Search results redirecting, Spybot/HJT crash mid-scan w/permissions change

[CALauer85]

Hi,

Since last night, whenever I use a search engine like Google or Yahoo, nearly all search results I click on redirect to a random ad site. I've tried running Spybot S&D and Ad-Aware, but shortly after starting a scan the program closes, then gives the error "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item" when trying to reopen the program. Unfortunately HijackThis does the same thing when running a scan, so I do not have any HJT logs to provide.

I am running Vista Home Premium, any help getting my search engines back and anti-spyware scanners working again will be greatly appreciated! :thanks:

 

[Blade81]

Hi,

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

 

[CALauer85]

Running from: C:\Users\Cal85\Desktop\Win32kDiag.exe

Log file at : C:\Users\Cal85\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3F93.tmp\ZAP3F93.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8F54.tmp\ZAP8F54.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Driver Cache\AMD64\AMD64

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\OEM\OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\inf\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\OPTIONS\CABS\CABS

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\OPTIONS\Install\Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\pss\pss

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\DataStore\Logs\Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.16926_en-us_2185ec15e486221c\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.16926_en-us_2185ec15e486221c

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.21125_en-us_220e60b8fda4dbd1\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.21125_en-us_220e60b8fda4dbd1

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.18330_en-us_235b5913e1ba36f4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.18330_en-us_235b5913e1ba36f4

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.22520_en-us_23efc7b0facfb7f4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.22520_en-us_23efc7b0facfb7f4

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.18111_en-us_25586d03decf6ab4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.18111_en-us_25586d03decf6ab4

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.22223_en-us_25d93a76f7f3591d\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.22223_en-us_25d93a76f7f3591d

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.16926_en-us_dd0695ced5a51138\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.16926_en-us_dd0695ced5a51138

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.21125_en-us_dd8f0a71eec3caed\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.21125_en-us_dd8f0a71eec3caed

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.18330_en-us_dedc02ccd2d92610\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.18330_en-us_dedc02ccd2d92610

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.22520_en-us_df707169ebeea710\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.22520_en-us_df707169ebeea710

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.18111_en-us_e0d916bccfee59d0\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.18111_en-us_e0d916bccfee59d0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.22223_en-us_e159e42fe9124839\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.22223_en-us_e159e42fe9124839

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\cngaudit.dll

[2] 2006-11-02 01:46:03 11776 C:\Windows\System32\cngaudit(219).dll (Microsoft Corporation)

[1] 2006-11-02 01:46:03 61952 C:\Windows\System32\cngaudit.dll ()

[1] 2006-11-02 01:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-11-04 13:55:20 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-11-04 13:54:34 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-11-04 13:54:34 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-11-04 13:54:34 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

[1] 2009-11-04 13:55:36 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()



Found mount point : C:\Windows\Temp\PCTBD520746\PCTBD520746

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^



Finished!

 

[Blade81]

Hi again,

• Download The Avenger by Swandog46 from here.
• Unzip/extract it to a folder on your desktop.
• Double click on avenger.exe to run The Avenger.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
  

  Files to move:
  C:\Windows\System32\cngaudit(219).dll|C:\Windows\System32\cngaudit.dll

• In the avenger window, click the Paste Script from Clipboard,
  
  button.
• Click the Execute button.
• You will be asked Are you sure you want to execute the current script?.
• Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
• Click Yes.
• Your PC will now be rebooted.
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
• If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
• After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
• Please post this log in your next reply.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the Open box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

 

[CALauer85]

Avenger Log, Win32kDiag log in next post:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\Windows\System32\cngaudit(219).dll|C:\Windows\System32\cngaudit.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

 

[CALauer85]

Win32kDiag Log, Avenger Log in previous post:

Running from: C:\Users\Cal85\Desktop\win32kdiag.exe

Log file at : C:\Users\Cal85\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3F93.tmp\ZAP3F93.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3F93.tmp\ZAP3F93.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8F54.tmp\ZAP8F54.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8F54.tmp\ZAP8F54.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\temp\temp

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\tmp\tmp

Found mount point : C:\Windows\Driver Cache\AMD64\AMD64

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Driver Cache\AMD64\AMD64

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ehome\CreateDisc\style\style

