Disinfection will require the use of more powerful tools than we recommend in this forum so I am moving this topic to the HijackThis Logs and Malware Removal and we will continue there.
Please follow these instructions in the order as provided.
We need to create a clean copy of the bad file which needs to be replaced.
Go to Start > Run, then type in the Open box: Notepad
- Copy and paste everything in the code box below into the Untitled - Notepad.
copy C:\WINDOWS\system32\dllcache\eventlog.dll c:\eventlog.dll
- Go to File > Save As, click the drop-down box to change the Save As Type to All Files and save it as "fixes.bat" on your desktop.
- Double-click fixes.bat to run the script.
- A window will open and close quickly, this is normal.
Please download The Avenger by Swandog46 and save it to your Desktop.
-- The Avenger must be run from a user account with administrator privileges.
- Click the Execute button.
- You will be asked "Are you sure you want to execute the current script?"
- Click Yes to the prompt to confirm you want to execute.
- You will be asked "First step completed...Avenger has been successfully set up to run on next boot. Reboot now?"
- Click Yes to the Reboot now? prompt.
- Note: If the above script contains Drivers to delete or Drivers to disable, then The Avenger will require two reboots to complete its operation. If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
- Your PC should reboot. If not, reboot it yourself.
- After reboot, a log file from Avenger named avenger.txt will automatically open and be saved to the root of the system drive (typically C:\avenger.txt).
- Copy and paste the contents of avenger.txt in your next reply.
CAUTION: Avenger is a very powerful program, designed to remove highly persistent files and registry keys "under the guidance and supervision of an expert". Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
We need to run Win32kDiag.exe again with a specific command to fix some malware-related changes.
Please download Malwarebytes Anti-Malware (v1.40) and save it to your desktop (alternate download link 1, alternate download link 2).
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
- Make sure you are connected to the Internet.
- Double-click on mbam-setup.exe to install the application.
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
- If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
- If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
- If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
- When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
- Click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad.
- The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
- Exit MBAM when done.
Please print out and follow these instructions: A guide and tutorial on using ComboFix.
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
Download it from one of the mirrors below and save to your desktop.
Important: Some types of malware will disable ComboFix and other security tools so you must rename the file before downloading and saving.
-- Do not touch your mouse/keyboard until the Combofix scan has completed, as this may cause the process to stall or the computer to lock.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
- Double-click on Combo-Fix.exe and follow the prompts and the instructions you printed out earlier.
- If using Windows Vista and you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
- When finished, please copy and paste the contents of C:\ComboFix.txt in your next reply.
- Be sure to re-enable your anti-virus and other security programs after the scan is complete.
- If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "How to Guide" you printed out earlier.
-- Combofix will temporarily disable your desktop, and if interrupted may leave it disabled. If this occurs, please reboot to restore it.
-- Combofix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.
Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read Combofix's Disclaimer.
Reports/logs to post in your next reply:
* MBAM report log
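A quick way to confirm that the live eventlog.dll really differs from the dllcache copy that the fixes.bat step copies out, before any replacement is done. This is an added example and not part of the post above; the two file contents below are constructed stand-ins for the real DLLs, and the default Windows paths are the ones the batch file uses. A matching hash only proves the two copies are identical, not that either one is clean.

```python
import hashlib
import os
import tempfile

# Default locations from the fixes.bat step in the post (real run only).
DEFAULT_LIVE = r"C:\WINDOWS\system32\eventlog.dll"
DEFAULT_CACHE = r"C:\WINDOWS\system32\dllcache\eventlog.dll"


def sha256_of(path, chunk_size=1 << 20):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_dllcache(live_path=DEFAULT_LIVE, cache_path=DEFAULT_CACHE):
    """Hash the live DLL and its dllcache copy and report whether they differ."""
    live = {"sha256": sha256_of(live_path), "size": os.path.getsize(live_path)}
    cache = {"sha256": sha256_of(cache_path), "size": os.path.getsize(cache_path)}
    verdict = "match" if live["sha256"] == cache["sha256"] else "differs"
    return {"live": live, "dllcache": cache, "verdict": verdict}


def demo():
    """Run the comparison on constructed sample files (no real DLLs touched)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "dllcache_eventlog.dll")
        patched = os.path.join(tmp, "system32_eventlog.dll")
        # Constructed stand-in for a clean PE image (83 bytes).
        original = b"MZ" + b"\x00" * 62 + b"clean eventlog code"
        with open(clean, "wb") as f:
            f.write(original)
        with open(patched, "wb") as f:
            # Simulated tampering: extra bytes appended to the live copy.
            f.write(original + b"injected loader stub")
        return compare_with_dllcache(patched, clean)


if __name__ == "__main__":
    result = demo()
    print("live:    ", result["live"]["sha256"], result["live"]["size"])
    print("dllcache:", result["dllcache"]["sha256"], result["dllcache"]["size"])
    print("verdict: ", result["verdict"])
```

On a real machine, call compare_with_dllcache() with no arguments to hash the two paths from the batch file.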