malwarebytes, hijack this, none of them will run!


41 replies to this topic

#1
Preston2

    New Member

  • Members
  • Pip
  • 24 posts
HijackThis will not run on my system. It runs for about 2 sec and then just disappears. It also locks the permissions and won't let me run it again without unlocking it first. When running any program like AVG, adware or anything else I've tried, the same thing happens.

any help would be appreciated!

thank-you in advance

#2
sjpritch25

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
Welcome to Malwarebytes!!! :unsure:


Please download Win32kDiag.exe by AD to your Desktop.
Double-click on Win32kDiag.exe.
It will create Win32kDiag.txt on your Desktop.
In your next reply, please include the log. Thanks

Microsoft Valuable Professional---MVP Consumer Security 2007-2010
Windows 7 Ultimate 64bit
Gigabyte P55A-UD4P Motherboard Intel i5 750 G.SKILL Ripjaws Series 4GB DDR3 1333 1TB WD 32mb cache
60gb OCZ Vertex Turbo SSD (BOOT drive) Noctua NH-U12P SE2 Heatsink Antec P183 Case

#3
Preston2

Here is the log file from Win32kDiag.

The log file was quite large, so I attached it to the post.

Thanks for helping me with this.


#4
sjpritch25

well we are getting there

Now we need to clean up what the malware disabled.


Please download the attached file and extract preston.bat to your desktop. In your next reply, please post the log that appears. Thanks


#5
Preston2

Here is the log from the Preston.bat file

Volume in drive C is ACER
Volume Serial Number is 103F-B08B

Directory of C:\Windows\System32

02/11/2006 05:46 AM 61,952 cngaudit.dll
1 File(s) 61,952 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6

02/11/2006 05:46 AM 11,776 cngaudit.dll
1 File(s) 11,776 bytes

#6
sjpritch25

Please download the attached file preston2.zip and extract preston2.bat to your desktop. Double-click on preston2.bat and it will appear and disappear.


Note: If your operating system is Vista, I need you to right-click on preston2.bat and run as Administrator. Otherwise just run it normally (by double-clicking on preston2.bat).



=================================================

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\cngaudit.dll | C:\Windows\System32\cngaudit.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log.






=================================================


  • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
    "%userprofile%\desktop\win32kdiag.exe" -f -r
  • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
  • Please open it with notepad and post the contents here.





If at any point in the process something goes wrong, please let me know. Thanks


#7
Preston2

Here is the Avenger log file


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\cngaudit.dll" not found!
File move operation "C:\cngaudit.dll|C:\Windows\System32\cngaudit.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.



HijackThis will not run, so here is a Win32kDiag log instead. I hope it helps, and again, I've attached it because it's fairly long.

#8
Preston2

The file is too big to upload, it's around 540kb, so I created a zip file with it inside so it can be uploaded. I hope that's alright.


#9
sjpritch25

Not sure why the first batch didn't work. Please verify to me that it was copied. Here is the new attached batch file.


Please follow my instructions again, starting with running the first batch to copy the good copy of cngaudit.dll to your root drive C:\. Then continue with the Avenger script.

Then go to Start ---> Run and type the following "%userprofile%\desktop\win32kdiag.exe" -f -r in the open box and press enter. Please attach the log in your next reply along with the Avenger log.


Thanks


#10
Preston2

When I run the bat file, it says:

copying file engaudit.dll to your root drive

please wait
file not found - engaudit.dll
0 files copied
press any key to continue...

#11
sjpritch25

dang :rolleyes: :lol: :P

That was my error, I had the wrong folder.

This one should work. Sorry


#12
Preston2

Here's the Avenger log

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\cngaudit.dll|C:\Windows\System32\cngaudit.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
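
As an added example (not part of any post in this thread, and not The Avenger's own code), the Python sketch below parses the two Avenger result sections quoted above and reports which scripted operations failed and with what NTSTATUS. The function names, and the assumption that other operation types follow the same line shape as "File move operation", are illustrative; the embedded log text is copied from the posts as sample input.

```python
import re

# Sample input: result sections copied from the two Avenger logs in this thread.
FAILED_LOG = r'''Rootkit scan active.
No rootkits found!

Error: file "C:\cngaudit.dll" not found!
File move operation "C:\cngaudit.dll|C:\Windows\System32\cngaudit.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Completed script processing.'''

OK_LOG = r'''Rootkit scan active.
No rootkits found!

File move operation "C:\cngaudit.dll|C:\Windows\System32\cngaudit.dll" completed successfully.

Completed script processing.'''

# Assumption: every operation line has the shape seen for "File move operation".
OP_RE = re.compile(r'^(?P<kind>[A-Za-z ]+?) operation "(?P<args>[^"]+)" '
                   r'(?P<result>completed successfully\.|failed!)$')
STATUS_RE = re.compile(r'^Status: (0x[0-9a-fA-F]{8}) \((\w+)\)$')


def parse_avenger_log(text):
    """Return one dict per scripted operation, with NTSTATUS attached on failure."""
    ops = []
    for raw in text.splitlines():
        line = raw.strip()
        m = OP_RE.match(line)
        if m:
            source, _, target = m.group("args").partition("|")
            ops.append({"kind": m.group("kind"), "source": source,
                        "target": target or None,
                        "ok": m.group("result") != "failed!",
                        "status": None, "status_name": None})
            continue
        m = STATUS_RE.match(line)
        if m and ops and not ops[-1]["ok"]:  # status line follows the failed op
            ops[-1]["status"] = int(m.group(1), 16)
            ops[-1]["status_name"] = m.group(2)
    return ops


def failed_operations(text):
    """Operations a helper must resolve before moving to the next cleanup step."""
    return [op for op in parse_avenger_log(text) if not op["ok"]]


if __name__ == "__main__":
    for name, log in (("post #7", FAILED_LOG), ("post #12", OK_LOG)):
        print(name, failed_operations(log) or "all operations succeeded")
```

For the first log the status name STATUS_OBJECT_NAME_NOT_FOUND points at a missing source file rather than a permissions problem, which matches what the thread found: the replacement cngaudit.dll had not been staged at C:\ before the script ran.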

#13
Preston2

Here's the Win32kDiag log


#14
sjpritch25

okay that part is fixed


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.


#15
Preston2

ComboFix doesn't seem to be working? I renamed it before saving it, and when it runs the progress bar gets to the end, it hangs for about 5 sec, then it closes. Am I doing something wrong?

#16
sjpritch25

A command prompt should appear fairly shortly after. How long did you wait?


If not, can you run Malwarebytes??

#17
Preston2

ComboFix will not run, but Malwarebytes is currently scanning the system.

#18
sjpritch25

awesome

#19
Preston2

The scan isn't quite finished, but it has found 1 object. What would you like me to do once the scan is complete?

#20
sjpritch25

let it remove everything it finds and post the log in your next reply.