Rootkit Infection! Can't run Spybot or any other antivirus programs
elitefwd
2009-09-27, 18:28
Hi Everyone,
I think I may have a rootkit infection on my Vaio running Windows 7 RC. When I try to start Spybot or some other antivirus programs, it runs for a few secs and then disappears. When I click the shortcut afterwards, it does not open and gives an error. I have also tried to run Malwarebytes Anti-Malware. This also disappears after a few secs.
I tried to run HijackThis as per the instructions but it disappears after scanning for a few seconds and then the shortcut doesn't work anymore.
Please would anyone be able to help me? It would be very much appreciated.
Hi,
Please save this (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe) file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
elitefwd
2009-10-03, 11:44
Hi,
Sorry for the late reply. Just got back from Uni today.
I have run the Win32kDiag file and got the following log:
Running from: H:\Users\BENCY\Desktop\Win32kDiag.exe
Log file at : H:\Users\BENCY\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'H:\Windows'...
Cannot access: H:\Windows\System32\cngaudit.dll
Thanks again Blade81,
elitefwd
Hi,
Looks like the program wasn't run long enough. Please run it again and give it more time to complete :)
elitefwd
2009-10-03, 14:39
Sorry about that. It looked like it had finished.
Here's the full log.
Running from: H:\Users\BENCY\Desktop\Win32kDiag.exe
Log file at : H:\Users\BENCY\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'H:\Windows'...
Found mount point : H:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP47E8.tmp\ZAP47E8.tmp
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9137.tmp\ZAP9137.tmp
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\CSC\v2.0.6\namespace\namespace
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\DigitalLocker\en-US\en-US
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Downloaded Program Files\Downloaded Program Files
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ehome\CreateDisc\style\style
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\FPSoftware\FPSoftware
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Globalization\MCT\MCT-AU\RSSFeed\RSSFeed
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Globalization\MCT\MCT-CA\RSSFeed\RSSFeed
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Globalization\MCT\MCT-ZA\RSSFeed\RSSFeed
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Help\Corporate\Corporate
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\inf\PNRPSvc\0000\0000
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\inf\PNRPSvc\0409\0409
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Installer\$PatchCache$\Managed\000021091A0090400000000000F01FEC\12.0.6425\12.0.6425
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.6425\12.0.6425
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.6425\12.0.6425
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.6425\12.0.6425
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC\12.0.6425\12.0.6425
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\LiveKernelReports\LiveKernelReports
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Microsoft.NET\authman\authman
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\321cebba\e60eef48\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\321cebba\e60eef48\uploads\uploads
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\321cebba\e60eef48\vwguploads\vwguploads
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\51176d71\b78cc70b\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\51176d71\b78cc70b\uploads\uploads
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\5b3beb17\18948d33\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Panther\setup.exe\setup.exe
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\PLA\Templates\Templates
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\RemotePackages\RemoteApps\RemoteApps
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\RemotePackages\RemoteDesktops\RemoteDesktops
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\SchCache\SchCache
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\security\audit\audit
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\security\templates\templates
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\LocalLow
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\Documents\Documents
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\Downloads\Downloads
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\Links\Links
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\Music\Music
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\Pictures\Pictures
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\LocalService\Videos\Videos
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Caches\Caches
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files\Icon Files
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\Documents\Documents
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\Links\Links
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\Music\Music
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\ServiceProfiles\NetworkService\Videos\Videos
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\servicing\SQM\SQM
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\SoftwareDistribution\SelfUpdate\Handler\Handler
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Cannot access: H:\Windows\System32\cngaudit.dll
[1] 2009-04-22 06:20:04 61952 H:\Windows\System32\cngaudit.dll ()
[2] 2009-04-22 06:20:04 12288 H:\Windows\System32\logevent.dll (Microsoft Corporation)
[1] 2009-04-22 06:20:04 12288 H:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7100.0_none_5956e38684aa4f03\cngaudit.dll (Microsoft Corporation)
Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
[1] 2009-10-03 03:14:41 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()
Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
[1] 2009-10-03 03:09:34 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()
Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
[1] 2009-10-03 03:09:50 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()
Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
[1] 2009-10-03 03:09:50 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()
Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl
[1] 2009-10-03 09:04:07 0 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl ()
Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
[1] 2009-10-03 03:14:30 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl ()
Cannot access: H:\Windows\System32\WerFault.exe
[1] 2009-04-22 06:19:39 360448 H:\Windows\System32\WerFault.exe ()
[1] 2009-04-22 06:19:39 360448 H:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7100.0_none_e0fa150391df2282\WerFault.exe ()
Found mount point : H:\Windows\Temp\dmiwu\dmiwu
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Vss\Writers\Application\Application
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\winsxs\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\winsxs\Temp\PendingRenames\PendingRenames
Mount point destination : \Device\__max++>\^
Cannot access: H:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7100.0_none_e0fa150391df2282\WerFault.exe
[1] 2009-04-22 06:19:39 360448 H:\Windows\System32\WerFault.exe ()
[1] 2009-04-22 06:19:39 360448 H:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7100.0_none_e0fa150391df2282\WerFault.exe ()
Found mount point : H:\Windows\XSxS\Manifests\Manifests
Mount point destination : \Device\__max++>\^
Finished!
There, hope that's right :D
Yes, that went fine :)
Reboot system and press F8 before the Windows' loading screen to access boot menu.
Select "Repair Your Computer" option to start Recovery Environment.
Follow steps under "Starting Recovery Environment from the Advanced Boot Options (F8) Menu" here (http://www.nvnews.net/vbulletin/showthread.php?t=137198).
Click Command Prompt on the system recovery options window to access the command prompt. Give the following command and press ENTER, making sure that the spelling is exactly as shown:
copy /y H:\Windows\System32\logevent.dll H:\windows\system32\cngaudit.dll
If all went well you should get "1 file(s) copied." message. After that give command exit (press ENTER) to exit command prompt. Click restart on system recovery options window. When back to normal mode, run win32kdiag and attach its log to your reply.
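The Win32kDiag log format seen in this thread can be triaged with a short parser. The following is an added example, not part of the original posts and not code from the Win32kDiag author; the function names are hypothetical, the bracketed number on each file row is kept as an opaque tag, and the embedded sample is a shortened excerpt of the log posted above.

```python
import re
from collections import Counter, namedtuple

# Shortened excerpt of the Win32kDiag.txt log posted in this thread.
SAMPLE_LOG = r"""Running from: H:\Users\BENCY\Desktop\Win32kDiag.exe
Log file at : H:\Users\BENCY\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'H:\Windows'...
Found mount point : H:\Windows\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : H:\Windows\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Cannot access: H:\Windows\System32\cngaudit.dll
[1] 2009-04-22 06:20:04 61952 H:\Windows\System32\cngaudit.dll ()
[2] 2009-04-22 06:20:04 12288 H:\Windows\System32\logevent.dll (Microsoft Corporation)
[1] 2009-04-22 06:20:04 12288 H:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7100.0_none_5956e38684aa4f03\cngaudit.dll (Microsoft Corporation)
Cannot access: H:\Windows\System32\WerFault.exe
[1] 2009-04-22 06:19:39 360448 H:\Windows\System32\WerFault.exe ()
[1] 2009-04-22 06:19:39 360448 H:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7100.0_none_e0fa150391df2282\WerFault.exe ()
Finished!
"""

Entry = namedtuple("Entry", "tag timestamp size path vendor")

MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(.+)$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+)$")
BLOCKED_RE = re.compile(r"^Cannot access:\s*(.+)$")
# "[n] date time size path (vendor)"; the vendor is the last parenthesised group.
ENTRY_RE = re.compile(
    r"^\[(\d+)\]\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(.*?)\s*\(([^()]*)\)$")


def parse_log(text):
    """Return (mounts, blocked, finished).

    mounts   -- list of (path, destination) pairs
    blocked  -- dict: inaccessible path -> list of Entry rows printed under it
    finished -- True only if the log contains the closing 'Finished!' line
    """
    mounts, blocked = [], {}
    pending_mount = current = None
    finished = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            pending_mount, current = m.group(1), None
        elif (m := DEST_RE.match(line)) and pending_mount:
            mounts.append((pending_mount, m.group(1)))
            pending_mount = None
        elif m := BLOCKED_RE.match(line):
            current = blocked.setdefault(m.group(1), [])
        elif (m := ENTRY_RE.match(line)) and current is not None:
            tag, ts, size, path, vendor = m.groups()
            current.append(Entry(int(tag), ts, int(size), path, vendor))
        elif line == "Finished!":
            finished = True
    return mounts, blocked, finished


def self_named(path):
    """True when the last path component repeats its parent folder's name."""
    parts = path.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def summarize(text):
    """Condense a log into the facts a helper reads off it by eye."""
    mounts, blocked, finished = parse_log(text)
    report = {
        "finished": finished,  # False means the scan was cut short
        "destinations": Counter(dest for _, dest in mounts),
        "self_named_mounts": sum(self_named(p) for p, _ in mounts),
        "blocked": {},
    }
    for target, rows in blocked.items():
        own = next((r for r in rows if r.path.lower() == target.lower()), None)
        others = [r for r in rows if r is not own]
        name = "\\" + target.rsplit("\\", 1)[-1].lower()
        report["blocked"][target] = {
            "own": own,
            # Other rows listed under the blocked file that carry a vendor string.
            "vendor_copies": [r for r in others if r.vendor],
            # Same-named copies whose size differs from the blocked file's row.
            "size_mismatch": [r for r in others if own
                              and r.path.lower().endswith(name)
                              and r.size != own.size],
        }
    return report


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    print("complete:", rep["finished"], "| destinations:", dict(rep["destinations"]))
    for path, info in rep["blocked"].items():
        print(path, "->", [r.path for r in info["vendor_copies"]] or "no vendor-tagged copy")
```

On the excerpt, the report shows every mount point resolving to the same `\Device\__max++>\^` destination, and for `cngaudit.dll` a blocked row of 61952 bytes with no vendor next to two 12288-byte rows tagged Microsoft Corporation. A log with no `Finished!` line, like the first one posted in the thread, comes back with `finished` set to `False`.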
elitefwd
2009-10-03, 16:40
Hi Blade81,
I followed your instructions but it says that "The system cannot find the drive specified."
Should I still attach a new log file?
Elitefwd
I followed your instructions but it says that "The system cannot find the drive specified."
What part says that? When you try the command in command prompt?
elitefwd
2009-10-03, 17:06
Yes, when I type it into the cmd prompt, it gives that error.
Elitefwd
Hi,
What letter does it show when you open command prompt (for example H:\>)?
If it's other than H then replace H: in command with the correct letter.
elitefwd
2009-10-03, 17:23
It says X:\>
I've replaced it but now it says system cannot find file specified.
Hi,
Do you normally have anything as C: drive? See if you're able to enter command
copy /y C:\Windows\System32\logevent.dll C:\windows\system32\cngaudit.dll
in recovery environment without getting an error.
elitefwd
2009-10-05, 00:40
I have Vista installed on the C: Drive.
It gives me the same error that it cannot find the file specified.
Elitefwd
Ok. You should find out what is your Win7 drive while in recovery environment. Is D: drive accessible in recovery environment? If it is, please see if it represents Win7. If you can't find out otherwise, create a txt file with name thisIsWin7.txt or something to the root of your Win7 drive (H: in normal mode). You should then be able to locate correct drive in recovery environment.
Due to inactivity, this thread will now be closed.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.