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\Globalization

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\Corporate\Corporate

Found mount point : C:\Windows\Help\OEM\OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\OEM\OEM

Found mount point : C:\Windows\i386\i386

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\i386\i386

Found mount point : C:\Windows\inf\en-US\en-US

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\inf\en-US\en-US

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Found mount point : C:\Windows\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Minidump\Minidump

Found mount point : C:\Windows\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\msdownld.tmp\msdownld.tmp

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\nap\configuration\configuration

Found mount point : C:\Windows\OPTIONS\CABS\CABS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\OPTIONS\CABS\CABS

Found mount point : C:\Windows\OPTIONS\Install\Install

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\OPTIONS\Install\Install

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Panther\setup.exe\setup.exe

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PLA\Templates\Templates

Found mount point : C:\Windows\pss\pss

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\pss\pss

Found mount point : C:\Windows\registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\registration\CRMLog\CRMLog

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SchCache\SchCache

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\templates\templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\Windows\SoftwareDistribution\DataStore\Logs\Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\DataStore\Logs\Logs

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.16926_en-us_2185ec15e486221c\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.16926_en-us_2185ec15e486221c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.16926_en-us_2185ec15e486221c\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.16926_en-us_2185ec15e486221c

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.21125_en-us_220e60b8fda4dbd1\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.21125_en-us_220e60b8fda4dbd1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.21125_en-us_220e60b8fda4dbd1\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.21125_en-us_220e60b8fda4dbd1

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.18330_en-us_235b5913e1ba36f4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.18330_en-us_235b5913e1ba36f4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.18330_en-us_235b5913e1ba36f4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.18330_en-us_235b5913e1ba36f4

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.22520_en-us_23efc7b0facfb7f4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.22520_en-us_23efc7b0facfb7f4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.22520_en-us_23efc7b0facfb7f4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.22520_en-us_23efc7b0facfb7f4

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.18111_en-us_25586d03decf6ab4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.18111_en-us_25586d03decf6ab4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.18111_en-us_25586d03decf6ab4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.18111_en-us_25586d03decf6ab4

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.22223_en-us_25d93a76f7f3591d\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.22223_en-us_25d93a76f7f3591d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.22223_en-us_25d93a76f7f3591d\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.22223_en-us_25d93a76f7f3591d

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.16926_en-us_dd0695ced5a51138\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.16926_en-us_dd0695ced5a51138

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.16926_en-us_dd0695ced5a51138\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.16926_en-us_dd0695ced5a51138

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.21125_en-us_dd8f0a71eec3caed\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.21125_en-us_dd8f0a71eec3caed

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.21125_en-us_dd8f0a71eec3caed\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.21125_en-us_dd8f0a71eec3caed

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.18330_en-us_dedc02ccd2d92610\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.18330_en-us_dedc02ccd2d92610

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.18330_en-us_dedc02ccd2d92610\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.18330_en-us_dedc02ccd2d92610

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.22520_en-us_df707169ebeea710\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.22520_en-us_df707169ebeea710

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.22520_en-us_df707169ebeea710\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.22520_en-us_df707169ebeea710

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.18111_en-us_e0d916bccfee59d0\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.18111_en-us_e0d916bccfee59d0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.18111_en-us_e0d916bccfee59d0\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.18111_en-us_e0d916bccfee59d0

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.22223_en-us_e159e42fe9124839\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.22223_en-us_e159e42fe9124839

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.22223_en-us_e159e42fe9124839\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.22223_en-us_e159e42fe9124839

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e

Found mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.16939_none_11456c7e25131982\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.16939_none_11456c7e25131982

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.16939_none_11456c7e25131982\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.16939_none_11456c7e25131982

Found mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.21142_none_11bd0f793e3f571e\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.21142_none_11bd0f793e3f571e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.21142_none_11bd0f793e3f571e\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.21142_none_11bd0f793e3f571e

Found mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.18344_none_131bd9c6224647b1\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.18344_none_131bd9c6224647b1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.18344_none_131bd9c6224647b1\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.18344_none_131bd9c6224647b1

Found mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.22544_none_13a578773b63e4a2\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.22544_none_13a578773b63e4a2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.22544_none_13a578773b63e4a2\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.22544_none_13a578773b63e4a2

