Google and Yahoo Search Results Redirected


This topic is locked
9 replies to this topic

#1 gkevans53 (Members, 29 posts)

Posted 06 November 2009 - 10:14 PM

I am running Vista Home Premium on a wireless internet connection to AT&T DSL provider that supplies McAfee Internet Security Suite as part of the service.

Within the last few days, I have observed that when I click the links of search results I am directed to advertising or other sites not related to the search topic. By the way, this is true of Internet Explorer 8 and Mozilla Firefox but NOT Safari. With Safari I have been able to search and surf without any apparent problem.

I have tried to run Windows Defender, McAfee(installed) and McAfee(online scan) and zero problems are reported.

I have read that there are some types of trojans that are not detectable by the commercial detect and remove programs. Thus I have come to the conclusion that I am not equipped to find and remove the offending code from my system.

For what it's worth, I have downloaded and tried to run HijackThis and other 'tools' to no avail. Not simply because I am not knowledgeable of the usage of such tools, but because the programs don't seem to behave correctly.

For example, HijackThis will only run one time. If I try to run it again, I get a message that says that I may not have access privileges. The same goes for trying to delete the file using Windows Explorer. However, if I use a cmd prompt with administrator privileges, I can delete the executable and reinstall another instance. HijackThis then appears to open and function except that once a scan is performed, the program exits and does not produce any logs.

I have also tried installing a new Hosts file, but this didn't change anything.

For about a week before the symptoms surfaced, I had noted that McAfee had a couple of problems (could not run a manual scan, failed when it tried to install definition updates). Today, I was able to remove and reinstall McAfee and run updates. Still no viruses or malware was reported.

Please advise how I should approach this. Thanks.


#2 boopme (Global Moderator, 73,573 posts, NJ USA)

Posted 06 November 2009 - 11:19 PM

Hello and welcome. Please run these next. If you have Spybot installed, temporarily disable it.
Please do not use HJT on your own; deleting the wrong thing can render the unit unbootable.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e., Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Next run ATF and SAS:
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#3 gkevans53 (Topic Starter, Members, 29 posts)

Posted 07 November 2009 - 12:32 AM

Thanks for the quick response. I have tried to follow the first sequence regarding MBAM with the exception that the file extracted/installed into Program Files instead of the Desktop. I navigated to the file and changed the name to zztoy.exe as suggested and ran the program by double clicking the zztoy.exe filename.

It appeared to run but the program exited before prompting for any interaction. One thing to note is that I tried this twice, and the second time the program exited much quicker than the first time, when I could observe some progress during execution. Do you think that this implies that some actions were taken by the program? Should I proceed with the remainder of the instructions that you have already provided?

Thanks. I'll need to resume this later.

#4 boopme (Global Moderator, 73,573 posts, NJ USA)

Posted 08 November 2009 - 04:52 PM

Hello. We had a net outage here.

Please run this tool, then try MBAM again. Thanks.
Please download Rkill by Grinler and save it to your desktop. Alternate downloads: Link 2, Link 3, Link 4.
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.


#5 gkevans53 (Topic Starter, Members, 29 posts)

Posted 08 November 2009 - 05:22 PM

As previously posted, I am still unable to generate any kind of report with MBAM (it appears to run for 7 to 12 seconds before it exits without any messages). I did, however, attempt to complete the next two steps. The ATF program appeared to work fine. After that I was able to install SuperSpyware.

I am having complications with these programs as previously noted (only allowed to run once, various privilege issues reported, etc.). Thus, after not being successful running SuperSpyware in Safe Mode, I uninstalled and reinstalled and then ran the scan in Normal mode with McAfee disabled.

After 13 hours, I concluded that the number of files was at least 3 times the number on the computer and therefore the program was in an endless loop. I paused the program and chose to proceed to the next step. At this point it continued to display the results.

1 - Trojan/Gen and thousands of adtrackers.

Unfortunately, the program exited while I was trying to complete the quarantine/report/log steps. Thus I have nothing to send from the logs.

My computer is still being redirected as before, however searches now sometimes return blank or Page Does Not Exist. For the most part I don't detect any difference.

Could the Trojan or whatever also be smart enough to disable or intercept these programs/tools, or to change my privileges to only allow them to run once??? I have to uninstall and reinstall every time I try to complete the steps you have outlined for me to take. All of this is making me feel very inept, but I know that my computer skills are above novice level. Nevertheless, I keep thinking "What could I be doing wrong?"

Question 1: The MBAM installer does not allow me (at least I can't see where it would) to change the name of the executable prior to it being saved to the installed directory. Your advice to rename to zztoy.exe prior to saving could not therefore be performed. Can you explain/elaborate on what I may have misunderstood or what this action is intended to accomplish?

Question 2: Is there something I need to do to upgrade my privileges? I have administrator privileges by default, but keep getting messages (after running the programs once) that I may not have authorization to access the files.

I took the privilege of trying to run some other log software and was able to generate logs from DDS if you think it might provide some useful information. Unfortunately, I haven't been able to provide anything else. Thanks.

gkevans53

#6 boopme (Global Moderator, 73,573 posts, NJ USA)

Posted 08 November 2009 - 05:35 PM

Some rootkits can terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Further investigation is required to determine if this is the case with the issues you have described.

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad, then copy and paste the entire contents starting with Running from... to Finished!) in your next reply.
Then go to Start > Run..., and copy and paste this command into the open box: cmd
press OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop and open in Notepad.
Copy and paste the contents of that file in your next reply.

-- Vista users can refer to these instructions to open a command prompt.

#7 gkevans53 (Topic Starter, Members, 29 posts)

Posted 09 November 2009 - 12:05 PM

<Win32KDiag Log> follows:
Running from: C:\Users\Greg\Desktop\Win32kDiag.exe

Log file at : C:\Users\Greg\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2656.tmp\ZAP2656.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DA5.tmp\ZAP2DA5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4C5B.tmp\ZAP4C5B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109120000000000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109120090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\000021091A0090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\983B05722D2A359499AC721C2F8A6EDF\9.3.4035\9.3.4035

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\PnrpSqm\PnrpSqm

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Crypto\Keys\Keys

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SMINST\APPS\DTA\DTA

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SMINST\DRV\DTA\DTA

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\0ce8014e64ad9281a8256633d08ad4d3\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.18852_none_f5f82740381d7455\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.18852_none_f5f82740381d7455

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\0ce8014e64ad9281a8256633d08ad4d3\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.22942_none_f68c93f75132f82e\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.22942_none_f68c93f75132f82e

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cc9db45d4d7a49bee9efe23f364bf80b\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.18795_none_656cbc830d360ee8\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.18795_none_656cbc830d360ee8

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cc9db45d4d7a49bee9efe23f364bf80b\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.22886_none_66022984264aac18\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.22886_none_66022984264aac18

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB948109_ENU\hotfixas\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB948109_ENU\hotfixdts\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB948109_ENU\hotfixns\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB948109_ENU\hotfixrs\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB948109_ENU\hotfixsql\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB948109_ENU\hotfixtools\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB960089_ENU\hotfixas\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB960089_ENU\hotfixdts\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB960089_ENU\hotfixns\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB960089_ENU\hotfixrs\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB960089_ENU\hotfixsql\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB960089_ENU\hotfixtools\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB970892_ENU\hotfixas\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB970892_ENU\hotfixdts\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB970892_ENU\hotfixns\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB970892_ENU\hotfixrs\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB970892_ENU\hotfixsql\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQL9_KB970892_ENU\hotfixtools\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB948109_ENU\hotfixas\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB948109_ENU\hotfixdts\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB948109_ENU\hotfixns\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB948109_ENU\hotfixrs\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB948109_ENU\hotfixsql\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB948109_ENU\hotfixtools\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB960089_ENU\hotfixas\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB960089_ENU\hotfixdts\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB960089_ENU\hotfixns\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB960089_ENU\hotfixrs\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB960089_ENU\hotfixsql\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB960089_ENU\hotfixtools\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB970892_ENU\hotfixas\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB970892_ENU\hotfixdts\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB970892_ENU\hotfixns\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB970892_ENU\hotfixrs\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB970892_ENU\hotfixsql\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SQLTools9_KB970892_ENU\hotfixtools\files\files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\cngaudit.dll

[1] 2006-11-02 04:46:03 61952 C:\Windows\System32\cngaudit.dll ()

[2] 2006-11-02 04:46:03 11776 C:\Windows\System32\logevent.dll (Microsoft Corporation)

[1] 2006-11-02 04:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-11-08 20:50:36 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-11-08 20:50:13 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-11-08 20:50:18 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-11-08 20:50:18 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

[1] 2009-11-08 20:51:22 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()



Found mount point : C:\Windows\Temp\chrome_1664\source\Chrome-bin\Dictionaries\Dictionaries

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\History\Results\Results

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00001\MCE00001

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00002\MCE00002

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00003\MCE00003

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00004\MCE00004

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00005\MCE00005

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00006\MCE00006

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00007\MCE00007

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00008\MCE00008

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00009\MCE00009

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE0000a\MCE0000a

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE0000b\MCE0000b

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE0000c\MCE0000c

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE0000d\MCE0000d

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE0000e\MCE0000e

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE0000f\MCE0000f

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00010\MCE00010

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00011\MCE00011

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00012\MCE00012

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00013\MCE00013

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00014\MCE00014

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00015\MCE00015

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00016\MCE00016

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00017\MCE00017

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00018\MCE00018

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00019\MCE00019

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE0001a\MCE0001a

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf1227.tmp\mdf1227.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf125.tmp\mdf125.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf12dc.tmp\mdf12dc.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf14c9.tmp\mdf14c9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf1570.tmp\mdf1570.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf1cf6.tmp\mdf1cf6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf222a.tmp\mdf222a.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2437.tmp\mdf2437.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2506.tmp\mdf2506.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2633.tmp\mdf2633.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf267b.tmp\mdf267b.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf27f.tmp\mdf27f.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2ab9.tmp\mdf2ab9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2de2.tmp\mdf2de2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2e97.tmp\mdf2e97.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2eb2.tmp\mdf2eb2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2f49.tmp\mdf2f49.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2f86.tmp\mdf2f86.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf30b.tmp\mdf30b.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf32a0.tmp\mdf32a0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf33c8.tmp\mdf33c8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3422.tmp\mdf3422.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3481.tmp\mdf3481.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf34cd.tmp\mdf34cd.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3577.tmp\mdf3577.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3674.tmp\mdf3674.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3b15.tmp\mdf3b15.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3b68.tmp\mdf3b68.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3c01.tmp\mdf3c01.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3d73.tmp\mdf3d73.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3dfe.tmp\mdf3dfe.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3e49.tmp\mdf3e49.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf402d.tmp\mdf402d.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf409b.tmp\mdf409b.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf424d.tmp\mdf424d.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf4619.tmp\mdf4619.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf46ef.tmp\mdf46ef.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf49e6.tmp\mdf49e6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf4cc8.tmp\mdf4cc8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf4fb5.tmp\mdf4fb5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf51ab.tmp\mdf51ab.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf52ea.tmp\mdf52ea.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5331.tmp\mdf5331.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5415.tmp\mdf5415.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf54cd.tmp\mdf54cd.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5501.tmp\mdf5501.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5948.tmp\mdf5948.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5bb9.tmp\mdf5bb9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5e25.tmp\mdf5e25.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5f17.tmp\mdf5f17.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5f58.tmp\mdf5f58.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5fd3.tmp\mdf5fd3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf601f.tmp\mdf601f.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf6432.tmp\mdf6432.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf69ab.tmp\mdf69ab.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf6d47.tmp\mdf6d47.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf6d5c.tmp\mdf6d5c.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf6f56.tmp\mdf6f56.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7103.tmp\mdf7103.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7362.tmp\mdf7362.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf73e3.tmp\mdf73e3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf75d8.tmp\mdf75d8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7785.tmp\mdf7785.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf77ec.tmp\mdf77ec.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf78b0.tmp\mdf78b0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7945.tmp\mdf7945.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7a81.tmp\mdf7a81.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7c0e.tmp\mdf7c0e.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7c1.tmp\mdf7c1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7de9.tmp\mdf7de9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7e50.tmp\mdf7e50.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7eed.tmp\mdf7eed.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7f6b.tmp\mdf7f6b.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7fe7.tmp\mdf7fe7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf81a.tmp\mdf81a.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdfad6.tmp\mdfad6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdfc28.tmp\mdfc28.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdfc6a.tmp\mdfc6a.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdfcff.tmp\mdfcff.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdfee8.tmp\mdfee8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdff10.tmp\mdff10.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdff83.tmp\mdff83.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\RtSigs\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\SiteAdvisor\SiteAdvisor

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

<cmd: results follow here>
Volume in drive C has no label.
Volume Serial Number is 4FB2-D328

Directory of C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e

04/11/2009 01:28 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3

04/11/2009 01:28 AM 592,896 netlogon.dll
1 File(s) 592,896 bytes

Directory of C:\Windows\System32

01/19/2008 02:36 AM 177,152 scecli.dll

Directory of C:\Windows\System32

01/19/2008 02:35 AM 592,384 netlogon.dll
2 File(s) 769,536 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

11/02/2006 04:46 AM 176,640 scecli.dll
1 File(s) 176,640 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

01/19/2008 02:36 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

11/02/2006 04:46 AM 559,616 netlogon.dll
1 File(s) 559,616 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/19/2008 02:35 AM 592,384 netlogon.dll
1 File(s) 592,384 bytes

Total Files Listed:
8 File(s) 3,045,376 bytes
0 Dir(s) 142,736,355,328 bytes free

Recent experience: I downloaded rkill from each of the sites and ran MBAM after each execution of rkill. They all appeared to run fine, but MBAM repeatedly exited after 7 secs when trying to Quick Scan.

I hope the above logs are helpful.

<Win32KDiag Log> follows:
Running from: C:\Users\Greg\Desktop\Win32kDiag.exe

Log file at : C:\Users\Greg\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...






Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-11-08 20:50:36 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-11-08 20:50:13 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-11-08 20:50:18 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-11-08 20:50:18 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

[1] 2009-11-08 20:51:22 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()



Found mount point : C:\Windows\Temp\chrome_1664\source\Chrome-bin\Dictionaries\Dictionaries

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\History\Results\Results

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00001\MCE00001

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00002\MCE00002

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00003\MCE00003

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00004\MCE00004

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00005\MCE00005

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00006\MCE00006

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00007\MCE00007

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00008\MCE00008

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00009\MCE00009

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE0000a\MCE0000a

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE0000b\MCE0000b

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE0000c\MCE0000c

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE0000d\MCE0000d

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE0000e\MCE0000e

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE0000f\MCE0000f

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00010\MCE00010

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00011\MCE00011

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00012\MCE00012

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00013\MCE00013

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00014\MCE00014

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00015\MCE00015

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00016\MCE00016

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00017\MCE00017

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00018\MCE00018

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE00019\MCE00019

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MCE0001a\MCE0001a

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf1227.tmp\mdf1227.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf125.tmp\mdf125.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf12dc.tmp\mdf12dc.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf14c9.tmp\mdf14c9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf1570.tmp\mdf1570.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf1cf6.tmp\mdf1cf6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf222a.tmp\mdf222a.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2437.tmp\mdf2437.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2506.tmp\mdf2506.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2633.tmp\mdf2633.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf267b.tmp\mdf267b.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf27f.tmp\mdf27f.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2ab9.tmp\mdf2ab9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2de2.tmp\mdf2de2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2e97.tmp\mdf2e97.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2eb2.tmp\mdf2eb2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2f49.tmp\mdf2f49.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf2f86.tmp\mdf2f86.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf30b.tmp\mdf30b.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf32a0.tmp\mdf32a0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf33c8.tmp\mdf33c8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3422.tmp\mdf3422.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3481.tmp\mdf3481.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf34cd.tmp\mdf34cd.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3577.tmp\mdf3577.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3674.tmp\mdf3674.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3b15.tmp\mdf3b15.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3b68.tmp\mdf3b68.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3c01.tmp\mdf3c01.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3d73.tmp\mdf3d73.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3dfe.tmp\mdf3dfe.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf3e49.tmp\mdf3e49.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf402d.tmp\mdf402d.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf409b.tmp\mdf409b.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf424d.tmp\mdf424d.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf4619.tmp\mdf4619.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf46ef.tmp\mdf46ef.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf49e6.tmp\mdf49e6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf4cc8.tmp\mdf4cc8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf4fb5.tmp\mdf4fb5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf51ab.tmp\mdf51ab.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf52ea.tmp\mdf52ea.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5331.tmp\mdf5331.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5415.tmp\mdf5415.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf54cd.tmp\mdf54cd.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5501.tmp\mdf5501.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5948.tmp\mdf5948.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5bb9.tmp\mdf5bb9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5e25.tmp\mdf5e25.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5f17.tmp\mdf5f17.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5f58.tmp\mdf5f58.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf5fd3.tmp\mdf5fd3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf601f.tmp\mdf601f.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf6432.tmp\mdf6432.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf69ab.tmp\mdf69ab.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf6d47.tmp\mdf6d47.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf6d5c.tmp\mdf6d5c.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf6f56.tmp\mdf6f56.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7103.tmp\mdf7103.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7362.tmp\mdf7362.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf73e3.tmp\mdf73e3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf75d8.tmp\mdf75d8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7785.tmp\mdf7785.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf77ec.tmp\mdf77ec.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf78b0.tmp\mdf78b0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7945.tmp\mdf7945.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7a81.tmp\mdf7a81.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7c0e.tmp\mdf7c0e.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7c1.tmp\mdf7c1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7de9.tmp\mdf7de9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7e50.tmp\mdf7e50.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7eed.tmp\mdf7eed.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7f6b.tmp\mdf7f6b.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf7fe7.tmp\mdf7fe7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdf81a.tmp\mdf81a.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdfad6.tmp\mdfad6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdfc28.tmp\mdfc28.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdfc6a.tmp\mdfc6a.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdfcff.tmp\mdfcff.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdfee8.tmp\mdfee8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdff10.tmp\mdff10.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\mdff83.tmp\mdff83.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\RtSigs\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\SiteAdvisor\SiteAdvisor

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

<cmd: results follow here>
Volume in drive C has no label.
Volume Serial Number is 4FB2-D328

Directory of C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e

04/11/2009 01:28 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3

04/11/2009 01:28 AM 592,896 netlogon.dll
1 File(s) 592,896 bytes

Directory of C:\Windows\System32

01/19/2008 02:36 AM 177,152 scecli.dll

Directory of C:\Windows\System32

01/19/2008 02:35 AM 592,384 netlogon.dll
2 File(s) 769,536 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

11/02/2006 04:46 AM 176,640 scecli.dll
1 File(s) 176,640 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

01/19/2008 02:36 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

11/02/2006 04:46 AM 559,616 netlogon.dll
1 File(s) 559,616 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/19/2008 02:35 AM 592,384 netlogon.dll
1 File(s) 592,384 bytes

Total Files Listed:
8 File(s) 3,045,376 bytes
0 Dir(s) 142,736,355,328 bytes free

Recent experience: I downloaded rkill from each of the sites and ran MBAM after each execution of rkill. They all appeared to run fine, but MBAM repeatedly exited after 7 secs when trying to Quick Scan.

I hope the above logs are helpful.
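One way to triage a Win32kDiag log like the one above mechanically, as an added example that is not part of this thread and not Win32kDiag's own code: the script parses the two record types the log contains, reports junctions whose destination is not an ordinary volume path, and compares each blocked System32 file with its same-named WinSxS copy. The sample log inside it is constructed from the page's format, and the list of "benign" destination prefixes is an assumption.

```python
import re

# Constructed sample in the Win32kDiag output format shown in this thread (not a real capture).
SAMPLE_LOG = r"""
Found mount point : C:\Users\All Users
Mount point destination : \??\C:\ProgramData

Found mount point : C:\Windows\Temp\MCE00000\MCE00000
Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\cngaudit.dll
[1] 2006-11-02 04:46:03 61952 C:\Windows\System32\cngaudit.dll ()
[2] 2006-11-02 04:46:03 11776 C:\Windows\System32\logevent.dll (Microsoft Corporation)
[1] 2006-11-02 04:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
[1] 2009-11-08 20:50:36 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] YYYY-MM-DD HH:MM:SS <size> <path> (<vendor>)"; the path itself may contain spaces.
ENTRY_RE = re.compile(r"^\[\d+\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+?) \((.*)\)$")

# Assumption: a legitimate junction resolves to a volume path; any other target is reported.
BENIGN_PREFIXES = ("\\??\\", "\\device\\harddiskvolume")


def parse_log(text):
    """Return (mounts, blocked): [(directory, target)] and {blocked file: [entries beneath it]}."""
    mounts, blocked = [], {}
    pending_dir = current = None
    for line in text.splitlines():
        line = line.strip()
        if m := MOUNT_RE.match(line):
            pending_dir, current = m.group(1), None
        elif (m := DEST_RE.match(line)) and pending_dir:
            mounts.append((pending_dir, m.group(1)))
            pending_dir = None
        elif m := CANNOT_RE.match(line):
            current = m.group(1)
            blocked.setdefault(current, [])
        elif (m := ENTRY_RE.match(line)) and current:
            stamp, size, path, vendor = m.groups()
            blocked[current].append({"stamp": stamp, "size": int(size), "path": path, "vendor": vendor})
    return mounts, blocked


def suspicious_mounts(mounts):
    r"""Junctions whose target is not a volume path (e.g. the \Device\__max++>\^ target on this page)."""
    return [(d, t) for d, t in mounts if not t.lower().startswith(BENIGN_PREFIXES)]


def tampered_files(blocked):
    """Blocked files whose same-named WinSxS copy differs in size or vendor string."""
    findings = []
    for target, entries in blocked.items():
        name = target.rsplit("\\", 1)[-1].lower()
        same = [e for e in entries if e["path"].rsplit("\\", 1)[-1].lower() == name]
        live = next((e for e in same if e["path"].lower() == target.lower()), None)
        refs = [e for e in same if "\\winsxs\\" in e["path"].lower()]
        if live is None or not refs:
            continue  # nothing to compare against (e.g. an ETW trace file with no SxS copy)
        for ref in refs:
            if live["size"] != ref["size"] or live["vendor"] != ref["vendor"]:
                findings.append((target, live["size"], live["vendor"], ref["size"], ref["vendor"]))
    return findings
```

On the page's own log the same comparison shows the blocked cngaudit.dll in System32 at 61952 bytes with no vendor string while the WinSxS copy is 11776 bytes from Microsoft Corporation, which is the kind of discrepancy a helper looks for alongside the junction targets.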

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:02:10 PM

Posted 09 November 2009 - 03:08 PM

Yes they were.
It looks like there is a rootkit variant in this log. The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection; the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.


Next, please go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post the above Win32kDiag.exe log.

Let me know how that went.

#9 gkevans53

gkevans53
  • Topic Starter

  • Members
  • 29 posts
  • Local time:02:10 PM

Posted 09 November 2009 - 07:24 PM

Thank you for your help and the education as we progressed.

#10 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,111 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:10 PM

Posted 09 November 2009 - 09:53 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/270333/rootkit-variant-referred-to-hjt-forum/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks (perhaps less), to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses, as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup: