[Panda10]

Even after OTL the file was still there. The only way to get rid of any of the folders is to change the permission manually. When I ran diskpart it shows only one disk as Disk 0.

[Advertisements]

So were you able to get rid of the folder?

[RKinner]

So were you able to get rid of the folder?

[Panda10]

I had to manually remove the folder changing permissions in each folder and/or file but was finally able to remove it completely. Have you figured out what the VSS error is? The AVAST Quick Scan is still showing that the file c:\users\all users isn't able to be scan. It also pulled the folder that I deleted as not able to be scanned. I don't know what's going on or where to go from here.

[Panda10]

Question. I found somewhere else how to grant permission the root volume using the following command under the command prompt run as administrator:

icacls \\?\Volume{1362b7d2-f6a5-11e0-9cfe-e02a82d31bf9}\/grant system:f

Should I do this to try and get rid of the VSS error or is it not a problem so should I just leave it alone. I'm not going to do anything without hearing from you.

[RKinner]

I'm not convinced we want to back up this strange thing.

Let's run an Avast Boot-time scan.

Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?
I expect this is like Vista and the text copy is C:\ProgramData\Alwil Software\Avast5\report\aswboot.txt. Copy and paste that in your reply.

Ron

[RKinner]

Thanks to one of my fellow helpers I now know how to find out where the strange thing is hiding.

Copy this line:

reg query HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices > \junk.txt

Start, All Programs, Accessories then right click on Command Prompt and Run As Admin.

right click and Paste or Edit then Paste and the copied line should appear. Hit Enter.

notepad \junk.txt

copy and paste the text from notepad into a reply.

Ron

PS you haven't installed Office 2010 have you?

[Panda10]

I will run a boot scan and perform the other scan this afternoon/evening. A startup version of Office 2010 was on the computer (not the full version). It is being used for her schoolwork etc. Why?

[RKinner]

The VSS error is linked to Office 2010:

http://answers.micro...38-28ab2343ff45

so it's probably not left over from the ZA infection.

Ron

[Panda10]

The aswboot log is below:

10/17/2011 1:54
Scan of all local drives

File c:\HP\Bin\EndProcess.exe is infected by Win32:KillApp-w [PUP], Moved to chest
Number of searched folders: 32809
Number of tested files: 682668
Number of infected files: 1

----------------------------------------------
10/20/2011 11:52
Scan of all local drives

Number of searched folders: 32316
Number of tested files: 697439
Number of infected files: 0

[Panda10]

The junk.txt is below:

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
\??\Volume{1362b6b8-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000100000000000
\??\Volume{1362b6b9-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000800C00000000
\??\Volume{1362b6ba-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF4000060C670000000
\??\Volume{1362b6bb-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000406A74000000
\DosDevices\C: REG_BINARY A7A3AEF40000800C00000000
\??\Volume{1362b6c6-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY 5C003F003F005C0049004400450023004300640052006F006D00680070005F004300440044005600440057005F00540053002D004C0036003300330052005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F0030003300300030005F005F005F005F002300340026003100640033003600370035006100650026003000260030002E0031002E00300023007B00350033006600350036003300300064002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
\??\Volume{1362b6c8-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY 5F003F003F005F00500043004900530054004F00520023004400690073006B002600560065006E005F005200450041004C00530049004C002600500072006F0064005F0052005400530035003200300038004C0055004E00300026005200650076005F0031002E00300030002300300030003000300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
\DosDevices\D: REG_BINARY A7A3AEF4000060C670000000
\DosDevices\F: REG_BINARY 5F003F003F005F00500043004900530054004F00520023004400690073006B002600560065006E005F005200450041004C00530049004C002600500072006F0064005F0052005400530035003200300038004C0055004E00300026005200650076005F0031002E00300030002300300030003000300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
#{1362b6d0-f6a5-11e0-9cfe-e02a82d31bf9} REG_BINARY A7A3AEF40000406A74000000
\DosDevices\E: REG_BINARY 5C003F003F005C0049004400450023004300640052006F006D00680070005F004300440044005600440057005F00540053002D004C0036003300330052005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F0030003300300030005F005F005F005F002300340026003100640033003600370035006100650026003000260030002E0031002E00300023007B00350033006600350036003300300064002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
\??\Volume{1362b781-f6a5-11e0-9cfe-e02a82d31bf9} REG_BINARY 5F003F003F005F00550053004200530054004F00520023004400690073006B002600560065006E005F00530061006E004400690073006B002600500072006F0064005F004300720075007A006500720026005200650076005F0031002E00300030002300320030003000350031003000330031003800330030004300410036003200300032003800350031002600300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
\??\Volume{1362b7d2-f6a5-11e0-9cfe-e02a82d31bf9} REG_BINARY 5C003F003F005C0056006F006C0075006D0065007B00610030003800380038003800300034002D0033003000370033002D0034006500660032002D0062003700660065002D003800370064003300340034003300630066003500390066007D00
\DosDevices\Q: REG_BINARY 5C003F003F005C0056006F006C0075006D0065007B00610030003800380038003800300034002D0033003000370033002D0034006500660032002D0062003700660065002D003800370064003300340034003300630066003500390066007D00
\DosDevices\G: REG_BINARY 5F003F003F005F00550053004200530054004F00520023004400690073006B002600560065006E005F00530061006E004400690073006B002600500072006F0064005F004300720075007A006500720026005200650076005F0031002E00300030002300320030003000350031003000330031003800330030004300410036003200300032003800350031002600300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
\??\Volume{33f76ed1-f93a-11e0-9f55-984be1a62e47} REG_BINARY 5F003F003F005F00550053004200530054004F00520023004400690073006B002600560065006E005F004800540043002600500072006F0064005F0041006E00640072006F00690064005F00500068006F006E00650026005200650076005F003000310030003000230048005400310032004B0048005600300030003000300037002600300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00

[RKinner]

Copy the next line:

wmic diskdrive list > \junk.txt

Start, All Programs, Accessories then right click on Command Prompt and Run As Admin.

Right click and Paste or Edit then Paste. Hit Enter.

This should create a file C:\junk.txt. Please ATTACH it to your next post.

Ron

[Panda10]

Ron,

Here is the log attached as you requested.

Thanks,

Attached Files

•  junk.txt   3.34KB   51 downloads

[RKinner]

I've just switched to a Win 7 PC and now I'm starting to make some sense of your output. Vista apparently does things differently.

You have four partitions and that is what we see at the beginning of the output from the first junk.txt:

\??\Volume{1362b6b8-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000100000000000 = partition 1
\??\Volume{1362b6b9-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000800C00000000 = partition 2
\??\Volume{1362b6ba-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF4000060C670000000 = partition 3
\??\Volume{1362b6bb-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000406A74000000 = partition 4

{1362b6b8-f6a5-11e0-9cfe-806e6f6e6963} is the whole hard drive.

Your C drive information:

\DosDevices\C: REG_BINARY A7A3AEF40000800C00000000 <==Refers to partition 2. (This is where Windows lives)

D drive:
\DosDevices\D: REG_BINARY A7A3AEF4000060C670000000 <=Refers to partition 3. (Usually the Recovery Partition 10-16G)

F drive:
\DosDevices\F: REG_BINARY A7A3AEF40000406A74000000 <=Refers to partition 4. (Mystery partition)

Partition 1 is usually the leftover stuff (100M on mine) that doesn't fit with the rest. Windows calls it System on mine.

I guess the question is do you have an F: drive?

OTL did not see it. Right click on Computer and select Manage then Disk Management (Under Storage). This should show you your hard drive broken up into 4 partitions.

Does it? What does it say about the 4th partition?

[Panda10]

It has 4 partitions as follows:

C:\ NTFS Status Healthy (Boot, Page File, Crash Dump, Primary Partition)
HP_Tools FAT32 Status Healthy (Primary Partition)
Recovery D:\ NTFS Status Healthy (Primary Partition)
System NTFS Status Healthy (System Active, Primary Partition)

[RKinner]

I think you are OK then. I expect that your Recovery drive or your HP tools are not letting themselves get backed up or it could be that the Q:\ drive created by Office 2010 is the problem. Not ZA anyway.

Ron