Found mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.18124_none_1517ed6c1f5c621a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.18124_none_1517ed6c1f5c621a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.18124_none_1517ed6c1f5c621a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.18124_none_1517ed6c1f5c621a

Found mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.22247_none_158eeb3d388785cb\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.22247_none_158eeb3d388785cb

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\Download\a99eb937227b1356499ce4c07f79734a\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.22247_none_158eeb3d388785cb\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.22247_none_158eeb3d388785cb

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Found mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Sun\Java\Deployment\Deployment

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-11-07 00:00:19 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-11-06 23:59:31 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-11-06 23:59:31 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-11-06 23:59:31 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

[1] 2009-11-07 00:00:35 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()



Found mount point : C:\Windows\Temp\PCTBD520746\PCTBD520746

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Temp\PCTBD520746\PCTBD520746

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\tracing\tracing

Found mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes

Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames



Finished!

 

[Blade81]

Hi again,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop. Post them back to your topic.

 

[CALauer85]

DDS.txt log below, Attach.txt attached as directed by DDS scan:


DDS (Ver_09-10-26.01) - NTFSx86
Run by Cal85 at 5:03:56.14 on Sun 11/08/2009
Internet Explorer: 7.0.6000.16916
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1014.378 [GMT -8:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\sttray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\SpybotSD\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\WerCon.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Cal85\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-6815
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-6815
uInternet Settings,ProxyOverride = <local>;*.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-6815
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\spybotsd\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [SpybotSD TeaTimer] c:\spybotsd\TeaTimer.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\spybotsd\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.30.16/ttinst.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Notify: igfxcui - igfxdev.dll
mASetup: {B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\cal85\appdata\roaming\mozilla\firefox\profiles\trwel9xe.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-30 64160]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybotsd\SDWinSec.exe [2009-10-30 1153368]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2009-9-10 23096]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-9-10 16640]

=============== Created Last 30 ================

2009-11-04 22:03:54 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2009-10-31 02:18:48 0 d-----w- c:\windows\pss
2009-10-30 23:16:27 0 d-----w- C:\SpybotSD
2009-10-30 22:44:13 0 d-----w- c:\program files\SpybotSD
2009-10-30 22:00:48 528 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-10-30 21:58:46 1544 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-30 21:43:26 0 ----a-w- c:\windows\win32k.sys
2009-10-30 10:02:56 0 d-----w- c:\programdata\SITEguard
2009-10-30 10:01:09 0 d-----w- c:\program files\common files\iS3
2009-10-30 10:01:08 0 d-----w- c:\programdata\STOPzilla!
2009-10-30 09:33:06 0 d---a-w- c:\programdata\TEMP
2009-10-30 08:09:01 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-30 08:08:21 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-30 08:08:04 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-30 08:08:04 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-29 22:21:01 44768 ----a-w- c:\windows\system32\wups2(167).dll
2009-10-28 04:54:05 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 04:54:04 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-10-28 04:54:04 4096 ----a-w- c:\windows\system32\msdxm.ocx
2009-10-28 04:54:04 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-10-28 04:53:58 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-23 23:56:59 0 d-----w- c:\users\cal85\MarioKart
2009-10-21 21:23:48 0 d-----w- c:\programdata\Yahoo!
2009-10-21 21:23:40 0 d-----w- c:\program files\Yahoo!
2009-10-14 03:12:10 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 03:12:10 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 03:08:03 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-10-14 03:08:02 217088 ----a-w- c:\windows\system32\psisrndr.ax
2009-10-14 03:07:59 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-10-14 03:07:50 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-10-14 03:07:48 80896 ----a-w- c:\windows\system32\MSNP.ax
2009-10-14 03:07:48 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2009-10-14 03:07:37 177152 ----a-w- c:\windows\system32\mpg2splt.ax
2009-10-14 03:07:35 68608 ----a-w- c:\windows\system32\Mpeg2Data.ax
2009-10-14 02:53:01 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 02:52:54 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 02:52:46 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-12 08:17:09 108 ----a-w- c:\users\cal85\appdata\roaming\wklnhst.dat

