Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search Engine Redirect and Anti-Virus shutdown


  • This topic is locked This topic is locked
6 replies to this topic

#1 cameron25

cameron25

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 30 August 2009 - 12:49 AM

Sorry I can't post the virus name because I have no idea what it is.

My problem consists of a search engine redirect virus and a virus that shuts down anti-virus software.

So far I have tried Spybot, Ad-Aware, and the free trial of Vipre and Norton 360. All of which are shutdown after about 15 seconds.

I have a bought StopZilla program but long story short my dad doesn't like it so it usually isn't on, so instead we have Avira which so far I personally think is worthless. Anyways, the Stopzilla doesn't work but it will work in safemode and it finds a virus called Win32k or something like that. Sorry I will have to scan again and see what it is. It hasn't seemed to remove it yet though.

The Avira program however runs fine and will scan but not find anything.

Also I did successfully ( i think ) remove something i think was a virus, it was msa.exe.

Also I tried the DDS scan report and the Root Repeal and Hijack This. All of which were shutdown as soon as they started scanning. I do have a report from the Avira Scan but im not sure if it includes what is needed. Anyways I will post it.

Any help is GREATLY APPRECIATED!

Also I have Windows XP

Edit: I scanned again in safe mode with Stopzilla and it found even more of the virus Win32k.stream. Here is a section from another post on bleeping computer, I had the exact same problem except i never had any vundo. But here it is "Hello, My machine is infected currently with Win32K.Stream as reported by Stopzilla it originally also had a Vundo.f but that seems to be gone now. Anyway if I try and run Malwarebytes,Highjackthis or anything that could help identify or remove the infection the program will start to run then stop no errors until I try and run it again then I get " Windows can not acces the specified device, path, or file. You may not have the Appropriate permissions to access them" so I'm at a lost. Read all the posts I could find, but nothing is helping Stopzilla says it removing the files but after reboot they are back."

Attached Files


Edited by cameron25, 30 August 2009 - 01:14 PM.


BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:45 AM

Posted 02 September 2009 - 09:58 PM

Hello cameron25 ,

Sorry to burst you bubble, but Stopzilla is not good and Aviar AnitVir is a very highly rated antivirus product.

Stopzilla is a resource hog and I don't recommend it. I've seen it being pushed by malware - which means, malware causes to display popups where it asks to install Stopzilla. This doesn't make sense and that's why it makes Stopzilla a questionable application.


Can you run any program exe's?


I think you have a very nasty rootkit on this computer, but we need to dig deeper.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
    [field name="Additional Instructions" lines=20]
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
*********************

Download and run Win32kDiag:*********************

Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it.A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
Please post back with:
  • Win32kDiag.txt
  • Content of the log.txt

Edited by SifuMike, 02 September 2009 - 10:18 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 cameron25

cameron25
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 07 September 2009 - 10:17 PM

Here's the reports. Also when I tried using the Root Repeal it didn't work and it left an un-removable icon on my desktop. When I try to delete it says "Windows cannot access the specified device, path, or file. You may not have the appopriate permissions to access the item." Also, after scanning with the GMER for a while i realized it had disappeared and now I can't open it or delete it. Same message "Windows cannot access...".


Win32kDiag

Log file is located at: C:\Documents and Settings\Craig Schluter\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4B6.tmp\ZAP4B6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP593.tmp\ZAP593.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5B7.tmp\ZAP5B7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP606.tmp\ZAP606.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe








Log

Volume in drive C has no label.
Volume Serial Number is E47C-32A0

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/12/2004 08:04 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/12/2004 08:02 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/12/2004 07:57 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 06:11 PM 62,976 eventlog.dll
3 File(s) 651,264 bytes

Total Files Listed:
9 File(s) 1,938,944 bytes
0 Dir(s) 115,313,524,736 bytes free

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:45 AM

Posted 07 September 2009 - 11:36 PM

Hi cameron25,

Please tell me the antivirus you are using.

You got a Rootkit on this computer.

We will need to take this cleanup in phases. You are not clean until I tell you so - even if it appears that everything is running fine!

Let's begin....

==========

Step 1

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

==========

Step 2

Please do this:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter.When successfully, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE[: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
==========

Step 3

:( Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.
:(
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard, Posted Image button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
==========

With your next post please provide:

* Win32kDiag.txt
* Avenger.txt

Edited by SifuMike, 07 September 2009 - 11:45 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 cameron25

cameron25
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 09 September 2009 - 10:42 PM

Thank you for the help so far.
The google redirect is gone but I know you said it might not be gone yet so I will continue to follow your directions.
Also I am using Avira AntiVir Personal - Free Antivirus.

