
av software, malware, hijackthis, adaware wont work,


Re: av software, malware, hijackthis, adaware wont work,

Postby Swordy » Fri Oct 02, 2009 10:34 am

Logfile created: 02/10/2009 11:0:8
Lavasoft Ad-Aware version: 8.0.8
Extended engine version: 8.1
User performing scan: science

*********************** Definitions database information ***********************
Lavasoft definition file: 149.62
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Smart Scan (ID: smart)
Objects scanned: 64882
Objects detected: 0


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 0
Folders.........: 0
LSPs............: 0
Cookies.........: 0
Browser hijacks.: 0
MRU objects.....: 0



Scan and cleaning complete: Finished correctly after 359 seconds

*********************************** Settings ***********************************

Scan profile:
ID: smart, enabled:1, value: Smart Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: false
ID: scanhostsfile, enabled:1, value: false
ID: scanmru, enabled:1, value: false
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value:
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: scanrootkits, enabled:1, value: true
ID: archives, enabled:1, value: false
ID: onlyexecutables, enabled:1, value: true
ID: skiplargerthan, enabled:1, value: 20480

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Fri Oct 02 10:32:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Fri Oct 02 10:32:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: true
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: false
ID: networkprotection, enabled:0, value: false
ID: usespywareheuristics, enabled:0, value: true
ID: extendedengine, enabled:0, value: false
ID: useheuristics, enabled:0, value: false
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant


****************************** System information ******************************
Computer name: LFT00104
Processor name: Intel(R) Core(TM)2 Duo CPU T8100 @ 2.10GHz
Processor identifier: x86 Family 6 Model 23 Stepping 6
Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 5894, number of processors 2
Physical memory available: 2299744256 bytes
Physical memory total: 3211112448 bytes
Virtual memory available: 2028838912 bytes
Virtual memory total: 2147352576 bytes
Memory load: 28%
Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Windows startup mode:

Running processes:
PID: 1176 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1224 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1248 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1292 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1308 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1512 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1572 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1716 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1756 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1808 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 184 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 412 name: C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 508 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 572 name: C:\Program Files\Alwil Software\Avast4\ashServ.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1080 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1832 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2024 name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1800 name: C:\WINDOWS\Explorer.EXE owner: science domain: LFT00104
PID: 2044 name: C:\Program Files\AskBarDis\bar\bin\AskService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 248 name: C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe owner: SYSTEM domain: NT AUTHORITY
PID: 324 name: C:\Program Files\Bonjour\mDNSResponder.exe owner: SYSTEM domain: NT AUTHORITY
PID: 652 name: C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1172 name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 1936 name: C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2000 name: c:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2052 name: C:\WINDOWS\system32\IoctlSvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2108 name: C:\WINDOWS\system32\rpcnet.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2220 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2236 name: C:\WINDOWS\system32\TODDSrv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2272 name: C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2308 name: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2380 name: C:\Program Files\Longman\Exploring Science Assessment Year 7\DBServer\VA7_NT.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2412 name: C:\Program Files\Longman\Exploring Science Assessment Year 8\DBServer\VA8_NT.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2468 name: C:\Program Files\Longman\Exploring Science Assessment Year 9\DBServer\VA9_NT.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2524 name: C:\Program Files\Longman\Exploring Science Planning Year 7\DBServer\VP7_NT.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2592 name: C:\Program Files\Longman\Exploring Science Planning Year 8\DBServer\VP8_NT.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2652 name: C:\Program Files\Longman\Exploring Science Planning Year 9\DBServer\VP9_NT.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2712 name: C:\WINDOWS\system32\SearchIndexer.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3024 name: C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe owner: science domain: LFT00104
PID: 3056 name: C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe owner: science domain: LFT00104
PID: 3076 name: C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe owner: science domain: LFT00104
PID: 3108 name: C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe owner: science domain: LFT00104
PID: 3152 name: C:\WINDOWS\system32\igfxext.exe owner: science domain: LFT00104
PID: 3164 name: C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe owner: science domain: LFT00104
PID: 3188 name: C:\WINDOWS\system32\igfxsrvc.exe owner: science domain: LFT00104
PID: 3196 name: C:\WINDOWS\system32\igfxtray.exe owner: science domain: LFT00104
PID: 3220 name: C:\WINDOWS\system32\hkcmd.exe owner: science domain: LFT00104
PID: 3248 name: C:\WINDOWS\system32\igfxpers.exe owner: science domain: LFT00104
PID: 3296 name: C:\Program Files\Apoint2K\Apoint.exe owner: science domain: LFT00104
PID: 3336 name: C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe owner: science domain: LFT00104
PID: 3348 name: C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe owner: science domain: LFT00104
PID: 3356 name: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe owner: science domain: LFT00104
PID: 3368 name: C:\Program Files\HP\hpcoretech\hpcmpmgr.exe owner: science domain: LFT00104
PID: 3380 name: C:\Program Files\ACTIV Software\ACTIVdriver\ActivControl2.exe owner: science domain: LFT00104
PID: 3508 name: C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe owner: science domain: LFT00104
PID: 3624 name: C:\Program Files\Common Files\Real\Update_OB\realsched.exe owner: science domain: LFT00104
PID: 3720 name: C:\Program Files\Apoint2K\Apntex.exe owner: science domain: LFT00104
PID: 3748 name: C:\Program Files\Apoint2K\HidFind.exe owner: science domain: LFT00104
PID: 3800 name: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe owner: science domain: LFT00104
PID: 3820 name: C:\Program Files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe owner: science domain: LFT00104
PID: 3932 name: C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe owner: science domain: LFT00104
PID: 3944 name: C:\Program Files\QuickTime\qttask.exe owner: science domain: LFT00104
PID: 3960 name: C:\Program Files\iTunes\iTunesHelper.exe owner: science domain: LFT00104
PID: 1268 name: C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe owner: science domain: LFT00104
PID: 1672 name: C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe owner: science domain: LFT00104
PID: 1856 name: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe owner: science domain: LFT00104
PID: 2136 name: C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe owner: science domain: LFT00104
PID: 2896 name: C:\Program Files\Skype\Phone\Skype.exe owner: science domain: LFT00104
PID: 2976 name: C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe owner: science domain: LFT00104
PID: 2980 name: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3064 name: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3488 name: C:\WINDOWS\system32\ctfmon.exe owner: science domain: LFT00104
PID: 3288 name: C:\Program Files\Microsoft ActiveSync\wcescomm.exe owner: science domain: LFT00104
PID: 244 name: C:\Program Files\iPod\bin\iPodService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2160 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 3436 name: C:\PROGRA~1\MI3AA1~1\rapimgr.exe owner: science domain: LFT00104
PID: 3768 name: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe owner: science domain: LFT00104
PID: 3872 name: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe owner: science domain: LFT00104
PID: 2888 name: C:\Program Files\Windows Desktop Search\WindowsSearch.exe owner: science domain: LFT00104
PID: 256 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: science domain: LFT00104
PID: 3452 name: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe owner: science domain: LFT00104
PID: 2784 name: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe owner: science domain: LFT00104
PID: 3952 name: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe owner: science domain: LFT00104
PID: 4232 name: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe owner: science domain: LFT00104
PID: 4400 name: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe owner: science domain: LFT00104
PID: 4720 name: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe owner: science domain: LFT00104
PID: 4744 name: C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe owner: science domain: LFT00104
PID: 5532 name: C:\Program Files\Skype\Plugin Manager\skypePM.exe owner: science domain: LFT00104
PID: 6036 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: science domain: LFT00104
PID: 1952 name: C:\WINDOWS\system32\SearchProtocolHost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 896 name: C:\WINDOWS\system32\SearchFilterHost.exe owner: LOCAL SERVICE domain: NT AUTHORITY

Startup items:
Name: NDSTray.exe
imagepath: NDSTray.exe
Name: Toshiba Hotkey Utility
imagepath: "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
Name: TPSMain
imagepath: TPSMain.exe
Name: SmoothView
imagepath: C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
Name: DDWMon
imagepath: C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
Name: topi
imagepath: C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
Name: IgfxTray
imagepath: C:\WINDOWS\system32\igfxtray.exe
Name: HotKeysCmds
imagepath: C:\WINDOWS\system32\hkcmd.exe
Name: Persistence
imagepath: C:\WINDOWS\system32\igfxpers.exe
Name: Apoint
imagepath: C:\Program Files\Apoint2K\Apoint.exe
Name: Camera Assistant Software
imagepath: "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
Name: Toshiba Controls Utility
imagepath: "C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe"
Name: HP Software Update
imagepath: "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
Name: HP Component Manager
imagepath: "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
Name: ActivControl
imagepath: C:\Program Files\ACTIV Software\ACTIVdriver\ActivControl2.exe
Name: TkBellExe
imagepath: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Name: Synchronization Manager
imagepath: %SystemRoot%\system32\mobsync.exe /logon
Name: NBKeyScan
imagepath: "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
Name: Adobe Acrobat Speed Launcher
imagepath: "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
Name:
Name: Acrobat Assistant 8.0
imagepath: "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name: CTFMON.EXE
imagepath: C:\WINDOWS\system32\CTFMON.EXE
Name: PostBootReminder
imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn
imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray
imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: WPDShServiceObj
imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
Name:
location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
imagepath: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
Name:
imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Name:
location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
imagepath: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Name:
location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
imagepath: C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
Name:
location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
imagepath: C:\Program Files\Windows Desktop Search\WindowsSearch.exe

Bootexecute items:
Name:
imagepath: autocheck autochk *
Name:
imagepath: lsdelete

Running services:
Name: ALG
displayname: Application Layer Gateway Service
Name: Apple Mobile Device
displayname: Apple Mobile Device
Name: ASKService
displayname: ASKService
Name: ASKUpgrade
displayname: ASKUpgrade
Name: aswUpdSv
displayname: avast! iAVS4 Control Service
Name: AudioSrv
displayname: Windows Audio
Name: avast! Antivirus
displayname: avast! Antivirus
Name: avast! Mail Scanner
displayname: avast! Mail Scanner
Name: avast! Web Scanner
displayname: avast! Web Scanner
Name: BITS
displayname: Background Intelligent Transfer Service
Name: Bonjour Service
displayname: Bonjour Service
Name: CFSvcs
displayname: ConfigFree Service
Name: CryptSvc
displayname: CryptSvc
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: dmserver
displayname: Logical Disk Manager
Name: Dnscache
displayname: DNS Client
Name: ERSvc
displayname: Error Reporting Service
Name: EventSystem
displayname: COM+ Event System
Name: helpsvc
displayname: Help and Support
Name: iPod Service
displayname: iPod Service
Name: lanmanserver
displayname: Server
Name: lanmanworkstation
displayname: Workstation
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service
Name: LmHosts
displayname: TCP/IP NetBIOS Helper
Name: MDM
displayname: Machine Debug Manager
Name: Nero BackItUp Scheduler 3
displayname: Nero BackItUp Scheduler 3
Name: Netlogon
displayname: Net Logon
Name: Netman
displayname: Network Connections
Name: Nla
displayname: Network Location Awareness (NLA)
Name: o2flash
displayname: O2Micro Flash Memory Card Service
Name: PLFlash DeviceIoControl Service
displayname: PLFlash DeviceIoControl Service
Name: PlugPlay
displayname: Plug and Play
Name: PolicyAgent
displayname: IPSEC Services
Name: ProtectedStorage
displayname: Protected Storage
Name: RasMan
displayname: Remote Access Connection Manager
Name: RemoteRegistry
displayname: Remote Registry
Name: rpcnet
displayname: Remote Procedure Call (RPC) Net
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: SamSs
displayname: Security Accounts Manager
Name: seclogon
displayname: Secondary Logon
Name: SENS
displayname: System Event Notification
Name: SharedAccess
displayname: Windows Firewall/Internet Connection Sharing (ICS)
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: Spooler
displayname: Print Spooler
Name: srservice
displayname: System Restore Service
Name: SSDPSRV
displayname: SSDP Discovery Service
Name: stisvc
displayname: Windows Image Acquisition (WIA)
Name: TapiSrv
displayname: Telephony
Name: TermService
displayname: Terminal Services
Name: Themes
displayname: Themes
Name: TODDSrv
displayname: TOSHIBA Optical Disc Drive Service
Name: TomTomHOMEService
displayname: TomTomHOMEService
Name: TOSHIBA Bluetooth Service
displayname: TOSHIBA Bluetooth Service
Name: TrkWks
displayname: Distributed Link Tracking Client
Name: VA7
displayname: VA7
Name: VA8
displayname: VA8
Name: VA9
displayname: VA9
Name: VP7
displayname: VP7
Name: VP8
displayname: VP8
Name: VP9
displayname: VP9
Name: W32Time
displayname: Windows Time
Name: WebClient
displayname: WebClient
Name: winmgmt
displayname: Windows Management Instrumentation
Name: WSearch
displayname: Windows Search
Name: WudfSvc
displayname: Windows Driver Foundation - User-mode Driver Framework
Name: WZCSVC
displayname: Wireless Zero Configuration
Swordy
 
Posts: 15
Joined: Thu Oct 01, 2009 10:11 am

Re: av software, malware, hijackthis, adaware wont work,

Postby patrik » Sat Oct 03, 2009 2:00 pm

Good work.

Download Win32kDiag from here, here or here.

Double-click Win32kDiag.exe to run Win32kDiag.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close Win32kDiag.
Win32kDiag.txt will appear on the desktop.

Read the article: How to use Kaspersky virus removal tool.
1. Download Kaspersky Virus Removal Tool to your desktop.
2. Close all other applications and double-click and run the installer.
3. When the tool starts, select all the items except for CD-ROM and Floppy drives.
4. Click the Scan button. If malware is detected, don't remove anything.
5. After the scan finishes, don't neutralize anything.
6. In the Scan window click the Reports button and select Save to file.
7. Name the report AVPT.txt, and save it to the Desktop.
8. Close AVPTool. You will be prompted if you want to uninstall the program; click Yes. You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.

Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
Also post the contents of Win32kDiag.txt here.
patrik
Site Admin
 
Posts: 9277
Joined: Sun Jan 08, 2006 1:11 pm

Re: av software, malware, hijackthis, adaware wont work,

Postby Swordy » Sun Oct 04, 2009 7:21 pm

I have downloaded win32kdiag.exe and run it, but it stopped part way through saying the following:
'cannot access c:\windows\system32\drivers\UACsvtpsaliej.sys' (I have posted the log I got below)

Avast then popped up detecting the following; as your last post said not to remove anything, I haven't removed it yet.

File name: C:\System Volume Information\_restore{4B263D97-E94F-431E-8CF9-1E6BE374D96D}\RP231\A0044849.dll
Malware name: Win32:Alureon-DC [Rtk]
Malware type: Rootkit
VPS version: 091004-0, 04/10/2009

Should I delete the malware Avast has detected?

I have downloaded and run the Kaspersky Virus Removal Tool. Should it take over 24 hrs to run? It has been running all through the night and this morning it is only on 46%. It has detected 7 trojans so far but is stuck on the last one in the list, which is the same as the one Avast detected (see above and also the AVPT log below).

Also, I can't close the window that win32kdiag.exe opened even though it has stopped, and I have now lost access to my wireless internet connection and can't seem to get it back.

UPDATE!
I have clicked on 'stop onboard protection' on the Avast icon in my tray, and as soon as I did the win32kdiag window disappeared and so did the Avast window. The Kaspersky virus scan has started to continue and I'm getting balloon messages saying the Kaspersky uninstall is password protected; I'm assuming that it's a virus trying to uninstall the Kaspersky virus scan?
I'll post the full Kaspersky log when finished.

win32kdiag.exe log
Running from: C:\Documents and Settings\science\My Documents\Win32kDiag.exe

Log file at : C:\Documents and Settings\science\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB921398\KB921398

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP53F.tmp\ZAP53F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP55F.tmp\ZAP55F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP578.tmp\ZAP578.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7716000000000040\9.0.0\9.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\drivers\UACsvtpsaliej.sys

[1] 2009-09-21 14:17:08 54784 C:\WINDOWS\system32\drivers\UACsvtpsaliej.sys ()


AVPT log
46% - Scan
----------
Scanned: 1208214
Detected: 7
Untreated: 7
Start time: 04/10/2009 20:32:28
Duration: 12:23:54
Finish time: 05/10/2009 23:14:24


Detected
--------
Status Object
------ ------
detected: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\science\Application Data\Sun\Java\Deployment\cache\6.0\16\78fcee10-63c4191c/vlocal.class
detected: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\science\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-2da03df8/vlocal.class
detected: Trojan program Packed.Win32.TDSS.z File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkylwyayunh.dll.vir
detected: Trojan program Packed.Win32.TDSS.z File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkynwtfqjco.dll.vir
detected: Trojan program Packed.Win32.TDSS.z File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkyofsrhjqq.dll.vir
detected: Trojan program Packed.Win32.TDSS.z File: C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkypvuoodje.sys.vir
detected: Trojan program Packed.Win32.TDSS.z File: C:\System Volume Information\_restore{4B263D97-E94F-431E-8CF9-1E6BE374D96D}\RP231\A0044849.dll
Swordy
 
Posts: 15
Joined: Thu Oct 01, 2009 10:11 am
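What Win32kDiag is reporting above, as an added example that is not part of Swordy's post or of Win32kDiag itself: every "Found mount point" is a directory junction (a reparse point the kernel follows to its target instead of the real folder), and all of them share three properties worth scoring. Each one is a same-named subfolder of its parent (KB902400\KB902400, addins\addins, Config\Config), each resolves to the same non-existent device object \Device\__max++>\^ rather than to a volume or drive path, and the single file the tool could not open is a freshly written driver in system32\drivers. The Python below parses that log format and flags entries on those properties. The sample log is constructed from a few lines of the post plus one invented junction with a \??\Volume{...} target as the negative case; the rule that a legitimate junction resolves to a volume GUID or a drive letter is my assumption, not something the thread states.

```python
import re
from collections import Counter

# Line shapes as they appear in the Win32kDiag output above.
MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")
NOACCESS_RE = re.compile(r"^Cannot access:\s*(.+?)\s*$")
FILEINFO_RE = re.compile(
    r"^\[\d+\]\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(.+?)\s*\(\)$")
# Assumption: a legitimate junction resolves to a volume GUID or a drive path.
LEGIT_DEST_RE = re.compile(r"^\\\?\?\\(Volume\{[0-9A-Fa-f-]+\}|[A-Za-z]:)")

# Constructed sample: lines copied from the post above plus one invented
# legitimate junction (the Volume{...} target) as the negative case.
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\science\My Documents\Win32kDiag.exe

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\Documents and Settings\science\Local Settings\Application Data\Microsoft\Junction

Mount point destination : \??\Volume{12345678-1234-1234-1234-123456789abc}\

Cannot access: C:\WINDOWS\system32\drivers\UACsvtpsaliej.sys

[1] 2009-09-21 14:17:08 54784 C:\WINDOWS\system32\drivers\UACsvtpsaliej.sys ()
"""


def parse_win32kdiag(text):
    """Collect (junction, target) pairs, unreadable paths and [n] file records."""
    mounts, denied, files = [], [], []
    pending = None  # junction path waiting for its destination line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
            continue
        m = NOACCESS_RE.match(line)
        if m:
            denied.append(m.group(1))
            continue
        m = FILEINFO_RE.match(line)
        if m:
            files.append({"when": m.group(1), "size": int(m.group(2)), "path": m.group(3)})
    return {"mounts": mounts, "denied": denied, "files": files}


def is_self_named(path):
    """True when the junction's last two path components match (Config inside Config)."""
    parts = path.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def assess(parsed):
    """Return (severity, subject, reason) findings; an empty list means nothing odd."""
    findings = []
    by_target = Counter(target for _, target in parsed["mounts"])
    for path, target in parsed["mounts"]:
        reasons = []
        if not LEGIT_DEST_RE.match(target):
            reasons.append("target %s is not a volume or drive path" % target)
        if is_self_named(path):
            reasons.append("junction is a same-named subfolder of its parent")
        if by_target[target] > 1:
            reasons.append("%d junctions share this target" % by_target[target])
        if reasons:
            severity = "high" if len(reasons) > 1 else "medium"
            findings.append((severity, path, "; ".join(reasons)))
    records = {f["path"].lower(): f for f in parsed["files"]}
    for path in parsed["denied"]:
        reason = "file cannot be opened"
        rec = records.get(path.lower())
        if rec:
            reason += " (%d bytes, written %s)" % (rec["size"], rec["when"])
        if "\\drivers\\" in path.lower():
            reason += "; an unreadable kernel driver is consistent with an active rootkit"
        findings.append(("high", path, reason))
    return findings


if __name__ == "__main__":
    for severity, subject, reason in assess(parse_win32kdiag(SAMPLE_LOG)):
        print("[%s] %s\n        %s" % (severity.upper(), subject, reason))
```

On the sample the four junctions to \Device\__max++>\^ and the unreadable driver come out as high, and the invented Volume{...} junction produces no finding. The same script run over the full log in the post would list every $hf_mig$, pchealth and ime junction the same way; the useful output is the one driver path at the end, which is the file the later Win32kDiag -f -r run is meant to reach.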

Re: av software, malware, hijackthis, adaware wont work,

Postby patrik » Mon Oct 05, 2009 1:36 pm

Disable your antivirus.

Win32kDiag should be located on your desktop.
Click Start->Run.
Type

"%userprofile%\desktop\win32kdiag.exe" -f -r

and press Enter.
When it's finished, there will be a log called Win32kDiag.txt on your desktop.

Download RootRepeal from here or here and unzip it to your Desktop.
Next click on the Report tab, then click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.
* Drivers
* Files
* Processes
* SSDT
* Stealth Objects
* Hidden Services
Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. The scan may take some time to finish, so please be patient. When the scan has finished, click on Save Report to save a report.

Post back with RootRepeal report + contents of Win32kDiag.txt file.

Re: av software, malware, hijackthis, adaware wont work,

Postby Swordy » Mon Oct 05, 2009 4:09 pm

OK, here is the Kaspersky Virus Removal Tool log, Win32kDiag log and RootRepeal log

Kaspersky Virus Removal Tool log
Scan
----
Scanned: 2546841
Detected: 9
Untreated: 6
Start time: 04/10/2009 20:32:28
Duration: 19:01:41
Finish time: 05/10/2009 15:34:09


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\science\Application Data\Sun\Java\Deployment\cache\6.0\16\78fcee10-63c4191c/vlocal.class
disinfected: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\science\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-2da03df8/vlocal.class
detected: Trojan program Packed.Win32.TDSS.z File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkylwyayunh.dll.vir
detected: Trojan program Packed.Win32.TDSS.z File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkynwtfqjco.dll.vir
detected: Trojan program Packed.Win32.TDSS.z File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkyofsrhjqq.dll.vir
detected: Trojan program Packed.Win32.TDSS.z File: C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkypvuoodje.sys.vir
detected: Trojan program Packed.Win32.TDSS.z File: C:\System Volume Information\_restore{4B263D97-E94F-431E-8CF9-1E6BE374D96D}\RP231\A0044849.dll
detected: Trojan program Packed.Win32.TDSS.z File: C:\System Volume Information\_restore{4B263D97-E94F-431E-8CF9-1E6BE374D96D}\RP231\A0044850.dll
disinfected: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\science\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-2da03df8




Win32kDiag log

Running from: C:\Documents and Settings\science\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\science\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB921398\KB921398

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB921398\KB921398

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP53F.tmp\ZAP53F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP53F.tmp\ZAP53F.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP55F.tmp\ZAP55F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP55F.tmp\ZAP55F.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP578.tmp\ZAP578.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP578.tmp\ZAP578.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7716000000000040\9.0.0\9.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7716000000000040\9.0.0\9.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\drivers\UACsvtpsaliej.sys

Attempting to restore permissions of : C:\WINDOWS\system32\drivers\UACsvtpsaliej.sys

[1] 2009-09-21 14:17:08 54784 C:\WINDOWS\system32\drivers\UACsvtpsaliej.sys ()



Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\wmiprvse.exe

Found mount point : C:\WINDOWS\Temp\AskBarDis\RSS\1\1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\AskBarDis\RSS\1\1

Found mount point : C:\WINDOWS\Temp\AskBarDis\RSS\1\Featured\Featured

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\AskBarDis\RSS\1\Featured\Featured

Found mount point : C:\WINDOWS\Temp\AskBarDis\RSS\1\WhatsHot\WhatsHot

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\AskBarDis\RSS\1\WhatsHot\WhatsHot

Found mount point : C:\WINDOWS\Temp\AskBarDis\RSS\1\WhatsNew\WhatsNew

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\AskBarDis\RSS\1\WhatsNew\WhatsNew

Found mount point : C:\WINDOWS\Temp\AskBarDis\RSS\2\Featured\Featured

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\AskBarDis\RSS\2\Featured\Featured

Found mount point : C:\WINDOWS\Temp\AskBarDis\RSS\2\WhatsHot\WhatsHot

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\AskBarDis\RSS\2\WhatsHot\WhatsHot

Found mount point : C:\WINDOWS\Temp\AskBarDis\RSS\2\WhatsNew\WhatsNew

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\AskBarDis\RSS\2\WhatsNew\WhatsNew

Found mount point : C:\WINDOWS\Temp\AskBarDis\upgrade\upgrade

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\AskBarDis\upgrade\upgrade

Found mount point : C:\WINDOWS\Temp\CR_19.tmp\CR_19.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\CR_19.tmp\CR_19.tmp

Found mount point : C:\WINDOWS\Temp\CR_205.tmp\CR_205.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\CR_205.tmp\CR_205.tmp

Found mount point : C:\WINDOWS\Temp\IntelIMSM\IntelIMSM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\IntelIMSM\IntelIMSM

Found mount point : C:\WINDOWS\Temp\PL-2303_loggedDrv\PL-2303_loggedDrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\PL-2303_loggedDrv\PL-2303_loggedDrv

Found mount point : C:\WINDOWS\Temp\SMARTAUDIO\SMARTAUDIO

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\SMARTAUDIO\SMARTAUDIO

Found mount point : C:\WINDOWS\Temp\WDF101.tmp\WDF101.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF101.tmp\WDF101.tmp

Found mount point : C:\WINDOWS\Temp\WDF106.tmp\WDF106.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF106.tmp\WDF106.tmp

Found mount point : C:\WINDOWS\Temp\WDF10B.tmp\WDF10B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF10B.tmp\WDF10B.tmp

Found mount point : C:\WINDOWS\Temp\WDF110.tmp\WDF110.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF110.tmp\WDF110.tmp

Found mount point : C:\WINDOWS\Temp\WDF115.tmp\WDF115.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF115.tmp\WDF115.tmp

Found mount point : C:\WINDOWS\Temp\WDF11A.tmp\WDF11A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF11A.tmp\WDF11A.tmp

Found mount point : C:\WINDOWS\Temp\WDF11F.tmp\WDF11F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF11F.tmp\WDF11F.tmp

Found mount point : C:\WINDOWS\Temp\WDF124.tmp\WDF124.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF124.tmp\WDF124.tmp

Found mount point : C:\WINDOWS\Temp\WDF129.tmp\WDF129.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF129.tmp\WDF129.tmp

Found mount point : C:\WINDOWS\Temp\WDF12E.tmp\WDF12E.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF12E.tmp\WDF12E.tmp

Found mount point : C:\WINDOWS\Temp\WDF13.tmp\WDF13.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF13.tmp\WDF13.tmp

Found mount point : C:\WINDOWS\Temp\WDF133.tmp\WDF133.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF133.tmp\WDF133.tmp

Found mount point : C:\WINDOWS\Temp\WDF14.tmp\WDF14.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF14.tmp\WDF14.tmp

Found mount point : C:\WINDOWS\Temp\WDF16A.tmp\WDF16A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF16A.tmp\WDF16A.tmp

Found mount point : C:\WINDOWS\Temp\WDF16F.tmp\WDF16F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF16F.tmp\WDF16F.tmp

Found mount point : C:\WINDOWS\Temp\WDF175.tmp\WDF175.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF175.tmp\WDF175.tmp

Found mount point : C:\WINDOWS\Temp\WDF19.tmp\WDF19.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF19.tmp\WDF19.tmp

Found mount point : C:\WINDOWS\Temp\WDF1A.tmp\WDF1A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF1A.tmp\WDF1A.tmp

Found mount point : C:\WINDOWS\Temp\WDF1C.tmp\WDF1C.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF1C.tmp\WDF1C.tmp

Found mount point : C:\WINDOWS\Temp\WDF1E.tmp\WDF1E.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF1E.tmp\WDF1E.tmp

Found mount point : C:\WINDOWS\Temp\WDF21.tmp\WDF21.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF21.tmp\WDF21.tmp

Found mount point : C:\WINDOWS\Temp\WDF22.tmp\WDF22.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF22.tmp\WDF22.tmp

Found mount point : C:\WINDOWS\Temp\WDF26.tmp\WDF26.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF26.tmp\WDF26.tmp

Found mount point : C:\WINDOWS\Temp\WDF27.tmp\WDF27.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF27.tmp\WDF27.tmp

Found mount point : C:\WINDOWS\Temp\WDF2D.tmp\WDF2D.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF2D.tmp\WDF2D.tmp

Found mount point : C:\WINDOWS\Temp\WDF30.tmp\WDF30.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF30.tmp\WDF30.tmp

Found mount point : C:\WINDOWS\Temp\WDF35.tmp\WDF35.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF35.tmp\WDF35.tmp

Found mount point : C:\WINDOWS\Temp\WDF36.tmp\WDF36.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF36.tmp\WDF36.tmp

Found mount point : C:\WINDOWS\Temp\WDF37.tmp\WDF37.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF37.tmp\WDF37.tmp

Found mount point : C:\WINDOWS\Temp\WDF38.tmp\WDF38.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF38.tmp\WDF38.tmp

Found mount point : C:\WINDOWS\Temp\WDF3A.tmp\WDF3A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF3A.tmp\WDF3A.tmp

Found mount point : C:\WINDOWS\Temp\WDF3C.tmp\WDF3C.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF3C.tmp\WDF3C.tmp

Found mount point : C:\WINDOWS\Temp\WDF3F.tmp\WDF3F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF3F.tmp\WDF3F.tmp

Found mount point : C:\WINDOWS\Temp\WDF42.tmp\WDF42.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF42.tmp\WDF42.tmp

Found mount point : C:\WINDOWS\Temp\WDF44.tmp\WDF44.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF44.tmp\WDF44.tmp

Found mount point : C:\WINDOWS\Temp\WDF45.tmp\WDF45.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF45.tmp\WDF45.tmp

Found mount point : C:\WINDOWS\Temp\WDF46.tmp\WDF46.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF46.tmp\WDF46.tmp

Found mount point : C:\WINDOWS\Temp\WDF47.tmp\WDF47.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF47.tmp\WDF47.tmp

Found mount point : C:\WINDOWS\Temp\WDF4A.tmp\WDF4A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF4A.tmp\WDF4A.tmp

Found mount point : C:\WINDOWS\Temp\WDF4C.tmp\WDF4C.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF4C.tmp\WDF4C.tmp

Found mount point : C:\WINDOWS\Temp\WDF4D.tmp\WDF4D.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF4D.tmp\WDF4D.tmp

Found mount point : C:\WINDOWS\Temp\WDF4F.tmp\WDF4F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF4F.tmp\WDF4F.tmp

Found mount point : C:\WINDOWS\Temp\WDF51.tmp\WDF51.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF51.tmp\WDF51.tmp

Found mount point : C:\WINDOWS\Temp\WDF53.tmp\WDF53.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF53.tmp\WDF53.tmp

Found mount point : C:\WINDOWS\Temp\WDF58.tmp\WDF58.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF58.tmp\WDF58.tmp

Found mount point : C:\WINDOWS\Temp\WDF59.tmp\WDF59.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF59.tmp\WDF59.tmp

Found mount point : C:\WINDOWS\Temp\WDF5D.tmp\WDF5D.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF5D.tmp\WDF5D.tmp

Found mount point : C:\WINDOWS\Temp\WDF5E.tmp\WDF5E.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF5E.tmp\WDF5E.tmp

Found mount point : C:\WINDOWS\Temp\WDF62.tmp\WDF62.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF62.tmp\WDF62.tmp

Found mount point : C:\WINDOWS\Temp\WDF63.tmp\WDF63.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF63.tmp\WDF63.tmp

Found mount point : C:\WINDOWS\Temp\WDF66.tmp\WDF66.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF66.tmp\WDF66.tmp

Found mount point : C:\WINDOWS\Temp\WDF67.tmp\WDF67.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF67.tmp\WDF67.tmp

Found mount point : C:\WINDOWS\Temp\WDF68.tmp\WDF68.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF68.tmp\WDF68.tmp

Found mount point : C:\WINDOWS\Temp\WDF6B.tmp\WDF6B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF6B.tmp\WDF6B.tmp

Found mount point : C:\WINDOWS\Temp\WDF6C.tmp\WDF6C.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF6C.tmp\WDF6C.tmp

Found mount point : C:\WINDOWS\Temp\WDF70.tmp\WDF70.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF70.tmp\WDF70.tmp

Found mount point : C:\WINDOWS\Temp\WDF71.tmp\WDF71.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF71.tmp\WDF71.tmp

Found mount point : C:\WINDOWS\Temp\WDF76.tmp\WDF76.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF76.tmp\WDF76.tmp

Found mount point : C:\WINDOWS\Temp\WDF7B.tmp\WDF7B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF7B.tmp\WDF7B.tmp

Found mount point : C:\WINDOWS\Temp\WDF7C.tmp\WDF7C.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF7C.tmp\WDF7C.tmp

Found mount point : C:\WINDOWS\Temp\WDF7D.tmp\WDF7D.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF7D.tmp\WDF7D.tmp

Found mount point : C:\WINDOWS\Temp\WDF81.tmp\WDF81.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF81.tmp\WDF81.tmp

Found mount point : C:\WINDOWS\Temp\WDF83.tmp\WDF83.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF83.tmp\WDF83.tmp

Found mount point : C:\WINDOWS\Temp\WDF86.tmp\WDF86.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF86.tmp\WDF86.tmp

Found mount point : C:\WINDOWS\Temp\WDF88.tmp\WDF88.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF88.tmp\WDF88.tmp

Found mount point : C:\WINDOWS\Temp\WDF8B.tmp\WDF8B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF8B.tmp\WDF8B.tmp

Found mount point : C:\WINDOWS\Temp\WDF8D.tmp\WDF8D.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF8D.tmp\WDF8D.tmp

Found mount point : C:\WINDOWS\Temp\WDF9.tmp\WDF9.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF9.tmp\WDF9.tmp

Found mount point : C:\WINDOWS\Temp\WDF90.tmp\WDF90.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF90.tmp\WDF90.tmp

Found mount point : C:\WINDOWS\Temp\WDF92.tmp\WDF92.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF92.tmp\WDF92.tmp

Found mount point : C:\WINDOWS\Temp\WDF95.tmp\WDF95.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF95.tmp\WDF95.tmp

Found mount point : C:\WINDOWS\Temp\WDF97.tmp\WDF97.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF97.tmp\WDF97.tmp

Found mount point : C:\WINDOWS\Temp\WDF9A.tmp\WDF9A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF9A.tmp\WDF9A.tmp

Found mount point : C:\WINDOWS\Temp\WDF9C.tmp\WDF9C.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDF9C.tmp\WDF9C.tmp

Found mount point : C:\WINDOWS\Temp\WDFA.tmp\WDFA.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDFA.tmp\WDFA.tmp

Found mount point : C:\WINDOWS\Temp\WDFA1.tmp\WDFA1.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDFA1.tmp\WDFA1.tmp

Found mount point : C:\WINDOWS\Temp\WDFA2.tmp\WDFA2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDFA2.tmp\WDFA2.tmp

Found mount point : C:\WINDOWS\Temp\WDFB.tmp\WDFB.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDFB.tmp\WDFB.tmp

Found mount point : C:\WINDOWS\Temp\WDFB6.tmp\WDFB6.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDFB6.tmp\WDFB6.tmp

Found mount point : C:\WINDOWS\Temp\WDFC2.tmp\WDFC2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDFC2.tmp\WDFC2.tmp

Found mount point : C:\WINDOWS\Temp\WDFE.tmp\WDFE.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WDFE.tmp\WDFE.tmp

Found mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Found mount point : C:\WINDOWS\Temp\_ISTMP0.DIR\_ISTMP0.DIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_ISTMP0.DIR\_ISTMP0.DIR

Found mount point : C:\WINDOWS\Temp\__SkypeIEToolbar_Cache\e70d95847a8f5723cfca6b3fd9946506\session\session

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\__SkypeIEToolbar_Cache\e70d95847a8f5723cfca6b3fd9946506\session\session

Found mount point : C:\WINDOWS\Temp\__SkypeIEToolbar_Cache\e70d95847a8f5723cfca6b3fd9946506\static\famfamfam\famfamfam

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\__SkypeIEToolbar_Cache\e70d95847a8f5723cfca6b3fd9946506\static\famfamfam\famfamfam

Found mount point : C:\WINDOWS\Temp\{4D36E96C-E325-11CE-BFC1-08002BE10318}0015\{4D36E96C-E325-11CE-BFC1-08002BE10318}0015

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{4D36E96C-E325-11CE-BFC1-08002BE10318}0015\{4D36E96C-E325-11CE-BFC1-08002BE10318}0015

Found mount point : C:\WINDOWS\Temp\{4D36E96C-E325-11CE-BFC1-08002BE10318}0025\{4D36E96C-E325-11CE-BFC1-08002BE10318}0025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\{4D36E96C-E325-11CE-BFC1-08002BE10318}0025\{4D36E96C-E325-11CE-BFC1-08002BE10318}0025

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!




RootRepeal log

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/05 16:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x8B3DE000 Size: 819200 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x8C3A1000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACd.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\science\local settings\temp\etilqs_apkomkv8dr5q3ativpfy
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\science\Local Settings\Temp\escrwonmax.tmp
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x8e1116b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x8e111574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x8e111a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x8e11114c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x8e11164e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x8e11108c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x8e1110f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x8e11176e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x8e11172e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x8e1118ae

==EOF==
Swordy
 
Posts: 15
Joined: Thu Oct 01, 2009 10:11 am

Re: av software, malware, hijackthis, adaware wont work,

Postby patrik » Mon Oct 05, 2009 4:59 pm

Download Avenger from here and unzip to your desktop.
Run Avenger, make sure that the box next to "Scan for rootkits" has a tick in it and that the box next to "Automatically disable any rootkits found" does not have a tick in it, then copy and paste the following text into the Input script box:

    Drivers to delete:
    UACd.sys

Then click on ‘Execute’. Afterwards, Windows restarts, and opens the log generated by The Avenger so you can see the results. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).

If Avenger will not run, please rename it to myapp.exe and try again!

Make a fresh RootRepeal log.

Post back with Avenger log + RootRepeal log.
patrik
Site Admin
 
Posts: 9277
Joined: Sun Jan 08, 2006 1:11 pm

Re: av software, malware, hijackthis, adaware wont work,

Postby Swordy » Mon Oct 05, 2009 6:44 pm

As requested, here is the Avenger log and a fresh RootRepeal log. There is also something disconnecting my internet access after a while; it only comes back on after I reboot. When checking the Device Manager there are several alerts about devices not working properly. Is it one of the trojans? Should I run the Kaspersky Virus Removal Tool again and delete them? Let me know what you think is best.

avenger log
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd.sys" not found!
Deletion of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.



rootrepeal log 2

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/05 18:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9A957000 Size: 819200 File Visible: No Signed: -
Status: -

Name: lsui.sys
Image Path: lsui.sys
Address: 0xBA0A8000 Size: 61440 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x98CA3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACd.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\science\local settings\temp\etilqs_dzpxv73bz79gyf4vsbfg
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\science\Local Settings\Temp\escrwonmax.tmp
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x9df8b6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x9df8b574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x9df8ba52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x9df8b14c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x9df8b64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x9df8b08c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x9df8b0f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x9df8b76e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x9df8b72e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x9df8b8ae

==EOF==
Swordy
 
Posts: 15
Joined: Thu Oct 01, 2009 10:11 am
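
The two RootRepeal logs above are easiest to read once the entries that are expected on this machine are filtered out: hiberfil.sys is always locked, every SSDT hook is placed by avast's aswSP.SYS, and the etilqs_ files in the user's Temp folder carry SQLite's temp-file prefix. What remains is the driver with a bare image path (lsui.sys in the second log) and the locked UACd.sys. The following Python is an added example written for this page, not RootRepeal's code or anything posted in the thread. It parses a constructed excerpt modelled on the posted logs and applies a small triage allowlist; the allowlists, the invented unknown.sys hook entry and the decision to treat the etilqs_ size mismatch as benign are this example's assumptions.

```python
import re

# Constructed sample modelled on the RootRepeal 1.3.5.0 logs in this thread (not a
# verbatim copy); the "unknown.sys" SSDT entry is invented to exercise the
# non-allowlisted branch, the other entries mirror the posted logs.
SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_iaStor.sys
Address: 0x9A957000 Size: 819200 File Visible: No Signed: -
Status: -

Name: lsui.sys
Image Path: lsui.sys
Address: 0xBA0A8000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\system32\\drivers\\UACd.sys
Status: Locked to the Windows API!

Path: c:\\documents and settings\\science\\local settings\\temp\\etilqs_dzpxv73bz79gyf4vsbfg
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\aswSP.SYS" at address 0x9df8b6b8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\unknown.sys" at address 0x9df8b8ae

==EOF==
"""

RULE = re.compile(r"^-{5,}$")              # dashed underline below a section name
MULTI = re.compile(r"(Address|Size|File Visible|Signed): ?(\S+)")
SSDT_HDR = re.compile(r"#: (\d+) Function Name: (\S+)")
HOOK = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)')

# Allowlists are this example's assumptions, not anything RootRepeal ships: the avast
# self-protection driver behind every SSDT hook in the thread, and Windows files that
# are always locked. "etilqs_" is SQLite's temp-file prefix; a 0-byte raw size for
# one of those in the user's Temp folder is treated as benign here.
KNOWN_HOOKERS = {"aswsp.sys"}
ALWAYS_LOCKED = {r"c:\hiberfil.sys", r"c:\pagefile.sys"}

def parse_rootrepeal(text):
    """Split a RootRepeal log into sections, each a list of key/value records."""
    lines, sections, current, record = text.splitlines(), {}, None, {}

    def flush():
        nonlocal record
        if current is not None and record:
            sections[current].append(record)
        record = {}

    for i, raw in enumerate(lines):
        line = raw.strip()
        if RULE.match(line) and i > 0:         # the line above names the section
            flush()
            current = lines[i - 1].strip()
            sections[current] = []
        elif i + 1 < len(lines) and RULE.match(lines[i + 1].strip()):
            continue                           # section-name line, consumed above
        elif current is None:
            continue                           # banner before the first section
        elif not line or line == "==EOF==":
            flush()                            # a blank line ends a record
        elif line.startswith("Address:"):      # four fields packed on one line
            record.update(dict(MULTI.findall(line)))
        elif line.startswith("#:"):            # "#: 025 Function Name: NtClose"
            m = SSDT_HDR.match(line)
            record["Index"], record["Function"] = m.group(1), m.group(2)
        else:
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
    flush()
    return sections

def triage(report):
    """Return (kind, detail) tuples for everything the allowlists do not explain."""
    findings = []
    for drv in report.get("Drivers", []):
        if "\\" not in drv.get("Image Path", ""):   # bare name: no resolvable path
            findings.append(("driver-no-path", drv.get("Name", "?")))
    for f in report.get("Hidden/Locked Files", []):
        path, status = f.get("Path", ""), f.get("Status", "")
        sqlite_tmp = "mismatch" in status.lower() and "\\temp\\etilqs_" in path.lower()
        if path.lower() not in ALWAYS_LOCKED and not sqlite_tmp:
            findings.append(("hidden-file", path))
    for hook in report.get("SSDT", []):
        m = HOOK.search(hook.get("Status", ""))
        if m and m.group(1).rsplit("\\", 1)[-1].lower() not in KNOWN_HOOKERS:
            findings.append(("ssdt-hook", f"{hook['Function']} <- {m.group(1)}"))
    return findings

if __name__ == "__main__":
    print(*triage(parse_rootrepeal(SAMPLE_LOG)), sep="\n")
```

Run it as a script to print the three findings for the sample, or import it and call triage(parse_rootrepeal(open(path).read())) on a saved log. Anything the allowlist lets through is a prompt to look closer, not proof of infection: a hook by a module you do not recognise, a loaded driver with no path, or a locked file outside the known set is exactly the kind of entry the removal scripts in the following posts are aimed at, and the allowlist has to be rebuilt for each machine from the security software that is actually installed on it.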

Re: av software, malware, hijackthis, adaware wont work,

Postby patrik » Tue Oct 06, 2009 1:52 pm

Download GMER Antirootkit from here.
Mirror location: here. This version will download a zip. If you use this mirror, please unzip it to a folder that you create such as C:\Gmer\.

Disconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver.
Double-click on the randomly named GMER file (e.g. a1afk10a.exe) and allow the gmer.sys driver to load if asked.
For mirror version, double-click Gmer.exe to run the program.
When the program opens, click the ">>>" Tab
Click the "Rootkit/Malware" Tab.
Select all drives that are connected to your system to be scanned.
Click the Scan button.
When the scan is finished, click Copy to save the scan log to the Windows clipboard.
Open Notepad or a similar text editor.
Paste the clipboard contents into a text file by clicking Edit -> Paste or Ctrl + V
Save the gmer scan log to your desktop.
Close Gmer.

Post back with GMER log.
patrik
Site Admin
 
Posts: 9277
Joined: Sun Jan 08, 2006 1:11 pm

Re: av software, malware, hijackthis, adaware wont work,

Postby Swordy » Tue Oct 06, 2009 5:49 pm

GMER log

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-06 18:43:40
Windows 5.1.2600 Service Pack 3
Running: 0mot9jyz.exe; Driver: C:\DOCUME~1\science\LOCALS~1\Temp\fwlcapog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0x9DE206B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0x9DE20574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0x9DE20A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x9DE2014C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0x9DE2064E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x9DE2008C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x9DE200F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0x9DE2076E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0x9DE2072E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0x9DE208AE]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2308] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe[3128] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [90]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[1288] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005B0002
IAT C:\WINDOWS\system32\services.exe[1288] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005B0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\acaptuser32.dll

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----
Swordy
 
Posts: 15
Joined: Thu Oct 01, 2009 10:11 am

Re: av software, malware, hijackthis, adaware wont work,

Postby patrik » Wed Oct 07, 2009 4:06 pm

Log is ok. How is your PC now?
patrik
Site Admin
 
Posts: 9277
Joined: Sun Jan 08, 2006 1:11 pm

Re: av software, malware, hijackthis, adaware wont work,

Postby Swordy » Wed Oct 07, 2009 6:21 pm

The PC is ok; however, after about 30 minutes I get kicked off the internet, and the error mentions that the driver is no longer available for the wireless network. I can get it back by rolling back the driver in Device Manager and then rebooting. I also haven't deleted the trojans we detected using Kaspersky (see below). Should I run it again and delete them?


OK, here is the Kaspersky Virus Removal Tool log, win32kdiag log and RootRepeal log

kaspersky virus removal tool log
Scan
----
Scanned: 2546841
Detected: 9
Untreated: 6
Start time: 04/10/2009 20:32:28
Duration: 19:01:41
Finish time: 05/10/2009 15:34:09


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\science\Application Data\Sun\Java\Deployment\cache\6.0\16\78fcee10-63c4191c/vlocal.class
disinfected: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\science\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-2da03df8/vlocal.class
detected: Trojan program Packed.Win32.TDSS.z File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkylwyayunh.dll.vir
detected: Trojan program Packed.Win32.TDSS.z File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkynwtfqjco.dll.vir
detected: Trojan program Packed.Win32.TDSS.z File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkyofsrhjqq.dll.vir
detected: Trojan program Packed.Win32.TDSS.z File: C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkypvuoodje.sys.vir
detected: Trojan program Packed.Win32.TDSS.z File: C:\System Volume Information\_restore{4B263D97-E94F-431E-8CF9-1E6BE374D96D}\RP231\A0044849.dll
detected: Trojan program Packed.Win32.TDSS.z File: C:\System Volume Information\_restore{4B263D97-E94F-431E-8CF9-1E6BE374D96D}\RP231\A0044850.dll
disinfected: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\science\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-2da03df8
Swordy
 
Posts: 15
Joined: Thu Oct 01, 2009 10:11 am

Re: av software, malware, hijackthis, adaware wont work,

Postby patrik » Thu Oct 08, 2009 2:52 pm

Kaspersky found a few infected files in the Combofix quarantine and System Recovery folders.

Uninstall Combofix.
Click Start > Run - type ComboFix /u
Press Ok.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore.

Make a new restore point.
Click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE. Click on "Create a new restore point" > click on NEXT and follow the prompts.

however after about 30mins i get kicked off the internet, error mentions that the driver is no longer avalible for the wireless network

Have you tried reinstalling the wireless card drivers, or updating to a newer one if available?
patrik
Site Admin
 
Posts: 9277
Joined: Sun Jan 08, 2006 1:11 pm

Re: av software, malware, hijackthis, adaware wont work,

Postby Swordy » Fri Oct 09, 2009 10:40 am

Hi Patrik, I have successfully uninstalled Combofix and made a fresh restore point. I have searched around and updated the Intel driver for my wireless internet connection, and all seems fine. After a little digging I found a programme called Killbox which removed the unwanted icons left on my desktop that would not delete. It feels good to be finally over all of this, although I have actually kind of liked going through the motions and fixing the problem bit by bit (with your help, obviously).

I can't thank you enough, you're a legend!!!

regards and thanks again
Paul
Swordy
 
Posts: 15
Joined: Thu Oct 01, 2009 10:11 am

Re: av software, malware, hijackthis, adaware wont work,

Postby patrik » Sat Oct 10, 2009 3:40 pm

Glad to help you :)

Many of the exploits are directed at users of Internet Explorer. Try using a different browser - Firefox or Opera.

Be careful when opening attachments and downloading files.

Safe surfing!
patrik
Site Admin
 
Posts: 9277
Joined: Sun Jan 08, 2006 1:11 pm