==================== Find3M ====================

2009-11-03 04:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-30 09:12:09 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-26 05:10:09 130280 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 07:29:34 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-09-11 07:29:34 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-11 07:29:34 51200 ----a-w- c:\windows\inf\infpub.dat
2009-09-10 17:38:29 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-29 03:41:42 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-29 02:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:31:54 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 14:02:34 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:57:38 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57:36 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56:05 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24:10 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51:45 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-14 16:42:08 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-08-14 16:40:56 103936 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:40:52 15360 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:25:18 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:25:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:25:15 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:25:14 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:25:10 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:25:10 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:25:10 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:23:53 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-01-08 03:56:42 174 --sha-w- c:\program files\desktop.ini
2008-06-11 15:29:03 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-10-20 02:59:29 16384 --sha-w- c:\windows\temp\cookies\index.dat
2007-10-20 02:59:32 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2007-10-20 02:59:29 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 5:06:33.44 ===============

 

[Blade81]

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitTorrent


I'd like you to read this thread.

Please go to Control Panel > Programs and Features and uninstall the programs listed above (in red).


After that:

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

 

[CALauer85]

Uninstalled BitTorrent as instructed (thanks for the info post!). ComboFix log below, new DDS log is in the next post:

ComboFix 09-11-08.03 - Cal85 11/08/2009 16:38.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1014.461 [GMT -8:00]
Running from: c:\users\Cal85\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2876608432-483462828-314405990-500
c:\users\Cal85\Documents\registry1030.reg
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.

2009-11-09 00:50 . 2009-11-09 00:55 4096 d-----w- c:\users\Cal85\AppData\Local\temp
2009-11-09 00:50 . 2009-11-09 00:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-30 23:16 . 2009-10-30 23:16 8192 d-----w- C:\SpybotSD
2009-10-30 22:44 . 2009-10-30 22:46 8192 d-----w- c:\program files\SpybotSD
2009-10-30 21:50 . 2009-10-30 21:50 -------- d-----w- c:\users\Cal85\AppData\Local\Threat Expert
2009-10-30 21:43 . 2009-11-07 07:48 0 ----a-w- c:\windows\win32k.sys
2009-10-30 10:02 . 2009-10-30 21:50 -------- d-----w- c:\programdata\SITEguard
2009-10-30 10:01 . 2009-10-30 10:01 -------- d-----w- c:\program files\Common Files\iS3
2009-10-30 10:01 . 2009-10-30 22:12 -------- d-----w- c:\programdata\STOPzilla!
2009-10-30 08:09 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-30 08:09 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-30 08:09 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-30 08:08 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-30 08:08 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-30 08:08 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-30 08:08 . 2009-08-07 02:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-30 08:08 . 2009-08-07 01:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-29 22:21 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-29 22:21 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2(167).dll
2009-10-28 04:54 . 2009-09-10 15:29 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 04:54 . 2009-09-10 17:40 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-10-28 04:54 . 2009-09-10 17:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-10-28 04:53 . 2009-09-10 15:29 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-23 23:56 . 2009-10-26 07:40 -------- d-----w- c:\users\Cal85\MarioKart
2009-10-21 21:26 . 2009-10-21 21:26 -------- d-----w- c:\users\Cal85\AppData\Local\Yahoo
2009-10-21 21:23 . 2009-10-21 21:26 -------- d-----w- c:\programdata\Yahoo!
2009-10-21 21:23 . 2009-05-27 02:50 607472 ----a-w- c:\programdata\Yahoo!\YUpdater\yupdater.exe
2009-10-21 21:23 . 2009-10-21 21:23 -------- d-----w- c:\program files\Yahoo!
2009-10-14 03:12 . 2009-08-05 14:28 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 03:12 . 2009-08-05 14:28 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 03:08 . 2009-08-31 15:16 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-10-14 03:07 . 2009-08-31 15:21 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-10-14 03:07 . 2009-08-31 15:17 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-10-14 02:53 . 2009-09-04 12:38 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 02:52 . 2009-09-14 09:50 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 02:52 . 2009-04-02 11:50 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-12 08:17 . 2009-10-12 08:17 -------- d-----w- c:\users\Cal85\AppData\Roaming\Template

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 00:14 . 2009-10-12 08:17 108 ----a-w- c:\users\Cal85\AppData\Roaming\wklnhst.dat
2009-11-03 04:42 . 2009-10-03 04:10 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-31 00:01 . 2009-09-30 22:52 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-30 22:35 . 2009-09-30 22:52 8192 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-30 22:00 . 2009-10-30 22:00 528 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-10-30 22:00 . 2009-10-30 21:58 1544 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-30 07:47 . 2007-05-31 17:57 -------- d-----w- c:\program files\NetZero
2009-10-30 07:47 . 2006-06-12 00:01 -------- d-----w- c:\program files\SIFXINST
2009-10-19 09:12 . 2009-09-30 09:11 3695616 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-10-19 09:12 . 2009-09-30 09:11 2353992 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-10-14 10:24 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-09-30 09:11 . 2009-09-30 09:11 525792 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\64\DIFxAPI.dll
2009-09-30 09:11 . 2009-09-30 09:11 303976 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2009-09-30 09:11 . 2009-09-30 09:11 664936 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-09-30 09:11 . 2009-09-30 09:11 562552 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-09-30 09:11 . 2009-09-30 09:11 566632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-09-30 09:11 . 2009-09-30 09:11 640760 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-09-30 09:11 . 2009-09-30 09:11 520024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-09-30 09:11 . 2009-09-30 09:11 1028432 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-09-30 09:09 . 2009-09-30 09:09 4096 dc-h--w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-30 09:08 . 2009-09-30 09:08 -------- d-----w- c:\program files\Lavasoft
2009-09-29 23:38 . 2009-07-31 05:55 4096 d-----w- c:\program files\Digsby
2009-09-29 05:23 . 2007-10-19 04:42 74168 ----a-w- c:\users\Cal85\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-26 05:10 . 2009-07-31 06:07 130280 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-23 22:02 . 2009-09-23 22:00 4096 d-----w- c:\program files\iTunes
2009-09-23 22:00 . 2009-09-23 22:00 -------- d-----w- c:\program files\iPod
2009-09-23 22:00 . 2007-10-20 03:44 -------- d-----w- c:\program files\Common Files\Apple
2009-09-23 21:51 . 2009-09-23 21:51 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-23 11:22 . 2007-10-20 06:40 8192 d-----w- c:\program files\Trillian
2009-09-14 06:56 . 2007-05-31 17:46 8192 d-----w- c:\programdata\Microsoft Help
2009-09-12 02:55 . 2007-10-20 03:49 -------- d-----w- c:\users\Cal85\AppData\Roaming\Apple Computer
2009-09-11 07:37 . 2009-09-11 07:35 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-11 07:33 . 2009-09-11 07:32 4096 d-----w- c:\program files\QuickTime
2009-09-10 17:38 . 2009-10-14 03:13 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 11:13 . 2009-09-10 10:55 4096 d-----w- c:\programdata\RapidSolution
2009-09-10 11:02 . 2009-09-10 11:02 8192 d-----w- c:\program files\PixiePack Codec Pack
2009-09-10 10:59 . 2009-09-10 10:59 566552 ----a-w- c:\programdata\RapidSolution\Tunebite\WebRipDLLs\MusicLoad.dll
2009-09-10 10:59 . 2009-09-10 10:59 242968 ----a-w- c:\programdata\RapidSolution\Tunebite\WebRipDLLs\PlgSoundclick.dll
2009-09-10 10:59 . 2009-09-10 10:59 156952 ----a-w- c:\programdata\RapidSolution\Tunebite\WebRipDLLs\PlgIJigg.dll
2009-09-10 10:59 . 2009-09-10 10:59 156952 ----a-w- c:\programdata\RapidSolution\Tunebite\WebRipDLLs\PlgPandora.dll
2009-09-10 10:59 . 2009-09-10 10:59 136472 ----a-w- c:\programdata\RapidSolution\Tunebite\WebRipDLLs\PlgLastfm.dll
2009-09-10 10:55 . 2009-09-10 10:55 -------- d-----w- c:\program files\RapidSolution