Win32KDiag


Log file is located at: C:\Documents and Settings\Craig Schluter\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844

Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Found mount point : C:\WINDOWS\$hf_mig$\KB971961-IE8\KB971961-IE8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB971961-IE8\KB971961-IE8

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4B6.tmp\ZAP4B6.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4B6.tmp\ZAP4B6.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP593.tmp\ZAP593.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP593.tmp\ZAP593.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5B7.tmp\ZAP5B7.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5B7.tmp\ZAP5B7.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP606.tmp\ZAP606.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP606.tmp\ZAP606.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-12 07:57:42 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 18:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 18:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\41de1a081a084b9d6fc0b5c225e4fbe5\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\41de1a081a084b9d6fc0b5c225e4fbe5\backup\backup

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe

[1] 2005-02-24 21:35:05 718048 C:\WINDOWS\$hf_mig$\KB898461\update\update.exe (Microsoft Corporation)

[1] 2008-11-15 11:18:04 755576 C:\WINDOWS\$hf_mig$\KB923561\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 19:22:59 716000 C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB938464-v2\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 19:22:59 716000 C:\WINDOWS\$hf_mig$\KB944338-v2\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:20:44 755576 C:\WINDOWS\$hf_mig$\KB946648\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB950760\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB950762\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB950974\update\update.exe (Microsoft Corporation)

[1] 2007-12-03 09:25:31 755576 C:\WINDOWS\$hf_mig$\KB951066\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB951748\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB951978\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB952004\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB952287\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB952954\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB954459\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB954600\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB955069\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB955839\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 01:38:29 755576 C:\WINDOWS\$hf_mig$\KB956572\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB956744\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 01:38:29 755576 C:\WINDOWS\$hf_mig$\KB956802\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB956803\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 07:02:04 755576 C:\WINDOWS\$hf_mig$\KB957097\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB958644\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB958687\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB959426\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB960225\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB960803\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB960859\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB961371\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB961373\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 01:38:29 755576 C:\WINDOWS\$hf_mig$\KB961501\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB961503\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 01:38:29 755576 C:\WINDOWS\$hf_mig$\KB967715\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 01:38:29 755576 C:\WINDOWS\$hf_mig$\KB968537\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB969897\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB969897-IE8\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB969898\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB970238\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB971180-IE8\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB971557\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 01:38:29 755576 C:\WINDOWS\$hf_mig$\KB971633\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB971657\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB972260-IE8\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 07:02:04 755576 C:\WINDOWS\$hf_mig$\KB973346\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB973354\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB973507\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB973815\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 07:02:04 755576 C:\WINDOWS\$hf_mig$\KB973869\update\update.exe (Microsoft Corporation)

[1] 2007-07-27 10:41:48 755576 C:\WINDOWS\SoftwareDistribution\Download\06c06c7b51bc17c7102b0619a1cb08c2\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 19:22:59 716000 C:\WINDOWS\SoftwareDistribution\Download\41de1a081a084b9d6fc0b5c225e4fbe5\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\7e2110c803604799bad6cc14ba892658\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 07:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\SoftwareDistribution\Download\f393f65782d41e425cfd1141aa65e1b5\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 07:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe ()



Cannot access: C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe

[1] 2005-02-24 21:35:05 718048 C:\WINDOWS\$hf_mig$\KB898461\update\update.exe (Microsoft Corporation)

[1] 2008-11-15 11:18:04 755576 C:\WINDOWS\$hf_mig$\KB923561\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 19:22:59 716000 C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB938464-v2\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 19:22:59 716000 C:\WINDOWS\$hf_mig$\KB944338-v2\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:20:44 755576 C:\WINDOWS\$hf_mig$\KB946648\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB950760\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB950762\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB950974\update\update.exe (Microsoft Corporation)

[1] 2007-12-03 09:25:31 755576 C:\WINDOWS\$hf_mig$\KB951066\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB951748\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB951978\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB952004\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB952287\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB952954\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB954459\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB954600\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB955069\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB955839\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 01:38:29 755576 C:\WINDOWS\$hf_mig$\KB956572\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB956744\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 01:38:29 755576 C:\WINDOWS\$hf_mig$\KB956802\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB956803\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 07:02:04 755576 C:\WINDOWS\$hf_mig$\KB957097\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB958644\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 05:18:51 755576 C:\WINDOWS\$hf_mig$\KB958687\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB959426\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB960225\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB960803\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB960859\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB961371\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB961373\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 01:38:29 755576 C:\WINDOWS\$hf_mig$\KB961501\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB961503\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 01:38:29 755576 C:\WINDOWS\$hf_mig$\KB967715\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 01:38:29 755576 C:\WINDOWS\$hf_mig$\KB968537\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB969897\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB969897-IE8\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB969898\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:18 755576 C:\WINDOWS\$hf_mig$\KB970238\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\$hf_mig$\KB971180-IE8\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB971557\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 01:38:29 755576 C:\WINDOWS\$hf_mig$\KB971633\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB971657\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB972260-IE8\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 07:02:04 755576 C:\WINDOWS\$hf_mig$\KB973346\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB973354\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB973507\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\$hf_mig$\KB973815\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 07:02:04 755576 C:\WINDOWS\$hf_mig$\KB973869\update\update.exe (Microsoft Corporation)

