
PC Infected - Malware - unable to run diagnostics


5 replies to this topic

#1 dandm2003

Posted 03 September 2009 - 07:03 PM

Hi Everyone - first, appreciate the help. Secondly, I reviewed the prep page prior to posting here; however, I'm unable to run DDS or RootRepeal. Even if I rename the file (and even while in safe mode), I can get them to start up, but the screen shuts down after a few seconds of running.

Anyway... quick description of the problem: an unknown problem attempts to open Internet Explorer constantly, so I've had to put in a fake proxy to get it to stop. I use Firefox as my primary browser. Also, several websites are blocked (a majority of which are related to virus scanning, etc. - no surprise).

I've also tried Malwarebytes and I can get it to install after renaming the install file, but then can't actually open the application (I double-click on it, the mouse gives an hourglass symbol, then nothing...).

I've run other scans with ESET and there is a recent item in quarantine (I wonder if it's related to my current issue): systemroot\system32\UACnjxfucxitq.dll

Advice on next steps? I'm normally able to self-service, but at my wits' end on this one... appreciate the advice!
John

#2 quietman7 (Global Moderator, Bleepin' Janitor)

Posted 03 September 2009 - 08:34 PM

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the contents in your next reply.
Go to Start > Run..., then copy and paste this command into the open box: cmd
Press OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\ntelogon.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 dandm2003 (Topic Starter)

Posted 03 September 2009 - 11:17 PM

Both ran perfectly. I'll first paste the log.txt - then I'll paste the win32diag. Thanks!

Volume in drive C has no label.
Volume Serial Number is C4E6-40E5

Directory of C:\WINDOWS\system32

02/28/2006 05:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32

02/28/2006 05:00 AM 407,040 netlogon.dll
2 File(s) 587,264 bytes

Directory of C:\WINDOWS\system32\dllcache

02/28/2006 05:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

02/28/2006 05:00 AM 407,040 netlogon.dll
2 File(s) 587,264 bytes

Directory of C:\WINDOWS\system32\dllcache\cache

02/28/2006 05:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32\dllcache\cache

02/28/2006 05:00 AM 407,040 netlogon.dll
2 File(s) 587,264 bytes

Total Files Listed:
6 File(s) 1,761,792 bytes
0 Dir(s) 10,443,554,816 bytes free

Log file is located at: C:\Documents and Settings\John\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615-IE7\KB942615-IE7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944533-IE7\KB944533-IE7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB947864-IE7\KB947864-IE7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB950759-IE7\KB950759-IE7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP295.tmp\ZAP295.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP297.tmp\ZAP297.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\Wav\Wav

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IIS Temporary Compressed Files\IIS Temporary Compressed Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1844237615-1770027372-682003330-1003\S-1-5-21-1844237615-1770027372-682003330-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2006-02-28 05:00:00 10752 C:\WINDOWS\system32\dllcache\dumprep.exe (Microsoft Corporation)

[1] 2006-02-28 05:00:00 10752 C:\WINDOWS\system32\dumprep.exe ()

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2006-02-28 05:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2006-02-28 05:00:00 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2006-02-28 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\ASP Compiled Templates\ASP Compiled Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\MetaBack\MetaBack

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Logfiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!

#4 quietman7 (Global Moderator, Bleepin' Janitor)

Posted 04 September 2009 - 07:34 AM

Disinfection will require the use of more powerful tools than we recommend in this forum so I am moving this topic to the HijackThis Logs and Malware Removal and we will continue there.

Please follow these instructions in the order as provided.

We need to create a clean copy of the bad file which needs to be replaced.

Go to Start > Run..., then type in the open box: Notepad
Press Ok.
  • Copy and paste everything in the code box below into the Untitled - Notepad.
@echo off
copy C:\WINDOWS\system32\dllcache\eventlog.dll c:\eventlog.dll
Exit
  • Go to File > Save As, click the drop-down box to change the Save As Type to All Files and save it as "fixes.bat" on your desktop.
  • Double-click fixes.bat to run the script.
  • A window will open and close quickly, this is normal.
Please download The Avenger by Swandog46, and save it to your Desktop.
-- The Avenger must be run from a user account with administrator privileges.
  • Extract (unzip) avenger.zip to your Desktop. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Double click on avenger.exe to run The Avenger.
  • A warning message will appear. Click Ok to continue and launch the program.
  • Make sure that the box next to "Scan for rootkits" is checked and that the box next to "Automatically disable any rootkits found" is unchecked.
  • Copy everything in the code box below to your Clipboard by highlighting it and pressing Ctrl+C or right-click on it and choose Copy, then paste it into the open space area under Input script here:

    Begin copying here:
    Files to move:
    c:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

    WARNING: The above code was created specifically for this user. If you are not this user, do NOT follow these directions as doing so could lead to disastrous problems with your operating system.
  • Click the Execute button.
  • You will be asked "Are you sure you want to execute the current script?"
  • Click Yes to the prompt to confirm you want to execute.
  • You will be asked "First step completed...Avenger has been successfully set up to run on next boot. Reboot now?"
  • Click Yes to the Reboot now? prompt.
  • Note: If the above script contains Drivers to delete or Drivers to disable, then The Avenger will require two reboots to complete its operation. If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • Your PC should reboot. If not, reboot it yourself.
  • After reboot, a log file from Avenger named avenger.txt will automatically open and be saved to the root of the system drive (typically C:\avenger.txt).
  • Copy and paste the contents of avenger.txt in your next reply.

CAUTION: Avenger is a very powerful program, designed to remove highly persistent files and registry keys "under the guidance and supervision of an expert". Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


We need to run Win32kDiag.exe again with a specific command to fix some malware related changes.
  • Go to Start > Run..., then copy and paste this command into the open box:
    "%userprofile%\desktop\win32kdiag.exe" -f -r
  • Click OK.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the contents in your next reply.
Please download Malwarebytes Anti-Malware (v1.40) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Please print out and follow these instructions: A guide and tutorial on using ComboFix.
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!

Download Combofix from one of the mirrors below and save to your desktop. Important: Some types of malware will disable ComboFix and other security tools so you must rename the file before downloading and saving.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • Double-click on Combo-Fix.exe and follow the prompts and the instructions you printed out earlier.
  • If using Windows Vista and you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  • When finished, please copy and paste the contents of C:\ComboFix.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after the scan is complete.
  • If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "How to Guide" you printed out earlier.
-- Do not touch your mouse/keyboard until the Combofix scan has completed, as this may cause the process to stall or the computer to lock.
-- Combofix will temporarily disable your desktop, and if interrupted may leave it disabled. If this occurs, please reboot to restore it.
-- Combofix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.


Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read Combofix's Disclaimer.


Reports/logs to post in your next reply:
* avenger.txt
* Win32kDiag.txt
* MBAM report log
* ComboFix.txt

#5 dandm2003 (Topic Starter)

Posted 04 September 2009 - 04:01 PM

Attached both avenger and win32k txt files. Both Malwarebytes and ComboFix won't even launch when opening. (I can see the file execute in the task manager, but no windows pop up - something appears to be blocking the front-end.)

Thoughts? Thanks a bunch!
John

Also, I tried opening combo and mbam in safe mode - no luck there either.

Thanks!

#6 quietman7 (Global Moderator, Bleepin' Janitor)

Posted 04 September 2009 - 06:22 PM

Your Win32kDiag.txt looks the same as the first one you posted, so it appears you did not run it using the switch command I provided. The file we needed to replace is still showing although Avenger indicates it was able to successfully move it. Let's try that part again.

Go to Start > Run..., then type in the open box: Notepad
Press Ok.
  • Copy and paste everything in the code box below into the Untitled - Notepad.
@echo off
copy C:\WINDOWS\system32\dllcache\eventlog.dll c:\eventlog.dll
Exit
  • Go to File > Save As, click the drop-down box to change the Save As Type to All Files and save it as "fixes.bat" on your desktop.
  • Double-click fixes.bat to run the script.
  • A window will open and close quickly, this is normal.
Open Windows Explorer and check the root directory (C:\) to make sure eventlog.dll is there. The file size will be 55808 bytes, not 62976 bytes.

If the correct file is there, run Avenger again.
  • Copy everything in the code box below to your Clipboard by highlighting it and pressing Ctrl+C or right-click on it and choose Copy, then paste it into the open space area under Input script here:

    Begin copying here:
    Files to move:
    c:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

    WARNING: The above code was created specifically for this user. If you are not this user, do NOT follow these directions as doing so could lead to disastrous problems with your operating system.
  • Click the Execute button.
  • You will be asked "Are you sure you want to execute the current script?"
  • Click Yes to the prompt to confirm you want to execute.
  • You will be asked "First step completed...Avenger has been successfully set up to run on next boot. Reboot now?"
  • Click Yes to the Reboot now? prompt.
  • Note: If the above script contains Drivers to delete or Drivers to disable, then The Avenger will require two reboots to complete its operation. If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • Your PC should reboot. If not, reboot it yourself.
  • After reboot, a log file from Avenger named avenger.txt will automatically open and be saved to the root of the system drive (typically C:\avenger.txt).
  • Copy and paste the contents of avenger.txt in your next reply.
Then run Win32kDiag.exe again but with this command:
  • Go to Start > Run..., then copy and paste this command into the open box:
"%userprofile%\desktop\win32kdiag.exe" -f -r
  • Click OK.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the contents in your next reply.
After that see if you can get MBAM to run.

If not, delete your copy of Combofix and redownload a renamed version as I instructed in my previous reply.
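As an added example, not code from this thread or from the Win32kDiag author, here is a small Python parser for the Win32kDiag.txt format John posted: it lists the directories whose mount point is redirected to \Device\__max++>\^ and flags each "Cannot access" file whose size on disk differs from its dllcache copy, which is the check quietman7 applies to eventlog.dll (62976 bytes on disk, 55808 in dllcache). The embedded log is a constructed excerpt modelled on the posted one, and the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the Win32kDiag.txt posted in this thread
# (same line formats; most of the "Found mount point" entries omitted).
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2006-02-28 05:00:00 10752 C:\WINDOWS\system32\dllcache\dumprep.exe (Microsoft Corporation)

[1] 2006-02-28 05:00:00 10752 C:\WINDOWS\system32\dumprep.exe ()

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2006-02-28 05:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2006-02-28 05:00:00 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2006-02-28 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# [n] <date> <time> <size> <path> (<publisher>); the publisher is empty when
# Win32kDiag could not read the file's version information
ENTRY_RE = re.compile(r"^\[\d+\] \S+ \S+ (\d+) (.+?) \((.*)\)$")
# Destination every redirected directory in the posted log pointed to
MAXPP_DEST = r"\Device\__max++>\^"

@dataclass
class FileEntry:
    path: str
    size: int
    publisher: str

@dataclass
class LockedFile:
    """One 'Cannot access:' block plus the copies Win32kDiag listed under it."""
    target: str
    entries: list = field(default_factory=list)

    def live(self):
        # The copy at the locked path itself, i.e. the one Windows actually loads
        return next((e for e in self.entries if e.path.lower() == self.target.lower()), None)

    def backup(self):
        # The protected copy under %windir%\system32\dllcache
        return next((e for e in self.entries if "\\dllcache\\" in e.path.lower()), None)

    def size_mismatch(self):
        live, backup = self.live(), self.backup()
        return live is not None and backup is not None and live.size != backup.size

def parse_win32kdiag(text):
    """Return (mount points as (path, destination) pairs, locked-file blocks)."""
    mounts, locked, pending = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := MOUNT_RE.match(line):
            pending = m.group(1)
        elif (m := DEST_RE.match(line)) and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
        elif m := CANNOT_RE.match(line):
            locked.append(LockedFile(m.group(1)))
        elif (m := ENTRY_RE.match(line)) and locked:
            locked[-1].entries.append(FileEntry(m.group(2), int(m.group(1)), m.group(3)))
    return mounts, locked

def redirected_dirs(text, dest=MAXPP_DEST):
    """Directories whose reparse point sends them to the rootkit's device path."""
    return [path for path, d in parse_win32kdiag(text)[0] if d == dest]

def replacement_candidates(text):
    """Locked files whose on-disk size differs from the dllcache copy:
    (target, size on disk, size of the dllcache copy)."""
    return [(lf.target, lf.live().size, lf.backup().size)
            for lf in parse_win32kdiag(text)[1] if lf.size_mismatch()]

if __name__ == "__main__":
    for path, on_disk, good in replacement_candidates(SAMPLE_LOG):
        print(f"{path}: {on_disk} bytes on disk, dllcache copy is {good} bytes")
    print(f"{len(redirected_dirs(SAMPLE_LOG))} directories redirected to {MAXPP_DEST}")
```

dumprep.exe is locked too, but its size matches the dllcache copy, so only eventlog.dll comes out as a replacement candidate, matching the file quietman7 targets.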