max++ or multiple trojans


  • This topic is locked
25 replies to this topic

#1 kbears

Posted 08 October 2009 - 10:35 PM

Hi,

I've been trying to fight off a trojan/malware issue for the past couple days using similar scenarios referenced in these forums and a variety of malware tools. So far unsuccessful - I was able to get back the "this file cannot be opened" issue that many people have been reporting lately and gotten to a state where I'm able to run most programs, but can't seem to isolate anything to remove or do next... the issue is still there because some basic things like disk cleanup still won't run (I can select disk C: to clean and then it immediately quits).

I had turned off my BitDefender active scanning to use MalwareBytes, but now am unable to reactivate that as well. Clicking BitDefender's "fix" button to reactivate the real time scanner has no apparent result... the program doesn't freeze but nothing happens, leaving me with closing the window as the only option and the issue remains unresolved... I haven't been able to find a way around this yet.

Below are Hijack This logs... last 3 times trying to run GMER have resulted in BSOD... originally that was the only malware program I COULD get to run...




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:37 PM, on 10/8/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Scott\Documents\Desktop\s0qb75fv.exe
C:\Program Files\BitDefender\BitDefender 2008\seccenter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 5571 bytes


Thanks for your help.


#2 Buckeye_Sam

Malware Expert

Posted 09 October 2009 - 05:05 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 kbears

Topic Starter

Posted 10 October 2009 - 07:53 AM

Sam,

Many thanks for your help. When I ran ComboFix it caused my Firefox to shut down, which itself didn't surprise me at all, but when I went to reopen Firefox to send you the log, it gave an "Illegal operation on a registry key that has been marked for deletion." message. Internet Explorer returned the same thing. I rebooted expecting to need to reinstall, but both programs worked fine after reboot. Here's the ComboFix log.

ComboFix 09-10-08.04 - Scott 10/10/2009 7:37.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.1076 [GMT -5:00]
Running from: c:\users\Scott\Documents\Desktop\ComboFix.exe
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.

2009-10-10 12:44 . 2009-10-10 12:44 -------- d-----w- c:\users\Scott\AppData\Local\temp
2009-10-10 12:44 . 2009-10-10 12:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-10 12:44 . 2009-10-10 12:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-09 03:44 . 2009-10-09 03:44 -------- d-----w- C:\RootkitNO
2009-10-09 03:39 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 03:39 . 2009-10-09 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 03:39 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 00:13 . 2009-10-09 05:43 -------- d-----w- c:\program files\Java
2009-10-09 00:13 . 2009-10-09 00:13 -------- d-----w- c:\program files\Java(5)
2009-10-08 22:24 . 2009-10-01 15:29 195440 ----a-w- c:\windows\system32\MpSigStub.exe
2009-10-08 16:32 . 2009-10-08 16:32 -------- d--h--w- c:\windows\PIF
2009-10-08 13:39 . 2009-10-09 02:30 -------- d-----w- c:\users\Scott\AppData\Local\temp(26)
2009-10-08 13:37 . 2009-10-08 13:37 -------- d-----w- C:\$RECYCLE(0).BIN
2009-10-06 08:37 . 2009-10-06 17:20 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-10-06 08:37 . 2009-10-09 03:47 -------- d-----w- c:\program files\UnHackMe
2009-10-06 01:13 . 2009-10-06 01:13 35 ----a-w- c:\users\Scott\AppData\Roaming\SetValue.bat
2009-10-06 00:52 . 2009-10-09 05:45 -------- d-----w- c:\users\Scott\AppData\Local\Runscanner.net
2009-10-05 22:40 . 2009-10-06 08:38 2 --shatr- c:\windows\winstart.bat
2009-10-05 22:39 . 2009-10-05 22:39 -------- d-----w- c:\program files\Greatis
2009-10-05 06:01 . 2009-10-05 06:01 117760 ----a-w- c:\users\Scott\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-05 06:01 . 2009-10-05 06:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-10-05 06:00 . 2009-10-09 02:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-05 06:00 . 2009-10-05 06:00 -------- d-----w- c:\users\Scott\AppData\Roaming\SUPERAntiSpyware.com
2009-10-05 02:22 . 2009-10-05 09:51 -------- d-----w- c:\program files\Enigma Software Group
2009-10-05 00:07 . 2009-10-06 00:47 -------- d-----w- C:\rsit
2009-10-04 22:30 . 2009-10-05 06:27 15 ----a-w- c:\windows\system32\settings.dat
2009-10-04 16:23 . 2009-10-09 02:54 -------- d-----w- c:\program files\Sophos
2009-10-04 16:18 . 2009-10-04 16:18 -------- d-----w- c:\users\Scott\AppData\Roaming\Malwarebytes
2009-10-04 16:17 . 2009-10-04 16:17 -------- d-----w- c:\programdata\Malwarebytes
2009-10-04 16:13 . 2009-10-04 16:18 -------- d-----w- c:\programdata\avg8
2009-10-04 15:57 . 2009-10-04 15:57 -------- d-----w- c:\users\Scott\AppData\Roaming\AVG8
2009-10-04 13:48 . 2009-10-04 22:37 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-04 13:46 . 2009-10-04 15:54 -------- d-----w- c:\programdata\Lavasoft
2009-10-04 13:15 . 2009-10-09 02:37 -------- d-----w- c:\program files\Trend Micro
2009-10-03 23:33 . 2009-10-03 23:33 -------- d-----w- c:\windows\BDOSCAN8
2009-10-02 11:40 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-02 11:40 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-02 11:40 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-02 11:40 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-02 11:40 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-02 11:40 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-02 11:40 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-02 11:40 . 2009-08-07 00:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-02 11:40 . 2009-08-06 23:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-09-24 01:16 . 2009-09-24 01:17 -------- d-----w- c:\windows\system32\ca-ES
2009-09-24 01:16 . 2009-09-24 01:17 -------- d-----w- c:\windows\system32\eu-ES
2009-09-24 01:15 . 2009-09-24 01:17 -------- d-----w- c:\windows\system32\vi-VN
2009-09-24 00:56 . 2009-09-24 00:56 -------- d-----w- c:\windows\system32\EventProviders
2009-09-17 12:03 . 2009-04-11 05:03 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-09-17 12:03 . 2009-04-11 06:28 1081344 ----a-w- c:\windows\system32\SLCExt.dll
2009-09-17 12:03 . 2009-04-11 06:27 3408896 ----a-w- c:\windows\system32\SLsvc.exe
2009-09-17 12:01 . 2009-04-11 06:28 375808 ----a-w- c:\windows\system32\winhttp.dll
2009-09-17 12:00 . 2009-04-11 06:28 114688 ----a-w- c:\windows\system32\imm32.dll
2009-09-17 11:59 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2009-09-17 11:59 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2009-09-17 11:59 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-10 12:05 . 2009-03-15 19:50 41662 ----a-w- c:\programdata\nvModes.dat
2009-10-10 12:04 . 2007-08-05 17:24 81984 ----a-w- c:\windows\system32\bdod.bin
2009-10-09 03:11 . 2008-06-12 21:31 -------- d-----w- c:\program files\TestGen
2009-10-09 02:37 . 2008-09-24 01:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-09 02:37 . 2007-05-29 07:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-09 00:44 . 2007-08-07 20:27 1356 ----a-w- c:\users\Scott\AppData\Local\d3d9caps.dat
2009-10-09 00:13 . 2009-02-11 00:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 01:13 . 2009-10-06 01:13 691 ----a-w- c:\users\Scott\AppData\Roaming\GetValue.vbs
2009-09-24 01:30 . 2007-11-01 14:39 -------- d-----w- c:\programdata\NVIDIA
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-24 01:18 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-04 23:04 . 2009-09-04 23:04 -------- d-----w- c:\program files\SoftLogica
2009-09-04 03:44 . 2009-09-03 23:59 -------- d-----w- c:\program files\R-Undelete
2009-09-03 13:48 . 2007-05-29 07:47 -------- d-----w- c:\programdata\Microsoft Help
2009-08-31 03:25 . 2009-08-31 03:12 -------- d-----w- c:\program files\A-FF Find and Mount
2009-08-31 02:25 . 2009-08-31 02:25 -------- d-----w- c:\program files\EASEUS
2009-08-31 02:24 . 2009-08-31 02:20 -------- d-----w- c:\program files\Recuva
2009-08-31 01:29 . 2009-08-31 01:29 -------- d-----w- c:\programdata\ParetoLogic
2009-08-31 01:28 . 2009-08-31 01:28 -------- d-----w- c:\programdata\Cached Installations
2009-08-29 00:27 . 2009-09-03 00:05 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-03 00:05 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-14 16:27 . 2009-09-09 11:35 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 11:35 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 11:35 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 11:35 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 11:35 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 11:35 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 11:35 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 11:35 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 11:35 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 11:35 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 11:35 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-07-21 21:52 . 2009-09-10 13:29 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-10 13:29 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-10 13:29 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-10 13:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 13:54 . 2009-08-12 13:19 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-12 13:19 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-12 13:19 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-12 13:19 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-12 13:19 7680 ----a-w- c:\windows\system32\spwmp.dll
2008-04-20 17:55 . 2008-04-20 17:55 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

------- Sigcheck -------

[7] 2006-11-02 . 7F15B4953378C8B5161D65C26D5FED4D . 11776 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

c:\windows\system32\cngaudit.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-10-08_13.36.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-29 07:19 . 2009-10-10 12:06 27418 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-10 12:06 67302 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-08-06 03:44 . 2009-10-10 12:06 12604 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3741249358-2648225050-3460918513-1000_UserData.bin
+ 2007-06-24 02:10 . 2009-10-09 02:49 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-06-24 02:10 . 2009-10-06 07:35 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-24 02:10 . 2009-10-09 02:49 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-24 02:10 . 2009-10-06 07:35 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-24 02:10 . 2009-10-09 02:49 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-06-24 02:10 . 2009-10-06 07:35 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-08 00:59 . 2009-10-08 00:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-10 12:04 . 2009-10-10 12:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-08 00:59 . 2009-10-08 00:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-10 12:04 . 2009-10-10 12:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-07-29 02:41 . 2009-10-10 00:33 277008 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-09-01 02:31 . 2009-09-01 02:30 149280 c:\windows\System32\javaws.exe
+ 2009-10-09 00:14 . 2009-10-09 00:13 149280 c:\windows\System32\javaws.exe
- 2009-09-01 02:31 . 2009-09-01 02:30 145184 c:\windows\System32\javaw.exe
+ 2009-10-09 00:14 . 2009-10-09 00:13 145184 c:\windows\System32\javaw.exe
+ 2009-10-09 00:14 . 2009-10-09 00:13 145184 c:\windows\System32\java.exe
- 2009-09-01 02:31 . 2009-09-01 02:30 145184 c:\windows\System32\java.exe
+ 2007-08-06 03:50 . 2009-10-09 00:11 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\usrclass.dat
- 2007-08-06 03:50 . 2009-10-05 23:12 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2006-11-02 10:22 . 2009-10-10 02:41 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2006-11-02 10:22 . 2009-10-08 01:12 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-10-09 00:13 . 2009-10-09 00:13 1757696 c:\windows\Installer\19d1701.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-15 368640]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-09 149280]

c:\users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):1c,74,14,37,b6,3c,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3E1165D4-6501-4D5C-B527-FD0719E2BFBF}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AF3360B3-52FB-47E0-B472-39F5E0A261E2}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6466F7C8-9789-4F93-B00F-3F85CFE814FB}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2346F100-EA86-48A7-B581-AAFCBAC9515D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9EF3943E-DCE5-480B-ADBE-BDF50FFDB414}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{118BCD34-FAA4-4805-883F-0965C17EE6F0}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{18788314-AE77-4043-9DEC-9D26366AE739}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{2F7B0B5A-A1DF-4DAD-ADB5-1D4B72C4A094}"= UDP:c:\windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"{76BBF3E5-0566-4738-9629-73AB9A90BB94}"= TCP:c:\windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"TCP Query User{BCD06403-94D0-4EDE-B23A-CF203E98EF7E}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{BD636B27-5BBD-47CC-9DC6-06382AA4EEBA}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{18E49E14-DBD5-45BE-B4A8-D00545FDAADE}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{148BE02D-1156-4DCF-8B67-66B3EF6DB01C}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{6B3282F5-5B85-415D-AE4A-C64CF6DDCDF6}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{D42E466D-19E2-4BDD-BE99-E3EB35A492B7}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-17 c:\windows\Tasks\HPCeeScheduleForScott.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-05-29 21:23]

2009-10-10 c:\windows\Tasks\User_Feed_Synchronization-{C4B58F9A-CC2C-4F4F-818B-10DC91A429DD}.job
- c:\windows\system32\msfeedssync.exe [2009-09-10 20:13]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\yun1q0f2.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\yun1q0f2.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-10 07:44
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-10-10 7:47
ComboFix-quarantined-files.txt 2009-10-10 12:47
ComboFix2.txt 2009-10-08 13:39

Pre-Run: 83,129,872,384 bytes free
Post-Run: 83,030,282,240 bytes free

254 --- E O F --- 2009-10-09 00:16

#4 Buckeye_Sam

Malware Expert

Posted 10 October 2009 - 08:36 AM

Please download and run Win32kDiag:
Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

Please post the following logs in your next reply:

* Win32kDiag.txt
* Log.txt

#5 kbears

kbears
  • Topic Starter


Posted 10 October 2009 - 11:23 PM

Sam,

Here's the logs you requested. Thanks again for your help.

Volume in drive C has no label.
Volume Serial Number is 2256-DBBA

Directory of C:\WINDOWS\ERDNT\cache

04/11/2009 01:28 AM 177,152 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

04/11/2009 01:28 AM 592,896 netlogon.dll
2 File(s) 770,048 bytes

Directory of C:\WINDOWS\System32

04/11/2009 01:28 AM 177,152 scecli.dll

Directory of C:\WINDOWS\System32

04/11/2009 01:28 AM 592,896 netlogon.dll
2 File(s) 770,048 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6

11/02/2006 04:46 AM 11,776 cngaudit.dll
1 File(s) 11,776 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

11/02/2006 04:46 AM 176,640 scecli.dll
1 File(s) 176,640 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

01/18/2008 11:36 PM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e

04/11/2009 01:28 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

11/02/2006 04:46 AM 559,616 netlogon.dll
1 File(s) 559,616 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/18/2008 11:35 PM 592,384 netlogon.dll
1 File(s) 592,384 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3

04/11/2009 01:28 AM 592,896 netlogon.dll
1 File(s) 592,896 bytes

Total Files Listed:
11 File(s) 3,827,712 bytes
0 Dir(s) 83,045,195,776 bytes free








Running from: C:\Users\Scott\Documents\Desktop\Win32kDiag.exe

Log file at : C:\Users\Scott\Documents\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6F43.tmp\ZAP6F43.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA14.tmp\ZAPA14.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEADB.tmp\ZAPEADB.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109AB0090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\pss\pss

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\Download\0d63ad61699d69b23bd1e321b9bd69a0\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16699_none_f0498ecc6e94a1be\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16699_none_f0498ecc6e94a1be

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\Download\0d63ad61699d69b23bd1e321b9bd69a0\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.20855_none_f0fa6c058795698f\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.20855_none_f0fa6c058795698f

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\Download\0d63ad61699d69b23bd1e321b9bd69a0\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18088_none_f2399d146bb3fd67\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18088_none_f2399d146bb3fd67

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\Download\0d63ad61699d69b23bd1e321b9bd69a0\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22200_none_f311b8d58497f018\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22200_none_f311b8d58497f018

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\Download\5e8afc6cdd7d86bccbeda75ec36037ee\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.0.6000.20822_en-us_58398760f4e11a84\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.0.6000.20822_en-us_58398760f4e11a84

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\Download\5e8afc6cdd7d86bccbeda75ec36037ee\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.16680_none_69ec6cd815163c56\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.16680_none_69ec6cd815163c56

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\Download\5e8afc6cdd7d86bccbeda75ec36037ee\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.20822_none_6ab8eba52e01644f\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.20822_none_6ab8eba52e01644f

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\Download\5e8afc6cdd7d86bccbeda75ec36037ee\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.18062_none_6bea4bea122ac813\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.18062_none_6bea4bea122ac813

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\Download\5e8afc6cdd7d86bccbeda75ec36037ee\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.22166_none_6c77e9dd2b44cd39\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.22166_none_6c77e9dd2b44cd39

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\Download\9298ca2f0df372ea0b2244727b26f909\x86_microsoft-windows-kernelstreaming_31bf3856ad364e35_6.0.6000.16651_none_5565745f98e52f68\x86_microsoft-windows-kernelstreaming_31bf3856ad364e35_6.0.6000.16651_none_5565745f98e52f68

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\Download\9298ca2f0df372ea0b2244727b26f909\x86_microsoft-windows-kernelstreaming_31bf3856ad364e35_6.0.6000.20788_none_55d5a36cb214d466\x86_microsoft-windows-kernelstreaming_31bf3856ad364e35_6.0.6000.20788_none_55d5a36cb214d466

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\Download\b3dda9b0e17d4f5d4d92aaf5fe91fd05\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6000.16710_none_9be9c78e2d9d5d54\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6000.16710_none_9be9c78e2d9d5d54

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\Download\b3dda9b0e17d4f5d4d92aaf5fe91fd05\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6000.20867_none_9c4456c346dd3a34\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6000.20867_none_9c4456c346dd3a34

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\Download\b3dda9b0e17d4f5d4d92aaf5fe91fd05\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.18098_none_9d81873e2afd9b5e\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.18098_none_9d81873e2afd9b5e

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\Download\b3dda9b0e17d4f5d4d92aaf5fe91fd05\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.22211_none_9e5aa34943e0a766\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.22211_none_9e5aa34943e0a766

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\sdl\ScanFile\ScanFile

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\Branding\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\catroot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\com\dmp\dmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\Journal\Journal

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\1

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\10

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\12

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\13

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\14

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\17

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\18

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\19

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\2

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\21

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\22

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\23

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\25

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\27

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\29

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\3

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\30

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\31

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\34

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\35

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\36

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\37

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\38

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\40

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\41

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\42

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\43

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\44

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\46

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\47

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\49

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\5

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\51

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\52

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\53

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\54

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\55

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\56

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\57

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\58

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\6

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\60

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\61

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\63

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\8

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\9

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\host\host

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\muffin\muffin

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpp413aa.inf_70b6109e\I386\I386

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DRVSTORE\DRVSTORE

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\GroupPolicyUsers\GroupPolicyUsers

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\LogFiles\Firewall\Firewall

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-10-10 07:50:19 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-10-10 07:50:12 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-10-10 07:50:12 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-10-10 07:50:12 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

[1] 2009-10-10 07:51:18 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()



Found mount point : C:\Windows\System32\MUI\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\setup\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\SMI\Manifests\Manifests

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\spool\drivers\IA64\IA64

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\spool\drivers\x64\x64

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\spool\SERVERS\Familyroomhp\Familyroomhp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\spool\SERVERS\Oracle\Oracle

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\spool\SERVERS\Scott\Scott

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\spool\SERVERS\Trinity\Trinity

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\Tasks\Event Viewer Tasks\Event Viewer Tasks

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System\System

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\SyncCenter

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows\WindowsCalendar\WindowsCalendar

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows Defender\Windows Defender

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\wbem\MOF\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\wbem\MOF\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\WDI\{533a67eb-9fb5-473d-b884-958cf4b9c4a3}\{533a67eb-9fb5-473d-b884-958cf4b9c4a3}

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\WDI\{67144949-5132-4859-8036-a737b43825d8}\{67144949-5132-4859-8036-a737b43825d8}

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\WDI\{ecfb03d1-58ee-4cc7-a1b5-9bc6febcb915}\{ecfb03d1-58ee-4cc7-a1b5-9bc6febcb915}

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\WDI\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\winevt\TraceFormat\TraceFormat

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe

[1] 2006-11-02 04:45:54 216064 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6000.16386_none_6dd05aa63fde4065\WerFault.exe (Microsoft Corporation)

[1] 2008-01-18 23:33:36 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe (Microsoft Corporation)

[1] 2008-01-18 23:33:36 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe (Microsoft Corporation)

[1] 2008-09-19 23:00:16 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFault.exe (Microsoft Corporation)

[1] 2009-04-11 01:28:11 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe ()





Finished!

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:12 PM

Posted 11 October 2009 - 08:33 AM

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.



We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.



========================================================
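One way to triage the Win32kDiag.txt log requested above, as an added example (not part of the original posts and not the tool's own code): it pairs each "Found mount point" entry with its destination and any "Removing mount point" line, and lists junctions that still point at the `\Device\__max++>` destination seen in this thread. The function names are hypothetical and the sample log lines are constructed in the layout shown in this thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Destination prefix seen in this thread's logs for every hijacked junction.
SUSPECT_PREFIX = "\\Device\\__max++>"

# Constructed sample in the Win32kDiag.txt layout shown in this thread.
SAMPLE_LOG = r"""
Removing all found mount points.
Searching 'C:\Windows'...

Found mount point : C:\Windows\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\assembly\temp\temp

Found mount point : C:\Windows\Minidump\Minidump
Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Example\Example
Mount point destination : \Device\HarddiskVolume2\Data

Cannot access: C:\Windows\winsxs\example\WerFault.exe

Finished!
"""

# The keyword is followed by the first colon; the path's own "C:" stays in the value.
LINE_RE = re.compile(
    r"^(Found mount point|Mount point destination|Removing mount point|Cannot access)"
    r"\s*:\s*(.*)$"
)


@dataclass
class MountPoint:
    path: str
    destination: Optional[str] = None
    removed: bool = False  # a "Removing mount point" line was logged for this path

    @property
    def suspect(self) -> bool:
        return bool(self.destination) and self.destination.startswith(SUSPECT_PREFIX)


def parse_win32kdiag(text):
    """Return (mount points, inaccessible paths, saw_finished_marker)."""
    mounts = {}          # keyed by lowercased path: NTFS paths are case-insensitive
    inaccessible = []
    current = None       # the entry the next "destination" line belongs to
    finished = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Finished!":
            finished = True
            continue
        m = LINE_RE.match(line)
        if not m:
            continue     # banner lines, file listings, blank lines
        kind, value = m.group(1), m.group(2).strip()
        if kind == "Found mount point":
            current = mounts.setdefault(value.lower(), MountPoint(value))
        elif kind == "Mount point destination" and current is not None:
            current.destination = value
        elif kind == "Removing mount point":
            entry = mounts.get(value.lower())
            if entry is not None:
                entry.removed = True
        elif kind == "Cannot access":
            inaccessible.append(value)
    return list(mounts.values()), inaccessible, finished


def triage(text):
    """Summarise a log: what was found, what was not removed, what needs a look."""
    mounts, inaccessible, finished = parse_win32kdiag(text)
    suspect = [m for m in mounts if m.suspect]
    return {
        "total": len(mounts),
        "suspect": len(suspect),
        # Suspect junctions with no removal line logged for them.
        "not_removed": [m.path for m in suspect if not m.removed],
        # Junctions pointing somewhere else; review these by hand.
        "other_destinations": sorted(
            {m.destination for m in mounts if m.destination and not m.suspect}
        ),
        "inaccessible": inaccessible,
        # False means the pasted log was cut off before the "Finished!" marker.
        "complete": finished,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A "Removing mount point" line only records that removal was attempted; a later scan that reports no mount points is what confirms the cleanup.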

#7 kbears

kbears
  • Topic Starter

  • Members
  • 23 posts
  • Local time:04:12 PM

Posted 11 October 2009 - 01:22 PM

Sam,

For some reason the run command prompt you gave me wasn't working... saying that network path was unavailable, but I took the liberty to run win32kdiag with the -f and -r attributes through its local address.

Running from: C:\Users\Scott\Documents\Desktop\win32kdiag.exe

Log file at : C:\Users\Scott\Documents\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6F43.tmp\ZAP6F43.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6F43.tmp\ZAP6F43.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA14.tmp\ZAPA14.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA14.tmp\ZAPA14.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEADB.tmp\ZAPEADB.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEADB.tmp\ZAPEADB.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\temp\temp

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\tmp\tmp

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ehome\CreateDisc\style\style

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\Globalization

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\Corporate\Corporate

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109AB0090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109AB0090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Found mount point : C:\Windows\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Minidump\Minidump

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\nap\configuration\configuration

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PLA\Templates\Templates

Found mount point : C:\Windows\pss\pss

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\pss\pss

Found mount point : C:\Windows\registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\registration\CRMLog\CRMLog

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SchCache\SchCache

Found mount point : C:\Windows\sdl\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\AuthCabs\Downloaded\Downloaded

Found mount point : C:\Windows\sdl\Download\0d63ad61699d69b23bd1e321b9bd69a0\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16699_none_f0498ecc6e94a1be\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16699_none_f0498ecc6e94a1be

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\Download\0d63ad61699d69b23bd1e321b9bd69a0\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16699_none_f0498ecc6e94a1be\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16699_none_f0498ecc6e94a1be

Found mount point : C:\Windows\sdl\Download\0d63ad61699d69b23bd1e321b9bd69a0\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.20855_none_f0fa6c058795698f\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.20855_none_f0fa6c058795698f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\Download\0d63ad61699d69b23bd1e321b9bd69a0\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.20855_none_f0fa6c058795698f\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.20855_none_f0fa6c058795698f

Found mount point : C:\Windows\sdl\Download\0d63ad61699d69b23bd1e321b9bd69a0\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18088_none_f2399d146bb3fd67\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18088_none_f2399d146bb3fd67

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\Download\0d63ad61699d69b23bd1e321b9bd69a0\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18088_none_f2399d146bb3fd67\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18088_none_f2399d146bb3fd67

Found mount point : C:\Windows\sdl\Download\0d63ad61699d69b23bd1e321b9bd69a0\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22200_none_f311b8d58497f018\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22200_none_f311b8d58497f018

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\Download\0d63ad61699d69b23bd1e321b9bd69a0\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22200_none_f311b8d58497f018\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22200_none_f311b8d58497f018

Found mount point : C:\Windows\sdl\Download\5e8afc6cdd7d86bccbeda75ec36037ee\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.0.6000.20822_en-us_58398760f4e11a84\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.0.6000.20822_en-us_58398760f4e11a84

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\Download\5e8afc6cdd7d86bccbeda75ec36037ee\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.0.6000.20822_en-us_58398760f4e11a84\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.0.6000.20822_en-us_58398760f4e11a84

Found mount point : C:\Windows\sdl\Download\5e8afc6cdd7d86bccbeda75ec36037ee\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.16680_none_69ec6cd815163c56\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.16680_none_69ec6cd815163c56

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\Download\5e8afc6cdd7d86bccbeda75ec36037ee\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.16680_none_69ec6cd815163c56\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.16680_none_69ec6cd815163c56

Found mount point : C:\Windows\sdl\Download\5e8afc6cdd7d86bccbeda75ec36037ee\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.20822_none_6ab8eba52e01644f\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.20822_none_6ab8eba52e01644f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\Download\5e8afc6cdd7d86bccbeda75ec36037ee\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.20822_none_6ab8eba52e01644f\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.20822_none_6ab8eba52e01644f

Found mount point : C:\Windows\sdl\Download\5e8afc6cdd7d86bccbeda75ec36037ee\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.18062_none_6bea4bea122ac813\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.18062_none_6bea4bea122ac813

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\Download\5e8afc6cdd7d86bccbeda75ec36037ee\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.18062_none_6bea4bea122ac813\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.18062_none_6bea4bea122ac813

Found mount point : C:\Windows\sdl\Download\5e8afc6cdd7d86bccbeda75ec36037ee\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.22166_none_6c77e9dd2b44cd39\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.22166_none_6c77e9dd2b44cd39

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\Download\5e8afc6cdd7d86bccbeda75ec36037ee\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.22166_none_6c77e9dd2b44cd39\x86_microsoft-windows-shell32_31bf3856ad364e35_6.0.6001.22166_none_6c77e9dd2b44cd39

Found mount point : C:\Windows\sdl\Download\9298ca2f0df372ea0b2244727b26f909\x86_microsoft-windows-kernelstreaming_31bf3856ad364e35_6.0.6000.16651_none_5565745f98e52f68\x86_microsoft-windows-kernelstreaming_31bf3856ad364e35_6.0.6000.16651_none_5565745f98e52f68

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\Download\9298ca2f0df372ea0b2244727b26f909\x86_microsoft-windows-kernelstreaming_31bf3856ad364e35_6.0.6000.16651_none_5565745f98e52f68\x86_microsoft-windows-kernelstreaming_31bf3856ad364e35_6.0.6000.16651_none_5565745f98e52f68

Found mount point : C:\Windows\sdl\Download\9298ca2f0df372ea0b2244727b26f909\x86_microsoft-windows-kernelstreaming_31bf3856ad364e35_6.0.6000.20788_none_55d5a36cb214d466\x86_microsoft-windows-kernelstreaming_31bf3856ad364e35_6.0.6000.20788_none_55d5a36cb214d466

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\Download\9298ca2f0df372ea0b2244727b26f909\x86_microsoft-windows-kernelstreaming_31bf3856ad364e35_6.0.6000.20788_none_55d5a36cb214d466\x86_microsoft-windows-kernelstreaming_31bf3856ad364e35_6.0.6000.20788_none_55d5a36cb214d466

Found mount point : C:\Windows\sdl\Download\b3dda9b0e17d4f5d4d92aaf5fe91fd05\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6000.16710_none_9be9c78e2d9d5d54\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6000.16710_none_9be9c78e2d9d5d54

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\Download\b3dda9b0e17d4f5d4d92aaf5fe91fd05\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6000.16710_none_9be9c78e2d9d5d54\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6000.16710_none_9be9c78e2d9d5d54

Found mount point : C:\Windows\sdl\Download\b3dda9b0e17d4f5d4d92aaf5fe91fd05\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6000.20867_none_9c4456c346dd3a34\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6000.20867_none_9c4456c346dd3a34

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\Download\b3dda9b0e17d4f5d4d92aaf5fe91fd05\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6000.20867_none_9c4456c346dd3a34\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6000.20867_none_9c4456c346dd3a34

Found mount point : C:\Windows\sdl\Download\b3dda9b0e17d4f5d4d92aaf5fe91fd05\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.18098_none_9d81873e2afd9b5e\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.18098_none_9d81873e2afd9b5e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\Download\b3dda9b0e17d4f5d4d92aaf5fe91fd05\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.18098_none_9d81873e2afd9b5e\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.18098_none_9d81873e2afd9b5e

Found mount point : C:\Windows\sdl\Download\b3dda9b0e17d4f5d4d92aaf5fe91fd05\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.22211_none_9e5aa34943e0a766\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.22211_none_9e5aa34943e0a766

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\Download\b3dda9b0e17d4f5d4d92aaf5fe91fd05\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.22211_none_9e5aa34943e0a766\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.22211_none_9e5aa34943e0a766

Found mount point : C:\Windows\sdl\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\PostRebootEventCache\PostRebootEventCache

Found mount point : C:\Windows\sdl\ScanFile\ScanFile

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\sdl\ScanFile\ScanFile

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\templates\templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Found mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Sun\Java\Deployment\Deployment

Found mount point : C:\Windows\System32\0409\0409

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\0409\0409

Found mount point : C:\Windows\System32\Branding\en-US\en-US

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\Branding\en-US\en-US

Found mount point : C:\Windows\System32\catroot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\catroot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}

Found mount point : C:\Windows\System32\com\dmp\dmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\com\dmp\dmp

Found mount point : C:\Windows\System32\config\Journal\Journal

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\Journal\Journal

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\0

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\1

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\10

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\10

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\12

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\12

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\13

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\13

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\14

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\14

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\17

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\17

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\18

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\18

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\19

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\19

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\2

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\21

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\21

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\22

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\22

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\23

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\23

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\25

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\25

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\27

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\27

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\29

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\29

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\3

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\30

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\30

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\31

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\31

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\34

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\34

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\35

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\35

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\36

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\36

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\37

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\37

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\38

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\38

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\40

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\40

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\41

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\41

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\42

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\42

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\43

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\43

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\44

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\44

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\46

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\46

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\47

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\47

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\49

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\49

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\5

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\51

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\51

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\52

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\52

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\53

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\53

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\54

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\54

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\55

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\55

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\56

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\56

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\57

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\57

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\58

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\58

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\6

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\60

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\60

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\61

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\61

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\63

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\63

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\8

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\9

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\9

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\host\host

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\host\host

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\muffin\muffin

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\muffin\muffin

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpp413aa.inf_70b6109e\I386\I386

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\DriverStore\FileRepository\hpp413aa.inf_70b6109e\I386\I386

Found mount point : C:\Windows\System32\DRVSTORE\DRVSTORE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\DRVSTORE\DRVSTORE

Found mount point : C:\Windows\System32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\GroupPolicy\User\User

Found mount point : C:\Windows\System32\GroupPolicyUsers\GroupPolicyUsers

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\GroupPolicyUsers\GroupPolicyUsers

Found mount point : C:\Windows\System32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\inetsrv\inetsrv

Found mount point : C:\Windows\System32\LogFiles\Firewall\Firewall

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\LogFiles\Firewall\Firewall

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Found mount point : C:\Windows\System32\MUI\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\MUI\dispspec\dispspec

Found mount point : C:\Windows\System32\setup\en-US\en-US

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\setup\en-US\en-US

Found mount point : C:\Windows\System32\SMI\Manifests\Manifests

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\SMI\Manifests\Manifests

Found mount point : C:\Windows\System32\spool\drivers\IA64\IA64

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\drivers\IA64\IA64

Found mount point : C:\Windows\System32\spool\drivers\x64\x64

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\drivers\x64\x64

Found mount point : C:\Windows\System32\spool\SERVERS\Familyroomhp\Familyroomhp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\SERVERS\Familyroomhp\Familyroomhp

Found mount point : C:\Windows\System32\spool\SERVERS\Oracle\Oracle

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\SERVERS\Oracle\Oracle

Found mount point : C:\Windows\System32\spool\SERVERS\Scott\Scott

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\SERVERS\Scott\Scott

Found mount point : C:\Windows\System32\spool\SERVERS\Trinity\Trinity

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\SERVERS\Trinity\Trinity

Found mount point : C:\Windows\System32\Tasks\Event Viewer Tasks\Event Viewer Tasks

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\Tasks\Event Viewer Tasks\Event Viewer Tasks

Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System\System

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System\System

Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\SyncCenter

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\SyncCenter

Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows\WindowsCalendar\WindowsCalendar

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\Tasks\Microsoft\Windows\WindowsCalendar\WindowsCalendar

Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows Defender\Windows Defender

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\Tasks\Microsoft\Windows Defender\Windows Defender

Found mount point : C:\Windows\System32\wbem\MOF\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\wbem\MOF\bad\bad

Found mount point : C:\Windows\System32\wbem\MOF\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\wbem\MOF\good\good

Found mount point : C:\Windows\System32\WDI\{533a67eb-9fb5-473d-b884-958cf4b9c4a3}\{533a67eb-9fb5-473d-b884-958cf4b9c4a3}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\WDI\{533a67eb-9fb5-473d-b884-958cf4b9c4a3}\{533a67eb-9fb5-473d-b884-958cf4b9c4a3}

Found mount point : C:\Windows\System32\WDI\{67144949-5132-4859-8036-a737b43825d8}\{67144949-5132-4859-8036-a737b43825d8}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\WDI\{67144949-5132-4859-8036-a737b43825d8}\{67144949-5132-4859-8036-a737b43825d8}

Found mount point : C:\Windows\System32\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}

Found mount point : C:\Windows\System32\WDI\{ecfb03d1-58ee-4cc7-a1b5-9bc6febcb915}\{ecfb03d1-58ee-4cc7-a1b5-9bc6febcb915}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\WDI\{ecfb03d1-58ee-4cc7-a1b5-9bc6febcb915}\{ecfb03d1-58ee-4cc7-a1b5-9bc6febcb915}

Found mount point : C:\Windows\System32\WDI\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\WDI\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}

Found mount point : C:\Windows\System32\winevt\TraceFormat\TraceFormat

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\winevt\TraceFormat\TraceFormat

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\tracing\tracing

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Found mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes

Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Cannot access: C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe

Attempting to restore permissions of : C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe



Finished!



And here's the junction log....



Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\System Volume Information: Access is denied.


\\?\c:\\ProgramData\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\ProgramData\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\ProgramData\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\ProgramData\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\ProgramData\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\ProgramData\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates







Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\748025d361a63b8ac8ab047458b1a879_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\78ea8f78c0d0d03bba3f6aab21c5f646_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\7997d1b233276533d5d14eac0179d3e7_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\7a68cec2a4556eb86dce1506df3fc693_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\7b2d69c06f7d2458c1a52fc39a5a2ec5_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\7ff16dcba1ad4d7ef75a9be9c160d5d7_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\81715891855ca394385e5f0de610e6a9_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\81cb9c3d8fcd9df17858d0411f2fdad0_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\81e7446fd069b59a4d7a87d1fbdada0e_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\83a2cf73ec2f9ba307dc671a9cdc067d_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8522cc6b904293f818398505723d53bf_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\85871d00e6404293e7fe804728a820d1_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\85cf42fb5420d86c3b3058fccf07b743_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\85db08f9178a679ebdaab0770328ea91_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8971812884ab37152bb1685b01c407f8_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8a0cda2a8d129615ce17f66a96ac0b0f_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8ed96fe2444b5e7f443431c8aafc70b6_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\906ead33c1bd1d9e32f691a9b7a36316_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\92f0b466f49764889ea0d359f0b471ed_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9348373c81b0e562c49955d30974c284_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\95a2bf2566d8e036128ce62eb001fd18_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9683d85cd4dbd0dc43056a080519ea4b_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\970bea40eec904916ff7026e679f684c_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9e2008dac5d300c6444b781752f2fa2c_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\acaf755e6d6ecf9e93f41c475874d5f7_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\afd336e387986e63ef8c408e91ce0176_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\b0a008389ff875f54d63d37381988061_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\b9baa33914f9edef964d318a4a535423_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\bd32456f24cbc2efe557d611e09a919b_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\bf17a92dc6abb51935c1731a07857aee_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\c21a603be618d5cab39fd81570f89f80_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\c4edc7afa261935296cff06157f3c6cc_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\c64f1cb44835e5b04be654100605b45e_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\c8efa4d04a0d29d40184453780952d88_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\c8f826d3decb8c75d5d182b1af100d71_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\cab7fc968ddbd3565fcf08427a916220_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\cf88949eac3cdd62123d1a62599a2a89_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\cfb0466f620790fe6ad653dfb4acd939_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d05e9d1e8cfcf44acdde0b5f66614765_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d12c1bfc9ed57b9273702c72470bb33b_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d3188563ad341db98829479c11722ff1_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d5321e164747a428424113f4ee328384_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d7f3f6ad72a407c6e81dd878349ee79b_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\de63c950740db30dcb72ef11f9be5404_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\df34ab79f1db8c8bdc0bf6166d3916f4_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\e10b1780a0e63e51a768cb81b95fac54_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\e937c2ac507b1f2b1d69cd980743fcd6_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\e9e208857ac1483725509788dce4472f_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ec9b6f0a7ac276962fa985f9ac582f4f_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\eec06df573dfbb8a00396c93ebae2971_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\eec7e263916028dbc1ddc085d1800fab_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f091c20af68c188bfec9d2dbcdead232_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f1d12363fe5c4a8af935b997d36c635a_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f3a4d5fdf03953700d92910b839cf944_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f489131cc781a97f4d08cc4e52d8dfb8_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f54e3c24faf23e7be6660e535f3d51db_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f55e6fbae45f14f94bb275e1557090ff_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f5df1de3dda6ea7652df93aa93ee4176_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f9ccc9e1fd8e7952e6ea451a7dc8275f_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fa7b244b0331dbd5333fe6e3cdcd27c9_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\faa5bd1b41e34e99f8d189a48ff55c0f_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.



Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fdb21729ff58423343c0a7165da98080_f7a7a373-b58d-47bf-b590-bf857dee9833: Access is denied.


...

...

...

.\\?\c:\\Users\All Users: UNKNOWN MICROSOFT REPARSE POINT

\\?\c:\\Users\Default User: JUNCTION
Print Name : C:\Users\Default
Substitute Name: C:\Users\Default

\\?\c:\\Users\All Users\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Users\All Users\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Users\All Users\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Users\All Users\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Users\All Users\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Users\All Users\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

.

.\\?\c:\\Users\Default\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming
Substitute Name: C:\Users\Default\AppData\Roaming

\\?\c:\\Users\Default\Local Settings: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\My Documents: JUNCTION
Print Name : C:\Users\Default\Documents
Substitute Name: C:\Users\Default\Documents



\\?\c:\\Users\Default\NetHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Default\PrintHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Default\Recent: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Default\SendTo: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Default\Start Menu: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Default\Templates: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\AppData\Local\History: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Default\Documents\My Music: JUNCTION
Print Name : C:\Users\Default\Music
Substitute Name: C:\Users\Default\Music

\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Default\Pictures
Substitute Name: C:\Users\Default\Pictures

\\?\c:\\Users\Default\Documents\My Videos: JUNCTION
Print Name : C:\Users\Default\Videos
Substitute Name: C:\Users\Default\Videos

\\?\c:\\Users\Public\Documents\My Music: JUNCTION
Print Name : C:\Users\Public\Music
Substitute Name: C:\Users\Public\Music

\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Public\Pictures
Substitute Name: C:\Users\Public\Pictures

\\?\c:\\Users\Public\Documents\My Videos: JUNCTION
Print Name : C:\Users\Public\Videos
Substitute Name: C:\Users\Public\Videos

\\?\c:\\Users\Scott\Application Data: JUNCTION
Print Name : C:\Users\Scott\AppData\Roaming
Substitute Name: C:\Users\Scott\AppData\Roaming

\\?\c:\\Users\Scott\Cookies: JUNCTION
Print Name : C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Scott\Local Settings: JUNCTION
Print Name : C:\Users\Scott\AppData\Local
Substitute Name: C:\Users\Scott\AppData\Local

\\?\c:\\Users\Scott\My Documents: JUNCTION
Print Name : C:\Users\Scott\Documents
Substitute Name: C:\Users\Scott\Documents

\\?\c:\\Users\Scott\NetHood: JUNCTION
Print Name : C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Scott\PrintHood: JUNCTION
Print Name : C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Scott\Recent: JUNCTION
Print Name : C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Scott\SendTo: JUNCTION
Print Name : C:\Users\Scott\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Scott\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Scott\Start Menu: JUNCTION
Print Name : C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Scott\Templates: JUNCTION
Print Name : C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Scott\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Scott\AppData\Local
Substitute Name: C:\Users\Scott\AppData\Local

\\?\c:\\Users\Scott\AppData\Local\History: JUNCTION
Print Name : C:\Users\Scott\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Scott\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Scott\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Scott\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Scott\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Scott\Documents\My Music: JUNCTION
Print Name : C:\Users\Scott\Music
Substitute Name: C:\Users\Scott\Music

\\?\c:\\Users\Scott\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Scott\Pictures
Substitute Name: C:\Users\Scott\Pictures

\\?\c:\\Users\Scott\Documents\My Videos: JUNCTION
Print Name : C:\Users\Scott\Videos
Substitute Name: C:\Users\Scott\Videos

\\?\c:\\Windows\AppPatch\Custom\Custom: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\Windows\ehome\CreateDisc\style\style: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\Windows\Globalization\Globalization: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\Windows\Microsoft.NET\authman\authman: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\Windows\System32\0409\0409: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\Windows\System32\Branding\en-US\en-US: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\Windows\System32\config\systemprofile\Application Data: JUNCTION
Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming
Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming

\\?\c:\\Windows\System32\config\systemprofile\Local Settings: JUNCTION
Print Name : C:\Windows\system32\config\systemprofile\AppData\Local
Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local

\\?\c:\\Windows\System32\config\systemprofile\My Documents: JUNCTION
Print Name : C:\Windows\system32\config\systemprofile\Documents
Substitute Name: C:\Windows\system32\config\systemprofile\Documents

\\?\c:\\Windows\System32\config\systemprofile\NetHood: JUNCTION
Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Windows\System32\config\systemprofile\PrintHood: JUNCTION
Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Windows\System32\config\systemprofile\Recent: JUNCTION
Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Windows\System32\config\systemprofile\SendTo: JUNCTION
Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Windows\System32\config\systemprofile\Start Menu: JUNCTION
Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Windows\System32\config\systemprofile\Templates: JUNCTION
Print Name : C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Application Data: JUNCTION
Print Name : C:\Windows\system32\config\systemprofile\AppData\Local
Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local

\\?\c:\\Windows\System32\config\systemprofile\AppData\Local\History: JUNCTION
Print Name : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History

\\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files



\\?\c:\\Windows\System32\config\systemprofile\Documents\My Music: JUNCTION
Print Name : C:\Windows\system32\config\systemprofile\Music
Substitute Name: C:\Windows\system32\config\systemprofile\Music

\\?\c:\\Windows\System32\config\systemprofile\Documents\My Pictures: JUNCTION
Print Name : C:\Windows\system32\config\systemprofile\Pictures
Substitute Name: C:\Windows\system32\config\systemprofile\Pictures

\\?\c:\\Windows\System32\config\systemprofile\Documents\My Videos: JUNCTION
Print Name : C:\Windows\system32\config\systemprofile\Videos
Substitute Name: C:\Windows\system32\config\systemprofile\Videos

\\?\c:\\Windows\System32\DriverStore\FileRepository\hpp413aa.inf_70b6109e\I386\I386: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\Windows\System32\inetsrv\inetsrv: MOUNT POINT
Substitute Name: \Device\__max++>\^




Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied.


\\?\c:\\Windows\System32\MUI\dispspec\dispspec: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\Windows\System32\setup\en-US\en-US: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\Windows\tracing\tracing: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\Windows\winsxs\Temp\PendingDeletes\PendingDeletes: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\Windows\winsxs\Temp\PendingRenames\PendingRenames: MOUNT POINT
Substitute Name: \Device\__max++>\^


#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:12 PM

Posted 11 October 2009 - 01:52 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

FCopy::
c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll | c:\windows\system32\cngaudit.dll

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 kbears

Posted 11 October 2009 - 02:20 PM

Sam,

Just an FYI... Firefox and IE both gave the same "Illegal operation on a registry key that has been marked for deletion." after combofix ran, but was fine on reboot.

ComboFix 09-10-10.02 - Scott 10/11/2009 14:04.4.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.908 [GMT -5:00]
Running from: c:\users\Scott\Documents\Desktop\ComboFix.exe
Command switches used :: c:\users\Scott\Documents\Desktop\CFScript.txt
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll --> c:\windows\system32\cngaudit.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.

2009-10-11 19:10 . 2009-10-11 19:10 -------- d-----w- c:\users\Scott\AppData\Local\temp
2009-10-11 19:10 . 2009-10-11 19:10 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-11 19:10 . 2009-10-11 19:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-11 19:04 . 2006-11-02 09:46 11776 ----a-w- c:\windows\system32\cngaudit.dll
2009-10-09 03:44 . 2009-10-09 03:44 -------- d-----w- C:\RootkitNO
2009-10-09 03:39 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 03:39 . 2009-10-09 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 03:39 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 00:13 . 2009-10-09 05:43 -------- d-----w- c:\program files\Java
2009-10-09 00:13 . 2009-10-09 00:13 -------- d-----w- c:\program files\Java(5)
2009-10-08 22:24 . 2009-10-01 15:29 195440 ----a-w- c:\windows\system32\MpSigStub.exe
2009-10-08 16:32 . 2009-10-08 16:32 -------- d--h--w- c:\windows\PIF
2009-10-08 13:39 . 2009-10-09 02:30 -------- d-----w- c:\users\Scott\AppData\Local\temp(26)
2009-10-08 13:37 . 2009-10-08 13:37 -------- d-----w- C:\$RECYCLE(0).BIN
2009-10-06 08:37 . 2009-10-06 17:20 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-10-06 08:37 . 2009-10-09 03:47 -------- d-----w- c:\program files\UnHackMe
2009-10-06 01:13 . 2009-10-06 01:13 35 ----a-w- c:\users\Scott\AppData\Roaming\SetValue.bat
2009-10-06 00:52 . 2009-10-09 05:45 -------- d-----w- c:\users\Scott\AppData\Local\Runscanner.net
2009-10-05 22:40 . 2009-10-06 08:38 2 --shatr- c:\windows\winstart.bat
2009-10-05 22:39 . 2009-10-05 22:39 -------- d-----w- c:\program files\Greatis
2009-10-05 06:01 . 2009-10-05 06:01 117760 ----a-w- c:\users\Scott\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-05 06:01 . 2009-10-05 06:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-10-05 06:00 . 2009-10-09 02:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-05 06:00 . 2009-10-05 06:00 -------- d-----w- c:\users\Scott\AppData\Roaming\SUPERAntiSpyware.com
2009-10-05 02:22 . 2009-10-05 09:51 -------- d-----w- c:\program files\Enigma Software Group
2009-10-05 00:07 . 2009-10-06 00:47 -------- d-----w- C:\rsit
2009-10-04 22:30 . 2009-10-05 06:27 15 ----a-w- c:\windows\system32\settings.dat
2009-10-04 16:23 . 2009-10-09 02:54 -------- d-----w- c:\program files\Sophos
2009-10-04 16:18 . 2009-10-04 16:18 -------- d-----w- c:\users\Scott\AppData\Roaming\Malwarebytes
2009-10-04 16:17 . 2009-10-04 16:17 -------- d-----w- c:\programdata\Malwarebytes
2009-10-04 16:13 . 2009-10-04 16:18 -------- d-----w- c:\programdata\avg8
2009-10-04 15:57 . 2009-10-04 15:57 -------- d-----w- c:\users\Scott\AppData\Roaming\AVG8
2009-10-04 13:48 . 2009-10-11 18:15 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-04 13:46 . 2009-10-04 15:54 -------- d-----w- c:\programdata\Lavasoft
2009-10-04 13:15 . 2009-10-09 02:37 -------- d-----w- c:\program files\Trend Micro
2009-10-03 23:33 . 2009-10-03 23:33 -------- d-----w- c:\windows\BDOSCAN8
2009-10-02 11:40 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-02 11:40 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-02 11:40 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-02 11:40 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-02 11:40 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-02 11:40 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-02 11:40 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-02 11:40 . 2009-08-07 00:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-02 11:40 . 2009-08-06 23:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-09-24 01:16 . 2009-09-24 01:17 -------- d-----w- c:\windows\system32\ca-ES
2009-09-24 01:16 . 2009-09-24 01:17 -------- d-----w- c:\windows\system32\eu-ES
2009-09-24 01:15 . 2009-09-24 01:17 -------- d-----w- c:\windows\system32\vi-VN
2009-09-24 00:56 . 2009-09-24 00:56 -------- d-----w- c:\windows\system32\EventProviders
2009-09-17 12:03 . 2009-04-11 05:03 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-09-17 12:03 . 2009-04-11 06:28 1081344 ----a-w- c:\windows\system32\SLCExt.dll
2009-09-17 12:03 . 2009-04-11 06:27 3408896 ----a-w- c:\windows\system32\SLsvc.exe
2009-09-17 12:01 . 2009-04-11 06:28 375808 ----a-w- c:\windows\system32\winhttp.dll
2009-09-17 12:00 . 2009-04-11 06:28 114688 ----a-w- c:\windows\system32\imm32.dll
2009-09-17 11:59 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2009-09-17 11:59 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2009-09-17 11:59 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 18:18 . 2007-07-24 20:58 95616 ----a-w- c:\windows\junction.exe
2009-10-11 12:25 . 2009-03-15 19:50 41662 ----a-w- c:\programdata\nvModes.dat
2009-10-10 12:50 . 2007-08-05 17:24 81984 ----a-w- c:\windows\system32\bdod.bin
2009-10-09 03:11 . 2008-06-12 21:31 -------- d-----w- c:\program files\TestGen
2009-10-09 02:37 . 2008-09-24 01:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-09 02:37 . 2007-05-29 07:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-09 00:44 . 2007-08-07 20:27 1356 ----a-w- c:\users\Scott\AppData\Local\d3d9caps.dat
2009-10-09 00:13 . 2009-02-11 00:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 01:13 . 2009-10-06 01:13 691 ----a-w- c:\users\Scott\AppData\Roaming\GetValue.vbs
2009-09-24 01:30 . 2007-11-01 14:39 -------- d-----w- c:\programdata\NVIDIA
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-24 01:18 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-04 23:04 . 2009-09-04 23:04 -------- d-----w- c:\program files\SoftLogica
2009-09-04 03:44 . 2009-09-03 23:59 -------- d-----w- c:\program files\R-Undelete
2009-09-03 13:48 . 2007-05-29 07:47 -------- d-----w- c:\programdata\Microsoft Help
2009-08-31 03:25 . 2009-08-31 03:12 -------- d-----w- c:\program files\A-FF Find and Mount
2009-08-31 02:25 . 2009-08-31 02:25 -------- d-----w- c:\program files\EASEUS
2009-08-31 02:24 . 2009-08-31 02:20 -------- d-----w- c:\program files\Recuva
2009-08-31 01:29 . 2009-08-31 01:29 -------- d-----w- c:\programdata\ParetoLogic
2009-08-31 01:28 . 2009-08-31 01:28 -------- d-----w- c:\programdata\Cached Installations
2009-08-29 00:27 . 2009-09-03 00:05 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-03 00:05 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-14 16:27 . 2009-09-09 11:35 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 11:35 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 11:35 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 11:35 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 11:35 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 11:35 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 11:35 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 11:35 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 11:35 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 11:35 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 11:35 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-07-21 21:52 . 2009-09-10 13:29 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-10 13:29 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-10 13:29 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-10 13:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 13:54 . 2009-08-12 13:19 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-12 13:19 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-12 13:19 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-12 13:19 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-12 13:19 7680 ----a-w- c:\windows\system32\spwmp.dll
2008-04-20 17:55 . 2008-04-20 17:55 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-08_13.36.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-29 07:19 . 2009-10-10 12:51 27418 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-10 12:51 67302 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-08-06 03:44 . 2009-10-10 12:51 12604 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3741249358-2648225050-3460918513-1000_UserData.bin
+ 2007-06-24 02:10 . 2009-10-09 02:49 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-06-24 02:10 . 2009-10-06 07:35 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-24 02:10 . 2009-10-09 02:49 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-24 02:10 . 2009-10-06 07:35 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-24 02:10 . 2009-10-09 02:49 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-06-24 02:10 . 2009-10-06 07:35 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-10 12:50 . 2009-10-10 12:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-08 00:59 . 2009-10-08 00:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-10 12:50 . 2009-10-10 12:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-10-08 00:59 . 2009-10-08 00:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-07-29 02:41 . 2009-10-11 12:25 277296 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-10-09 00:14 . 2009-10-09 00:13 149280 c:\windows\System32\javaws.exe
- 2009-09-01 02:31 . 2009-09-01 02:30 149280 c:\windows\System32\javaws.exe
- 2009-09-01 02:31 . 2009-09-01 02:30 145184 c:\windows\System32\javaw.exe
+ 2009-10-09 00:14 . 2009-10-09 00:13 145184 c:\windows\System32\javaw.exe
- 2009-09-01 02:31 . 2009-09-01 02:30 145184 c:\windows\System32\java.exe
+ 2009-10-09 00:14 . 2009-10-09 00:13 145184 c:\windows\System32\java.exe
- 2007-08-06 03:50 . 2009-10-05 23:12 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2007-08-06 03:50 . 2009-10-09 00:11 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\usrclass.dat
- 2006-11-02 10:22 . 2009-10-08 01:12 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2006-11-02 10:22 . 2009-10-10 17:57 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-10-09 00:13 . 2009-10-09 00:13 1757696 c:\windows\Installer\19d1701.msi
+ 2009-10-11 19:03 . 2009-10-11 19:03 6471680 c:\windows\ERDNT\Hiv-backup\schema.dat
- 2009-10-08 13:28 . 2009-10-08 13:28 6471680 c:\windows\ERDNT\Hiv-backup\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-15 368640]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-09 149280]

c:\users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):1c,74,14,37,b6,3c,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3E1165D4-6501-4D5C-B527-FD0719E2BFBF}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AF3360B3-52FB-47E0-B472-39F5E0A261E2}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6466F7C8-9789-4F93-B00F-3F85CFE814FB}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2346F100-EA86-48A7-B581-AAFCBAC9515D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9EF3943E-DCE5-480B-ADBE-BDF50FFDB414}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{118BCD34-FAA4-4805-883F-0965C17EE6F0}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{18788314-AE77-4043-9DEC-9D26366AE739}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{2F7B0B5A-A1DF-4DAD-ADB5-1D4B72C4A094}"= UDP:c:\windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"{76BBF3E5-0566-4738-9629-73AB9A90BB94}"= TCP:c:\windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"TCP Query User{BCD06403-94D0-4EDE-B23A-CF203E98EF7E}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{BD636B27-5BBD-47CC-9DC6-06382AA4EEBA}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{18E49E14-DBD5-45BE-B4A8-D00545FDAADE}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{148BE02D-1156-4DCF-8B67-66B3EF6DB01C}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{6B3282F5-5B85-415D-AE4A-C64CF6DDCDF6}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{D42E466D-19E2-4BDD-BE99-E3EB35A492B7}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-17 c:\windows\Tasks\HPCeeScheduleForScott.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-05-29 21:23]

2009-10-11 c:\windows\Tasks\User_Feed_Synchronization-{C4B58F9A-CC2C-4F4F-818B-10DC91A429DD}.job
- c:\windows\system32\msfeedssync.exe [2009-09-10 20:13]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\yun1q0f2.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\yun1q0f2.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 14:10
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-10-11 14:13
ComboFix-quarantined-files.txt 2009-10-11 19:13
ComboFix2.txt 2009-10-10 12:47
ComboFix3.txt 2009-10-08 13:39

Pre-Run: 81,886,511,104 bytes free
Post-Run: 81,807,773,696 bytes free

260 --- E O F --- 2009-10-09 00:16

#10 Buckeye_Sam

Malware Expert

Posted 12 October 2009 - 06:33 AM

Your Combofix log looks pretty good to me, but could you run the win32kdiag command once more.

For some reason the run command prompt you gave me wasn't working... saying that network path was unavailable, but I took the liberty to run win32diag with the -f and -r attributes through its local address.



How is your computer behaving now? Any problems?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 kbears

Topic Starter

Posted 12 October 2009 - 08:01 AM

Sam,

Things are better, but I still can't get disk cleanup to run... there actually was a small improvement though... it used to quit immediately after I selected a disk to clean up, now it shows the collecting information bar for about a second then quits. There's all those references to device max++ in the win32 log still... are those concerning? Also, I can't reactivate the "real time" scanning through BitDefender... when I chose the "fix" button in that software to turn the virus protection back on, it doesn't do anything at all. I don't know if that's a programming problem when I need to reinstall, or a virus issue.

Here's the win32diag log...

Running from: C:\Users\Scott\Documents\Desktop\Win32kDiag.exe

Log file at : C:\Users\Scott\Documents\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\Branding\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpp413aa.inf_70b6109e\I386\I386

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-10-11 14:17:03 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

[1] 2009-10-11 14:18:12 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()



Found mount point : C:\Windows\System32\MUI\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\setup\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^



Finished!

#12 kbears

Topic Starter

Posted 12 October 2009 - 08:54 AM

A little update... I uninstalled/reinstalled BD2008 to try to get that working... at startup Windows told me it had blocked some startup programs from running... it listed bdagent.exe and ieshow.exe both listed in the Bitdefender folder... I think both of these are legit Bitdefender exe's... but I still can't get the real time protection to enable after reinstall.

#13 kbears

Topic Starter

Posted 12 October 2009 - 09:02 AM

One more update: Strangely, stopping the process Bitdefender Communicator suddenly enabled the real time protection... something still seems fishy here to me, but it may have been chance that this coincided w/ the virus issues.

#14 Buckeye_Sam

Malware Expert

Posted 13 October 2009 - 07:39 AM

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.



Also run Combofix once more and post the resulting log.

#15 kbears

Topic Starter

Posted 13 October 2009 - 05:00 PM

Win32diag:

Running from: C:\Users\Scott\Documents\Desktop\Win32kDiag.exe

Log file at : C:\Users\Scott\Documents\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ehome\CreateDisc\style\style

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\Globalization

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Found mount point : C:\Windows\System32\0409\0409

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\0409\0409

Found mount point : C:\Windows\System32\Branding\en-US\en-US

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\Branding\en-US\en-US

Found mount point : C:\Windows\System32\DriverStore\FileRepository\hpp413aa.inf_70b6109e\I386\I386

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\DriverStore\FileRepository\hpp413aa.inf_70b6109e\I386\I386

Found mount point : C:\Windows\System32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\inetsrv\inetsrv

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Found mount point : C:\Windows\System32\MUI\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\MUI\dispspec\dispspec

Found mount point : C:\Windows\System32\setup\en-US\en-US

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\setup\en-US\en-US

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\tracing\tracing

Found mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes

Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames



Finished!



Combofix:

ComboFix 09-10-13.01 - Scott 10/13/2009 16:46.6.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.1130 [GMT -5:00]
Running from: c:\users\Scott\Documents\Desktop\ComboFix.exe
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.

2009-10-13 21:53 . 2009-10-13 21:53 -------- d-----w- c:\users\Scott\AppData\Local\temp
2009-10-13 21:53 . 2009-10-13 21:53 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-13 21:53 . 2009-10-13 21:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-11 19:04 . 2006-11-02 09:46 11776 ------w- c:\windows\system32\cngaudit.dll
2009-10-09 03:44 . 2009-10-09 03:44 -------- d-----w- C:\RootkitNO
2009-10-09 03:39 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 03:39 . 2009-10-09 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 03:39 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 00:13 . 2009-10-09 05:43 -------- d-----w- c:\program files\Java
2009-10-09 00:13 . 2009-10-09 00:13 -------- d-----w- c:\program files\Java(5)
2009-10-08 22:24 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-08 16:32 . 2009-10-08 16:32 -------- d--h--w- c:\windows\PIF
2009-10-08 13:39 . 2009-10-09 02:30 -------- d-----w- c:\users\Scott\AppData\Local\temp(26)
2009-10-08 13:37 . 2009-10-08 13:37 -------- d-----w- C:\$RECYCLE(0).BIN
2009-10-06 08:37 . 2009-10-06 17:20 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-10-06 08:37 . 2009-10-09 03:47 -------- d-----w- c:\program files\UnHackMe
2009-10-06 01:13 . 2009-10-06 01:13 35 ----a-w- c:\users\Scott\AppData\Roaming\SetValue.bat
2009-10-06 00:52 . 2009-10-09 05:45 -------- d-----w- c:\users\Scott\AppData\Local\Runscanner.net
2009-10-05 22:40 . 2009-10-06 08:38 2 --shatr- c:\windows\winstart.bat
2009-10-05 22:39 . 2009-10-05 22:39 -------- d-----w- c:\program files\Greatis
2009-10-05 06:01 . 2009-10-05 06:01 117760 ----a-w- c:\users\Scott\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-05 06:01 . 2009-10-05 06:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-10-05 06:00 . 2009-10-09 02:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-05 06:00 . 2009-10-05 06:00 -------- d-----w- c:\users\Scott\AppData\Roaming\SUPERAntiSpyware.com
2009-10-05 02:22 . 2009-10-05 09:51 -------- d-----w- c:\program files\Enigma Software Group
2009-10-05 00:07 . 2009-10-06 00:47 -------- d-----w- C:\rsit
2009-10-04 22:30 . 2009-10-05 06:27 15 ----a-w- c:\windows\system32\settings.dat
2009-10-04 16:23 . 2009-10-09 02:54 -------- d-----w- c:\program files\Sophos
2009-10-04 16:18 . 2009-10-04 16:18 -------- d-----w- c:\users\Scott\AppData\Roaming\Malwarebytes
2009-10-04 16:17 . 2009-10-04 16:17 -------- d-----w- c:\programdata\Malwarebytes
2009-10-04 16:13 . 2009-10-04 16:18 -------- d-----w- c:\programdata\avg8
2009-10-04 15:57 . 2009-10-04 15:57 -------- d-----w- c:\users\Scott\AppData\Roaming\AVG8
2009-10-04 13:48 . 2009-10-11 18:15 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-04 13:46 . 2009-10-04 15:54 -------- d-----w- c:\programdata\Lavasoft
2009-10-04 13:15 . 2009-10-09 02:37 -------- d-----w- c:\program files\Trend Micro
2009-10-03 23:33 . 2009-10-03 23:33 -------- d-----w- c:\windows\BDOSCAN8
2009-10-02 11:40 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-02 11:40 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-02 11:40 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-02 11:40 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-02 11:40 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-02 11:40 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-02 11:40 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-02 11:40 . 2009-08-07 00:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-02 11:40 . 2009-08-06 23:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-09-24 01:16 . 2009-09-24 01:17 -------- d-----w- c:\windows\system32\ca-ES
2009-09-24 01:16 . 2009-09-24 01:17 -------- d-----w- c:\windows\system32\eu-ES
2009-09-24 01:15 . 2009-09-24 01:17 -------- d-----w- c:\windows\system32\vi-VN
2009-09-24 00:56 . 2009-09-24 00:56 -------- d-----w- c:\windows\system32\EventProviders
2009-09-17 12:03 . 2009-04-11 05:03 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-09-17 12:03 . 2009-04-11 06:28 1081344 ----a-w- c:\windows\system32\SLCExt.dll
2009-09-17 12:03 . 2009-04-11 06:27 3408896 ----a-w- c:\windows\system32\SLsvc.exe
2009-09-17 12:01 . 2009-04-11 06:28 375808 ----a-w- c:\windows\system32\winhttp.dll
2009-09-17 12:00 . 2009-04-11 06:28 114688 ----a-w- c:\windows\system32\imm32.dll
2009-09-17 11:59 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2009-09-17 11:59 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2009-09-17 11:59 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-13 21:44 . 2009-03-15 19:50 41662 ----a-w- c:\programdata\nvModes.dat
2009-10-13 21:20 . 2007-08-05 17:24 81984 ----a-w- c:\windows\system32\bdod.bin
2009-10-12 13:08 . 2007-08-07 20:27 7620 ----a-w- c:\users\Scott\AppData\Local\d3d9caps.dat
2009-10-12 13:05 . 2008-07-30 16:00 -------- d-----w- c:\program files\Common Files\BitDefender
2009-10-11 18:18 . 2007-07-24 20:58 95616 ----a-w- c:\windows\junction.exe
2009-10-09 03:11 . 2008-06-12 21:31 -------- d-----w- c:\program files\TestGen
2009-10-09 02:37 . 2008-09-24 01:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-09 02:37 . 2007-05-29 07:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-09 00:13 . 2009-02-11 00:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 01:13 . 2009-10-06 01:13 691 ----a-w- c:\users\Scott\AppData\Roaming\GetValue.vbs
2009-09-24 01:30 . 2007-11-01 14:39 -------- d-----w- c:\programdata\NVIDIA
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-24 01:18 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-24 01:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-04 23:04 . 2009-09-04 23:04 -------- d-----w- c:\program files\SoftLogica
2009-09-04 03:44 . 2009-09-03 23:59 -------- d-----w- c:\program files\R-Undelete
2009-09-03 13:48 . 2007-05-29 07:47 -------- d-----w- c:\programdata\Microsoft Help
2009-08-31 03:25 . 2009-08-31 03:12 -------- d-----w- c:\program files\A-FF Find and Mount
2009-08-31 02:25 . 2009-08-31 02:25 -------- d-----w- c:\program files\EASEUS
2009-08-31 02:24 . 2009-08-31 02:20 -------- d-----w- c:\program files\Recuva
2009-08-31 01:29 . 2009-08-31 01:29 -------- d-----w- c:\programdata\ParetoLogic
2009-08-31 01:28 . 2009-08-31 01:28 -------- d-----w- c:\programdata\Cached Installations
2009-08-29 00:27 . 2009-09-03 00:05 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-03 00:05 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-14 16:27 . 2009-09-09 11:35 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 11:35 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 11:35 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 11:35 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 11:35 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 11:35 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 11:35 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 11:35 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 11:35 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 11:35 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 11:35 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-07-21 21:52 . 2009-09-10 13:29 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-10 13:29 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-10 13:29 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-10 13:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 13:54 . 2009-08-12 13:19 71680 ----a-w- c:\windows\system32\atl.dll
2008-04-20 17:55 . 2008-04-20 17:55 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-08_13.36.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-29 07:19 . 2009-10-13 21:21 28390 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-13 21:21 67318 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-08-06 03:44 . 2009-10-13 21:21 12898 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3741249358-2648225050-3460918513-1000_UserData.bin
+ 2007-06-24 02:10 . 2009-10-13 20:45 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-06-24 02:10 . 2009-10-06 07:35 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-24 02:10 . 2009-10-13 20:45 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-24 02:10 . 2009-10-06 07:35 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-24 02:10 . 2009-10-13 20:45 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-06-24 02:10 . 2009-10-06 07:35 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-30 16:04 . 2009-10-12 13:06 57344 c:\windows\Installer\{C6E8173D-40EE-4998-B659-CA19F1F278BA}\texticon.exe
- 2008-07-30 16:04 . 2008-07-30 16:04 57344 c:\windows\Installer\{C6E8173D-40EE-4998-B659-CA19F1F278BA}\texticon.exe
+ 2008-07-30 16:04 . 2009-10-12 13:06 22486 c:\windows\Installer\{C6E8173D-40EE-4998-B659-CA19F1F278BA}\register_icon.exe
- 2008-07-30 16:04 . 2008-07-30 16:04 22486 c:\windows\Installer\{C6E8173D-40EE-4998-B659-CA19F1F278BA}\register_icon.exe
+ 2008-07-30 16:04 . 2009-10-12 13:06 32768 c:\windows\Installer\{C6E8173D-40EE-4998-B659-CA19F1F278BA}\maintenance_icon.exe
- 2008-07-30 16:04 . 2008-07-30 16:04 32768 c:\windows\Installer\{C6E8173D-40EE-4998-B659-CA19F1F278BA}\maintenance_icon.exe
- 2008-07-30 16:04 . 2008-07-30 16:04 61440 c:\windows\Installer\{C6E8173D-40EE-4998-B659-CA19F1F278BA}\helpicon.exe
+ 2008-07-30 16:04 . 2009-10-12 13:06 61440 c:\windows\Installer\{C6E8173D-40EE-4998-B659-CA19F1F278BA}\helpicon.exe
+ 2008-01-07 22:58 . 2008-01-07 22:58 98304 c:\windows\Installer\$PatchCache$\Managed\D3718E6CEE0489946B95AC911F2F87AB\11.0.17\sch_serv.dll
+ 2009-10-13 21:20 . 2009-10-13 21:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-08 00:59 . 2009-10-08 00:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-08 00:59 . 2009-10-08 00:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-13 21:20 . 2009-10-13 21:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-07-29 02:41 . 2009-10-13 21:44 277906 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 10:33 . 2009-10-07 01:48 598588 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-13 15:23 598588 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-07 01:48 102194 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-10-13 15:23 102194 c:\windows\System32\perfc009.dat
+ 2009-10-09 00:14 . 2009-10-09 00:13 149280 c:\windows\System32\javaws.exe
- 2009-09-01 02:31 . 2009-09-01 02:30 149280 c:\windows\System32\javaws.exe
+ 2009-10-09 00:14 . 2009-10-09 00:13 145184 c:\windows\System32\javaw.exe
- 2009-09-01 02:31 . 2009-09-01 02:30 145184 c:\windows\System32\javaw.exe
+ 2009-10-09 00:14 . 2009-10-09 00:13 145184 c:\windows\System32\java.exe
- 2009-09-01 02:31 . 2009-09-01 02:30 145184 c:\windows\System32\java.exe
+ 2007-08-06 03:50 . 2009-10-09 00:11 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\usrclass.dat
- 2007-08-06 03:50 . 2009-10-05 23:12 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-25 18:47 . 2008-04-25 18:47 356352 c:\windows\Installer\$PatchCache$\Managed\D3718E6CEE0489946B95AC911F2F87AB\11.0.17\vscan.dll
+ 2008-04-09 19:36 . 2008-04-09 19:36 512000 c:\windows\Installer\$PatchCache$\Managed\D3718E6CEE0489946B95AC911F2F87AB\11.0.17\uiscan.exe
+ 2008-05-24 00:16 . 2008-05-24 00:16 368640 c:\windows\Installer\$PatchCache$\Managed\D3718E6CEE0489946B95AC911F2F87AB\11.0.17\bdagent.exe
- 2006-11-02 10:22 . 2009-10-08 01:12 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2006-11-02 10:22 . 2009-10-13 21:44 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-10-09 00:13 . 2009-10-09 00:13 1757696 c:\windows\Installer\19d1701.msi
+ 2008-04-25 15:10 . 2008-04-25 15:10 1253376 c:\windows\Installer\$PatchCache$\Managed\D3718E6CEE0489946B95AC911F2F87AB\11.0.17\vsserv.exe
+ 2008-04-30 21:08 . 2008-04-30 21:08 1155072 c:\windows\Installer\$PatchCache$\Managed\D3718E6CEE0489946B95AC911F2F87AB\11.0.17\livesrv.exe
- 2009-10-08 13:28 . 2009-10-08 13:28 6471680 c:\windows\ERDNT\Hiv-backup\schema.dat
+ 2009-10-11 19:03 . 2009-10-13 21:45 6471680 c:\windows\ERDNT\Hiv-backup\schema.dat
+ 2009-05-07 21:13 . 2009-10-12 13:06 225727246 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2009-10-12 368640]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-09 149280]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]

c:\users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(:(:1c,74,14,37,b6,3c,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3E1165D4-6501-4D5C-B527-FD0719E2BFBF}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AF3360B3-52FB-47E0-B472-39F5E0A261E2}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6466F7C8-9789-4F93-B00F-3F85CFE814FB}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2346F100-EA86-48A7-B581-AAFCBAC9515D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9EF3943E-DCE5-480B-ADBE-BDF50FFDB414}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{118BCD34-FAA4-4805-883F-0965C17EE6F0}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{18788314-AE77-4043-9DEC-9D26366AE739}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{2F7B0B5A-A1DF-4DAD-ADB5-1D4B72C4A094}"= UDP:c:\windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"{76BBF3E5-0566-4738-9629-73AB9A90BB94}"= TCP:c:\windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"TCP Query User{BCD06403-94D0-4EDE-B23A-CF203E98EF7E}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{BD636B27-5BBD-47CC-9DC6-06382AA4EEBA}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{18E49E14-DBD5-45BE-B4A8-D00545FDAADE}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{148BE02D-1156-4DCF-8B67-66B3EF6DB01C}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{6B3282F5-5B85-415D-AE4A-C64CF6DDCDF6}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{D42E466D-19E2-4BDD-BE99-E3EB35A492B7}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-17 c:\windows\Tasks\HPCeeScheduleForScott.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-05-29 21:23]

2009-10-13 c:\windows\Tasks\User_Feed_Synchronization-{C4B58F9A-CC2C-4F4F-818B-10DC91A429DD}.job
- c:\windows\system32\msfeedssync.exe [2009-09-10 20:13]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\yun1q0f2.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\yun1q0f2.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-13 16:53
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

[0] 0x00001000

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-10-13 16:56
ComboFix-quarantined-files.txt 2009-10-13 21:56
ComboFix2.txt 2009-10-11 19:13
ComboFix3.txt 2009-10-10 12:47
ComboFix4.txt 2009-10-08 13:39

Pre-Run: 80,982,732,800 bytes free
Post-Run: 80,874,373,120 bytes free

271 --- E O F --- 2009-10-09 00:16
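
Added example (not part of the original posts and not Win32kDiag's own code): a Python script that parses Win32kDiag.txt output of the shape posted in this thread and lists mount points that target `\Device\__max++>` with no "Removing mount point" line logged for them. The function names and the two constructed sample logs are assumptions; a "Removing mount point" line records the attempt only, so a later scan-only run is what confirms the result.

```python
import re

# Constructed samples shaped like the two logs posted in this thread:
# a scan-only run, then a run with the -f -r switches. Blank lines between
# entries (as in the forum paste) are ignored by the parser.
SAMPLE_SCAN_ONLY = r"""
Searching 'C:\Windows'...
Found mount point : C:\Windows\AppPatch\Custom\Custom
Mount point destination : \Device\__max++>\^
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Found mount point : C:\Windows\tracing\tracing
Mount point destination : \Device\__max++>\^
Finished!
"""

SAMPLE_FIX_RUN = r"""
Removing all found mount points.
Attempting to reset file permissions.
Searching 'C:\Windows'...
Found mount point : C:\Windows\AppPatch\Custom\Custom
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\AppPatch\Custom\Custom
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Found mount point : C:\Windows\tracing\tracing
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\tracing\tracing
Finished!
"""

# Device name taken from the logs in this thread.
SUSPECT_DEVICE = "\\Device\\__max++>"

# The key is matched explicitly so the colon in "C:\..." is never the separator.
ENTRY = re.compile(
    r"^(Found mount point|Mount point destination|Removing mount point|"
    r"Cannot access|Attempting to restore permissions of)\s*:\s*(.+)$"
)


def _new_mount(path):
    parts = path.split("\\")
    return {
        "destination": None,
        "removal_logged": False,
        # Observation from the posted logs only: every flagged path repeats
        # its last directory name (Custom\Custom, tracing\tracing).
        "doubled_leaf": len(parts) >= 2 and parts[-1].lower() == parts[-2].lower(),
    }


def parse_win32kdiag(text):
    """Return mount points, inaccessible files and whether the log is complete."""
    mounts = {}        # mount point path -> details
    inaccessible = {}  # file path -> True if a permission restore was logged
    current = None     # last "Found mount point" path, owner of the next destination
    finished = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Finished!":
            finished = True
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Found mount point":
            current = value
            mounts.setdefault(value, _new_mount(value))
        elif key == "Mount point destination":
            if current is not None:
                mounts[current]["destination"] = value
        elif key == "Removing mount point":
            mounts.setdefault(value, _new_mount(value))["removal_logged"] = True
        elif key == "Cannot access":
            inaccessible.setdefault(value, False)
        else:  # "Attempting to restore permissions of"
            inaccessible[value] = True
    return {"mounts": mounts, "inaccessible": inaccessible, "finished": finished}


def outstanding(report, device=SUSPECT_DEVICE):
    """Mount points targeting the suspect device with no removal line logged."""
    return [
        path for path, info in report["mounts"].items()
        if (info["destination"] or "").lower().startswith(device.lower())
        and not info["removal_logged"]
    ]


def summarise(report, device=SUSPECT_DEVICE):
    mounts = report["mounts"].values()
    return {
        "found": len(report["mounts"]),
        "removal_logged": sum(1 for m in mounts if m["removal_logged"]),
        "outstanding": len(outstanding(report, device)),
        "complete": report["finished"],  # False means the paste was cut short
    }


if __name__ == "__main__":
    for name, text in (("scan only", SAMPLE_SCAN_ONLY), ("-f -r run", SAMPLE_FIX_RUN)):
        print(name, summarise(parse_win32kdiag(text)))
```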