[1] 2007-07-27 10:41:48 755576 C:\WINDOWS\SoftwareDistribution\Download\06c06c7b51bc17c7102b0619a1cb08c2\update\update.exe (Microsoft Corporation)

[1] 2007-03-05 19:22:59 716000 C:\WINDOWS\SoftwareDistribution\Download\41de1a081a084b9d6fc0b5c225e4fbe5\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 05:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\7e2110c803604799bad6cc14ba892658\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 07:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:39:22 755576 C:\WINDOWS\SoftwareDistribution\Download\f393f65782d41e425cfd1141aa65e1b5\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 07:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\Data\Data

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Data\Data

Found mount point : C:\WINDOWS\system32\Defaults\Defaults

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Defaults\Defaults

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-12 07:57:17 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 18:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 18:11:53 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 18:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

[1] 2009-08-28 15:38:20 24689600 C:\WINDOWS\system32\MRT.exe (Microsoft Corporation)

[2] 2009-07-29 18:49:14 24281536 C:\System Volume Information\_restore{088F863D-A7DB-4C3E-A6D1-099012195079}\RP121\A0031270.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\CR_4C.tmp\CR_4C.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\CR_4C.tmp\CR_4C.tmp

Found mount point : C:\WINDOWS\Temp\CTZAPXX\Drivers\Drivers

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\CTZAPXX\Drivers\Drivers

Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Found mount point : C:\WINDOWS\Temp\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\{435E969D-867E-4364-8E74-3DC8A69C5BDB}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\{435E969D-867E-4364-8E74-3DC8A69C5BDB}

Found mount point : C:\WINDOWS\Temp\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}

Found mount point : C:\WINDOWS\Temp\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}

Found mount point : C:\WINDOWS\Temp\{67AEFC4C-69E4-11D7-85F4-00E018013273}\{67AEFC4C-69E4-11D7-85F4-00E018013273}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{67AEFC4C-69E4-11D7-85F4-00E018013273}\{67AEFC4C-69E4-11D7-85F4-00E018013273}

Found mount point : C:\WINDOWS\Temp\{7201B853-5833-11D6-A285-00A0CC51B2FE}\{7201B853-5833-11D6-A285-00A0CC51B2FE}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{7201B853-5833-11D6-A285-00A0CC51B2FE}\{7201B853-5833-11D6-A285-00A0CC51B2FE}

Found mount point : C:\WINDOWS\Temp\{7A900EAB-DA37-4554-AF19-9C337476D05D}\{7A900EAB-DA37-4554-AF19-9C337476D05D}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{7A900EAB-DA37-4554-AF19-9C337476D05D}\{7A900EAB-DA37-4554-AF19-9C337476D05D}

Found mount point : C:\WINDOWS\Temp\{A1185190-514F-11D6-A285-00A0CC51B2FE}\{A1185190-514F-11D6-A285-00A0CC51B2FE}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{A1185190-514F-11D6-A285-00A0CC51B2FE}\{A1185190-514F-11D6-A285-00A0CC51B2FE}

Found mount point : C:\WINDOWS\Temp\{AC157741-3285-4D6A-B934-9174587A3493}\{AC157741-3285-4D6A-B934-9174587A3493}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{AC157741-3285-4D6A-B934-9174587A3493}\{AC157741-3285-4D6A-B934-9174587A3493}

Found mount point : C:\WINDOWS\Temp\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}

Found mount point : C:\WINDOWS\Temp\{CEB481CC-F57C-4397-81A0-DADD22257047}\{CEB481CC-F57C-4397-81A0-DADD22257047}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{CEB481CC-F57C-4397-81A0-DADD22257047}\{CEB481CC-F57C-4397-81A0-DADD22257047}

Found mount point : C:\WINDOWS\Temp\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}

Found mount point : C:\WINDOWS\Temp\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}

Found mount point : C:\WINDOWS\Temp\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}

Found mount point : C:\WINDOWS\Temp\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}

Found mount point : C:\WINDOWS\Temp\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!






Avenger


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Sep 09 21:33:14 2009

21:33:14: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Sep 09 21:34:10 2009

21:34:10: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:45 AM

Posted 09 September 2009 - 11:36 PM

Hi cameron25,

Looks good so far. :(

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

To disable Avira Antivirus:  
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background (looks to this: Posted Image )
  • right click it-> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background (looks to this: Posted Image )
You succesfully disabled the AntiVir Guard.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop..
Post the log from ComboFix in your next reply,

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 09 September 2009 - 11:42 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:45 AM

Posted 17 September 2009 - 09:44 PM

Due to inactivity, this thread will now be closed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users