Rootkit Infection! Can't run Spybot or any other antivirus programs



elitefwd
2009-09-27, 18:28
Hi Everyone,

I think I may have a rootkit infection on my Vaio running Windows 7 RC. When I try to start Spybot or some other antivirus programs, it runs for a few secs and then disappears. When I click the shortcut after, it does not open and gives an error. I have also tried to run Malwarebytes Anti-Malware. This also disappears after a few secs.

I tried to run HijackThis as per the instructions but it disappears after scanning for a few seconds and then the shortcut doesn't work anymore.

Please would anyone be able to help me? It would be very much appreciated.

Blade81
2009-10-02, 08:00
Hi,

Please save this (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe) file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

elitefwd
2009-10-03, 11:44
Hi,

Sorry for the late reply. Just got back from Uni today.

I have run the Win32kDiag file and got the following log:


Running from: H:\Users\BENCY\Desktop\Win32kDiag.exe

Log file at : H:\Users\BENCY\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'H:\Windows'...



Found mount point : H:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP47E8.tmp\ZAP47E8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9137.tmp\ZAP9137.tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\CSC\v2.0.6\namespace\namespace

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\DigitalLocker\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Downloaded Program Files\Downloaded Program Files

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\FPSoftware\FPSoftware

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Globalization\MCT\MCT-AU\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Globalization\MCT\MCT-CA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Globalization\MCT\MCT-ZA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\inf\PNRPSvc\0000\0000

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\inf\PNRPSvc\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\000021091A0090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\321cebba\e60eef48\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\321cebba\e60eef48\uploads\uploads

Mount point destination : \Device\__max++>\^


Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\321cebba\e60eef48\vwguploads\vwguploads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\51176d71\b78cc70b\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\51176d71\b78cc70b\uploads\uploads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\5b3beb17\18948d33\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\RemotePackages\RemoteApps\RemoteApps

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\RemotePackages\RemoteDesktops\RemoteDesktops

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\security\audit\audit

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\LocalLow

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Caches\Caches

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files\Icon Files

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\servicing\SQM\SQM

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SoftwareDistribution\SelfUpdate\Handler\Handler

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: H:\Windows\System32\cngaudit.dll

Thanks again Blade81,
elitefwd

Blade81
2009-10-03, 13:40
Hi,

Looks like the program wasn't run long enough. Please run it again and give it more time to complete :)

elitefwd
2009-10-03, 14:39
Sorry about that. It looked like it had finished.

Here's the full log.



Running from: H:\Users\BENCY\Desktop\Win32kDiag.exe

Log file at : H:\Users\BENCY\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'H:\Windows'...



Found mount point : H:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP47E8.tmp\ZAP47E8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9137.tmp\ZAP9137.tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\CSC\v2.0.6\namespace\namespace

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\DigitalLocker\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Downloaded Program Files\Downloaded Program Files

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\FPSoftware\FPSoftware

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Globalization\MCT\MCT-AU\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Globalization\MCT\MCT-CA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Globalization\MCT\MCT-ZA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\inf\PNRPSvc\0000\0000

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\inf\PNRPSvc\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\000021091A0090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\321cebba\e60eef48\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\321cebba\e60eef48\uploads\uploads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\321cebba\e60eef48\vwguploads\vwguploads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\51176d71\b78cc70b\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\51176d71\b78cc70b\uploads\uploads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\5b3beb17\18948d33\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\RemotePackages\RemoteApps\RemoteApps

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\RemotePackages\RemoteDesktops\RemoteDesktops

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\security\audit\audit

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\LocalLow

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Caches\Caches

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files\Icon Files

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\servicing\SQM\SQM

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SoftwareDistribution\SelfUpdate\Handler\Handler

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: H:\Windows\System32\cngaudit.dll

[1] 2009-04-22 06:20:04 61952 H:\Windows\System32\cngaudit.dll ()

[2] 2009-04-22 06:20:04 12288 H:\Windows\System32\logevent.dll (Microsoft Corporation)

[1] 2009-04-22 06:20:04 12288 H:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7100.0_none_5956e38684aa4f03\cngaudit.dll (Microsoft Corporation)



Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-10-03 03:14:41 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-10-03 03:09:34 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-10-03 03:09:50 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-10-03 03:09:50 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl

[1] 2009-10-03 09:04:07 0 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl ()



Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl

[1] 2009-10-03 03:14:30 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl ()



Cannot access: H:\Windows\System32\WerFault.exe

[1] 2009-04-22 06:19:39 360448 H:\Windows\System32\WerFault.exe ()

[1] 2009-04-22 06:19:39 360448 H:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7100.0_none_e0fa150391df2282\WerFault.exe ()



Found mount point : H:\Windows\Temp\dmiwu\dmiwu

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Vss\Writers\Application\Application

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^

Cannot access: H:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7100.0_none_e0fa150391df2282\WerFault.exe

[1] 2009-04-22 06:19:39 360448 H:\Windows\System32\WerFault.exe ()

[1] 2009-04-22 06:19:39 360448 H:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7100.0_none_e0fa150391df2282\WerFault.exe ()



Found mount point : H:\Windows\XSxS\Manifests\Manifests

Mount point destination : \Device\__max++>\^



Finished!

There, hope that's right :D

Blade81
2009-10-03, 15:24
Yes, that went fine :)

Reboot the system and press F8 before the Windows loading screen to access the boot menu.

Select "Repair Your Computer" option to start Recovery Environment.

Follow steps under "Starting Recovery Environment from the Advanced Boot Options (F8) Menu" here (http://www.nvnews.net/vbulletin/showthread.php?t=137198).

Click Command Prompt on the System Recovery Options window to access the command prompt. Give the following command and press ENTER, making sure that the spelling is exactly as shown:

copy /y H:\Windows\System32\logevent.dll H:\windows\system32\cngaudit.dll

If all went well you should get a "1 file(s) copied." message. After that, give the command exit (press ENTER) to exit the command prompt. Click Restart on the System Recovery Options window. When back in normal mode, run Win32kDiag and attach its log to your reply.
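Added example, not from the thread or from the Win32kDiag author: a small Python parser that reads a constructed excerpt of the log posted above and pulls out the two things the helper is acting on. First, the "Found mount point" entries whose destination is the bare device path \Device\__max++>\^ rather than a normal \??\ volume path (and which are named after their own parent directory, e.g. ...\tmp\tmp), which is why those folders cannot be opened. Second, "Cannot access" files whose System32 copy disagrees in size or publisher with the WinSxS copy of the same name; in the log, cngaudit.dll is 61952 bytes with no publisher in System32 but 12288 bytes from Microsoft Corporation in WinSxS, which is what the copy command above is repairing. The benign volume-GUID mount point in the sample is invented for contrast; everything else is copied from the thread.

```python
import re

# Constructed excerpt of a Win32kDiag log. Entries are taken from the log posted in
# this thread, plus one invented benign mount point so the filter has a clean case.
SAMPLE_LOG = r"""
Running from: H:\Users\BENCY\Desktop\Win32kDiag.exe
Log file at : H:\Users\BENCY\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'H:\Windows'...

Found mount point : H:\Windows\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Temp\dmiwu\dmiwu
Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Example\Benign
Mount point destination : \??\Volume{c0ffee00-0000-0000-0000-000000000001}\

Cannot access: H:\Windows\System32\cngaudit.dll
[1] 2009-04-22 06:20:04 61952 H:\Windows\System32\cngaudit.dll ()
[2] 2009-04-22 06:20:04 12288 H:\Windows\System32\logevent.dll (Microsoft Corporation)
[1] 2009-04-22 06:20:04 12288 H:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7100.0_none_5956e38684aa4f03\cngaudit.dll (Microsoft Corporation)

Cannot access: H:\Windows\System32\WerFault.exe
[1] 2009-04-22 06:19:39 360448 H:\Windows\System32\WerFault.exe ()
[1] 2009-04-22 06:19:39 360448 H:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7100.0_none_e0fa150391df2282\WerFault.exe ()

Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
[1] 2009-10-03 03:14:41 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
LOCKED_RE = re.compile(r"^Cannot access: (.+)$")
# [n] <date> <time> <size> <path> (<publisher>)   -- publisher may be empty
CANDIDATE_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")


def parse_win32kdiag(text):
    """Return the mount points and the locked files (with the copies listed under them)."""
    mount_points = []   # list of (junction_path, destination)
    inaccessible = {}   # locked path -> list of candidate dicts
    pending_mount = None
    current_locked = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOUNT_RE.match(line)
        if m:
            pending_mount, current_locked = m.group(1), None
            continue
        m = DEST_RE.match(line)
        if m and pending_mount is not None:
            mount_points.append((pending_mount, m.group(1)))
            pending_mount = None
            continue
        m = LOCKED_RE.match(line)
        if m:
            current_locked = m.group(1)
            inaccessible[current_locked] = []
            continue
        m = CANDIDATE_RE.match(line)
        if m and current_locked is not None:
            inaccessible[current_locked].append({
                "timestamp": m.group(2), "size": int(m.group(3)),
                "path": m.group(4), "company": m.group(5)})
    return {"mount_points": mount_points, "inaccessible": inaccessible}


def suspicious_mount_points(report):
    """Junctions that cannot be legitimate: target is not a \\??\\ volume path, or the
    junction carries the same name as its parent directory (...\\tmp\\tmp)."""
    findings = []
    for path, dest in report["mount_points"]:
        reasons = []
        if not dest.startswith("\\??\\"):
            reasons.append("destination is not a \\??\\ volume path: " + dest)
        parts = path.rstrip("\\").split("\\")
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            reasons.append("junction shadows its parent directory name")
        if reasons:
            findings.append((path, reasons))
    return findings


def replaced_system_files(report):
    """Locked files whose live copy differs in size or publisher from the WinSxS copy
    of the same file name; a lone entry with no WinSxS reference is skipped."""
    findings = []
    for locked, cands in report["inaccessible"].items():
        name = locked.rsplit("\\", 1)[-1].lower()
        same = [c for c in cands if c["path"].rsplit("\\", 1)[-1].lower() == name]
        live = [c for c in same if "\\winsxs\\" not in c["path"].lower()]
        store = [c for c in same if "\\winsxs\\" in c["path"].lower()]
        for l in live:
            for s in store:
                if l["size"] != s["size"] or l["company"] != s["company"]:
                    findings.append({"file": l["path"], "size": l["size"],
                                     "company": l["company"], "reference": s["path"],
                                     "reference_size": s["size"],
                                     "reference_company": s["company"]})
    return findings


if __name__ == "__main__":
    rep = parse_win32kdiag(SAMPLE_LOG)
    for path, reasons in suspicious_mount_points(rep):
        print("SUSPICIOUS JUNCTION", path, "->", "; ".join(reasons))
    for f in replaced_system_files(rep):
        print("MISMATCH", f["file"], f["size"], repr(f["company"]),
              "vs WinSxS", f["reference_size"], repr(f["reference_company"]))
```

Run against the excerpt, the two __max++ junctions are reported on both counts, the invented volume-GUID mount point is not, cngaudit.dll is reported as a size and publisher mismatch, and WerFault.exe (both copies 360448 bytes with the same publisher field) and the .etl files (no WinSxS copy to compare against) are left alone.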

elitefwd
2009-10-03, 16:40
Hi Blade81,

I followed your instructions but it says that "The system cannot find the drive specified."

Should I still attach a new log file?

Elitefwd

Blade81
2009-10-03, 17:04
I followed your instructions but it says that "The system cannot find the drive specified."
What part says that? When you try the command in command prompt?

elitefwd
2009-10-03, 17:06
Yes, when I type it into the cmd prompt, it gives that error.

Elitefwd

Blade81
2009-10-03, 17:18
Hi,

What letter does it show when you open command prompt (for example H:\>)?
If it's other than H then replace H: in command with the correct letter.

elitefwd
2009-10-03, 17:23
It says X:\>

I've replaced it but now it says the system cannot find the file specified.

Blade81
2009-10-04, 10:40
Hi,

Do you normally have anything as the C: drive? See if you're able to enter the command
copy /y C:\Windows\System32\logevent.dll C:\windows\system32\cngaudit.dll in the recovery environment without getting an error.

elitefwd
2009-10-05, 00:40
I have Vista installed on the C: Drive.

It gives me the same error that it cannot find the file specified.

Elitefwd

Blade81
2009-10-05, 11:51
OK. You should find out which drive is your Win7 drive while in the recovery environment. Is the D: drive accessible in the recovery environment? If it is, please see if it represents Win7. If you can't find out otherwise, create a txt file named thisIsWin7.txt or something in the root of your Win7 drive (H: in normal mode). You should then be able to locate the correct drive in the recovery environment.

Blade81
2009-10-13, 20:46
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or a MOD a private message (PM). A valid, working link to the closed topic is required.