Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    World's Largest Spam Botnet Finds a New Way to Avoid Detection... For Now

Featured Deal: Pay What You Want: The 2018 Machine Learning Bundle Deal

Photo

Security Tool will not die!

Started by McClainJa , Oct 14 2009 10:13 AM

  • Please log in to reply
3 replies to this topic

#1 McClainJa

McClainJa

  • Members
  • 30 posts
  • OFFLINE
    •  
  • Local time:05:38 AM

Posted 14 October 2009 - 10:13 AM

Hi, I have been battling the Security Tool Virus for a couple days now, I tried your tutorial on here to no avail. I have attacked this thing with Malware Bytes, Avira Antivir, and Ad-Aware. I can temporarily stop the virus with Malware bytes but it always comes back within a few hours, the program is just missing some key part of the virus. Please help.

BC AdBot (Login to Remove)

 

#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
    •  
  • Location:Cleveland, Ohio
  • Local time:05:38 AM

Posted 14 October 2009 - 08:33 PM

:trumpet:

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

========================================

:flowers:

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


:thumbsup: Go to Posted Image > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 McClainJa

McClainJa
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
    •  
  • Local time:05:38 AM

Posted 15 October 2009 - 04:18 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/15 11:34
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 00000038
Image Path: \Driver\00000038
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF454A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79D9000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9BF0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Status: Locked to the Windows API!

Path: C:\WINDOWS\mui\mui
Status: Locked to the Windows API!

Path: C:\WINDOWS\occache\occache
Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: C:\WINDOWS\A3W_DATA\A3W_DATA
Status: Locked to the Windows API!

Path: C:\WINDOWS\PIF\PIF
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\classes\classes
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\trustlib\trustlib
Status: Locked to the Windows API!

Path: C:\WINDOWS\Debug\UserMode\UserMode
Status: Locked to the Windows API!

Path: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\CONFLICT.1
Status: Locked to the Windows API!

Path: C:\WINDOWS\Downloaded Program Files\CONFLICT.2\CONFLICT.2
Status: Locked to the Windows API!

Path: C:\WINDOWS\Downloaded Program Files\CONFLICT.3\CONFLICT.3
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\tmp\tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1025\1025
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1028\1028
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1031\1031
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1037\1037
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1041\1041
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1042\1042
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1054\1054
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\2052\2052
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\3076\3076
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\3com_dmi\3com_dmi
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\export\export
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\wins\wins
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\inetsrv\inetsrv
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\ShellExt\ShellExt
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\QuickTime\QuickTime
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\xircom\xircom
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\dhcp\dhcp
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\FxsTmp\FxsTmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\msapps\msinfo\msinfo
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp98\imejp98
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\mui\dispspec\dispspec
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\sample\sample
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\wbem\snmp\snmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\Macromed\update\update
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\disdn\disdn
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\chsime\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\CHTIME\Applets\Applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imjp8_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\dicts\dicts
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\shared\res\res
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP168.tmp\ZAP168.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP19A.tmp\ZAP19A.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP19C.tmp\ZAP19C.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP25C.tmp\ZAP25C.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP274.tmp\ZAP274.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP48.tmp\ZAP48.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCA.tmp\ZAPCA.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\Config\News\News
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS
Status: Locked to the Windows API!

Path: C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\wbem\mof\bad\bad
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\My Documents\My eBooks\My eBooks
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{D444D532-D7C5-4EBB-82A7-BB3E62A7958F}\{D444D532-D7C5-4EBB-82A7-BB3E62A7958F}
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\InterTrust\ReceiptRepository\ReceiptRepository
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Roxio\Roxio
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7b64e56

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7b64e4c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7b64e5b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7b64e65

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf73a3d1c

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf73a40bc

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7b64e6a

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf739f090

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7b64e38

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7b64e3d

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf73a4194

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf73a4014

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7b64e74

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7b64e6f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7b64e60

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7b64e47

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x84ebf1d8 Size: 244

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x849921d8 Size: 447

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x849921d8 Size: 447

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x849921d8 Size: 447

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x849921d8 Size: 447

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x849921d8 Size: 447

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x849921d8 Size: 447

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x849921d8 Size: 447

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x849921d8 Size: 447

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x849921d8 Size: 447

Object: Hidden Code [Driver: vaxscsi, IRP_MJ_CREATE]
Process: System Address: 0x84b37990 Size: 447

Object: Hidden Code [Driver: vaxscsi, IRP_MJ_CLOSE]
Process: System Address: 0x84b37990 Size: 447

Object: Hidden Code [Driver: vaxscsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84b37990 Size: 447

Object: Hidden Code [Driver: vaxscsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84b37990 Size: 447

Object: Hidden Code [Driver: vaxscsi, IRP_MJ_POWER]
Process: System Address: 0x84b37990 Size: 447

Object: Hidden Code [Driver: vaxscsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84b37990 Size: 447

Object: Hidden Code [Driver: vaxscsi, IRP_MJ_PNP]
Process: System Address: 0x84b37990 Size: 447

