
Malwarebytes

Malwarebytes and HijackThis blocked


#1
ajs1974

    New Member

  • Members
  • 5 posts
Hello, I've been working on an extremely nasty virus for the last 2 days and am at my wits' end. HijackThis and Malwarebytes won't run; at first they just shut down instantly, then I get the message that I don't have sufficient administrative rights to run this program. I was able to get a scan in from Kaspersky online; however, it didn't clean anything. Here is a copy of the virus log:


In the registry there is one program in HKLM-Software.....Run entry that's listed as "Gobehabuye" and it references a rundll32.exe file attached to a .dll that regenerates each time you delete it. I've tried deleting the .dll and the registry entry just changes to a new .dll.

I have a lot of personal items on my PC that I don't have the capacity to move, so a reinstall is out of the question. Can anyone help?

Thanks in advance

#2
ajs1974

I was able to get Win32KDiag to run, here is the log:


#3
ajs1974

Any ideas here? Should I run the same script from Avenger that I've seen here?

Files to move:
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

I've run a check with Avast, and still, when I try to run any AV, MWB, or HijackThis, it closes after about a second.

Any help would be appreciated.

#4
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Download and run Win32kDiag:


Let it run for at least an hour without bothering it regardless of what it says. Then post back the results.
Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#5
AdvancedSetup

Please post a status update on this.
Ron Lewis
Manager, Online Support

Posted Image

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#6
AdvancedSetup

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
Ron Lewis
Manager, Online Support

Posted Image

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.




