Malwarebytes

Cannot Run HijackThis

22 replies to this topic

#1
Fred D

    New Member

  • Members
  • 18 posts
I can install HijackThis successfully.
I can rename the exe successfully so that the console will launch.

About half a second after hitting the "scan and save log" button, the process is killed and cannot be restarted without reinstalling.

(also, FWIW I cannot run malwarebytes either. I can install, change filename of executable, but something kills the process about 3 seconds into the scan. )

Help! :(

thanks!

#2
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Mieke Verburgh
Assistant Director of Research


#3
Fred D

    New Member

  • Members
  • 18 posts

miekiemoes, on Sep 5 2009, 01:49 PM, said: (reply #2 above, quoted in full)

thank you for the response.
apparently ComboFix is another program that's terminated within seconds of beginning to run.

any other ideas?
I was so hoping to make it to late October to rebuild my computer from scratch (windows 7 time), but alas, I'm probably headed to the store to buy a new hard drive today. But if you do have ideas, they are welcome,
thanks!
Fred

#4
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

No need to buy a new hard drive for that if a simple format and reinstall could solve it already.

Anyway, please try this method to download Combofix:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    [Posted Image: screenshots of the rename step]


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.
This is because in some cases malware blocks EVERY process except those on its own whitelist, and that whitelist includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...
Mieke Verburgh
Assistant Director of Research


#5
Fred D

    New Member

  • Members
  • 18 posts

miekiemoes, on Sep 5 2009, 08:17 PM, said: (reply #4 above, quoted in full)

Again, thanks for the response. I'm still hoping to get this going. Unfortunately, following the instructions above, same exact symptoms:
- combofix saves off the internet to the desktop just fine, with the new name: Combo-fix (then later iexplore.exe)
- close everything
- running in safe mode
- double-click combo-fix (or iexplore) off of the desktop
- combo fix begins to run - runs for about 7 seconds
- process is terminated
- if I try to double-click again and run it again, it won't run and gives the following dialog box:
"Some files could not be created. Please close all applications, reboot Windows and restart this installation"

All applications are closed when I see this. Also, I am running in Safe Mode with no internet connection. When I reboot, same story: runs for 7 seconds, terminates, then won't run again.

ideas?

thanks!
Fred

#6
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
You're dealing with malware that locks the files...

Download and run Win32kDiag:
Also, for the locked files....

1) Please download this file

2) Place fr33.exe next to the exe file that doesn't want to run

3) Drag the exefile into fr33.exe. That shall free/unlock it.

Example of how to do this (this example uses the Malwarebytes exe file, mbam.exe):

[Posted Image: screenshot of dragging the exe file onto fr33.exe]


You can do that with every exe file that cannot run.

Or, in case you want to know how to do this manually and take ownership of locked files, please see here (XP/Vista) for more info. Note, on XP Home, the "Security" tab is only visible in Safe Mode. In case there's no Security tab in XP Pro, then please see here (XP Pro).
But there's no need to do it manually if you use fr33.exe instead to "unlock" files. ;)
Mieke Verburgh
Assistant Director of Research

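Win32kDiag output like the log Fred posts in the next reply can be triaged mechanically rather than by eye. The Python script below is an added example written for this page; it is not code from Win32kDiag, Malwarebytes or anyone in the thread. It pairs each "Found mount point" line with its "Mount point destination", flags every target that does not look like an NT path to a real volume (the allow-list of prefixes is an assumption of the example), notes the doubled last path component that every flagged entry in the posted log shares (Custom\Custom, temp\temp, and so on), and decodes the Win32 error code on the "Could not open reparse point" lines (3 is ERROR_PATH_NOT_FOUND). The embedded sample log is constructed: two entries and the error line are shortened copies of posted lines, and the volume mount point entry is invented so that the benign case is exercised as well.

```python
"""Triage helper for Win32kDiag-style output (added example, not Win32kDiag's code)."""
import re
from collections import Counter

# Constructed sample modelled on the log in this thread. The first two entries and the
# error line are shortened copies of posted lines; the third entry (a volume mount
# point with an invented GUID) is made up so the benign path through the code runs.
SAMPLE_LOG = r"""
WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Mount\Data

Mount point destination : \??\Volume{00000000-1111-2222-3333-444444444444}\

Could not open reparse point C:\Windows\SoftwareDistribution\Download\EXAMPLE\x86_example\x86_example: 3
"""

# The three line shapes Win32kDiag emits per entry.
FOUND_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
ERR_RE = re.compile(r"^Could not open reparse point (.+): (\d+)$")

# Assumed allow-list: a legitimate junction or volume mount point resolves to an NT
# path of one of these shapes. Anything else (such as \Device\__max++>\^) is flagged.
BENIGN_TARGET_PREFIXES = ("\\??\\", "\\Device\\HarddiskVolume")

# Win32 error codes that appear on "Could not open reparse point" lines.
WIN32_ERROR_NAMES = {3: "ERROR_PATH_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}


def parse_win32kdiag(text):
    """Return (mount_points, errors, incomplete).

    mount_points: list of (path, target); errors: list of (path, win32_code);
    incomplete: path of a trailing "Found mount point" that has no destination
    line (the posted log is cut off that way), or None.
    """
    mount_points, errors, pending = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := FOUND_RE.match(line)):
            pending = m.group(1)
        elif (m := DEST_RE.match(line)):
            if pending is None:
                raise ValueError("destination without a preceding mount point: " + line)
            mount_points.append((pending, m.group(1)))
            pending = None
        elif (m := ERR_RE.match(line)):
            errors.append((m.group(1), int(m.group(2))))
        # WARNING / Searching lines carry no per-entry data and are skipped.
    return mount_points, errors, pending


def is_suspicious_target(target):
    """A reparse target that is not an NT path to a real volume is suspicious."""
    return not target.startswith(BENIGN_TARGET_PREFIXES)


def has_doubled_leaf(path):
    # True when the last component repeats its parent (Custom\Custom, temp\temp),
    # which every flagged entry in the posted log shows.
    parts = path.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def triage(text):
    """Summarise a log: suspicious entries, shared targets, unopenable reparse points."""
    mount_points, errors, incomplete = parse_win32kdiag(text)
    suspicious = [(p, t) for p, t in mount_points if is_suspicious_target(t)]
    return {
        "total_mount_points": len(mount_points),
        "suspicious": suspicious,
        "doubled_leaf": [p for p, _ in suspicious if has_doubled_leaf(p)],
        "target_counts": Counter(t for _, t in suspicious),
        "unopenable": [(p, c, WIN32_ERROR_NAMES.get(c, "unknown")) for p, c in errors],
        "incomplete": incomplete,
    }


def report(result):
    """Render the triage dictionary as a short human-readable summary."""
    lines = [f"mount points: {result['total_mount_points']}, suspicious: {len(result['suspicious'])}"]
    for target, n in result["target_counts"].most_common():
        lines.append(f"  {n} entries point to {target}")
    for path in result["doubled_leaf"]:
        lines.append(f"  doubled-leaf path: {path}")
    for path, code, name in result["unopenable"]:
        lines.append(f"  could not open {path} (error {code} {name})")
    if result["incomplete"]:
        lines.append(f"  truncated entry: {result['incomplete']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it against a saved Win32kDiag log by replacing SAMPLE_LOG with the file's contents; the target count is the quickest signal, since one non-volume destination shared by dozens of system directories is what distinguishes the posted log from ordinary junction noise.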

#7
Fred D

    New Member

  • Members
  • 18 posts
Yay! The first bit of diagnostic code that actually ran! Here's the log:
**********

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE3C.tmp\ZAPE3C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\OEM\OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\50512592984F2284DAAF236CED4E1F41\8.0.6\8.0.6

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\52CB9D6ECBD08634E8A4D7EE0866C19D\8.0.148\8.0.148

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\AC1F0757D610CA645B68DC4746E5BF25\8.0.211\8.0.211

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\FC62732BFB866A144ABE271FF278EF50\8.0.63\8.0.63

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.16866_none_7fe0c12063c7ff25\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.16866_none_7fe0c12063c7ff25: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.21062_none_806634e57ce96cd5\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.21062_none_806634e57ce96cd5: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.18267_none_81c8001060eda96d\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.18267_none_81c8001060eda96d: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.22444_none_82643dbb79fdc277\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.22444_none_82643dbb79fdc277: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.18046_none_83c3136c5e04aa7f\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.18046_none_83c3136c5e04aa7f: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.22147_none_844db081772163a0\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.22147_none_844db081772163a0: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.16866_none_4755e279c14fc1a0\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.16866_none_4755e279c14fc1a0: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.21062_none_47db563eda712f50\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.21062_none_47db563eda712f50: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.18267_none_493d2169be756be8\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.18267_none_493d2169be756be8: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.22444_none_49d95f14d78584f2\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.22444_none_49d95f14d78584f2: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.18046_none_4b3834c5bb8c6cfa\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.18046_none_4b3834c5bb8c6cfa: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.22147_none_4bc2d1dad4a9261b\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.22147_none_4bc2d1dad4a9261b: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.16866_none_0a011f83f55114da\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.16866_none_0a011f83f55114da: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.21062_none_0a8693490e72828a\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.21062_none_0a8693490e72828a: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.18267_none_0be85e73f276bf22\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.18267_none_0be85e73f276bf22: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.22444_none_0c849c1f0b86d82c\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.22444_none_0c849c1f0b86d82c: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.18046_none_0de371cfef8dc034\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.18046_none_0de371cfef8dc034: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.22147_none_0e6e0ee508aa7955\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.22147_none_0e6e0ee508aa7955: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.16866_none_0a021fcdf5502e31\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.16866_none_0a021fcdf5502e31: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.21062_none_0a8793930e719be1\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.21062_none_0a8793930e719be1: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.18267_none_0be95ebdf275d879\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.18267_none_0be95ebdf275d879: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.22444_none_0c859c690b85f183\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.22444_none_0c859c690b85f183: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.18046_none_0de47219ef8cd98b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.18046_none_0de47219ef8cd98b: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.22147_none_0e6f0f2f08a992ac\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.22147_none_0e6f0f2f08a992ac: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.16866_none_0a032017f54f4788\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.16866_none_0a032017f54f4788: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.21062_none_0a8893dd0e70b538\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.21062_none_0a8893dd0e70b538: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.18267_none_0bea5f07f274f1d0\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.18267_none_0bea5f07f274f1d0: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.22444_none_0c869cb30b850ada\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.22444_none_0c869cb30b850ada: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.18046_none_0de57263ef8bf2e2\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.18046_none_0de57263ef8bf2e2: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.22147_none_0e700f7908a8ac03\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.22147_none_0e700f7908a8ac03: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.16866_none_0a042061f54e60df\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.16866_none_0a042061f54e60df: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.21062_none_0a8994270e6fce8f\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.21062_none_0a8994270e6fce8f: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.18267_none_0beb5f51f2740b27\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.18267_none_0beb5f51f2740b27: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.22444_none_0c879cfd0b842431\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.22444_none_0c879cfd0b842431: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.18046_none_0de672adef8b0c39\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.18046_none_0de672adef8b0c39: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.22147_none_0e710fc308a7c55a\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.22147_none_0e710fc308a7c55a: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.16866_none_0a0520abf54d7a36\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.16866_none_0a0520abf54d7a36: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.21062_none_0a8a94710e6ee7e6\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.21062_none_0a8a94710e6ee7e6: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.18267_none_0bec5f9bf273247e\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.18267_none_0bec5f9bf273247e: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.22444_none_0c889d470b833d88\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.22444_none_0c889d470b833d88: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.18046_none_0de772f7ef8a2590\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.18046_none_0de772f7ef8a2590: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.22147_none_0e72100d08a6deb1\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.22147_none_0e72100d08a6deb1: 3
Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16866_none_3fdf3668c441aa88\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16866_none_3fdf3668c441aa88

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.21062_none_4064aa2ddd631838\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.21062_none_4064aa2ddd631838

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18267_none_41c67558c16754d0\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18267_none_41c67558c16754d0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22444_none_4262b303da776dda\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22444_none_4262b303da776dda

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.18046_none_43c188b4be7e55e2\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.18046_none_43c188b4be7e55e2

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d2d2847d8d293b748203da2d4ed8109b\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.22147_none_444c25c9d79b0f03\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.22147_none_444c25c9d79b0f03

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.16917_none_8017d2ec639e89ee\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.16917_none_8017d2ec639e89ee: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.21117_none_80a147d97cbc5cfa\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6000.21117_none_80a147d97cbc5cfa: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.18320_none_81ec3fa060d3856f\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.18320_none_81ec3fa060d3856f: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.22509_none_829480c379d8ce8d\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6001.22509_none_829480c379d8ce8d: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.18101_none_83e953905de8b92f\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.18101_none_83e953905de8b92f: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.22213_none_846a2103770ca798\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.0.6002.22213_none_846a2103770ca798: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.16917_none_478cf445c1264c69\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.16917_none_478cf445c1264c69: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.21117_none_48166932da441f75\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6000.21117_none_48166932da441f75: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.18320_none_496160f9be5b47ea\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.18320_none_496160f9be5b47ea: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.22509_none_4a09a21cd7609108\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6001.22509_none_4a09a21cd7609108: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.18101_none_4b5e74e9bb707baa\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.18101_none_4b5e74e9bb707baa: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.22213_none_4bdf425cd4946a13\x86_microsoft-windows-a..bility-assistant-db_31bf3856ad364e35_6.0.6002.22213_none_4bdf425cd4946a13: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.16917_none_0a38314ff5279fa3\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.16917_none_0a38314ff5279fa3: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.21117_none_0ac1a63d0e4572af\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6000.21117_none_0ac1a63d0e4572af: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.18320_none_0c0c9e03f25c9b24\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.18320_none_0c0c9e03f25c9b24: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.22509_none_0cb4df270b61e442\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6001.22509_none_0cb4df270b61e442: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.18101_none_0e09b1f3ef71cee4\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.18101_none_0e09b1f3ef71cee4: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.22213_none_0e8a7f670895bd4d\x86_microsoft-windows-a..ence-mitigations-c1_31bf3856ad364e35_6.0.6002.22213_none_0e8a7f670895bd4d: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.16917_none_0a393199f526b8fa\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.16917_none_0a393199f526b8fa: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.21117_none_0ac2a6870e448c06\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6000.21117_none_0ac2a6870e448c06: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.18320_none_0c0d9e4df25bb47b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.18320_none_0c0d9e4df25bb47b: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.22509_none_0cb5df710b60fd99\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6001.22509_none_0cb5df710b60fd99: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.18101_none_0e0ab23def70e83b\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.18101_none_0e0ab23def70e83b: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.22213_none_0e8b7fb10894d6a4\x86_microsoft-windows-a..ence-mitigations-c2_31bf3856ad364e35_6.0.6002.22213_none_0e8b7fb10894d6a4: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.16917_none_0a3a31e3f525d251\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.16917_none_0a3a31e3f525d251: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.21117_none_0ac3a6d10e43a55d\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6000.21117_none_0ac3a6d10e43a55d: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.18320_none_0c0e9e97f25acdd2\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.18320_none_0c0e9e97f25acdd2: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.22509_none_0cb6dfbb0b6016f0\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6001.22509_none_0cb6dfbb0b6016f0: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.18101_none_0e0bb287ef700192\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.18101_none_0e0bb287ef700192: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.22213_none_0e8c7ffb0893effb\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.22213_none_0e8c7ffb0893effb: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.16917_none_0a3b322df524eba8\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.16917_none_0a3b322df524eba8: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.21117_none_0ac4a71b0e42beb4\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6000.21117_none_0ac4a71b0e42beb4: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.18320_none_0c0f9ee1f259e729\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.18320_none_0c0f9ee1f259e729: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.22509_none_0cb7e0050b5f3047\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6001.22509_none_0cb7e0050b5f3047: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.18101_none_0e0cb2d1ef6f1ae9\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.18101_none_0e0cb2d1ef6f1ae9: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.22213_none_0e8d804508930952\x86_microsoft-windows-a..ence-mitigations-c4_31bf3856ad364e35_6.0.6002.22213_none_0e8d804508930952: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.16917_none_0a3c3277f52404ff\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.16917_none_0a3c3277f52404ff: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.21117_none_0ac5a7650e41d80b\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6000.21117_none_0ac5a7650e41d80b: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.18320_none_0c109f2bf2590080\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.18320_none_0c109f2bf2590080: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.22509_none_0cb8e04f0b5e499e\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6001.22509_none_0cb8e04f0b5e499e: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.18101_none_0e0db31bef6e3440\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.18101_none_0e0db31bef6e3440: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.22213_none_0e8e808f089222a9\x86_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_6.0.6002.22213_none_0e8e808f089222a9: 3
Found mount point : C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16917_none_40164834c4183551\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16917_none_40164834c4183551

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.21117_none_409fbd21dd36085d\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.21117_none_409fbd21dd36085d

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18320_none_41eab4e8c14d30d2\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18320_none_41eab4e8c14d30d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22509_none_4292f60bda5279f0\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22509_none_4292f60bda5279f0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.18101_none_43e7c8d8be626492\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.18101_none_43e7c8d8be626492

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\d7480a065993d63dcab7527fa2107fee\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.22213_none_4468964bd78652fb\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6002.22213_none_4468964bd78652fb

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f9870fa09c866a37752cd50336c30a22\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18819_none_83d6ded046b75eaf\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18819_none_83d6ded046b75eaf

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\f9870fa09c866a37752cd50336c30a22\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.22909_none_846b4b875fcce288\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.22909_none_846b4b875fcce288

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\Branding\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\catroot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\cngaudit.dll

[1] 2006-11-02 02:46:03 61952 C:\Windows\System32\cngaudit.dll ()

[2] 2006-11-02 02:46:03 11776 C:\Windows\System32\logevent.dll (Microsoft Corporation)

[1] 2006-11-02 02:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)



Found mount point : C:\Windows\System32\com\dmp\dmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\Journal\Journal

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Messenger\Messenger

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Silverlight\Silverlight

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Police Pro\Windows Police Pro

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Roxio\MediaManager10\MediaManager10

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\log\log

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\LogFiles\Firewall\Firewall

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-09-05 17:05:22 122672 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-09-06 03:43:32 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-09-06 03:43:59 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-09-06 03:43:58 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Found mount point : C:\Windows\System32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\MUI\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\runtime\runtime

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\setup\en-US\en-US

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\SMI\Manifests\Manifests

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\spool\drivers\IA64\IA64

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\spool\drivers\x64\x64

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\spool\SERVERS\SERVERS

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\taskeng.exe

[1] 2008-01-19 00:33:32 169472 C:\Windows\System32\taskeng.exe ()

[1] 2006-11-02 02:45:48 166400 C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6000.16386_none_e3758b32c1ef5c83\taskeng.exe (Microsoft Corporation)

[1] 2008-01-19 00:33:32 169472 C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6001.18000_none_e5ac4d2ebeda6d57\taskeng.exe ()



Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System\System

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows\RestartManager\RestartManager

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\SyncCenter

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows\WindowsCalendar\WindowsCalendar

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\wbem\MOF\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\wbem\MOF\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\System32\winevt\TraceFormat\TraceFormat

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\cmi{99681151-3537-434F-8D53-AA0EF9812DEC}\cmi{99681151-3537-434F-8D53-AA0EF9812DEC}

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\cs\cs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\da\da

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\de\de

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\el\el

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\en\en

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\en-gb\en-gb

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\es\es

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\fi\fi

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\fr\fr

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\HTML\HTML

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\it\it

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\ja\ja

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\ko\ko

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\nl\nl

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\no\no

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\pl\pl

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\pt-br\pt-br

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\ru\ru

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\sv\sv

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\th\th

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\tr\tr

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\zh-cn\zh-cn

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f32833d\2.4.1536.6592\zh-tw\zh-tw

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis1f6337\gis1f6337

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\cs\cs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\da\da

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\de\de

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\el\el

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\en\en

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\en-gb\en-gb

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\es\es

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\fi\fi

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\fr\fr

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\HTML\HTML

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\it\it

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\ja\ja

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\ko\ko

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\nl\nl

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\no\no

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\pl\pl

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\pt-br\pt-br

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\ru\ru

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\sv\sv

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\th\th

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\tr\tr

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\zh-cn\zh-cn

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gis4ad5507\2.4.1368.5602\zh-tw\zh-tw

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\gisb5a01\gisb5a01

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\GUMCDC9.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\Intuit\SpcfLogging\SpcfLogging

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\is-1KA49.tmp\is-1KA49.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\is-6HMG9.tmp\is-6HMG9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\is-BVD3D.tmp\is-BVD3D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\is-MQ8C5.tmp\is-MQ8C5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\is-NIGMN.tmp\is-NIGMN.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\nsb1D75.tmp\nsb1D75.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\nskA62E.tmp\nskA62E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\nslAB7.tmp\nslAB7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\nsq9196.tmp\nsq9196.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\nsy58FC.tmp\nsy58FC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\SxsTemp\SxsTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\WMFA\WMFA

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\~msdt\tools\tools

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6001.18000_none_e5ac4d2ebeda6d57\taskeng.exe

[1] 2008-01-19 00:33:32 169472 C:\Windows\System32\taskeng.exe ()

[1] 2006-11-02 02:45:48 166400 C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6000.16386_none_e3758b32c1ef5c83\taskeng.exe (Microsoft Corporation)

[1] 2008-01-19 00:33:32 169472 C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6001.18000_none_e5ac4d2ebeda6d57\taskeng.exe ()

Finished!
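The Win32kDiag output above carries two indicators a responder would want to pull out of such a log automatically: junctions whose reparse destination is a raw object-manager path (no "\??\" prefix) and which are named after their own parent directory, and binaries whose version resource has no company name. The Python below is an added example, not part of this thread and not Win32kDiag's own logic; the sample text is an excerpt of the log above plus one constructed benign-looking junction for contrast, and the "\??\" rule is a heuristic of this example.

```python
"""Pull two indicators out of Win32kDiag-style output (added example).

1. Junction mount points whose destination is a raw object-manager path
   (no "\\??\\" prefix) or that are named after their own parent directory.
2. "[n] date time size path (company)" file entries with an empty company
   field, i.e. no vendor recorded in the version resource.
The "\\??\\" rule is a heuristic of this example, not a Win32kDiag feature.
"""
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the Win32kDiag log in this thread plus one
# benign-looking junction (the Public\Shared line) added for contrast.
SAMPLE_LOG = r"""
Found mount point : C:\Windows\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^

Found mount point : C:\Users\Public\Shared

Mount point destination : \??\C:\Users\Public\Documents

Cannot access: C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6001.18000_none_e5ac4d2ebeda6d57\taskeng.exe

[1] 2008-01-19 00:33:32 169472 C:\Windows\System32\taskeng.exe ()

[1] 2006-11-02 02:45:48 166400 C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6000.16386_none_e3758b32c1ef5c83\taskeng.exe (Microsoft Corporation)

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
FILE_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")


@dataclass
class Finding:
    kind: str    # "mount_point" or "file"
    path: str
    detail: str


def parse_mount_points(text):
    """Return (junction, destination) pairs; the two lines are adjacent records."""
    pairs, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := MOUNT_RE.match(line)):
            pending = m.group(1)
        elif (m := DEST_RE.match(line)) and pending is not None:
            pairs.append((pending, m.group(1)))
            pending = None
    return pairs


def parse_file_entries(text):
    """Return (timestamp, size, path, company) tuples from "[n] ..." lines."""
    out = []
    for line in text.splitlines():
        if (m := FILE_RE.match(line.strip())):
            ts, size, path, company = m.groups()
            out.append((ts, int(size), path, company.strip()))
    return out


def named_after_parent(path):
    """True for the X\\X pattern, e.g. ...\\Temp\\SxsTemp\\SxsTemp."""
    parts = path.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def suspicious_mount_points(pairs):
    findings = []
    for src, dest in pairs:
        reasons = []
        if not dest.startswith("\\??\\"):
            reasons.append("destination is a raw object path: " + dest)
        if named_after_parent(src):
            reasons.append("junction is named after its parent directory")
        if reasons:
            findings.append(Finding("mount_point", src, "; ".join(reasons)))
    return findings


def files_without_vendor(entries):
    return [Finding("file", path, f"{size} bytes, empty company field")
            for _ts, size, path, company in entries if company == ""]


def analyse(text):
    return (suspicious_mount_points(parse_mount_points(text))
            + files_without_vendor(parse_file_entries(text)))


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.kind}] {f.path}\n    {f.detail}")
```

Run against the full log posted above, every one of the Temp junctions trips both mount-point rules, while the constructed Public\Shared line passes; the empty-company rule singles out the System32 copy of taskeng.exe and leaves the older WinSxS copy alone. Neither rule proves a file is malicious on its own; they narrow a long log down to the entries worth checking by hash or signature.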

#8
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

Looks like cngaudit.dll got replaced here with a malicious copy, and the good one was renamed to logevent.dll (sneaky trick), which isn't present on Vista by default.

Please do the following...

1. Please download The Avenger2 by SwanDog46
2. Unzip avenger.exe to your desktop.
3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"

Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\cngaudit.dll
4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
5. Read the prompt that appears, and press OK.
6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
7. Press the "Execute" button.
8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Also,

Go to start > run and copy and paste the following command in the field:

"%userprofile%\desktop\win32kdiag.exe" -f -r

This should restore permissions on locked files and remove mountpoints.

Then run Combofix again.
Mieke Verburgh
Assistant Director of Research

#9
Fred D

    New Member

  • Members
  • 18 posts
Thanks, here's the log of the Avenger:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\SYSTEM32\logevent.dll|C:\WINDOWS\SYSTEM32\cngaudit.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#10
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
OK, please proceed with the rest of my steps (run "%userprofile%\desktop\win32kdiag.exe" -f -r and then run ComboFix again).
Mieke Verburgh
Assistant Director of Research

#11
Fred D

    New Member

  • Members
  • 18 posts
Mount points seem to be removed now, and ComboFix begins to run.
ComboFix is telling me that Avast antivirus and Avast antispyware processes are running, so I haven't clicked "OK" yet on the dialog box.

Since I couldn't find a way to disable Avast in standard mode, I'm now in Safe Mode. Same thing.
But there's no Avast item in the system tray,
I don't have permission to open Avast from Programs,
and in Task Manager I don't see any processes that are obviously Avast to me. Since it's in Safe Mode, the process list in Task Manager is pretty short:
cmd.execf
csrss.exe
csrss.exe
explorer.exe
lsass.exe
lsm.exe
NirCmd.cfxxe
services.exe
smss.exe
svchost.exe (6 of these)
System
System Idle Process
taskmgr.exe
unsecapp.exe
wininit.exe
winlogon.exe
WMIPrvSE.exe

Anyway, I've not selected "OK" yet in ComboFix.

thanks,

#12
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Just click OK there in safe mode. No way Avast can interfere since it's not running anyway ;)
Mieke Verburgh
Assistant Director of Research

#13
Fred D

    New Member

  • Members
  • 18 posts
Hooray, it ran!
OK, here's the ComboFix log:

****************
ComboFix 09-09-05.02 - Kari & Fred 09/06/2009 8:30.1.2 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1632 [GMT -7:00]
Running from: c:\users\Kari & Fred\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1169 [VPS 090901-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1169 [VPS 090901-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\users\Kari & Fred\iexplore.exe
c:\users\Kari & Fred\Kari & Fred.exe
c:\windows\Installer\a528c8.msi
c:\windows\system32\bincd32.dat
c:\windows\system32\drivers\rotscxmvqtyqvv.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\rotscxixwmwpjv.dll
c:\windows\system32\rotscxmenrosip.dat
c:\windows\system32\rotscxpxpwisfp.dll
c:\windows\system32\rotscxsutbsxjr.dat
c:\windows\system32\sysnet.dat
c:\windows\wpd99.drv

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ROTSCXNDPIFITQ
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_AntipPro2009_100
-------\Service_rotscxndpifitq


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-06 15:36 . 2009-09-06 15:36 -------- d-----w- c:\users\Kelsey\AppData\Local\temp
2009-09-06 15:36 . 2009-09-06 16:10 -------- d-----w- c:\users\Kari & Fred\AppData\Local\temp
2009-09-06 15:36 . 2009-09-06 15:36 -------- d-----w- c:\users\Jenelle\AppData\Local\temp
2009-09-04 22:26 . 2009-09-06 11:37 -------- d-----w- c:\windows\system32\log
2009-09-04 22:26 . 2009-09-04 22:26 1055648 ----a-w- C:\RootkitBuster_2.52.1013.zip
2009-09-04 22:18 . 2009-09-04 22:20 3192102 ----a-w- C:\ComboFix.exe
2009-09-04 20:52 . 2009-09-04 20:55 -------- d-----w- c:\program files\Trend Micro
2009-09-04 20:51 . 2009-09-04 20:52 812344 ----a-w- C:\HJTInstall.exe
2009-09-04 19:24 . 2009-09-06 11:37 -------- d--h--w- c:\windows\PIF
2009-09-04 18:50 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-04 18:50 . 2009-09-06 11:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-04 18:50 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 16:51 . 2009-09-04 18:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwarexxx
2009-09-04 16:32 . 2009-09-04 16:32 0 ----a-w- C:\settings.dat
2009-09-04 16:28 . 2009-09-04 16:29 464491 ----a-w- c:\users\Kari & Fred\RootRepeal.zip
2009-09-04 15:49 . 2009-09-04 16:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-04 15:49 . 2009-09-04 15:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-04 15:46 . 2009-09-04 15:46 16409960 ----a-w- c:\users\Kari & Fred\spybotsd162.exe
2009-09-04 06:56 . 2004-08-04 14:00 506368 ----a-w- c:\windows\system32\msxml.dll
2009-09-04 06:54 . 2009-09-04 06:54 26709272 ----a-w- c:\users\Kari & Fred\sdsetup.exe
2009-09-04 06:32 . 2009-09-04 06:33 10752 ----a-w- c:\users\Kari & Fred\exefix_xp.com
2009-09-04 05:57 . 2009-09-04 05:57 -------- d-----w- c:\users\Kari & Fred\AppData\Roaming\Malwarebytes
2009-09-04 05:57 . 2009-09-04 05:57 -------- d-----w- c:\programdata\Malwarebytes
2009-09-04 05:56 . 2009-09-04 05:56 3942048 ----a-w- C:\mbam-setup.exe
2009-09-04 05:43 . 2009-09-04 05:43 308160 ----a-w- C:\avast_home_setup.exe
2009-09-02 23:53 . 2009-08-28 12:39 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-02 23:53 . 2009-08-28 10:15 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-02 18:09 . 2009-09-06 15:22 -------- d-sh--w- c:\users\Kari & Fred\AppData\Roaming\lowsec
2009-09-02 16:38 . 2009-09-06 12:27 1356 ----a-w- c:\users\Kari & Fred\AppData\Local\d3d9caps.dat
2009-09-02 14:04 . 2009-09-02 14:04 206 ----a-w- c:\users\Kari & Fred\npdwus.bat
2009-08-28 04:31 . 2009-08-28 04:31 122 ----a-w- c:\users\Kari & Fred\DEQLKH.bat
2009-08-26 23:45 . 2009-08-26 23:45 -------- d-----w- c:\users\Kari & Fred\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-26 10:01 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-22 10:10 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-08-22 10:10 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-08-22 10:10 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-08-22 10:10 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-08-22 10:10 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-08-22 10:10 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-08-22 10:10 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-08-22 10:01 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-08-22 10:01 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-08-22 10:01 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-08-22 10:01 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-08-22 10:01 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-08-18 21:41 . 2009-08-18 21:41 -------- d-----w- c:\program files\EG Toolbar
2009-08-18 21:41 . 2009-08-18 21:41 -------- d-----w- c:\programdata\AGI
2009-08-18 21:41 . 2009-08-18 21:41 -------- d-----w- c:\program files\AGI
2009-08-17 03:56 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-17 03:56 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-17 03:56 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-17 03:56 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-17 03:55 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-17 03:55 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-17 03:55 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-17 03:55 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-13 18:14 . 2009-09-04 16:29 472064 ----a-w- C:\RootRepeal.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-06 11:34 . 2007-07-16 05:40 -------- d-----w- c:\programdata\Google Updater
2009-09-04 17:36 . 2008-04-18 03:23 -------- d-----w- c:\programdata\pdf995
2009-08-22 15:55 . 2007-05-29 02:12 -------- d-----w- c:\users\Kari & Fred\AppData\Roaming\Apple Computer
2009-08-22 15:47 . 2008-07-20 14:23 -------- d-----w- c:\program files\Instant CD & DVD Burner
2009-08-17 10:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-14 13:58 . 2009-09-04 06:56 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-06 12:40 . 2009-08-06 04:49 -------- d-----w- c:\programdata\NOS
2009-08-06 12:40 . 2009-08-06 04:49 -------- d-----w- c:\program files\NOS
2009-08-06 06:59 . 2009-01-28 18:08 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-06 04:56 . 2007-06-03 15:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-06 04:52 . 2009-08-06 04:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-21 21:52 . 2009-07-29 04:22 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 04:22 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 04:22 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 04:22 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-06-15 15:24 . 2009-07-15 09:57 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-15 09:57 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-15 09:57 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-15 09:57 289792 ----a-w- c:\windows\system32\atmfd.dll
2008-04-18 03:25 . 2008-04-18 03:25 67072 ----a-w- c:\program files\pdf995.dot
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2008-07-27 282112]

[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agcore.AGUtils]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2008-07-27 18:03 282112 ----a-w- c:\windows\System32\mscoree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9df9b682-9c18-4a01-bac3-a265ca7cd866}"= "mscoree.dll" [2008-07-27 282112]

[HKEY_CLASSES_ROOT\clsid\{9df9b682-9c18-4a01-bac3-a265ca7cd866}]
[HKEY_CLASSES_ROOT\EGToolbar.EGToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 79224]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-08 2595480]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-08 905056]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-08 140568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-18 136600]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-12 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-11 576104]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
Yahoo! Autosync.lnk - c:\program files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe [2007-8-21 391680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C2E19DDF-306F-46E4-AC87-680E7E4BB898}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{D789942A-287F-4F96-93BC-EEB4F3CE4CC5}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{AC5396FA-BF9D-40EC-8A6D-55D5663BBCD8}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{52BF51D0-2541-478B-BAB6-F6087AEDB0AA}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{0C8FB912-D19A-40AD-992A-88BC0B42428C}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{0D72C73A-8CD0-4276-B404-E4A200125E9D}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{4B85C46B-3206-4160-B084-C4F70C1BCA93}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8B40D769-3BDC-40EC-AE8E-CD843C27B783}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{6E8F65DF-C3F5-4E02-BF4D-106377A51662}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{1F4E9A77-9C28-457E-A010-B6C7DF21B06C}c:\\program files\\rhapsody\\rhapsody.exe"= UDP:c:\program files\rhapsody\rhapsody.exe:RealNetworks Rhapsody
"UDP Query User{AA875618-0D1C-4E51-987E-C724D562F6AD}c:\\program files\\rhapsody\\rhapsody.exe"= TCP:c:\program files\rhapsody\rhapsody.exe:RealNetworks Rhapsody
"{1733E126-5D98-4E13-893C-8FC3E8F1776D}"= UDP:c:\program files\TurboTax\Deluxe 2007\32bit\ttax.exe:TurboTax
"{E4050DD7-482E-4CF0-B48D-1E27B3148D51}"= TCP:c:\program files\TurboTax\Deluxe 2007\32bit\ttax.exe:TurboTax
"{A678376E-0072-4E01-8F6B-B5B22DC54D14}"= UDP:c:\program files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:TurboTax Update Manager
"{66E15B23-BD88-4A4A-AD81-445AD2EA1226}"= TCP:c:\program files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:TurboTax Update Manager
"{81853639-F6C8-4E26-AEAF-335094B31528}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{7158EC17-3DB9-49F7-8AD2-6D98F7EF0CC4}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{624331FE-B56B-41A0-8A4C-78468A48D311}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{115FB5F0-8F05-4789-943E-6ECDDFFD58CB}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{F8FDAC71-30AC-41E6-999F-811CD8705C7F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

S1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [4/8/2008 9:20 PM 75856]
S2 AGCoreService;AG Core Services;c:\program files\AGI\core\3.0\AGCoreService.exe [8/18/2009 2:41 PM 40960]
S2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [4/8/2008 9:20 PM 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [6/1/2007 9:21 AM 50768]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 3:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 3:52 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 3:52 PM 166384]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [9/4/2009 8:49 AM 1153368]
S2 tgsrvc_chatsupport.palm.com;SupportSoft Repair Service (chatsupport.palm.com);c:\program files\chatsupport.palm.com\bin\tgsrvc.exe [5/21/2008 5:24 AM 148768]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/9/2007 3:48 PM 24652]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [1/28/2009 11:07 AM 55264]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/8/2008 6:01 PM 533344]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 3:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 3:52 PM 1083888]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-28 16:25]

2009-09-06 c:\windows\Tasks\User_Feed_Synchronization-{772D9F7B-0E68-441F-A3A4-AB7FDE0E0B86}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]

2009-09-06 c:\windows\Tasks\User_Feed_Synchronization-{89FEEB60-617B-499F-A824-2C6370ECC6C9}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]

2009-09-06 c:\windows\Tasks\User_Feed_Synchronization-{9E718C97-9091-472A-8027-7B8F1ACA2A3C}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
Trusted Zone: turbotax.com
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
FF - ProfilePath - c:\users\Kari & Fred\AppData\Roaming\Mozilla\Firefox\Profiles\uery8kw7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?.home=ytff
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 09:10
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP00000039576CEC5972BF01A5 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(620)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'Explorer.exe'(5616)
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-09-06 9:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-06 16:12

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 162,735,783,936 bytes free

311
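ComboFix's "Other Deletions" and "Files Created" sections above list files only by path, and several of the removed items stand out purely by where they sit: iexplore.exe in a user profile root rather than under Internet Explorer's own folder, and .exe and .bat files dropped directly into c:\users\Kari & Fred. As an added example (not ComboFix's own logic and not part of this thread), the Python below extracts paths from both section formats and applies two defender heuristics, both assumptions of this example: a well-known Windows binary name outside its usual directory, and an executable or script placed directly in a user profile root. The sample lines are constructed from the log above.

```python
"""Flag path anomalies in ComboFix-style file listings (added example).

Two defender heuristics, both assumptions of this example rather than
ComboFix logic:
  * a well-known Windows binary name sitting outside its usual directory
    (e.g. iexplore.exe anywhere but an "Internet Explorer" folder);
  * an executable or script placed directly in a user profile root
    (c:\\users\\<name>\\file.exe).
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: bare paths as in ComboFix's "Other Deletions" section and
# timestamped rows as in "Files Created", both taken from the log above.
SAMPLE = r"""
c:\users\Kari & Fred\iexplore.exe
c:\users\Kari & Fred\Kari & Fred.exe
c:\windows\system32\drivers\rotscxmvqtyqvv.sys
2009-09-04 20:51 . 2009-09-04 20:52 812344 ----a-w- C:\HJTInstall.exe
2009-09-04 18:50 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 14:04 . 2009-09-02 14:04 206 ----a-w- c:\users\Kari & Fred\npdwus.bat
2009-08-28 04:31 . 2009-08-28 04:31 122 ----a-w- c:\users\Kari & Fred\DEQLKH.bat
2009-09-04 22:26 . 2009-09-06 11:37 -------- d-----w- c:\windows\system32\log
"""

# "created . modified size attrs path"; size is "--------" for directories.
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ (\S+) (.+)$")
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Expected parent-directory names for a few binaries that malware likes to
# impersonate by name. Assumption of this example; extend as needed.
EXPECTED_PARENT = {
    "iexplore.exe": {"internet explorer"},
    "explorer.exe": {"windows"},
    "svchost.exe": {"system32", "syswow64"},
    "lsass.exe": {"system32"},
    "csrss.exe": {"system32"},
}
EXEC_EXT = {".exe", ".dll", ".sys", ".bat", ".cmd", ".com", ".scr", ".pif"}


def extract_paths(text):
    """Collect file paths from both listing formats, skipping directory rows."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.groups()
            if not attrs.startswith("d"):
                paths.append(path)
        elif BARE_PATH_RE.match(line):
            paths.append(line)
    return paths


def classify(path):
    """Return the list of reasons a path looks out of place (empty if none)."""
    p = PureWindowsPath(path)
    reasons = []
    expected = EXPECTED_PARENT.get(p.name.lower())
    if expected and p.parent.name.lower() not in expected:
        reasons.append(f"{p.name} outside its expected directory")
    parts = [s.lower() for s in p.parts]   # ('c:\\', 'users', '<name>', 'file')
    if p.suffix.lower() in EXEC_EXT and len(parts) == 4 and parts[1] == "users":
        reasons.append("executable or script directly in a user profile root")
    return reasons


def analyse_listing(text):
    """Map each flagged path to its list of reasons."""
    flagged = {}
    for path in extract_paths(text):
        reasons = classify(path)
        if reasons:
            flagged[path] = reasons
    return flagged


def flagged_names(text):
    """Sorted base names of the flagged paths, handy for a quick comparison."""
    return sorted(PureWindowsPath(p).name for p in analyse_listing(text))


if __name__ == "__main__":
    for path, reasons in analyse_listing(SAMPLE).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample, the four profile-root droppers are flagged and the legitimate Malwarebytes driver and the installer sitting at C:\ are not; the randomly named rotscx*.sys driver in system32\drivers is not caught at all, which is the point of the exercise: name-and-location heuristics are cheap triage, and anything in a system directory still needs a hash or signature check.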

#14
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.co...cle.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
Let me know in your next reply how things are now.
Mieke Verburgh
Assistant Director of Research

#15
Fred D

    New Member

  • Members
  • 18 posts

miekiemoes, on Sep 6 2009, 09:01 PM, said:

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.co...cle.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
Let me know in your next reply how things are now.


Thanks.
Before I run ComboFix /u, does it matter which ComboFix I do it on? Due to all the issues, I have both a "combofix.exe" and a "combo-fix.exe" on my desktop (as well as a couple of other names that I saved my file as).

When I successfully ran it and generated the log, I launched the one called "combo-fix".

Perhaps behind the scenes it makes no difference, but I thought I should ask.
Thanks,
Fred

#16
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
ComboFix /u works on all of them, since it's set up like that under the App Paths key in the registry ;)
Mieke Verburgh
Assistant Director of Research

#17
Fred D

    New Member

  • Members
  • 18 posts
OK, ComboFix is uninstalled now.
What symptoms should I be looking for?
Should I run a full scan or something (for example, an MBAM scan)?

I've rebooted, and Avast is still not functioning ("the aavm subsystem detected an rpc error"). I haven't tried reinstalling it or anything yet.

thanks!
Fred

#18
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

Yes, please reinstall Avast.

Let me know in your next reply how things are now.
Mieke Verburgh
Assistant Director of Research

#19
Fred D

    New Member

  • Members
  • 18 posts
Computer appears normal at the moment! ;)
Anything else I should do to test how it's running?
Run any scans?

thanks!

#20
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

No need for extra scans. Just make sure this won't happen anymore, so please read my Prevention page, which has lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector scan.

Happy Surfing again!
Mieke Verburgh
Assistant Director of Research