2009-09-03 17:37 . 2009-09-10 09:40 16640 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys
2009-08-29 03:41 . 2009-09-05 06:23 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40 . 2009-09-05 06:23 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-29 02:42 . 2009-08-29 02:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 02:42 . 2009-08-29 02:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:31 . 2009-09-05 06:23 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 22:45 . 2009-09-10 09:59 23096 ----a-w- c:\windows\system32\drivers\DrmRAudio.sys
2009-08-27 14:02 . 2009-10-14 03:13 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:57 . 2009-10-14 03:13 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57 . 2009-10-14 03:13 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56 . 2009-10-14 03:13 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24 . 2009-10-14 03:13 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51 . 2009-10-14 03:13 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-14 17:16 . 2009-09-09 05:08 213592 ----a-w- c:\windows\system32\drivers\netio.sys
2009-08-14 16:42 . 2009-09-09 05:08 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-08-14 16:40 . 2009-09-09 05:08 103936 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:40 . 2009-09-09 05:08 15360 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:25 . 2009-09-09 05:08 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:25 . 2009-09-09 05:08 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:25 . 2009-09-09 05:08 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:25 . 2009-09-09 05:08 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:25 . 2009-09-09 05:08 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:25 . 2009-09-09 05:08 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:25 . 2009-09-09 05:08 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:24 . 2009-09-09 05:08 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 14:23 . 2009-09-09 05:08 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\spybotsd\TeaTimer.exe" [2009-01-26 2144088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-04 133912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-04 138008]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-04 154392]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-03 638976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-01-30 303104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-05-04 40072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [9/30/2009 1:12 AM 64160]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\SpybotSD\SDWinSec.exe [10/30/2009 2:44 PM 1153368]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 6:49 AM 1028432]
S3 DrmRAudio;DrmRAudio;c:\windows\System32\drivers\DrmRAudio.sys [9/10/2009 1:59 AM 23096]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 2:25 AM 2589184]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\System32\drivers\WsAudio_DeviceS(1).sys [9/10/2009 1:40 AM 16640]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-11-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 09:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-6815
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Cal85\AppData\Roaming\Mozilla\Firefox\Profiles\trwel9xe.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
AddRemove-Disney's Toontown Online - c:\progra~1\Disney\DISNEY~1\Toontown\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 16:54
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8BAABE07]<<
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 31 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\SigmaTel\C-Major Audio\WDM\STacSV.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-09 17:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-09 01:05

