Need some help. i suspect Tapi.nfo


  • This topic is locked
23 replies to this topic

#1 w3azl3

Posted 28 August 2009 - 07:07 PM

Hello,

This is my 2nd thread; Blade helped me out a lot on the first one. The link to my previous post is here:

http://www.bleepingcomputer.com/forums/ind...p;#entry1403721

I will post my RootRepeal log first, then my Win32k log.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/28 18:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name | Image Path | Address | Size | File Visible | Signed | Status
ACPI.sys | ACPI.sys | 0xF733D000 | 187776 | - | - | -
ACPI_HAL | \Driver\ACPI_HAL | 0x804D7000 | 2260992 | - | - | -
afd.sys | C:\WINDOWS\System32\drivers\afd.sys | 0xF6E28000 | 138496 | - | - | -
aswTdi.SYS | C:\WINDOWS\System32\Drivers\aswTdi.SYS | 0xF75A4000 | 41664 | - | - | -
atapi.sys | atapi.sys | 0xF72CF000 | 98304 | - | - | -
atapi.sys | atapi.sys | 0x00000000 | 0 | - | - | -
ATMFD.DLL | C:\WINDOWS\System32\ATMFD.DLL | 0xBFFA0000 | 286720 | - | - | -
BOOTVID.dll | C:\WINDOWS\system32\BOOTVID.dll | 0xF78B4000 | 12288 | - | - | -
Cdfs.SYS | C:\WINDOWS\System32\Drivers\Cdfs.SYS | 0xF75F4000 | 63744 | - | - | -
cdrom.sys | C:\WINDOWS\system32\DRIVERS\cdrom.sys | 0xF7504000 | 62976 | - | - | -
CLASSPNP.SYS | C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS | 0xF74E4000 | 53248 | - | - | -
disk.sys | disk.sys | 0xF74D4000 | 36352 | - | - | -
DLACDBHM.SYS | C:\WINDOWS\System32\Drivers\DLACDBHM.SYS | 0xF79AC000 | 5568 | - | - | -
DLARTL_N.SYS | C:\WINDOWS\System32\Drivers\DLARTL_N.SYS | 0xF7814000 | 22624 | - | - | -
dmio.sys | dmio.sys | 0xF72E7000 | 153344 | - | - | -
dmload.sys | dmload.sys | 0xF79A8000 | 5888 | - | - | -
DRVMCDB.SYS | DRVMCDB.SYS | 0xF7287000 | 87104 | - | - | -
dump_atapi.sys | C:\WINDOWS\System32\Drivers\dump_atapi.sys | 0xF6CAD000 | 98304 | No | - | -
dump_WMILIB.SYS | C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS | 0xF79D8000 | 8192 | No | - | -
Dxapi.sys | C:\WINDOWS\System32\drivers\Dxapi.sys | 0xF6ED3000 | 12288 | - | - | -
dxg.sys | C:\WINDOWS\System32\drivers\dxg.sys | 0xBF000000 | 73728 | - | - | -
dxgthk.sys | C:\WINDOWS\System32\drivers\dxgthk.sys | 0xF7B60000 | 4096 | - | - | -
e100b325.sys | C:\WINDOWS\system32\DRIVERS\e100b325.sys | 0xF70D1000 | 155648 | - | - | -
fltmgr.sys | fltmgr.sys | 0xF72AF000 | 129792 | - | - | -
framebuf.dll | C:\WINDOWS\System32\framebuf.dll | 0xBFF50000 | 12288 | - | - | -
Fs_Rec.SYS | C:\WINDOWS\System32\Drivers\Fs_Rec.SYS | 0xF79BE000 | 7936 | - | - | -
FStarForce.sys | C:\WINDOWS\system32\DRIVERS\FStarForce.sys | 0xF77EC000 | 28672 | - | - | -
ftdisk.sys | ftdisk.sys | 0xF730D000 | 125056 | - | - | -
GEARAspiWDM.sys | C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys | 0xF7944000 | 9984 | - | - | -
hal.dll | C:\WINDOWS\system32\hal.dll | 0x806FF000 | 134400 | - | - | -
HDAudBus.sys | C:\WINDOWS\system32\DRIVERS\HDAudBus.sys | 0xF711B000 | 163840 | - | - | -
HIDCLASS.SYS | C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS | 0xF75E4000 | 36864 | - | - | -
HIDPARSE.SYS | C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS | 0xF7894000 | 28672 | - | - | -
hidusb.sys | C:\WINDOWS\system32\DRIVERS\hidusb.sys | 0xF6FB4000 | 10368 | - | - | -
i2omgmt.SYS | C:\WINDOWS\System32\Drivers\i2omgmt.SYS | 0xF7153000 | 8576 | - | - | -
imapi.sys | C:\WINDOWS\system32\DRIVERS\imapi.sys | 0xF7524000 | 42112 | - | - | -
ipfltdrv.sys | C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys | 0xF75B4000 | 32896 | - | - | -
ipnat.sys | C:\WINDOWS\system32\DRIVERS\ipnat.sys | 0xF6E99000 | 152832 | - | - | -
ipsec.sys | C:\WINDOWS\system32\DRIVERS\ipsec.sys | 0xF6F40000 | 75264 | - | - | -
isapnp.sys | isapnp.sys | 0xF74A4000 | 37248 | - | - | -
kbdclass.sys | C:\WINDOWS\system32\DRIVERS\kbdclass.sys | 0xF77D4000 | 24576 | - | - | -
kbdhid.sys | C:\WINDOWS\system32\DRIVERS\kbdhid.sys | 0xF6FAC000 | 14592 | - | - | -
KDCOM.DLL | C:\WINDOWS\system32\KDCOM.DLL | 0xF79A4000 | 8192 | - | - | -
ks.sys | C:\WINDOWS\system32\DRIVERS\ks.sys | 0xF70AE000 | 143360 | - | - | -
KSecDD.sys | KSecDD.sys | 0xF7270000 | 92288 | - | - | -
mouclass.sys | C:\WINDOWS\system32\DRIVERS\mouclass.sys | 0xF77DC000 | 23040 | - | - | -
mouhid.sys | C:\WINDOWS\system32\DRIVERS\mouhid.sys | 0xF715F000 | 12160 | - | - | -
MountMgr.sys | MountMgr.sys | 0xF74B4000 | 42368 | - | - | -
Mpfp.sys | C:\WINDOWS\System32\Drivers\Mpfp.sys | 0xF6E72000 | 159744 | - | - | -
mrxsmb.sys | C:\WINDOWS\system32\DRIVERS\mrxsmb.sys | 0xF6D8D000 | 455296 | - | - | -
Msfs.SYS | C:\WINDOWS\System32\Drivers\Msfs.SYS | 0xF782C000 | 19072 | - | - | -
msgpc.sys | C:\WINDOWS\system32\DRIVERS\msgpc.sys | 0xF7564000 | 35072 | - | - | -
mssmbios.sys | C:\WINDOWS\system32\DRIVERS\mssmbios.sys | 0xF797C000 | 15488 | - | - | -
Mup.sys | Mup.sys | 0xF719C000 | 105344 | - | - | -
NDIS.sys | NDIS.sys | 0xF71B6000 | 182656 | - | - | -
ndistapi.sys | C:\WINDOWS\system32\DRIVERS\ndistapi.sys | 0xF7958000 | 10112 | - | - | -
ndisuio.sys | C:\WINDOWS\system32\DRIVERS\ndisuio.sys | 0xF6779000 | 14592 | - | - | -
ndiswan.sys | C:\WINDOWS\system32\DRIVERS\ndiswan.sys | 0xF7097000 | 91520 | - | - | -
NDProxy.SYS | C:\WINDOWS\System32\Drivers\NDProxy.SYS | 0xF7584000 | 40576 | - | - | -
netbios.sys | C:\WINDOWS\system32\DRIVERS\netbios.sys | 0xF75C4000 | 34688 | - | - | -
netbt.sys | C:\WINDOWS\system32\DRIVERS\netbt.sys | 0xF6E4A000 | 162816 | - | - | -
Npfs.SYS | C:\WINDOWS\System32\Drivers\Npfs.SYS | 0xF783C000 | 30848 | - | - | -
Ntfs.sys | Ntfs.sys | 0xF71E3000 | 574976 | - | - | -
ntoskrnl.exe | C:\WINDOWS\system32\ntoskrnl.exe | 0x804D7000 | 2260992 | - | - | -
Null.SYS | C:\WINDOWS\System32\Drivers\Null.SYS | 0xF7BB6000 | 2944 | - | - | -
PartMgr.sys | PartMgr.sys | 0xF772C000 | 19712 | - | - | -
pci.sys | pci.sys | 0xF732C000 | 68224 | - | - | -
PCI_PNP3994 | \Driver\PCI_PNP3994 | 0x00000000 | 0 | No | - | -
pciide.sys | pciide.sys | 0xF7A6C000 | 3328 | - | - | -
PCIIDEX.SYS | C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS | 0xF7724000 | 28672 | - | - | -
PnpManager | \Driver\PnpManager | 0x804D7000 | 2260992 | - | - | -
psched.sys | C:\WINDOWS\system32\DRIVERS\psched.sys | 0xF7086000 | 69120 | - | - | -
ptilink.sys | C:\WINDOWS\system32\DRIVERS\ptilink.sys | 0xF77AC000 | 17792 | - | - | -
PxHelp20.sys | PxHelp20.sys | 0xF7734000 | 20000 | - | - | -
rasacd.sys | C:\WINDOWS\system32\DRIVERS\rasacd.sys | 0xF7143000 | 8832 | - | - | -
rasl2tp.sys | C:\WINDOWS\system32\DRIVERS\rasl2tp.sys | 0xF7534000 | 51328 | - | - | -
raspppoe.sys | C:\WINDOWS\system32\DRIVERS\raspppoe.sys | 0xF7544000 | 41472 | - | - | -
raspptp.sys | C:\WINDOWS\system32\DRIVERS\raspptp.sys | 0xF7554000 | 48384 | - | - | -
raspti.sys | C:\WINDOWS\system32\DRIVERS\raspti.sys | 0xF77BC000 | 16512 | - | - | -
RAW | \FileSystem\RAW | 0x804D7000 | 2260992 | - | - | -
rdbss.sys | C:\WINDOWS\system32\DRIVERS\rdbss.sys | 0xF6DFD000 | 175744 | - | - | -
RDPCDD.sys | C:\WINDOWS\System32\DRIVERS\RDPCDD.sys | 0xF79C2000 | 4224 | - | - | -
rdpdr.sys | C:\WINDOWS\system32\DRIVERS\rdpdr.sys | 0xF702E000 | 196224 | - | - | -
redbook.sys | C:\WINDOWS\system32\DRIVERS\redbook.sys | 0xF7514000 | 57600 | - | - | -
rootrepeal.sys | C:\WINDOWS\system32\drivers\rootrepeal.sys | 0xF640B000 | 49152 | No | - | -
SCSIPORT.SYS | C:\WINDOWS\System32\Drivers\SCSIPORT.SYS | 0xF736B000 | 98304 | - | - | -
spih.sys | spih.sys | 0xF7383000 | 1048576 | No | - | -
sptd | \Driver\sptd | 0x00000000 | 0 | No | - | -
sr.sys | sr.sys | 0xF729D000 | 73472 | - | - | -
srv.sys | C:\WINDOWS\system32\DRIVERS\srv.sys | 0xF658B000 | 333824 | - | - | -
swenum.sys | C:\WINDOWS\system32\DRIVERS\swenum.sys | 0xF79B2000 | 4352 | - | - | -
tcpip.sys | C:\WINDOWS\system32\DRIVERS\tcpip.sys | 0xF6EE7000 | 361600 | - | - | -
TDI.SYS | C:\WINDOWS\system32\DRIVERS\TDI.SYS | 0xF779C000 | 20480 | - | - | -
termdd.sys | C:\WINDOWS\system32\DRIVERS\termdd.sys | 0xF7574000 | 40704 | - | - | -
update.sys | C:\WINDOWS\system32\DRIVERS\update.sys | 0xF6FD0000 | 384768 | - | - | -
usbccgp.sys | C:\WINDOWS\system32\DRIVERS\usbccgp.sys | 0xF7874000 | 32128 | - | - | -
USBD.SYS | C:\WINDOWS\system32\DRIVERS\USBD.SYS | 0xF79BA000 | 8192 | - | - | -
usbehci.sys | C:\WINDOWS\system32\DRIVERS\usbehci.sys | 0xF7774000 | 30208 | - | - | -
usbhub.sys | C:\WINDOWS\system32\DRIVERS\usbhub.sys | 0xF7594000 | 59520 | - | - | -
USBPORT.SYS | C:\WINDOWS\system32\DRIVERS\USBPORT.SYS | 0xF70F7000 | 147456 | - | - | -
usbprint.sys | C:\WINDOWS\system32\DRIVERS\usbprint.sys | 0xF7884000 | 25856 | - | - | -
usbuhci.sys | C:\WINDOWS\system32\DRIVERS\usbuhci.sys | 0xF776C000 | 20608 | - | - | -
vga.sys | C:\WINDOWS\System32\drivers\vga.sys | 0xF781C000 | 20992 | - | - | -
VIDEOPRT.SYS | C:\WINDOWS\System32\drivers\VIDEOPRT.SYS | 0xF6F94000 | 81920 | - | - | -
VolSnap.sys | VolSnap.sys | 0xF74C4000 | 52352 | - | - | -
wanatw4.sys | C:\WINDOWS\system32\DRIVERS\wanatw4.sys | 0xF77C4000 | 20512 | - | - | -
watchdog.sys | C:\WINDOWS\System32\watchdog.sys | 0xF7744000 | 20480 | - | - | -
Win32k | \Driver\Win32k | 0xBF800000 | 1847296 | - | - | -
win32k.sys | C:\WINDOWS\System32\win32k.sys | 0xBF800000 | 1847296 | - | - | -
win32k.sys:1 | C:\WINDOWS\win32k.sys:1 | 0xF789C000 | 20480 | No | - | -
win32k.sys:2 | C:\WINDOWS\win32k.sys:2 | 0xF6D25000 | 61440 | No | - | -
WMILIB.SYS | C:\WINDOWS\System32\Drivers\WMILIB.SYS | 0xF79A6000 | 8192 | - | - | -
WMIxWDM | \Driver\WMIxWDM | 0x804D7000 | 2260992 | - | - | -
ws2ifsl.sys | C:\WINDOWS\System32\drivers\ws2ifsl.sys | 0xF7082000 | 12032 | - | - | -

*************************************************
Log file is located at: C:\Documents and Settings\Heidi Diaz\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\aolshare\aolshare

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP94D.tmp\ZAP94D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9C2.tmp\ZAP9C2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA7.tmp\ZAPA7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-10 05:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\helpsvc.exe (Microsoft Corporation)
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1201b6f74bae1015eceeea43baed9814\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\root\root

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Adobe\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-703702550-2982333712-3504602965-1006\S-1-5-21-703702550-2982333712-3504602965-1006

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\{4E3254D7-522A-412A-9296-3F4767B3A2CB}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{F1C15684-ECB6-4FBC-ACB7-3C90046CAE64}\{F1C15684-ECB6-4FBC-ACB7-3C90046CAE64}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-703702550-2982333712-3504602965-500\S-1-5-21-703702550-2982333712-3504602965-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\config\systemprofile\Application Data\twain_32\user.ds

[1] 2009-08-28 18:46:29 912 C:\WINDOWS\system32\config\systemprofile\Application Data\twain_32\user.ds ()

[1] 2009-08-26 12:16:41 0 C:\WINDOWS\system32\lowsec\user.ds ()

[1] 2009-08-28 17:11:18 0 C:\WINDOWS\system32\twain_32\user.ds ()
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-703702550-2982333712-3504602965-500\S-1-5-21-703702550-2982333712-3504602965-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-10 05:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()

[1] 2004-08-10 05:00:00 10752 C:\i386\dumprep.exe (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-10 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\LogFiles

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx

[1] 2009-02-02 22:07:18 3866528 C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx ()



Cannot access: C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe

[1] 2009-02-02 22:07:18 240544 C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe ()



Found mount point : C:\WINDOWS\system32\Macromed\Shockwave 10\Xtras\Xtras

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\wbem\Logs\FrameWork.log

[1] 2009-08-28 16:56:07 257 C:\WINDOWS\system32\wbem\Logs\FrameWork.log ()

[1] 2006-06-17 17:02:54 2366 C:\i386\FrameWork.log ()



Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\Temp\Cookies\index.dat

[1] 2008-12-25 21:47:31 88983 C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat ()

[1] 2009-08-28 16:55:33 49152 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat ()

[1] 2009-08-28 16:55:33 49152 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat ()

[1] 2009-07-08 13:26:21 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009070820090709\index.dat ()

[1] 2009-07-10 08:11:31 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009071020090711\index.dat ()

[1] 2009-08-25 12:18:50 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009082520090826\index.dat ()

[1] 2009-08-28 16:56:23 1802240 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat ()

[1] 2009-08-28 18:46:29 16384 C:\WINDOWS\Temp\Cookies\index.dat ()

[1] 2009-08-28 18:46:29 16384 C:\WINDOWS\Temp\History\History.IE5\index.dat ()

[1] 2009-08-28 18:46:29 32768 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat ()

[1] 2006-06-11 22:06:35 16384 C:\i386\index.dat ()



Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\Temp\History\History.IE5\index.dat

[1] 2008-12-25 21:47:31 88983 C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat ()

[1] 2009-08-28 16:55:33 49152 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat ()

[1] 2009-08-28 16:55:33 49152 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat ()

[1] 2009-07-08 13:26:21 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009070820090709\index.dat ()

[1] 2009-07-10 08:11:31 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009071020090711\index.dat ()

[1] 2009-08-25 12:18:50 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009082520090826\index.dat ()

[1] 2009-08-28 16:56:23 1802240 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat ()

[1] 2009-08-28 18:46:29 16384 C:\WINDOWS\Temp\Cookies\index.dat ()

[1] 2009-08-28 18:46:29 16384 C:\WINDOWS\Temp\History\History.IE5\index.dat ()

[1] 2009-08-28 18:46:29 32768 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat ()

[1] 2006-06-11 22:06:35 16384 C:\i386\index.dat ()



Found mount point : C:\WINDOWS\Temp\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00001\MCE00001

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00002\MCE00002

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00003\MCE00003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00004\MCE00004

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00005\MCE00005

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00006\MCE00006

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00007\MCE00007

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00008\MCE00008

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00009\MCE00009

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000a\MCE0000a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000b\MCE0000b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000c\MCE0000c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000d\MCE0000d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000e\MCE0000e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000f\MCE0000f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00010\MCE00010

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00011\MCE00011

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00012\MCE00012

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00013\MCE00013

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00014\MCE00014

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00015\MCE00015

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00016\MCE00016

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00017\MCE00017

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00018\MCE00018

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00019\MCE00019

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001a\MCE0001a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001b\MCE0001b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001c\MCE0001c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001d\MCE0001d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001e\MCE0001e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001f\MCE0001f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00020\MCE00020

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00021\MCE00021

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00022\MCE00022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00023\MCE00023

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00024\MCE00024

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00025\MCE00025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00026\MCE00026

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00027\MCE00027

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00028\MCE00028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00029\MCE00029

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002a\MCE0002a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002b\MCE0002b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002c\MCE0002c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002d\MCE0002d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002e\MCE0002e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002f\MCE0002f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00030\MCE00030

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00031\MCE00031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00032\MCE00032

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00033\MCE00033

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00034\MCE00034

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00035\MCE00035

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00036\MCE00036

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00037\MCE00037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00038\MCE00038

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00039\MCE00039

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003a\MCE0003a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003b\MCE0003b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003c\MCE0003c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003d\MCE0003d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003e\MCE0003e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003f\MCE0003f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00040\MCE00040

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00041\MCE00041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00042\MCE00042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00043\MCE00043

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00044\MCE00044

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00045\MCE00045

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00046\MCE00046

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00047\MCE00047

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00048\MCE00048

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00049\MCE00049

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004a\MCE0004a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004b\MCE0004b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004c\MCE0004c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004d\MCE0004d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004e\MCE0004e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004f\MCE0004f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00050\MCE00050

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00051\MCE00051

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00052\MCE00052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00053\MCE00053

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00054\MCE00054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00055\MCE00055

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00056\MCE00056

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00057\MCE00057

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00058\MCE00058

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00059\MCE00059

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005a\MCE0005a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005b\MCE0005b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005c\MCE0005c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005d\MCE0005d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005e\MCE0005e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005f\MCE0005f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00060\MCE00060

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00061\MCE00061

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00062\MCE00062

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00063\MCE00063

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00064\MCE00064

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00065\MCE00065

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00066\MCE00066

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00067\MCE00067

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00068\MCE00068

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00069\MCE00069

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0006a\MCE0006a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0006b\MCE0006b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\SEE2ECD.tmp\SEE2ECD.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\SEEAF.tmp\SEEAF.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\DRZPJX7R\desktop.ini

[1] 2005-08-16 04:39:16 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2005-08-16 04:42:12 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2005-08-16 21:11:46 170 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini ()

[1] 2005-08-16 04:50:28 122 C:\WINDOWS\system32\config\systemprofile\Favorites\Desktop.ini ()

[1] 2006-05-10 20:47:05 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\89YZO12R\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C06F4QY2\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TD2N5TAF\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UTP2D7MK\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZCEI4B1X\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2005-08-16 04:50:28 84 C:\WINDOWS\system32\config\systemprofile\My Documents\desktop.ini ()

[1] 2005-08-16 04:50:28 189 C:\WINDOWS\system32\config\systemprofile\My Documents\My Music\Desktop.ini ()

[1] 2005-08-16 04:50:28 191 C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Desktop.ini ()

[1] 2005-08-16 04:50:28 150 C:\WINDOWS\system32\config\systemprofile\Recent\Desktop.ini ()

[1] 2005-08-16 04:41:02 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2005-08-16 04:43:08 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2005-08-16 04:50:24 542 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2005-08-16 04:43:10 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2005-08-16 04:50:30 234 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2005-08-16 04:43:08 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2004-08-10 05:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2009-07-04 08:18:17 145 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()

[1] 2009-07-04 08:18:17 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\DRZPJX7R\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IN24NM9F\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WAG9F543\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y0ZZVW4L\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\i386\desktop.ini ()



Cannot access: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IN24NM9F\desktop.ini

[1] 2005-08-16 04:39:16 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2005-08-16 04:42:12 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2005-08-16 21:11:46 170 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini ()

[1] 2005-08-16 04:50:28 122 C:\WINDOWS\system32\config\systemprofile\Favorites\Desktop.ini ()

[1] 2006-05-10 20:47:05 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\89YZO12R\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C06F4QY2\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TD2N5TAF\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UTP2D7MK\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZCEI4B1X\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2005-08-16 04:50:28 84 C:\WINDOWS\system32\config\systemprofile\My Documents\desktop.ini ()

[1] 2005-08-16 04:50:28 189 C:\WINDOWS\system32\config\systemprofile\My Documents\My Music\Desktop.ini ()

[1] 2005-08-16 04:50:28 191 C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Desktop.ini ()

[1] 2005-08-16 04:50:28 150 C:\WINDOWS\system32\config\systemprofile\Recent\Desktop.ini ()

[1] 2005-08-16 04:41:02 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2005-08-16 04:43:08 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2005-08-16 04:50:24 542 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2005-08-16 04:43:10 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2005-08-16 04:50:30 234 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2005-08-16 04:43:08 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2004-08-10 05:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2009-07-04 08:18:17 145 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()

[1] 2009-07-04 08:18:17 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\DRZPJX7R\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IN24NM9F\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WAG9F543\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y0ZZVW4L\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\i386\desktop.ini ()



Cannot access: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat

[1] 2008-12-25 21:47:31 88983 C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat ()

[1] 2009-08-28 16:55:33 49152 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat ()

[1] 2009-08-28 16:55:33 49152 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat ()

[1] 2009-07-08 13:26:21 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009070820090709\index.dat ()

[1] 2009-07-10 08:11:31 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009071020090711\index.dat ()

[1] 2009-08-25 12:18:50 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009082520090826\index.dat ()

[1] 2009-08-28 16:56:23 1802240 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat ()

[1] 2009-08-28 18:46:29 16384 C:\WINDOWS\Temp\Cookies\index.dat ()

[1] 2009-08-28 18:46:29 16384 C:\WINDOWS\Temp\History\History.IE5\index.dat ()

[1] 2009-08-28 18:46:29 32768 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat ()

[1] 2006-06-11 22:06:35 16384 C:\i386\index.dat ()



Cannot access: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WAG9F543\desktop.ini

[1] 2005-08-16 04:39:16 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2005-08-16 04:42:12 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2005-08-16 21:11:46 170 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini ()

[1] 2005-08-16 04:50:28 122 C:\WINDOWS\system32\config\systemprofile\Favorites\Desktop.ini ()

[1] 2006-05-10 20:47:05 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\89YZO12R\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C06F4QY2\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TD2N5TAF\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UTP2D7MK\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZCEI4B1X\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2005-08-16 04:50:28 84 C:\WINDOWS\system32\config\systemprofile\My Documents\desktop.ini ()

[1] 2005-08-16 04:50:28 189 C:\WINDOWS\system32\config\systemprofile\My Documents\My Music\Desktop.ini ()

[1] 2005-08-16 04:50:28 191 C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Desktop.ini ()

[1] 2005-08-16 04:50:28 150 C:\WINDOWS\system32\config\systemprofile\Recent\Desktop.ini ()

[1] 2005-08-16 04:41:02 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2005-08-16 04:43:08 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2005-08-16 04:50:24 542 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2005-08-16 04:43:10 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2005-08-16 04:50:30 234 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2005-08-16 04:43:08 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2004-08-10 05:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2009-07-04 08:18:17 145 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()

[1] 2009-07-04 08:18:17 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\DRZPJX7R\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IN24NM9F\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WAG9F543\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y0ZZVW4L\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\i386\desktop.ini ()



Cannot access: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y0ZZVW4L\desktop.ini

[1] 2005-08-16 04:39:16 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2005-08-16 04:42:12 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2005-08-16 21:11:46 170 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini ()

[1] 2005-08-16 04:50:28 122 C:\WINDOWS\system32\config\systemprofile\Favorites\Desktop.ini ()

[1] 2006-05-10 20:47:05 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\89YZO12R\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C06F4QY2\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TD2N5TAF\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UTP2D7MK\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZCEI4B1X\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2005-08-16 04:50:28 84 C:\WINDOWS\system32\config\systemprofile\My Documents\desktop.ini ()

[1] 2005-08-16 04:50:28 189 C:\WINDOWS\system32\config\systemprofile\My Documents\My Music\Desktop.ini ()

[1] 2005-08-16 04:50:28 191 C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Desktop.ini ()

[1] 2005-08-16 04:50:28 150 C:\WINDOWS\system32\config\systemprofile\Recent\Desktop.ini ()

[1] 2005-08-16 04:41:02 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2005-08-16 04:43:08 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2005-08-16 04:50:24 542 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2005-08-16 04:43:10 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2005-08-16 04:50:30 234 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2005-08-16 04:43:08 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2004-08-10 05:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2009-07-04 08:18:17 145 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()

[1] 2009-07-04 08:18:17 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\DRZPJX7R\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IN24NM9F\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WAG9F543\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y0ZZVW4L\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\i386\desktop.ini ()



Found mount point : C:\WINDOWS\Temp\WERa67b.dir00\WERa67b.dir00

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\~nsu.tmp\~nsu.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_c8be176f\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_c8be176f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790

Mount point destination : \Device\__max++>\^

Finished!

Edited by SifuMike, 29 August 2009 - 09:54 PM.
insert logs



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:37 AM

Posted 29 August 2009 - 09:57 PM

Hello w3azl3,


This is a nasty Rootkit! :)

We will need to take this cleanup in phases. You are not clean until I tell you so - even if it appears that everything is running fine!

Let's begin....

==========

Step 1

Please save this file to your desktop. Click on Start->Run, copy-paste the following command into the "Open" box, and click OK:

    "%userprofile%\desktop\win32kdiag.exe" -f -r
When it's finished, there will be a log called Win32kDiag.txt on your desktop.
Please open it with notepad and post the contents here.

==========

Step 2

Please do this:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire command below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).


    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
==========

Step 3

Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
==========

With your next post please provide:

* Win32kDiag.txt
* Avenger.txt
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
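
The two indicators SifuMike's procedure rests on can be pulled out of a Win32kDiag log mechanically: a "Found mount point" whose destination is a device object (\Device\__max++>\^) rather than a \??\ volume path, and a "Cannot access" file whose live system32 copy disagrees in size or vendor string with the ServicePackFiles\i386 copy that Step 2 copies back. The script below is an added example, not code from the thread, from BleepingComputer or from Win32kDiag's author; the sample lines are constructed in Win32kDiag's line format, and REFERENCE_DIR, LIVE_DIR and the field names are my own choices. It also shows why the timestamp alone is not enough: the sample's tampered eventlog.dll carries the same date as the clean copies, exactly as a timestomped replacement would.

```python
"""Added triage helper for Win32kDiag output (example code, not part of the
thread or of Win32kDiag itself). Two checks:
  1. junctions whose target is a device object rather than a \\??\\ volume path
  2. system32 files whose live copy disagrees in size or vendor string with
     the ServicePackFiles\\i386 reference copy
"""
import re
from collections import defaultdict

# Constructed sample lines in Win32kDiag's format (abbreviated; not the
# poster's full log). The live eventlog.dll keeps the timestamp of the clean
# copies, so only its size and the empty company string give it away.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\Temp\~nsu.tmp\~nsu.tmp
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-10 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\dumprep.exe
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe (Microsoft Corporation)
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
# "[n] YYYY-MM-DD HH:MM:SS size path (company)"; the company string may be empty
FILE_RE = re.compile(r"^\[\d+\] (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (.+?) \((.*)\)$")

REFERENCE_DIR = "\\servicepackfiles\\i386\\"  # assumed known-good baseline (the SP3 copy)
LIVE_DIR = "\\system32\\"                     # the copy Windows actually loads


def parse_log(text):
    """Return (mounts, files): mounts is a list of (junction, target) pairs,
    files maps a lower-cased basename to every copy the log lists for it."""
    mounts, files = [], defaultdict(list)
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
            continue
        m = FILE_RE.match(line)
        if m:
            mtime, size, path, company = m.groups()
            name = path.rsplit("\\", 1)[-1].lower()
            files[name].append({"mtime": mtime, "size": int(size),
                                "path": path, "company": company})
    return mounts, files


def suspicious_mounts(mounts):
    """A junction under %WINDIR% whose target names a device object instead of
    a \\??\\ volume path is not something Windows or an installer creates."""
    return [(src, dst) for src, dst in mounts if not dst.upper().startswith("\\??\\")]


def tampered_files(files):
    """Compare each live system32 copy with the ServicePackFiles\\i386 copy.
    Flag a size mismatch or a missing vendor string, and record whether the
    modification time was left equal to the reference (timestomped)."""
    findings = []
    for name, copies in files.items():
        ref = next((c for c in copies if REFERENCE_DIR in c["path"].lower()), None)
        live = next((c for c in copies if LIVE_DIR in c["path"].lower()), None)
        if ref is None or live is None:
            continue  # nothing to compare against (e.g. logevent.dll above)
        size_diff = live["size"] != ref["size"]
        no_vendor = live["company"] == ""
        if size_diff or no_vendor:
            findings.append({"file": name, "live": live["path"],
                             "live_size": live["size"], "ref_size": ref["size"],
                             "vendor_missing": no_vendor,
                             "timestomped": live["mtime"] == ref["mtime"],
                             "restore_from": ref["path"]})
    return findings


def report(text=SAMPLE_LOG):
    """One line per finding, in the order a responder would act on them."""
    mounts, files = parse_log(text)
    lines = [f"JUNCTION  {src} -> {dst}" for src, dst in suspicious_mounts(mounts)]
    for f in tampered_files(files):
        note = ("timestamp matches reference (timestomped)" if f["timestomped"]
                else "timestamp differs from reference")
        lines.append(f"TAMPERED  {f['live']} size={f['live_size']} ref={f['ref_size']} "
                     f"vendor_missing={f['vendor_missing']}; {note}; "
                     f"restore from {f['restore_from']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On the sample the report names the one junction and flags only eventlog.dll (62464 bytes, no vendor string, date identical to the clean copy); dumprep.exe, which was also "Cannot access" in the real log, matches its reference in size and vendor and is left alone. The restore_from path is the same file SifuMike's Step 2 copies to C:\ for The Avenger to move into place.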

#3 w3azl3

w3azl3
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:37 AM

Posted 29 August 2009 - 11:41 PM

Hello SifuMike, thanks for helping me.

The two logs you've asked for are here, starting with Win32k:

Log file is located at: C:\Documents and Settings\Heidi Diaz\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\aolshare\aolshare

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\aolshare\aolshare

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP94D.tmp\ZAP94D.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP94D.tmp\ZAP94D.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9C2.tmp\ZAP9C2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9C2.tmp\ZAP9C2.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA7.tmp\ZAPA7.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA7.tmp\ZAPA7.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\occache\occache

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-10 05:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1201b6f74bae1015eceeea43baed9814\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\1201b6f74bae1015eceeea43baed9814\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\root\root

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\root\root

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\Adobe\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Adobe\update\update

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-703702550-2982333712-3504602965-1006\S-1-5-21-703702550-2982333712-3504602965-1006

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-703702550-2982333712-3504602965-1006\S-1-5-21-703702550-2982333712-3504602965-1006

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\{4E3254D7-522A-412A-9296-3F4767B3A2CB}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\{4E3254D7-522A-412A-9296-3F4767B3A2CB}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{F1C15684-ECB6-4FBC-ACB7-3C90046CAE64}\{F1C15684-ECB6-4FBC-ACB7-3C90046CAE64}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{F1C15684-ECB6-4FBC-ACB7-3C90046CAE64}\{F1C15684-ECB6-4FBC-ACB7-3C90046CAE64}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-703702550-2982333712-3504602965-500\S-1-5-21-703702550-2982333712-3504602965-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-703702550-2982333712-3504602965-500\S-1-5-21-703702550-2982333712-3504602965-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Cannot access: C:\WINDOWS\system32\config\systemprofile\Application Data\twain_32\user.ds

Attempting to restore permissions of : C:\WINDOWS\system32\config\systemprofile\Application Data\twain_32\user.ds

[1] 2009-08-29 17:11:28 1254 C:\WINDOWS\system32\config\systemprofile\Application Data\twain_32\user.ds ()

[1] 2009-08-26 12:16:41 0 C:\WINDOWS\system32\lowsec\user.ds ()

[1] 2009-08-29 23:06:25 0 C:\WINDOWS\system32\twain_32\user.ds ()



Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-703702550-2982333712-3504602965-500\S-1-5-21-703702550-2982333712-3504602965-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-703702550-2982333712-3504602965-500\S-1-5-21-703702550-2982333712-3504602965-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-10 05:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe (Microsoft Corporation)

[1] 2004-08-10 05:00:00 10752 C:\i386\dumprep.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-10 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\LogFiles\LogFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\LogFiles\LogFiles

Cannot access: C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx

Attempting to restore permissions of : C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx

[1] 2009-02-02 22:07:18 3866528 C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx ()



Cannot access: C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe

Attempting to restore permissions of : C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe

[1] 2009-02-02 22:07:18 240544 C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (Adobe Systems, Inc.)



Found mount point : C:\WINDOWS\system32\Macromed\Shockwave 10\Xtras\Xtras

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\Shockwave 10\Xtras\Xtras

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Cannot access: C:\WINDOWS\system32\wbem\Logs\FrameWork.log

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\Logs\FrameWork.log

[1] 2009-08-29 17:11:28 724 C:\WINDOWS\system32\wbem\Logs\FrameWork.log ()

[1] 2006-06-17 17:02:54 2366 C:\i386\FrameWork.log ()



Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Cannot access: C:\WINDOWS\Temp\Cookies\index.dat

Attempting to restore permissions of : C:\WINDOWS\Temp\Cookies\index.dat

[1] 2008-12-25 21:47:31 88983 C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat ()

[1] 2009-08-29 17:10:53 49152 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat ()

[1] 2009-08-29 17:10:53 49152 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat ()

[1] 2009-07-08 13:26:21 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009070820090709\index.dat ()

[1] 2009-07-10 08:11:31 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009071020090711\index.dat ()

[1] 2009-08-25 12:18:50 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009082520090826\index.dat ()

[1] 2009-08-29 17:10:53 1802240 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat ()

[1] 2009-08-29 17:11:27 16384 C:\WINDOWS\Temp\Cookies\index.dat ()

[1] 2009-08-29 17:11:27 16384 C:\WINDOWS\Temp\History\History.IE5\index.dat ()

[1] 2009-08-29 17:11:27 32768 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat ()

[1] 2006-06-11 22:06:35 16384 C:\i386\index.dat ()



Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Cannot access: C:\WINDOWS\Temp\History\History.IE5\index.dat

Attempting to restore permissions of : C:\WINDOWS\Temp\History\History.IE5\index.dat

[1] 2008-12-25 21:47:31 88983 C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat ()

[1] 2009-08-29 17:10:53 49152 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat ()

[1] 2009-08-29 17:10:53 49152 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat ()

[1] 2009-07-08 13:26:21 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009070820090709\index.dat ()

[1] 2009-07-10 08:11:31 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009071020090711\index.dat ()

[1] 2009-08-25 12:18:50 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009082520090826\index.dat ()

[1] 2009-08-29 17:10:53 1802240 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat ()

[1] 2009-08-29 17:11:27 16384 C:\WINDOWS\Temp\Cookies\index.dat ()

[1] 2009-08-29 17:11:27 16384 C:\WINDOWS\Temp\History\History.IE5\index.dat ()

[1] 2009-08-29 17:11:27 32768 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat ()

[1] 2006-06-11 22:06:35 16384 C:\i386\index.dat ()



Found mount point : C:\WINDOWS\Temp\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00000\MCE00000

Found mount point : C:\WINDOWS\Temp\MCE00001\MCE00001

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00001\MCE00001

Found mount point : C:\WINDOWS\Temp\MCE00002\MCE00002

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00002\MCE00002

Found mount point : C:\WINDOWS\Temp\MCE00003\MCE00003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00003\MCE00003

Found mount point : C:\WINDOWS\Temp\MCE00004\MCE00004

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00004\MCE00004

Found mount point : C:\WINDOWS\Temp\MCE00005\MCE00005

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00005\MCE00005

Found mount point : C:\WINDOWS\Temp\MCE00006\MCE00006

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00006\MCE00006

Found mount point : C:\WINDOWS\Temp\MCE00007\MCE00007

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00007\MCE00007

Found mount point : C:\WINDOWS\Temp\MCE00008\MCE00008

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00008\MCE00008

Found mount point : C:\WINDOWS\Temp\MCE00009\MCE00009

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00009\MCE00009

Found mount point : C:\WINDOWS\Temp\MCE0000a\MCE0000a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0000a\MCE0000a

Found mount point : C:\WINDOWS\Temp\MCE0000b\MCE0000b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0000b\MCE0000b

Found mount point : C:\WINDOWS\Temp\MCE0000c\MCE0000c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0000c\MCE0000c

Found mount point : C:\WINDOWS\Temp\MCE0000d\MCE0000d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0000d\MCE0000d

Found mount point : C:\WINDOWS\Temp\MCE0000e\MCE0000e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0000e\MCE0000e

Found mount point : C:\WINDOWS\Temp\MCE0000f\MCE0000f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0000f\MCE0000f

Found mount point : C:\WINDOWS\Temp\MCE00010\MCE00010

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00010\MCE00010

Found mount point : C:\WINDOWS\Temp\MCE00011\MCE00011

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00011\MCE00011

Found mount point : C:\WINDOWS\Temp\MCE00012\MCE00012

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00012\MCE00012

Found mount point : C:\WINDOWS\Temp\MCE00013\MCE00013

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00013\MCE00013

Found mount point : C:\WINDOWS\Temp\MCE00014\MCE00014

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00014\MCE00014

Found mount point : C:\WINDOWS\Temp\MCE00015\MCE00015

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00015\MCE00015

Found mount point : C:\WINDOWS\Temp\MCE00016\MCE00016

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00016\MCE00016

Found mount point : C:\WINDOWS\Temp\MCE00017\MCE00017

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00017\MCE00017

Found mount point : C:\WINDOWS\Temp\MCE00018\MCE00018

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00018\MCE00018

Found mount point : C:\WINDOWS\Temp\MCE00019\MCE00019

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00019\MCE00019

Found mount point : C:\WINDOWS\Temp\MCE0001a\MCE0001a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0001a\MCE0001a

Found mount point : C:\WINDOWS\Temp\MCE0001b\MCE0001b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0001b\MCE0001b

Found mount point : C:\WINDOWS\Temp\MCE0001c\MCE0001c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0001c\MCE0001c

Found mount point : C:\WINDOWS\Temp\MCE0001d\MCE0001d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0001d\MCE0001d

Found mount point : C:\WINDOWS\Temp\MCE0001e\MCE0001e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0001e\MCE0001e

Found mount point : C:\WINDOWS\Temp\MCE0001f\MCE0001f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0001f\MCE0001f

Found mount point : C:\WINDOWS\Temp\MCE00020\MCE00020

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00020\MCE00020

Found mount point : C:\WINDOWS\Temp\MCE00021\MCE00021

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00021\MCE00021

Found mount point : C:\WINDOWS\Temp\MCE00022\MCE00022

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00022\MCE00022

Found mount point : C:\WINDOWS\Temp\MCE00023\MCE00023

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00023\MCE00023

Found mount point : C:\WINDOWS\Temp\MCE00024\MCE00024

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00024\MCE00024

Found mount point : C:\WINDOWS\Temp\MCE00025\MCE00025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00025\MCE00025

Found mount point : C:\WINDOWS\Temp\MCE00026\MCE00026

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00026\MCE00026

Found mount point : C:\WINDOWS\Temp\MCE00027\MCE00027

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00027\MCE00027

Found mount point : C:\WINDOWS\Temp\MCE00028\MCE00028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00028\MCE00028

Found mount point : C:\WINDOWS\Temp\MCE00029\MCE00029

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00029\MCE00029

Found mount point : C:\WINDOWS\Temp\MCE0002a\MCE0002a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0002a\MCE0002a

Found mount point : C:\WINDOWS\Temp\MCE0002b\MCE0002b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0002b\MCE0002b

Found mount point : C:\WINDOWS\Temp\MCE0002c\MCE0002c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0002c\MCE0002c

Found mount point : C:\WINDOWS\Temp\MCE0002d\MCE0002d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0002d\MCE0002d

Found mount point : C:\WINDOWS\Temp\MCE0002e\MCE0002e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0002e\MCE0002e

Found mount point : C:\WINDOWS\Temp\MCE0002f\MCE0002f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0002f\MCE0002f

Found mount point : C:\WINDOWS\Temp\MCE00030\MCE00030

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00030\MCE00030

Found mount point : C:\WINDOWS\Temp\MCE00031\MCE00031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00031\MCE00031

Found mount point : C:\WINDOWS\Temp\MCE00032\MCE00032

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00032\MCE00032

Found mount point : C:\WINDOWS\Temp\MCE00033\MCE00033

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00033\MCE00033

Found mount point : C:\WINDOWS\Temp\MCE00034\MCE00034

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00034\MCE00034

Found mount point : C:\WINDOWS\Temp\MCE00035\MCE00035

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00035\MCE00035

Found mount point : C:\WINDOWS\Temp\MCE00036\MCE00036

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00036\MCE00036

Found mount point : C:\WINDOWS\Temp\MCE00037\MCE00037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00037\MCE00037

Found mount point : C:\WINDOWS\Temp\MCE00038\MCE00038

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00038\MCE00038

Found mount point : C:\WINDOWS\Temp\MCE00039\MCE00039

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00039\MCE00039

Found mount point : C:\WINDOWS\Temp\MCE0003a\MCE0003a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0003a\MCE0003a

Found mount point : C:\WINDOWS\Temp\MCE0003b\MCE0003b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0003b\MCE0003b

Found mount point : C:\WINDOWS\Temp\MCE0003c\MCE0003c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0003c\MCE0003c

Found mount point : C:\WINDOWS\Temp\MCE0003d\MCE0003d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0003d\MCE0003d

Found mount point : C:\WINDOWS\Temp\MCE0003e\MCE0003e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0003e\MCE0003e

Found mount point : C:\WINDOWS\Temp\MCE0003f\MCE0003f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0003f\MCE0003f

Found mount point : C:\WINDOWS\Temp\MCE00040\MCE00040

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00040\MCE00040

Found mount point : C:\WINDOWS\Temp\MCE00041\MCE00041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00041\MCE00041

Found mount point : C:\WINDOWS\Temp\MCE00042\MCE00042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00042\MCE00042

Found mount point : C:\WINDOWS\Temp\MCE00043\MCE00043

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00043\MCE00043

Found mount point : C:\WINDOWS\Temp\MCE00044\MCE00044

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00044\MCE00044

Found mount point : C:\WINDOWS\Temp\MCE00045\MCE00045

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00045\MCE00045

Found mount point : C:\WINDOWS\Temp\MCE00046\MCE00046

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00046\MCE00046

Found mount point : C:\WINDOWS\Temp\MCE00047\MCE00047

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00047\MCE00047

Found mount point : C:\WINDOWS\Temp\MCE00048\MCE00048

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00048\MCE00048

Found mount point : C:\WINDOWS\Temp\MCE00049\MCE00049

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00049\MCE00049

Found mount point : C:\WINDOWS\Temp\MCE0004a\MCE0004a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0004a\MCE0004a

Found mount point : C:\WINDOWS\Temp\MCE0004b\MCE0004b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0004b\MCE0004b

Found mount point : C:\WINDOWS\Temp\MCE0004c\MCE0004c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0004c\MCE0004c

Found mount point : C:\WINDOWS\Temp\MCE0004d\MCE0004d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0004d\MCE0004d

Found mount point : C:\WINDOWS\Temp\MCE0004e\MCE0004e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0004e\MCE0004e

Found mount point : C:\WINDOWS\Temp\MCE0004f\MCE0004f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0004f\MCE0004f

Found mount point : C:\WINDOWS\Temp\MCE00050\MCE00050

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00050\MCE00050

Found mount point : C:\WINDOWS\Temp\MCE00051\MCE00051

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00051\MCE00051

Found mount point : C:\WINDOWS\Temp\MCE00052\MCE00052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00052\MCE00052

Found mount point : C:\WINDOWS\Temp\MCE00053\MCE00053

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00053\MCE00053

Found mount point : C:\WINDOWS\Temp\MCE00054\MCE00054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00054\MCE00054

Found mount point : C:\WINDOWS\Temp\MCE00055\MCE00055

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00055\MCE00055

Found mount point : C:\WINDOWS\Temp\MCE00056\MCE00056

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00056\MCE00056

Found mount point : C:\WINDOWS\Temp\MCE00057\MCE00057

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00057\MCE00057

Found mount point : C:\WINDOWS\Temp\MCE00058\MCE00058

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00058\MCE00058

Found mount point : C:\WINDOWS\Temp\MCE00059\MCE00059

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00059\MCE00059

Found mount point : C:\WINDOWS\Temp\MCE0005a\MCE0005a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0005a\MCE0005a

Found mount point : C:\WINDOWS\Temp\MCE0005b\MCE0005b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0005b\MCE0005b

Found mount point : C:\WINDOWS\Temp\MCE0005c\MCE0005c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0005c\MCE0005c

Found mount point : C:\WINDOWS\Temp\MCE0005d\MCE0005d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0005d\MCE0005d

Found mount point : C:\WINDOWS\Temp\MCE0005e\MCE0005e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0005e\MCE0005e

Found mount point : C:\WINDOWS\Temp\MCE0005f\MCE0005f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0005f\MCE0005f

Found mount point : C:\WINDOWS\Temp\MCE00060\MCE00060

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00060\MCE00060

Found mount point : C:\WINDOWS\Temp\MCE00061\MCE00061

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00061\MCE00061

Found mount point : C:\WINDOWS\Temp\MCE00062\MCE00062

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00062\MCE00062

Found mount point : C:\WINDOWS\Temp\MCE00063\MCE00063

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00063\MCE00063

Found mount point : C:\WINDOWS\Temp\MCE00064\MCE00064

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00064\MCE00064

Found mount point : C:\WINDOWS\Temp\MCE00065\MCE00065

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00065\MCE00065

Found mount point : C:\WINDOWS\Temp\MCE00066\MCE00066

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00066\MCE00066

Found mount point : C:\WINDOWS\Temp\MCE00067\MCE00067

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00067\MCE00067

Found mount point : C:\WINDOWS\Temp\MCE00068\MCE00068

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00068\MCE00068

Found mount point : C:\WINDOWS\Temp\MCE00069\MCE00069

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00069\MCE00069

Found mount point : C:\WINDOWS\Temp\MCE0006a\MCE0006a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0006a\MCE0006a

Found mount point : C:\WINDOWS\Temp\MCE0006b\MCE0006b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0006b\MCE0006b

Found mount point : C:\WINDOWS\Temp\SEE2ECD.tmp\SEE2ECD.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\SEE2ECD.tmp\SEE2ECD.tmp

Found mount point : C:\WINDOWS\Temp\SEEAF.tmp\SEEAF.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\SEEAF.tmp\SEEAF.tmp

Found mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Cannot access: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\DRZPJX7R\desktop.ini

Attempting to restore permissions of : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\DRZPJX7R\desktop.ini

[1] 2005-08-16 04:39:16 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2005-08-16 04:42:12 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2005-08-16 21:11:46 170 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini ()

[1] 2005-08-16 04:50:28 122 C:\WINDOWS\system32\config\systemprofile\Favorites\Desktop.ini ()

[1] 2006-05-10 20:47:05 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\89YZO12R\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C06F4QY2\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TD2N5TAF\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UTP2D7MK\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZCEI4B1X\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2005-08-16 04:50:28 84 C:\WINDOWS\system32\config\systemprofile\My Documents\desktop.ini ()

[1] 2005-08-16 04:50:28 189 C:\WINDOWS\system32\config\systemprofile\My Documents\My Music\Desktop.ini ()

[1] 2005-08-16 04:50:28 191 C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Desktop.ini ()

[1] 2005-08-16 04:50:28 150 C:\WINDOWS\system32\config\systemprofile\Recent\Desktop.ini ()

[1] 2005-08-16 04:41:02 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2005-08-16 04:43:08 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2005-08-16 04:50:24 542 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2005-08-16 04:43:10 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2005-08-16 04:50:30 234 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2005-08-16 04:43:08 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2004-08-10 05:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2009-07-04 08:18:17 145 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()

[1] 2009-07-04 08:18:17 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\DRZPJX7R\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IN24NM9F\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WAG9F543\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y0ZZVW4L\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\i386\desktop.ini ()



Cannot access: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IN24NM9F\desktop.ini

Attempting to restore permissions of : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IN24NM9F\desktop.ini

[1] 2005-08-16 04:39:16 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2005-08-16 04:42:12 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2005-08-16 21:11:46 170 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini ()

[1] 2005-08-16 04:50:28 122 C:\WINDOWS\system32\config\systemprofile\Favorites\Desktop.ini ()

[1] 2006-05-10 20:47:05 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\89YZO12R\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C06F4QY2\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TD2N5TAF\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UTP2D7MK\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZCEI4B1X\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2005-08-16 04:50:28 84 C:\WINDOWS\system32\config\systemprofile\My Documents\desktop.ini ()

[1] 2005-08-16 04:50:28 189 C:\WINDOWS\system32\config\systemprofile\My Documents\My Music\Desktop.ini ()

[1] 2005-08-16 04:50:28 191 C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Desktop.ini ()

[1] 2005-08-16 04:50:28 150 C:\WINDOWS\system32\config\systemprofile\Recent\Desktop.ini ()

[1] 2005-08-16 04:41:02 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2005-08-16 04:43:08 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2005-08-16 04:50:24 542 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2005-08-16 04:43:10 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2005-08-16 04:50:30 234 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2005-08-16 04:43:08 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2004-08-10 05:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2009-07-04 08:18:17 145 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()

[1] 2009-07-04 08:18:17 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\DRZPJX7R\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IN24NM9F\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WAG9F543\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y0ZZVW4L\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\i386\desktop.ini ()



Cannot access: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat

Attempting to restore permissions of : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat

[1] 2008-12-25 21:47:31 88983 C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat ()

[1] 2009-08-29 17:10:53 49152 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat ()

[1] 2009-08-29 17:10:53 49152 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat ()

[1] 2009-07-08 13:26:21 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009070820090709\index.dat ()

[1] 2009-07-10 08:11:31 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009071020090711\index.dat ()

[1] 2009-08-25 12:18:50 32768 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009082520090826\index.dat ()

[1] 2009-08-29 17:10:53 1802240 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat ()

[1] 2009-08-29 17:11:27 16384 C:\WINDOWS\Temp\Cookies\index.dat ()

[1] 2009-08-29 17:11:27 16384 C:\WINDOWS\Temp\History\History.IE5\index.dat ()

[1] 2009-08-29 17:11:27 32768 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat ()

[1] 2006-06-11 22:06:35 16384 C:\i386\index.dat ()



Cannot access: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WAG9F543\desktop.ini

Attempting to restore permissions of : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WAG9F543\desktop.ini

[1] 2005-08-16 04:39:16 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2005-08-16 04:42:12 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2005-08-16 21:11:46 170 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini ()

[1] 2005-08-16 04:50:28 122 C:\WINDOWS\system32\config\systemprofile\Favorites\Desktop.ini ()

[1] 2006-05-10 20:47:05 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\89YZO12R\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C06F4QY2\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TD2N5TAF\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UTP2D7MK\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZCEI4B1X\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2005-08-16 04:50:28 84 C:\WINDOWS\system32\config\systemprofile\My Documents\desktop.ini ()

[1] 2005-08-16 04:50:28 189 C:\WINDOWS\system32\config\systemprofile\My Documents\My Music\Desktop.ini ()

[1] 2005-08-16 04:50:28 191 C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Desktop.ini ()

[1] 2005-08-16 04:50:28 150 C:\WINDOWS\system32\config\systemprofile\Recent\Desktop.ini ()

[1] 2005-08-16 04:41:02 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2005-08-16 04:43:08 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2005-08-16 04:50:24 542 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2005-08-16 04:43:10 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2005-08-16 04:50:30 234 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2005-08-16 04:43:08 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2004-08-10 05:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2009-07-04 08:18:17 145 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()

[1] 2009-07-04 08:18:17 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\DRZPJX7R\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IN24NM9F\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WAG9F543\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y0ZZVW4L\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\i386\desktop.ini ()



Cannot access: C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y0ZZVW4L\desktop.ini

Attempting to restore permissions of : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y0ZZVW4L\desktop.ini

[1] 2005-08-16 04:39:16 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2005-08-16 04:42:12 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2005-08-16 04:41:00 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2005-08-16 21:11:46 170 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini ()

[1] 2005-08-16 04:50:28 122 C:\WINDOWS\system32\config\systemprofile\Favorites\Desktop.ini ()

[1] 2006-05-10 20:47:05 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2006-06-11 22:02:30 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\89YZO12R\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C06F4QY2\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TD2N5TAF\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UTP2D7MK\desktop.ini ()

[1] 2009-08-24 07:01:36 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZCEI4B1X\desktop.ini ()

[1] 2006-06-11 22:02:30 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2005-08-16 04:50:28 84 C:\WINDOWS\system32\config\systemprofile\My Documents\desktop.ini ()

[1] 2005-08-16 04:50:28 189 C:\WINDOWS\system32\config\systemprofile\My Documents\My Music\Desktop.ini ()

[1] 2005-08-16 04:50:28 191 C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Desktop.ini ()

[1] 2005-08-16 04:50:28 150 C:\WINDOWS\system32\config\systemprofile\Recent\Desktop.ini ()

[1] 2005-08-16 04:41:02 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2005-08-16 04:43:08 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2005-08-16 04:50:24 542 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2005-08-16 04:43:10 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2005-08-16 04:50:30 234 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2005-08-16 04:43:08 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2004-08-10 05:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2004-08-10 05:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2009-07-04 08:18:17 145 C:\WINDOWS\Temp\History\History.IE5\desktop.ini ()

[1] 2009-07-04 08:18:17 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\DRZPJX7R\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\IN24NM9F\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WAG9F543\desktop.ini ()

[1] 2009-08-28 16:49:53 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y0ZZVW4L\desktop.ini ()

[1] 2005-08-16 04:33:26 62 C:\i386\desktop.ini ()



Found mount point : C:\WINDOWS\Temp\WERa67b.dir00\WERa67b.dir00

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WERa67b.dir00\WERa67b.dir00

Found mount point : C:\WINDOWS\Temp\~nsu.tmp\~nsu.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\~nsu.tmp\~nsu.tmp

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_c8be176f\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_c8be176f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_c8be176f\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_c8be176f

Found mount point : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790

Finished!

*******************************************

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
Hidden driver "e886372a" found!
DisplayName: Microsoft DDE+ server
ImagePath: C:\WINDOWS\system32\.e886372a\e886372a.exe
Start Type: 2 (Automatic)

Rootkit scan completed.

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.



Edited by SifuMike, 30 August 2009 - 12:12 AM.
insert logs for ease of reading
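The Win32kDiag section of the log above reports several "mount points" whose destination is `\Device\__max++>\^` and whose folder carries the same name as its parent (for example `C:\WINDOWS\Temp\~nsu.tmp\~nsu.tmp`). The following is an added example, not Win32kDiag's own code or anything posted in this thread: a small Python parser that reads those found/destination pairs out of a Win32kDiag log and flags the two properties visible in the hits above. The benign volume mount point in the sample (its path and GUID) is constructed for contrast, and the checks are assumptions about what a normally created mount point looks like (a real volume mount point resolves to `\??\Volume{GUID}\`, a directory junction to `\??\C:\...`).

```python
r"""Flag suspicious mount points in a Win32kDiag log.

Added example for this thread, not Win32kDiag's own code. It reads the
"Found mount point" / "Mount point destination" pairs that Win32kDiag prints
and applies two checks to each: whether the destination lives in the \??\
object namespace that real volume mount points (\??\Volume{GUID}\) and
directory junctions (\??\C:\...) resolve into, and whether the mount point is
a subfolder carrying the same name as its parent, the layout seen in every
hit in the log above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: three entries taken from the Win32kDiag log above
# plus one ordinary volume mount point (assumed path and GUID) for contrast.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\Temp\~nsu.tmp\~nsu.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\~nsu.tmp\~nsu.tmp

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\Mount\Data

Mount point destination : \??\Volume{12345678-0000-0000-0000-000000000000}\
"""

NT_PREFIX = "\\??\\"
# Characters that cannot occur in an NTFS path component (the drive colon is
# allowed). A destination containing one was not written through the normal
# file-system APIs.
INVALID_CHARS = set('<>"|?*')

# "Found mount point : X" followed, after blank lines, by "Mount point destination : Y"
PAIR_RE = re.compile(r"Found mount point : (.+)\s+Mount point destination : (.+)")


@dataclass
class MountPoint:
    path: str
    destination: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.reasons)


def assess(path, destination):
    """Return a MountPoint with a reason recorded for every failed check."""
    mp = MountPoint(path.strip(), destination.strip())
    dest = mp.destination
    if dest.startswith(NT_PREFIX):
        body = dest[len(NT_PREFIX):]
    else:
        body = dest
        mp.reasons.append("destination is outside the \\??\\ namespace")
    if INVALID_CHARS & set(body):
        mp.reasons.append("destination contains characters invalid in an NTFS path")
    parts = [p for p in mp.path.split("\\") if p]
    if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
        mp.reasons.append("mount point is a same-named subfolder of its parent")
    return mp


def parse_mount_points(log_text):
    """Parse every found/destination pair in a Win32kDiag log, in log order."""
    return [assess(p, d) for p, d in PAIR_RE.findall(log_text)]


def suspicious_mount_points(log_text):
    """Only the entries that failed at least one check."""
    return [mp for mp in parse_mount_points(log_text) if mp.suspicious]


if __name__ == "__main__":
    for mp in suspicious_mount_points(SAMPLE_LOG):
        print(mp.path, "->", mp.destination)
        for reason in mp.reasons:
            print("   ", reason)
```

Run against the sample, the two entries copied from the log fail all three checks and the constructed volume mount point passes them all. On a live system the same checks would be applied to the reparse data read from each junction rather than to a log, but the indicators are the same.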


#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:37 AM

Posted 30 August 2009 - 12:08 AM

Hi w3azl3

Please DO NOT attach your logs. They are too hard to read that way.

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook and copy/paste the following into the box:
    :filefind 
    eventlog.dll
  • Hit the Look button and let it finish the scan.
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply.
******************

What antivirus are you using?


Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

Edited by SifuMike, 30 August 2009 - 12:22 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 w3azl3

w3azl3
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 30 August 2009 - 12:11 AM

Ahhh, deeply sorry, I'll remember that next time.

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:37 AM

Posted 30 August 2009 - 12:31 AM

Hi w3azl3,

I think we cross posted. :( Please read my Post #4.

Edited by SifuMike, 30 August 2009 - 12:31 AM.


#7 w3azl3

w3azl3
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 30 August 2009 - 12:33 AM

lol, seems we did :D, I was about to edit my post to add in these as well.

Starting with SystemLook:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 01:22 on 30/08/2009 by Heidi Diaz (Administrator - Elevation successful)

========== filefind ==========

Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--- 55808 bytes [11:51 18/06/2006] [09:00 10/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [01:32 26/12/2008] [09:00 10/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [19:42 12/09/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll --a--- 56320 bytes [19:42 12/09/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--c 56320 bytes [08:18 16/08/2005] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656

-=End Of File=-

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
avast! Antivirus


Antivirus up to date! (On Access scanning disabled!)
``````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
HijackThis 2.0.2
CCleaner (remove only)
Java™ 6 Update 14
Java™ 6 Update 3
Java™ 6 Update 6
Java™ 6 Update 7
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent



``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````
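The SystemLook `:filefind` result above lists every copy of eventlog.dll on the disk with its size and MD5, which is what lets the helper see whether the copy in system32 is the genuine one. The following is an added example, not SystemLook's own code or part of the instructions in this thread: a Python parser for filefind result lines that groups the copies by hash, compares the live system32 file against the `ServicePackFiles\i386` copy (assumed here to be the installed service pack's reference copy), and lists any copy whose hash no other copy shares. The five input lines come from the log above; the sixth, with a made-up hash, is constructed so the unmatched-copy check has something to find.

```python
r"""Check the copies of a DLL that SystemLook's :filefind lists.

Added example for this thread, not SystemLook's own code or the helper's
instructions. It parses filefind result lines, groups the copies by MD5, tells
whether the live file in system32 hashes the same as the ServicePackFiles\i386
copy (assumed here to be the installed service pack's reference copy), and
lists copies whose hash no other copy on the disk shares.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: the five lines from the SystemLook log above, plus one
# constructed dllcache line with a made-up hash that matches nothing else.
SAMPLE = r"""
Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--- 55808 bytes [11:51 18/06/2006] [09:00 10/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [01:32 26/12/2008] [09:00 10/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [19:42 12/09/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll --a--- 56320 bytes [19:42 12/09/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--c 56320 bytes [08:18 16/08/2005] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\dllcache\eventlog.dll --a--- 56320 bytes [08:18 16/08/2005] [00:11 14/04/2008] DEADBEEFDEADBEEFDEADBEEFDEADBEEF
"""

# path, six attribute flags, size, modified stamp, created stamp, MD5
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

LIVE_COPY = r"C:\WINDOWS\system32\eventlog.dll"
REFERENCE_COPY = r"C:\WINDOWS\ServicePackFiles\i386\eventlog.dll"  # assumption: SP reference copy


@dataclass(frozen=True)
class Copy:
    path: str
    attrs: str
    size: int
    md5: str


def parse_filefind(text):
    """Return one Copy per result line; headings and blank lines are skipped."""
    copies = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            copies.append(Copy(m["path"], m["attrs"], int(m["size"]), m["md5"].upper()))
    return copies


def group_by_hash(copies):
    """Map each MD5 to the list of paths that carry it."""
    groups = defaultdict(list)
    for c in copies:
        groups[c.md5].append(c.path)
    return dict(groups)


def find(copies, path):
    """Case-insensitive lookup of one listed copy by path."""
    for c in copies:
        if c.path.lower() == path.lower():
            return c
    return None


def live_matches_reference(copies, live=LIVE_COPY, reference=REFERENCE_COPY):
    """True when the in-use DLL hashes the same as its service pack reference.

    None means one of the two files was not in the listing at all.
    """
    a, b = find(copies, live), find(copies, reference)
    if a is None or b is None:
        return None
    return a.md5 == b.md5 and a.size == b.size


def unmatched_copies(copies):
    """Copies whose hash appears on no other copy; each deserves a closer look."""
    groups = group_by_hash(copies)
    return [c for c in copies if len(groups[c.md5]) == 1]


if __name__ == "__main__":
    copies = parse_filefind(SAMPLE)
    print("live copy matches reference:", live_matches_reference(copies))
    for c in unmatched_copies(copies):
        print("unmatched:", c.path, c.md5)
```

Two hash groups are expected on a machine like this one: the `i386` and `$NtServicePackUninstall$` copies are the original-release version and the `ServicePackFiles` copies are the service pack version, so a difference between those groups is not a finding. The check that matters is the live system32 copy against its service pack reference, and any copy whose hash stands alone.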

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:37 AM

Posted 30 August 2009 - 12:38 AM

Hi w3azl3,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVAST Antivirus and Spybot Teatimer before running ComboFix, as it will prevent it from running.

AVAST will cause BSOD unless you disable it like this:
Posted Image

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent some things from being fixed.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

* Open Spybot Search & Destroy.
* In the Mode menu click "Advanced mode" if not already selected.
* Choose "Yes" at the Warning prompt.
* Expand the "Tools" menu.
* Click "Resident".
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* In the File menu click "Exit" to exit Spybot Search & Destroy.



Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 30 August 2009 - 12:40 AM.


#9 w3azl3

w3azl3
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 30 August 2009 - 02:20 AM

Ok, I feel that I may have messed up. In my first scan it was going well. I was getting Chkdsk popups, and while trying to cancel them out so I could see ComboFix I clicked it and it rebooted my comp; while trying again I left and came back to my comp being rebooted again. Then it started scanning and deleting things on startup (Windows XP did this), so this log I got. I think McAfee must have been blocking it, but it hasn't been active till after the deletion of several files. (So the computer is definitely improving a lot!)

Anyways, here's the ComboFix file. *Note: this is the only file I got after 3 times of running it.*

ComboFix 09-08-29.01 - Heidi Diaz 08/30/2009 2:59.4.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.743 [GMT -4:00]
Running from: c:\documents and settings\Heidi Diaz\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe
.
---- Previous Run -------
.
c:\windows\irc.txt
c:\windows\system32\kbiwkmuipyjalu.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmsualmrmt
-------\Service_SKYNETjdjwkrxn
-------\Service_SKYNETopykyjdk
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_faxwzcsvc
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_SYS
-------\Legacy_SYSDRV
-------\Legacy_systemntmi
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_AntipPro2009_100
-------\Service_FaxWZCSVC
-------\Service_sys


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.

2009-08-30 06:45 . 2009-08-30 06:45 -------- d-sh--w- C:\found.000
2009-08-29 20:25 . 2009-08-29 20:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-08-28 21:56 . 2009-08-28 21:56 0 ----a-w- c:\documents and settings\Heidi Diaz\settings.dat
2009-08-28 20:50 . 2009-08-28 21:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-28 20:30 . 2009-08-28 20:30 -------- d-----w- c:\program files\CCleaner
2009-08-28 19:42 . 2009-08-28 19:42 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-28 03:18 . 2009-08-28 03:18 -------- d-sh--w- c:\windows\system32\config\systemprofile\Application Data\twain_32
2009-08-27 06:59 . 2009-08-27 06:59 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-08-25 22:48 . 2009-08-25 22:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AIM Toolbar
2009-08-25 19:48 . 2009-08-25 19:48 -------- dc-h--r- C:\MSOCache
2009-08-25 15:00 . 2009-08-25 23:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\COMCASTTOOLBAR
2009-08-25 14:19 . 2009-08-25 14:19 -------- d-----w- c:\windows\TEM
2009-08-25 03:23 . 2009-08-25 03:23 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-25 03:19 . 2009-08-25 03:19 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-25 00:04 . 2009-08-25 00:04 -------- d-----w- c:\program files\Alwil Software
2009-08-24 21:30 . 2009-08-24 21:30 -------- dc----w- C:\_OTS
2009-08-24 01:14 . 2009-08-24 01:14 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-08-24 01:13 . 2009-08-24 23:40 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\COMCASTTOOLBAR
2009-08-24 01:13 . 2009-08-24 01:13 161280 ----a-w- c:\windows\sv2.exe
2009-08-22 14:56 . 2009-08-22 14:56 -------- d-----w- c:\docume~1\HEIDID~1\APPLIC~1\Viewpoint
2009-08-22 04:57 . 2009-08-22 04:57 236056 ----a-w- c:\documents and settings\All Users\Application Data\gav\sgav.exe
2009-08-22 00:35 . 2009-08-22 04:57 1363946 ----a-w- c:\documents and settings\All Users\Application Data\gav\GAVBi.exe
2009-08-22 00:33 . 2009-08-22 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\gav
2009-08-16 09:11 . 2009-08-16 09:11 262144 ----a-w- C:\ntuser.dat
2009-08-16 09:10 . 2009-08-16 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-08-15 21:05 . 2009-08-28 20:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-15 21:05 . 2009-08-24 23:50 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-14 20:56 . 2009-08-14 20:56 92056 ----a-w- c:\documents and settings\All Users\Application Data\gav\mgrdll.exe
2009-08-14 20:03 . 2009-08-14 20:03 10404352 ----a-w- c:\documents and settings\All Users\Application Data\gav\gav.exe
2009-08-14 19:48 . 2009-08-14 19:48 128512 ----a-w- c:\documents and settings\All Users\Application Data\gav\QWProtect.dll
2009-08-11 11:10 . 2009-08-11 11:10 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-10 10:02 . 2009-08-11 11:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-07 07:34 . 2009-08-07 07:34 331791 ----a-w- c:\documents and settings\All Users\Application Data\gav\wsdt05.exe
2009-08-05 04:39 . 2009-08-15 06:03 -------- d-----w- c:\docume~1\HEIDID~1\APPLIC~1\FrostWire
2009-08-04 20:29 . 2009-08-04 20:29 -------- d-----w- c:\documents and settings\Heidi Diaz\Local Settings\Application Data\AIM Toolbar
2009-08-04 20:27 . 2009-08-15 04:16 -------- d-----w- c:\program files\AIM Toolbar
2009-08-04 20:27 . 2009-08-04 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM Toolbar
2009-08-02 03:09 . 2009-08-17 06:27 -------- d-----w- c:\docume~1\HEIDID~1\APPLIC~1\Ventrilo
2009-08-02 03:08 . 2009-08-02 03:08 -------- d-----w- c:\program files\Ventrilo
2009-08-02 03:08 . 2009-08-02 03:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 22:45 . 2009-07-09 21:31 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-29 21:03 . 2006-05-11 00:42 -------- d-----w- c:\program files\McAfee
2009-08-28 20:41 . 2008-08-24 06:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-28 03:23 . 2008-11-28 05:21 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-08-28 03:18 . 2006-05-11 00:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-25 20:50 . 2009-06-27 22:57 -------- d-----w- c:\program files\Sony Online Entertainment
2009-08-25 20:46 . 2009-06-27 19:51 -------- d-----w- c:\program files\StarWarsGalaxies
2009-08-25 18:49 . 2009-08-25 18:49 8 ----a-w- c:\program files\nrwvd.txt
2009-08-24 23:48 . 2007-11-24 15:52 -------- d-----w- c:\docume~1\HEIDID~1\APPLIC~1\COMCASTTOOLBAR
2009-08-23 23:18 . 2006-06-25 00:04 -------- d-----w- c:\program files\Dl_cats
2009-08-22 20:26 . 2008-10-01 15:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-22 14:46 . 2006-05-11 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-22 14:46 . 2006-05-11 00:36 -------- d-----w- c:\program files\Viewpoint
2009-08-18 03:03 . 2006-10-20 00:16 -------- d-----w- c:\docume~1\HEIDID~1\APPLIC~1\Walgreens
2009-08-16 09:11 . 2007-09-12 23:33 -------- d-----w- c:\docume~1\HEIDID~1\APPLIC~1\Yahoo!
2009-08-16 09:11 . 2006-06-30 00:44 -------- d-----w- c:\program files\Yahoo!
2009-08-16 09:11 . 2007-09-12 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-15 20:14 . 2007-05-09 01:58 -------- d-----w- c:\program files\AIM6
2009-08-15 20:14 . 2006-12-26 14:21 -------- d-----w- c:\program files\LimeWire
2009-08-11 11:01 . 2009-06-11 01:10 -------- d-----w- c:\program files\ATI
2009-08-10 09:56 . 2006-11-21 19:03 -------- d-----w- c:\program files\Google
2009-08-05 11:38 . 2006-05-11 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-10 18:36 . 2009-07-10 18:36 -------- d-----w- c:\program files\Dell Photo AIO Printer 924
2009-07-09 21:33 . 2006-05-11 00:15 98304 ----a-w- c:\windows\DUMP47f5.tmp
2009-07-03 07:14 . 2009-07-03 07:07 1874 ----a-w- c:\windows\jm567890.dat
2009-06-30 04:13 . 2009-06-30 04:13 1 ----a-w- c:\windows\ckms134.dat
2009-06-27 22:57 . 2009-02-04 00:26 27240 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-06-26 20:53 . 2007-04-11 01:20 43 ----a-w- c:\windows\popcinfo.dat
2009-06-22 10:32 . 2009-06-22 10:32 93 ----a-w- c:\windows\system32\SKYNET.dat
2009-06-11 01:17 . 2009-06-11 01:17 0 ----a-w- c:\windows\ativpsrm.bin
2008-07-21 04:32 . 2006-06-25 00:13 88 --sh--r- c:\windows\system32\3DD0985F8F.sys
2009-04-27 15:27 . 2006-12-16 21:14 56 --sh--r- c:\windows\system32\8F5F98D03D.sys
2009-04-10 02:20 . 2009-04-10 02:20 2713 --sh--w- c:\windows\system32\kekilule.dll
2009-04-27 15:27 . 2006-06-25 00:13 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-04-10 02:19 . 2009-04-10 02:19 2713 --sh--w- c:\windows\system32\nuvanifi.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Walgreens PhotoShow Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2006-04-20 237568]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"tgcmd"="c:\program files\support.com\bin\tgcmd.exe" [2002-04-25 1544192]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
"HostManager"="c:\program files\Common Files\AOL\1169237383\ee\AOLSoftware.exe" [2008-06-24 41824]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Heidi Diaz\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-7-31 139776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-10 24576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [1/1/2009 12:28 PM 9216]
S1 b36848d7;b36848d7;c:\windows\system32\drivers\b36848d7.sys --> c:\windows\system32\drivers\b36848d7.sys [?]
S2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [8/16/2005 4:18 AM 14336]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/29/2008 9:40 PM 210216]
S2 NetLogin;Net Login;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
S2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [8/10/2004 5:00 AM 94208]
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-14 14:53]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-14 14:53]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1f088470-6c7c-4e95-8e03-6bd14e5f0443} - (no file)
BHO-{86b1ba0a-9a44-416a-8d31-b30e6de73787} - (no file)
HKCU-Run-Steam - c:\program files\Steam\Steam.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search - ?p=ZKxdm011YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
FF - ProfilePath - c:\docume~1\HEIDID~1\APPLIC~1\Mozilla\Firefox\Profiles\zvn2q1eb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\SONYON~1\npsoe.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 03:06
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

c:\windows\system32\.e886372a\e886372a.exe [1572] 0x86BC7020

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
tgcmd = "c:\program files\support.com\bin\tgcmd.exe" /server?cmd.exe" /server
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,RunDLLEntry???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\system32\.e886372a

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\e886372a]
"ImagePath"="c:\windows\system32\.e886372a\e886372a.exe"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-703702550-2982333712-3504602965-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-30 3:09
ComboFix-quarantined-files.txt 2009-08-30 07:09

Pre-Run: 81,746,362,368 bytes free
Post-Run: 81,739,714,560 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
319 --- E O F --- 2008-12-27 08:01

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 August 2009 - 11:35 AM

Hi w3azl3,

This computer is quite a mess. :(

Looks like ComboFix did not install Recovery Console.


Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\8F5F98D03D.sys
      c:\windows\system32\3DD0985F8F.sys
      c:\windows\system32\sofatnet.exe
      c:\windows\svchost.exe
      c:\windows\sv2.exe
      c:\documents and settings\All Users\Application Data\gav\sgav.exe
      c:\documents and settings\All Users\Application Data\gav\GAVBi.exe
      c:\documents and settings\All Users\Application Data\gav\mgrdll.exe
      c:\documents and settings\All Users\Application Data\gav\gav.exe
      c:\documents and settings\All Users\Application Data\gav\QWProtect.dll
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • If Copy to Clipboard does not work, then just copy and paste the output in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.

*****************

Note: If you already have Malwarebytes installed on your computer, then update, run it and post the log.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent some things from being fixed.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

* Open Spybot Search & Destroy.
* In the Mode menu click "Advanced mode" if not already selected.
* Choose "Yes" at the Warning prompt.
* Expand the "Tools" menu.
* Click "Resident".
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* In the File menu click "Exit" to exit Spybot Search & Destroy.



Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by SifuMike, 30 August 2009 - 11:56 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 w3azl3

w3azl3
  • Topic Starter

  • Members
  • 14 posts

Posted 30 August 2009 - 12:04 PM

ComboFix installed the Recovery Console. That was during the first scan where I clicked it accidentally and rebooted.

Anyways, VirSCAN is a bit odd as it seems to only take files and I can't seem to type anything in it.

Anyways, Malwarebytes is running smoothly and I'll have the log for you when it's finished.

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 August 2009 - 12:13 PM

ComboFix installed the Recovery Console. That was during the first scan where I clicked it accidentally and rebooted.

If it installed correctly, when you do the boot routine, you should briefly see an option to select Recovery Console.



Anyways, VirSCAN is a bit odd as it seems to only take files and I can't seem to type anything in it.


I said "each of the following file paths" in my speech, "not all of the following file paths".

It only does ONE at a time, not all at once.


and I can't seem to type anything in it.



Copy and paste, don't type. Or use the Browse function to find the file to scan.

Edited by SifuMike, 30 August 2009 - 01:26 PM.


#13 w3azl3

w3azl3
  • Topic Starter

  • Members
  • 14 posts

Posted 30 August 2009 - 03:18 PM

Ahh, I hit Browse and typed it in there, sorry for the confusion.
Anyways, I'm gonna post the VirSCAN stuff.

c:\windows\system32\8F5F98D03D.sys <-http://virscan.org/report/bd02f8ec7644b8d2983e78a7f4a67f52.html

c:\windows\system32\3DD0985F8F.sys<- http://virscan.org/report/f894ac9e52e1d06f...2bca09bfb3.html

c:\windows\system32\sofatnet.exe<-File not Found

c:\windows\svchost.exe <- File not found

c:\windows\sv2.exe <- File not Found

c:\documents and settings\All Users\Application Data\gav\sgav.exe <- File not found

c:\documents and settings\All Users\Application Data\gav\GAVBi.exe <- http://virscan.org/report/52f5a6acc7151407...3d76780eb1.html

c:\documents and settings\All Users\Application Data\gav\mgrdll.exe <- file not found

c:\documents and settings\All Users\Application Data\gav\gav.exe <- file not found

c:\documents and settings\All Users\Application Data\gav\QWProtect.dll <- http://virscan.org/report/2d501da7ab7c845f...cbf9a5a811.html


Malwarebytes


Malwarebytes' Anti-Malware 1.40
Database version: 2718
Windows 5.1.2600 Service Pack 3

8/30/2009 4:10:43 PM
mbam-log-2009-08-30 (16-10-43).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 290317
Time elapsed: 3 hour(s), 15 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{70fead04-a7fd-4b89-b814-8a8251c90ef7} (Rogue.AntiVirus1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70fead04-a7fd-4b89-b814-8a8251c90ef7} (Rogue.AntiVirus1) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdll (Worm.Autorun) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\msb.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\msc.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmlappsxog.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmsaqoyptb.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml71.dll.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0005002.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0005003.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0005025.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0005029.old (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0005030.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0005032.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0005046.exe (Rogue.TotalSecurity2009) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0005051.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0005055.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0005056.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0005057.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0005069.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0005071.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0005072.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0006201.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0006202.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0006203.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0007272.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0007417.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0007422.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0007423.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0008450.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0008451.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0008452.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0008453.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 August 2009 - 04:05 PM

Ahh, I hit Browse and typed it in there, sorry for the confusion.



If you type it in you will make a mistake and it will not find the file. Better to use either copy and paste or the Browse button and find the file on your computer, then click on it and it loads the file path into the browse window.

But the way you posted it is OK. :( I have the info I need.

I'llllllllllllllllllllllllll be back! (spoken with an Austrian accent) LOL

Edited by SifuMike, 30 August 2009 - 04:08 PM.


#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 August 2009 - 04:14 PM

Hi w3azl3,

I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled, please navigate to and delete the following folder:
C:\Program Files\Viewpoint

*********************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Please download Java Version 6 Update 15
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 6 Update 14
    Java 6 Update 3
    Java 6 Update 6
    Java 6 Update 7
    Java 2 Runtime Environment, SE v1.4.2_03

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.
*********************

You need to disable your AVAST Antivirus and Spybot TeaTimer before running ComboFix, as they will prevent it from running.

AVAST will cause BSOD unless you disable it like this:
Posted Image

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent some things from being fixed.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

* Open Spybot Search & Destroy.
* In the Mode menu click "Advanced mode" if not already selected.
* Choose "Yes" at the Warning prompt.
* Expand the "Tools" menu.
* Click "Resident".
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* In the File menu click "Exit" to exit Spybot Search & Destroy.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\system32\sofatnet.exe
c:\windows\system32\SKYNET.dat
c:\windows\system32\kekilule.dll
c:\windows\system32\nuvanifi.exe
c:\windows\system32\drivers\b36848d7.sys 
c:\windows\svchost.exe
c:\windows\sv2.exe

Folder:: 
c:\documents and settings\All Users\Application Data\gav

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

Driver:: 
b36848d7
NetLogin
sofatnet
EvdoServer


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
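As an added example (not code from the thread, ComboFix or any poster), here is a small Python triage helper for a ComboFix log of the kind posted above: it parses the registry section, flags the two values the CFScript above writes back (UpdatesDisableNotify under Security Center and EnableFirewall under the standard firewall profile), renders them in the same `[KEY]` / `"Name"=dword:` form a Registry:: section uses, and lists services whose image file ComboFix marked as missing (`--> ... [?]`), which is how the b36848d7 and NetLogin entries stood out. AntiVirusDisableNotify and FirewallDisableNotify are sibling Security Center values that did not appear in this log; the sample lines are constructed from the posted log.

```python
"""Triage helpers for a ComboFix log (added example, not ComboFix's own code).

Flags registry values that silence Security Center or disable the XP firewall,
renders them in the '[KEY]' / '"Name"=dword:' form of a CFScript Registry::
section, and lists services whose image file was missing ('--> ... [?]').
Sample lines below are constructed from the ones posted in the thread.
"""
import re
from typing import Dict, List, Optional, Tuple

# (regex on the key path, value name, weakened value, value to restore).
# AntiVirus/FirewallDisableNotify are the sibling Security Center values; the
# thread's log only showed UpdatesDisableNotify and EnableFirewall.
WEAK_SETTINGS = [
    (r"\\security center$", "UpdatesDisableNotify", 1, 0),
    (r"\\security center$", "AntiVirusDisableNotify", 1, 0),
    (r"\\security center$", "FirewallDisableNotify", 1, 0),
    (r"\\firewallpolicy\\standardprofile$", "EnableFirewall", 0, 1),
]
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)$')
# S1 b36848d7;b36848d7;c:\...\b36848d7.sys --> c:\...\b36848d7.sys [?]
MISSING_SVC_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;.*?-->\s+(.+?)\s+\[\?\]$")


def parse_value(raw: str) -> Optional[int]:
    """Parse ComboFix's numeric renderings 'dword:00000001' and '0 (0x0)'."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    return int(m.group(1)) if m else None  # strings/binary are not needed here


def parse_registry_section(text: str) -> Dict[str, Dict[str, int]]:
    """Map each '[KEY]' block to its numeric values."""
    entries: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            number = parse_value(val.group(2))
            if number is not None:
                entries[current][val.group(1)] = number
    return entries


def find_weakened(entries: Dict[str, Dict[str, int]]) -> List[Tuple[str, str, int, int]]:
    """Return (key, name, observed, restore) for every weakened setting found."""
    findings = []
    for key, values in entries.items():
        for pattern, name, bad, good in WEAK_SETTINGS:
            if re.search(pattern, key, re.IGNORECASE) and values.get(name) == bad:
                findings.append((key, name, bad, good))
    return findings


def cfscript_registry_lines(findings: List[Tuple[str, str, int, int]]) -> List[str]:
    """Render findings the way the thread's CFScript Registry:: section writes them."""
    lines = []
    for key, name, _observed, good in findings:
        lines += [f"[{key}]", f'"{name}"=dword:{good:08x}']
    return lines


def missing_service_binaries(text: str) -> List[Tuple[str, str]]:
    """Return (service name, image path) for service lines whose file is missing."""
    hits = []
    for line in text.splitlines():
        m = MISSING_SVC_RE.match(line.strip())
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample, modelled on the registry and service lines in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [1/1/2009 12:28 PM 9216]
S1 b36848d7;b36848d7;c:\windows\system32\drivers\b36848d7.sys --> c:\windows\system32\drivers\b36848d7.sys [?]
S2 NetLogin;Net Login;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
"""

if __name__ == "__main__":
    weak = find_weakened(parse_registry_section(SAMPLE_LOG))
    print("\n".join(cfscript_registry_lines(weak)))
    for name, path in missing_service_binaries(SAMPLE_LOG):
        print(f"service {name} -> missing file {path}")
```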



