the batch file thing?

Also I don't seem to be able to reinstall my office :confused:

Damn computers.

Blade81
2009-09-30, 07:24
Hi,

Please give me more info on that Office issue and I'll see if there's something I can do.

kingnothing
2009-09-30, 12:51
When I try to install office 2007 I get an error along the lines of "office 2007 encountered an error during setup".

I managed to install my old office 2003 with no probs but can't seem to get 2007 back on. If you can't think of anything don't worry about it I can use 2003 for now. :bigthumb:

Blade81
2009-09-30, 16:39
That error doesn't tell me enough I'm afraid. However, you may ask for guidance on http://forums.techguy.org or http://forums.whatthetech.com for example. They have areas for non-malware issues there too :)

kingnothing
2009-09-30, 17:10
Ok, I'm sure I'll figure it out, thanks again for all your help! :bigthumb:

Blade81
2009-10-02, 06:21
You're welcome and good luck with resolving the Office issue :)