Pre-Run: 46,688,362,496 bytes free
Post-Run: 46,369,546,240 bytes free

- - End Of File - - 0D1F0924419DF0D646816E2FFE06556B

 

[CALauer85]

Fresh DDS log, ComboFix log in previous post:


DDS (Ver_09-10-26.01) - NTFSx86
Run by Cal85 at 17:17:56.56 on Sun 11/08/2009
Internet Explorer: 7.0.6000.16916
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1014.240 [GMT -8:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\sttray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\SpybotSD\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\system32\WerCon.exe
C:\Users\Cal85\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-6815
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\spybotsd\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
uRun: [SpybotSD TeaTimer] c:\spybotsd\TeaTimer.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\spybotsd\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.30.16/ttinst.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Notify: igfxcui - igfxdev.dll
mASetup: {B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\cal85\appdata\roaming\mozilla\firefox\profiles\trwel9xe.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-30 64160]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybotsd\SDWinSec.exe [2009-10-30 1153368]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2009-9-10 23096]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-9-10 16640]

=============== Created Last 30 ================

2009-11-09 00:34:24 98816 ----a-w- c:\windows\sed.exe
2009-11-09 00:34:24 77312 ----a-w- c:\windows\MBR.exe
2009-11-09 00:34:24 267264 ----a-w- c:\windows\PEV.exe
2009-11-09 00:34:24 161792 ----a-w- c:\windows\SWREG.exe
2009-11-04 22:03:54 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2009-10-31 02:18:48 0 d-----w- c:\windows\pss
2009-10-30 23:16:27 0 d-----w- C:\SpybotSD
2009-10-30 22:44:13 0 d-----w- c:\program files\SpybotSD
2009-10-30 22:00:48 528 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-10-30 21:58:46 1544 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-30 21:43:26 0 ----a-w- c:\windows\win32k.sys
2009-10-30 10:02:56 0 d-----w- c:\programdata\SITEguard
2009-10-30 10:01:09 0 d-----w- c:\program files\common files\iS3
2009-10-30 10:01:08 0 d-----w- c:\programdata\STOPzilla!
2009-10-30 09:33:06 0 d---a-w- c:\programdata\TEMP
2009-10-30 08:09:01 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-30 08:08:21 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-30 08:08:04 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-30 08:08:04 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-29 22:21:01 44768 ----a-w- c:\windows\system32\wups2(167).dll
2009-10-28 04:54:05 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 04:54:04 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-10-28 04:54:04 4096 ----a-w- c:\windows\system32\msdxm.ocx
2009-10-28 04:54:04 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-10-28 04:53:58 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-23 23:56:59 0 d-----w- c:\users\cal85\MarioKart
2009-10-21 21:23:48 0 d-----w- c:\programdata\Yahoo!
2009-10-21 21:23:40 0 d-----w- c:\program files\Yahoo!
2009-10-14 03:12:10 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 03:12:10 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 03:08:03 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-10-14 03:08:02 217088 ----a-w- c:\windows\system32\psisrndr.ax
2009-10-14 03:07:59 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-10-14 03:07:50 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-10-14 03:07:48 80896 ----a-w- c:\windows\system32\MSNP.ax
2009-10-14 03:07:48 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2009-10-14 03:07:37 177152 ----a-w- c:\windows\system32\mpg2splt.ax
2009-10-14 03:07:35 68608 ----a-w- c:\windows\system32\Mpeg2Data.ax
2009-10-14 02:53:01 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 02:52:54 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 02:52:46 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-12 08:17:09 108 ----a-w- c:\users\cal85\appdata\roaming\wklnhst.dat

==================== Find3M ====================

2009-11-03 04:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-30 09:12:09 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-26 05:10:09 130280 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 07:29:34 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-09-11 07:29:34 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-11 07:29:34 51200 ----a-w- c:\windows\inf\infpub.dat
2009-09-10 17:38:29 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-29 03:41:42 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-29 02:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:31:54 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 14:02:34 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:57:38 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57:36 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56:05 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24:10 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51:45 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-14 16:42:08 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-08-14 16:40:56 103936 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:40:52 15360 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:25:18 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:25:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:25:15 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:25:14 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:25:10 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:25:10 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:25:10 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:23:53 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-01-08 03:56:42 174 --sha-w- c:\program files\desktop.ini
2008-06-11 15:29:03 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 17:19:24.85 ===============

 

[Blade81]

Hi,

A quick question at this point. Does the redirecting still occur?

 

[CALauer85]

Yes, redirecting is still occurring. I haven't tried scanning with Spybot yet though, I didn't want to do so without being instructed to. Thanks for your help so far, hopefully we'll figure this out soon

 

[Blade81]

Hi,

Check your PM box.

 

[CALauer85]

Zipped log attached, as directed by PM message.

 

[Blade81]

Hi,

Check your PM.

 

[CALauer85]

GMER Log:

GMER 1.0.15.15219 - http://www.gmer.net
Rootkit quick scan 2009-11-10 04:23:12
Windows 6.0.6000
Running: gmer.exe; Driver: C:\Users\Cal85\AppData\Local\Temp\kwtdqfob.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 31: copy of MBR

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\00000860 \Device\Harddisk0\DR0 8BC87E07

---- EOF - GMER 1.0.15 ----

 

[Blade81]

Hi,

Click start->run->write cmd.exe and press enter. In opened command prompt window write following command and press enter:
COPY /Y C:\Windows\system32\drivers\iastor.sys c:\iastor.sys


You should get message "1 file(s) copied.". If you didn't get that message stop following steps below and post back into this topic.

• Double click on avenger.exe to run The Avenger.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
  

  Files to move:
  c:\iastor.sys|C:\Windows\system32\drivers\iastor.sys

• In the avenger window, click the Paste Script from Clipboard,
  
  button.
• Click the Execute button.
• You will be asked Are you sure you want to execute the current script?.
• Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
• Click Yes.
• Your PC will now be rebooted.
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
• If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
• After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
• Please post this log in your next reply.

 

[CALauer85]

Hi,

I was able to successfully copy the .sys file to the C: directory, but the Avenger log says access denied when trying to move it:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not move file "c:\iastor.sys"
File move operation "c:\iastor.sys|C:\Windows\system32\drivers\iastor.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.

 

[Blade81]

Hi,

Please delete your current copy of ComboFix.exe file. Then download a fresh copy of one of these links to your desktop:
Link 1
Link 2

Run the new version and post back the log.