HJT Did Not Produce a Log

Melsdad

New member
I have followed the steps outlined in the "Before You Post" message. The Registry is backed up and when I double clicked on HJT, it appeared to run but then shut down without opening Notepad. Whatever is ailing my laptop seems to prevent the installation or running of anything that might help solve the problem.

I have tried a number of things before finding this forum. In this forum I have learned that many of the things that I have done, I shouldn't have and I apologize. I will refrain from doing anything further until I hear from you.

Thank you.
 
Hello Melsdad

Welcome to Safer Networking.

Please read Before You Post
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


Please download RootRepeal from one of these locations and save it to your desktop
Here
Here
Here
  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check just these boxes: (the list of boxes was shown in a screenshot that is not reproduced here)
  • Push Ok
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.
 
RootRepeal Results

Hi Ken545:

Thanks for agreeing to help me out!

I had no problem installing RootRepeal on the infected computer. I did this by downloading onto another PC and transferring it to the desktop of the target computer. Because I don't really know what is going on, I try to stay disconnected from the net whenever possible on the infected computer.

When I tried to run RootRepeal, I got an Error Message as follows:

RootRepeal Error
Error - Invalid PE Image Found!

I was able to continue but did not get a choice for checking any boxes, but there were tabs that corresponded to the categories you mentioned, i.e. Drivers, Processes, etc.
I ran a scan on each of these tabs and am attaching the results. At some point I did get a notification to the effect that 1 hidden service had been found. Sorry, but I don't remember exactly when.

I generated four files, one for each category you requested. It appears that I can only attach one file to this message. Should I consolidate the four files I have into a single file and send it, or send additional messages for Processes, SSDT, and Hidden Services?

Again many thanks,
 
Good Morning,

I found exactly what I needed to know with RootRepeal. This program checks for rootkit infections, and what it found was the max++ rootkit. This rootkit will prevent most or all security scanners and programs from running. It's a bit difficult to remove, so we will do it one step at a time.

Download and run Win32kDiag:
  1. Download Win32kDiag from any of the following locations and save it to your Desktop.
  2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
 
Win32KDiag Report

Hello:

I had not expected the process would take as long as it did but it worked as advertised!

The results are attached in a ZIP file, as the size of a txt file exceeded the guidelines.

Thanks.
 
Melsdad,

I don't know how you attached it, but the log won't open; it just wants me to run the program.

Open it on your own computer and post the log, take as many replies as you need to post them all.
 
Trying Again with Win32kDiag.txt

Sorry about that. I must have compressed the wrong file. The original still exceeds the guideline for a .txt so I have zipped this one as well. I think I have got this right this time!

I appreciate your patience.
 
Great, got that one.

Next step. Make sure you still have Win32kdiag.exe on your desktop; if not, redownload it.

Click on Start->Run, copy-paste the following command into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r
 
Ran program without a hitch. Results follow:

Running from: C:\Documents and Settings\Melanie Lewis\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Melanie Lewis\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB938127-v2-IE7\KB938127-v2-IE7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB938127-v2-IE7\KB938127-v2-IE7

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844

Found mount point : C:\WINDOWS\$hf_mig$\KB971961\KB971961

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB971961\KB971961

Found mount point : C:\WINDOWS\$hf_mig$\KB971961-IE8\KB971961-IE8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB971961-IE8\KB971961-IE8

Found mount point : C:\WINDOWS\$hf_mig$\KB972260-IE7\KB972260-IE7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB972260-IE7\KB972260-IE7

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP194.tmp\ZAP194.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP194.tmp\ZAP194.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP299.tmp\ZAP299.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP299.tmp\ZAP299.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Found mount point : C:\WINDOWS\ie8updates\ie8updates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ie8updates\ie8updates

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\occache\occache

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\3f62db0dd41de1740f8addce0cc500ec\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\3f62db0dd41de1740f8addce0cc500ec\update\update.exe

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\97f18c7ac91916468f96bb79c87bff6c\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\97f18c7ac91916468f96bb79c87bff6c\update\update.exe

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\c6bdb40c9241b85d304fd5cdfbebec2f\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\c6bdb40c9241b85d304fd5cdfbebec2f\update\update.exe

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\backup\backup

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\update\update.exe

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\d51648e96c60b005ac5ef56d831670cb\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\d51648e96c60b005ac5ef56d831670cb\update\update.exe

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0838e3ca46c974d22be0ec664b800381\0838e3ca46c974d22be0ec664b800381

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0838e3ca46c974d22be0ec664b800381\0838e3ca46c974d22be0ec664b800381

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\Adobe\Shockwave 11\Shockwave 11

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Adobe\Shockwave 11\Shockwave 11

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Collab\Collab

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Collab\Collab

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Preferences\Preferences

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Preferences\Preferences

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\AL4N7HGP\AL4N7HGP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\AL4N7HGP\AL4N7HGP

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Google\Plugin\Plugin

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Google\Plugin\Plugin

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2544761690-2588165671-2829143654-1003\S-1-5-21-2544761690-2588165671-2829143654-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2544761690-2588165671-2829143654-1003\S-1-5-21-2544761690-2588165671-2829143654-1003

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\a07feceff0a4\a07feceff0a4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\a07feceff0a4\a07feceff0a4

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2544761690-2588165671-2829143654-1003\S-1-5-21-2544761690-2588165671-2829143654-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2544761690-2588165671-2829143654-1003\S-1-5-21-2544761690-2588165671-2829143654-1003

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Sqm\Sqm

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Sqm\Sqm

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 06:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\cs\cs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\cs\cs

Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\da\da

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\da\da

Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\de\de

Mount point destination : \Device\__max++>\^

Finished!
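As an added example (not a tool from this thread), here is a small Python parser for the "Found mount point / Mount point destination / Removing mount point" triplets in the log above. It flags entries whose destination is not a normal volume device and entries whose last path component repeats the parent directory name, the layout every line in the posted log shares. The treatment of `\??\Volume{GUID}\` and `\Device\HarddiskVolumeN` as the benign destinations is an assumption of this example; the sample log embeds two records from the posted log plus one constructed benign volume mount point for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line formats exactly as they appear in the posted log.
FOUND_RE = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")
REMOVED_RE = re.compile(r"^Removing mount point\s*:\s*(.+?)\s*$")

# Assumption of this example: destinations Windows itself uses for volume
# mount points. Any other "device" destination is worth a closer look.
BENIGN_DEST_RE = re.compile(
    r"^(\\\?\?\\Volume\{[0-9A-Fa-f-]{36}\}\\?|\\Device\\HarddiskVolume\d+\\?)$"
)


@dataclass
class MountPoint:
    path: str          # junction / mount point on the file system
    destination: str   # object-manager path it resolves to
    removed: bool      # whether the log records its removal


def parse_mount_point_log(text: str) -> List[MountPoint]:
    """Turn Found / destination / Removing triplets into records.

    Blank lines are skipped. A 'Removing' line closes the record opened by the
    preceding 'Found' line only when the paths match.
    """
    records: List[MountPoint] = []
    current: Optional[MountPoint] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FOUND_RE.match(line)
        if m:
            current = MountPoint(path=m.group(1), destination="", removed=False)
            records.append(current)
            continue
        m = DEST_RE.match(line)
        if m and current is not None:
            current.destination = m.group(1)
            continue
        m = REMOVED_RE.match(line)
        if m and current is not None and m.group(1) == current.path:
            current.removed = True
            current = None
    return records


def is_self_named(path: str) -> bool:
    """True for paths such as ...\\VSW0\\VSW0, where the mount point carries the
    same name as its parent directory (the pattern seen throughout the log)."""
    parts = [p for p in path.split("\\") if p]
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def suspicious_mount_points(records: List[MountPoint]) -> List[MountPoint]:
    """Records with a non-volume destination or the self-named layout above."""
    return [r for r in records
            if not BENIGN_DEST_RE.match(r.destination) or is_self_named(r.path)]


def destinations_by_count(records: List[MountPoint]) -> List[Tuple[str, int]]:
    """Destination -> number of mount points pointing at it, most common first."""
    counts = {}
    for r in records:
        counts[r.destination] = counts.get(r.destination, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: two records copied from the posted log, plus one made-up
# benign volume mount point (the GUID is a placeholder).
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\Temp\VSW0\VSW0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\VSW0\VSW0

Found mount point : C:\WINDOWS\Temp\IXP000.TMP\IXP000.TMP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\IXP000.TMP\IXP000.TMP

Found mount point : C:\MountPoints\Data

Mount point destination : \??\Volume{12345678-1234-1234-1234-123456789abc}\

Finished!
"""

if __name__ == "__main__":
    recs = parse_mount_point_log(SAMPLE_LOG)
    for r in suspicious_mount_points(recs):
        print(f"suspicious: {r.path} -> {r.destination} (removed={r.removed})")
    for dest, n in destinations_by_count(recs):
        print(f"{n:4d}  {dest}")
```

Running the block on the constructed sample reports the two `\Device\__max++>\^` entries as suspicious and leaves the volume mount point alone; feed it a full log to see how many junctions share one destination.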
 
What we are doing is chipping away at this Rootkit, and then we will be able to run the tool that will completely remove it.

Next step

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up; press any key to close it once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
 
exeHelper Results

Hey Ken545:

I did not receive an error message and obtained the following log:

exeHelper by Raktor - 09
Build 20090925
Run at 18:17:41 on 10/16/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\~.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Interestingly enough, I had tried to remove ~.exe without success. I am glad to see it gone.

Regards
 
Hi,

Things are moving along quite well; this next program will remove the Rootkit.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3



* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instructions on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished, then restart your computer to restore the connections.
 
Working with ComboFix

Despite the fact that I had exited AVG from the systray, ComboFix reported that AVG was still active. I tried to close ComboFix by clicking on the upper right hand "X" but it would not allow me to do so. I wanted to try to figure out how to shut down AVG completely.

A DOS screen popped up momentarily. I did not get the entire message but it started with "Grep is not recognized...". After the DOS screen closed, I got another warning in Windows. That one said, "ComboFix has detected the presence of rootkit activity and needs to reboot the machine."

The only way out of that appeared to be to acknowledge the message and the machine rebooted. After rebooting, AVG was active again and ComboFix does not seem to be active anymore. At least the Task Manager does not show ComboFix as being a running application.

I will be standing by.

Thanks.
 
Let's try running ComboFix in Safemode.

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
  • Then press the Enter Key on your Keyboard
Tutorial if you need it: How to boot into Safemode
 
When I tried to run ComboFix in the Safe Mode, I had no visible means of disabling AVG. It told me that it detected the presence of AVG and that I should shut that down before continuing. As I was unable to shut it down I tried to close ComboFix but it would not let me. While it was running I got the Grep message in the Command Mode screen. This time I got it all. It read: "Grep is not recognized to be an internal or external command, operable program or batch file."

I then got the Rootkit warning described before and had to reboot the machine.

Should I uninstall AVG? That seems to be the only way that it will not interfere with ComboFix. Perhaps you know of an alternative way to keep AVG out?

As for Grep, I looked for it in Control Panel as a program to uninstall but Grep is not listed. I did find a Grep entry amongst the running processes in Task Manager. It is listed as grep.cfxxe. If I try to remove it I am warned: "Warning: Terminating a process can cause undesired results including loss of data and system instability. The process will not be given a chance to store its state or data before it is terminated. Are you sure you want to terminate the process?" I chose No.

Regards.
 
You can boot to safemode and then disable AVG. Open up AVG and look for the Resident Shield tab and disable it. Then run CF in Safemode.
 
Disabling AVG in Safe Mode

Ken545:

Anything I try to do with AVG in the Safe Mode results in a Command Line Composer Window as shown in the attached AVGSafeMode.jpg.

When I tried to uninstall AVG, I got the error message shown in the attached text file and a notification to the effect that the uninstall failed.

I have yet to successfully run ComboFix.
 
Just run CF even if AVG is not disabled or uninstalled. CF needs to be run to remove this rootkit.
 
Attempted running ComboFix. The program appears to load, then a command window opened briefly and I received a Window labelled Rootkit!!

The message reads "ComboFix has detected the presence of rootkit activity and needs to reboot the machine".

After rebooting, a command screen opened with the message "Grep is not recognized to be an internal or external command, operable program or batch file."

After a few minutes it flashed another message that I did not catch and the command window disappeared.

There is no evidence that ComboFix is working, as per the Task Manager, though it may be. I will give it a while.
 
Sorry you're having so many problems running this.

Drag Combofix to the trash and redownload a fresh copy, make sure you rename it, then do this. Drag Combofix into this program.

Download Inherit and save it to your desktop.
Drag each of the exe files that you are unable to run into Inherit.exe (must be the exe - not the shortcut)
Then wait for it to say "OK"
 