Rootkit Infection! Can't run Spybot or any other antivirus programs -

**elitefwd** · 2009-09-27, 17:28

Hi Everyone,

I think I may have a rootkit infection on my Vaio running Windows 7 RC. When I try to start Spybot or some other antivirus programs, it runs for a few secs and then disappears. When I click the shortcut after, it does not open and gives an error. I have also tried to run malwarebyte anti-malware. This also disappears after a few secs.

I tried to run HijackThis as per the instructions but it disapears after scanning a for a few seconds and then the shortcut doesnt work anymore.

Please would anyone be able to help me? It would be very much appreciated.

**Blade81** · 2009-10-02, 07:00

Hi,

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

**elitefwd** · 2009-10-03, 10:44

Hi,

Sorry for the late reply. Just got back from Uni today.

I have run the Win32Diag file and got the following Log:

Running from: H:\Users\BENCY\Desktop\Win32kDiag.exe

Log file at : H:\Users\BENCY\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'H:\Windows'...

Found mount point : H:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP47E8.tmp\ZAP47E8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9137.tmp\ZAP9137.tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\CSC\v2.0.6\namespace\namespace

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\DigitalLocker\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Downloaded Program Files\Downloaded Program Files

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\FPSoftware\FPSoftware

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Globalization\MCT\MCT-AU\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Globalization\MCT\MCT-CA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Globalization\MCT\MCT-ZA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\inf\PNRPSvc\0000\0000

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\inf\PNRPSvc\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\000021091A0090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\321cebba\e60eef48\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\321cebba\e60eef48\uploads\uploads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\321cebba\e60eef48\vwguploads\vwguploads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\51176d71\b78cc70b\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\51176d71\b78cc70b\uploads\uploads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\5b3beb17\18948d33\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\RemotePackages\RemoteApps\RemoteApps

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\RemotePackages\RemoteDesktops\RemoteDesktops

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\security\audit\audit

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\LocalLow

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Caches\Caches

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files\Icon Files

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\servicing\SQM\SQM

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SoftwareDistribution\SelfUpdate\Handler\Handler

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: H:\Windows\System32\cngaudit.dll

Thanks again Blade81,
elitefwd

**Blade81** · 2009-10-03, 12:40

Hi,

Looks like the program wasn't run long enough. Please run it again and give it more time to complete

**elitefwd** · 2009-10-03, 13:39

Sorry about that. It looked like it had finished.

Here's the full log.

Running from: H:\Users\BENCY\Desktop\Win32kDiag.exe

Log file at : H:\Users\BENCY\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'H:\Windows'...

Found mount point : H:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP47E8.tmp\ZAP47E8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9137.tmp\ZAP9137.tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\CSC\v2.0.6\namespace\namespace

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\DigitalLocker\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Downloaded Program Files\Downloaded Program Files

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\FPSoftware\FPSoftware

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Globalization\MCT\MCT-AU\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Globalization\MCT\MCT-CA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Globalization\MCT\MCT-ZA\RSSFeed\RSSFeed

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\inf\PNRPSvc\0000\0000

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\inf\PNRPSvc\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\000021091A0090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\321cebba\e60eef48\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\321cebba\e60eef48\uploads\uploads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\321cebba\e60eef48\vwguploads\vwguploads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\51176d71\b78cc70b\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\51176d71\b78cc70b\uploads\uploads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\5b3beb17\18948d33\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\RemotePackages\RemoteApps\RemoteApps

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\RemotePackages\RemoteDesktops\RemoteDesktops

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\security\audit\audit

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\LocalLow

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Caches\Caches

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files\Icon Files

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\servicing\SQM\SQM

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\SoftwareDistribution\SelfUpdate\Handler\Handler

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: H:\Windows\System32\cngaudit.dll

[1] 2009-04-22 06:20:04 61952 H:\Windows\System32\cngaudit.dll ()

[2] 2009-04-22 06:20:04 12288 H:\Windows\System32\logevent.dll (Microsoft Corporation)

[1] 2009-04-22 06:20:04 12288 H:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7100.0_none_5956e38684aa4f03\cngaudit.dll (Microsoft Corporation)

Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-10-03 03:14:41 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()

Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-10-03 03:09:34 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()

Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-10-03 03:09:50 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()

Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-10-03 03:09:50 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()

Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl

[1] 2009-10-03 09:04:07 0 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl ()

Cannot access: H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl

[1] 2009-10-03 03:14:30 72 H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl ()

Cannot access: H:\Windows\System32\WerFault.exe

[1] 2009-04-22 06:19:39 360448 H:\Windows\System32\WerFault.exe ()

[1] 2009-04-22 06:19:39 360448 H:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7100.0_none_e0fa150391df2282\WerFault.exe ()

Found mount point : H:\Windows\Temp\dmiwu\dmiwu

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\Vss\Writers\Application\Application

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : H:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^

Cannot access: H:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7100.0_none_e0fa150391df2282\WerFault.exe

[1] 2009-04-22 06:19:39 360448 H:\Windows\System32\WerFault.exe ()

[1] 2009-04-22 06:19:39 360448 H:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7100.0_none_e0fa150391df2282\WerFault.exe ()

Found mount point : H:\Windows\XSxS\Manifests\Manifests

Mount point destination : \Device\__max++>\^

Finished!

There, Hope thats right :D

**Blade81** · 2009-10-03, 14:24

Yes, that went fine

Reboot system and press F8 before the Windows' loading screen to access boot menu.

Select "Repair Your Computer" option to start Recovery Environment.

Follow steps under "Starting Recovery Environment from the Advanced Boot Options (F8) Menu" here.

Click Command Prompt on the system recovery options window to access command prompt. Give following command & and press ENTER making sure that spelling is exactly as shown:

copy /y H:\Windows\System32\logevent.dll H:\windows\system32\cngaudit.dll

If all went well you should get "1 file(s) copied." message. After that give command exit (press ENTER) to exit command prompt. Click restart on system recovery options window. When back to normal mode, run win32kdiag and attach its log to your reply.

**elitefwd** · 2009-10-03, 15:40

Hi Blade81,

I followed your instructions but it says that "The system cannot find the drive specified."

Should I still attach a new log file?

Elitefwd

**Blade81** · 2009-10-03, 16:04

I followed your instructions but it says that "The system cannot find the drive specified."

What part says that? When you try the command in command prompt?

**elitefwd** · 2009-10-03, 16:06

Yes, when i type it into the cmd prompt, it gives that error

Elitefwd

**Blade81** · 2009-10-03, 16:18

Hi,

What letter does it show when you open command prompt (for example H:\>)?
If it's other than H then replace H: in command with the correct letter.

Thread: Rootkit Infection! Can't run Spybot or any other antivirus programs -

Thread Tools

Display

Rootkit Infection! Can't run Spybot or any other antivirus programs -

Posting Permissions