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x84d4c990 Size: 447

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x84d4c990 Size: 447

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x84d4c990 Size: 447

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x84d4c990 Size: 447

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84d4c990 Size: 447

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84d4c990 Size: 447

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84d4c990 Size: 447

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84d4c990 Size: 447

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x84d4c990 Size: 447

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84d4c990 Size: 447

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x84d4c990 Size: 447

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x84d4b5f0 Size: 447

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x84d4b5f0 Size: 447

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84d4b5f0 Size: 447

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84d4b5f0 Size: 447

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x84d4b5f0 Size: 447

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84d4b5f0 Size: 447

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x84d4b5f0 Size: 447

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x84d50990 Size: 447

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x84d50990 Size: 447

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84d50990 Size: 447

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84d50990 Size: 447

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x84d50990 Size: 447

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84d50990 Size: 447

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x84d50990 Size: 447

Object: Hidden Code [Driver: prodrv06ȅం扏楄觘蒸Ȃం扏楄�啈蒷, IRP_MJ_CREATE]
Process: System Address: 0xe1dde3c0 Size: 1306

Object: Hidden Code [Driver: prodrv06ȅం扏楄觘蒸Ȃం扏楄�啈蒷, IRP_MJ_CLOSE]
Process: System Address: 0xe1dde3c0 Size: 1306

Object: Hidden Code [Driver: prodrv06ȅం扏楄觘蒸Ȃం扏楄�啈蒷, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe1dde3c0 Size: 1306

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x84f271d8 Size: 447

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x84f271d8 Size: 447

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x84f271d8 Size: 447

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84f271d8 Size: 447

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84f271d8 Size: 447

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84f271d8 Size: 447

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84f271d8 Size: 447

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x84f271d8 Size: 447

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x84f271d8 Size: 447

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84f271d8 Size: 447

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x84f271d8 Size: 447

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CREATE]
Process: System Address: 0xe19cd9c0 Size: 761

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CLOSE]
Process: System Address: 0xe19cd9c0 Size: 761

Object: Hidden Code [Driver: prohlp02, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe19cd9c0 Size: 761

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x84ba2588 Size: 447

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x84ba2588 Size: 447

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84ba2588 Size: 447

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84ba2588 Size: 447

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x84ba2588 Size: 447

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x84ba2588 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x84a041d8 Size: 447

Object: Hidden Code [Driver: Program Fil, IRP_MJ_CREATE]
Process: System Address: 0x84bd7420 Size: 447

Object: Hidden Code [Driver: Program Fil, IRP_MJ_CLOSE]
Process: System Address: 0x84bd7420 Size: 447

Object: Hidden Code [Driver: Program Fil, IRP_MJ_READ]
Process: System Address: 0x84bd7420 Size: 447

Object: Hidden Code [Driver: Program Fil, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x84bd7420 Size: 447

Object: Hidden Code [Driver: Program Fil, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x84bd7420 Size: 447

Object: Hidden Code [Driver: Program Fil, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x84bd7420 Size: 447

Object: Hidden Code [Driver: Program Fil, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x84bd7420 Size: 447

Object: Hidden Code [Driver: Program Fil, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x84bd7420 Size: 447

Object: Hidden Code [Driver: Program Fil, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84bd7420 Size: 447

Object: Hidden Code [Driver: Program Fil, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84bd7420 Size: 447

Object: Hidden Code [Driver: Program Fil, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x84bd7420 Size: 447

Object: Hidden Code [Driver: Program Fil, IRP_MJ_CLEANUP]
Process: System Address: 0x84bd7420 Size: 447

Object: Hidden Code [Driver: Program Fil, IRP_MJ_PNP]
Process: System Address: 0x84bd7420 Size: 447

==EOF==



Running from: C:\Documents and Settings\Chronic McBudz\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Chronic McBudz\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\A3W_DATA\A3W_DATA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP168.tmp\ZAP168.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP19A.tmp\ZAP19A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP19C.tmp\ZAP19C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP25C.tmp\ZAP25C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP274.tmp\ZAP274.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP48.tmp\ZAP48.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCA.tmp\ZAPCA.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Program Files\CONFLICT.1\CONFLICT.1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Program Files\CONFLICT.2\CONFLICT.2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Program Files\CONFLICT.3\CONFLICT.3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{D444D532-D7C5-4EBB-82A7-BB3E62A7958F}\{D444D532-D7C5-4EBB-82A7-BB3E62A7958F}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\InterTrust\ReceiptRepository\ReceiptRepository

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Roxio\Roxio

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My eBooks\My eBooks

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\QuickTime\QuickTime

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!



Volume in drive C has no label.
Volume Serial Number is 4CF2-B953

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:56 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:56 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:56 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32\dllcache

04/13/2008 08:11 PM 56,320 eventlog.dll
1 File(s) 56,320 bytes

Total Files Listed:
13 File(s) 2,633,216 bytes
0 Dir(s) 82,948,857,856 bytes free

#4 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
    •  
  • Location:Cleveland, Ohio
  • Local time:05:38 AM

Posted 15 October 2009 - 08:28 PM

Now that you were successful in creating those two logs you need to post them in our HJT forum There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that these logs were all you could get to run successfully

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
Back to Am I infected? What do I do?


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Am I infected? What do I do?
  4. Privacy Policy
  5. Rules ·