
All anti-virus programs shut down after 2 seconds


24 replies to this topic

#1
tsquared

    New Member

  • Members
  • 13 posts
Hello,

I've recently discovered some serious issues on my computer. I've read some other posts and found very similar symptoms. However, when I tried the same prescribed methods, nothing is working. Currently, this is what I am experiencing:
- Windows Police Pro tries to prevent most programs from running
- Malwarebytes' Anti-Malware installed and ran for 2 seconds before shutting down, now when I try to run it, the following error message pops up: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item"
- Hijack This installs but gets the same error as Malwarebytes
- I downloaded Combo-Fix, but when I run it I get this error: "C:\Users\Owner\Desktop\COMBO-~1.EXE The NTVDM CPU has encountered an illegal instruction. CS:1211 IP:01dd OP:63 6f 6e 74 65 Choose 'Close' to terminate the application"

I am not sure what my next step should be, can anyone please help? BTW, I am on Vista Ultimate.

Thanks very much.

#2
sjpritch25

    Forum Deity

  • Experts
  • 1,605 posts
  • Gender:Male
  • Location:West Coast of Florida
Welcome to Malwarebytes!!!!

Delete your current copy of ComboFix

Please download ComboFix again from here
http://www.bleepingc...to-use-combofix

Save it to your desktop as svchost.exe

Let me know if it still won't run.





Please download Win32kDiag.exe by AD to your Desktop.
Double-click on Win32kDiag.exe.
It will create Win32kDiag.txt on your Desktop.
In your next reply, please include the log. Thanks
Microsoft Valuable Professional---MVP Consumer Security 2007-2010
Windows 7 Ultimate 64bit
Gigabyte P55A-UD4P Motherboard Intel i5 750 G.SKILL Ripjaws Series 4GB DDR3 1333 1TB WD 32mb cache
60gb OCZ Vertex Turbo SSD (BOOT drive) Noctua NH-U12P SE2 Heatsink Antec P183 Case

#3
tsquared

Thanks for the welcome.

I went ahead and downloaded the new version of ComboFix as you've suggested. It runs but tells me that "Spyware Doctor" is running and it may be intrusive to ComboFix. I closed down what looked like Spyware Doctor processes in task manager (pctsAnxs.exe - PC tools auxiliary service and pctsSvc.exe - PC tools Security Service), but ComboFix still says spyware doctor is running, although it went ahead and started the scan anyway.

After scanning for about 3 minutes, it says it needs to reboot, and wants me to write down this file name "c:\windows\system32\drivers\kbiwkmocnmuofk.sys" because it might need it later. I did that but after the machine reboots, there is no resumed ComboFix process. I tried to run it again and it does the same thing.

One thing to note is that before I'm able to run ComboFix in the first place, I had to first stop the windows police pro processes in task manager. So maybe after it rebooted, these processes came back and blocked the original instance of ComboFix?

I've attached the catchme.log file, but there's not much in it.

I tried downloading the Win32kDiag.exe file you've mentioned, but whenever I right click and go to "save link as", it gives me the error: "The download cannot be saved because an unknown error occurred. Please try again."

Sorry I wasn't able to make too much progress, is there anything you would suggest doing next?

Thanks again.

#4
tsquared

Here's the attachment.



#5
tsquared

Update: I went ahead and uninstalled Spyware Doctor since I couldn't figure out how else to stop it from running. This time when I ran ComboFix, the warning messages didn't come up, but the result is the same. It scans for a little while and wants to reboot because it has "detected rootkit activity", and wanted me to write down that file name mentioned above. After the reboot, a bunch of "Debugger detected [97]" pop ups appeared, I think this is because windows police pro came back and blocked everything. So now I know it wasn't Spyware Doctor causing the issue, but I'm still not sure how to proceed.

#6
sjpritch25

Let me know if you still can't run it. Thanks

http://ad13.geekstog.../Win32kDiag.exe

#7
tsquared

Okay that one worked. Here's the file.




#8
sjpritch25

Did you rename ComboFix.exe before you saved it to your desktop?

#9
sjpritch25

After you stop the process for police patrol, can you run Malwarebytes? If you update to the newest version it should be able to remove this infection. Let me know if you're successful or not. Thanks

#10
tsquared

I did rename ComboFix.exe to svchost.exe, but it renamed itself after every time it ran.

I tried running Malwarebytes again after stopping the windows police pro processes but it still gave the same error as before. I just reinstalled the latest version from the website and got the updates, but still ran into the same issues (window closing after 3 seconds of scanning, won't run again due to permissions error).

#11
sjpritch25

Okay, permission error; I must have missed that earlier.

Please download this file, Junction.zip, to your desktop. Extract the folder Junction to your desktop. Open the Junction folder and double-click on junction.bat. Let it run.

In your next reply, please include the log. Thanks


#12
tsquared

Here you go, thanks.

Attached Files

  • Attached File  log.txt   74.49K   28 downloads


#13
sjpritch25

Okay this is going to take a few steps before we can get the scanner to run. Please be patient.


Download the first attached file, fix.zip. Extract the fix folder to your Desktop. Open the folder, double-click on fix.bat, and let it run.

Download the second attached file, search.zip. Extract search.bat. Double-click on search.bat; a log will pop up.

In your next reply, please include the log.


#14
tsquared

Dear sjpritch25,

Thanks for all the help so far. I just wanted to tell you that I'm out of town this week for work and won't get home to run those scans until this weekend. Sorry for this inconvenience, I will download and run those files as soon as I get back.

Thanks

#15
sjpritch25

No problem.

#16
tsquared

Here's the log file, thanks.

Attached Files

  • Attached File  log.txt   70bytes   40 downloads


#17
sjpritch25

Sorry for the delay, please run Junction.bat again and post the log. Thanks

#18
tsquared

Sorry for the late reply, please find attached the log file.

Attached Files

  • Attached File  log.txt   13.78K   28 downloads


#19
sjpritch25

Please download attached file fix.zip, extract fix.bat to your desktop.

Please download Inherit by sUBs and save it to your Desktop.

It must be saved to your desktop.



  • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
    "%userprofile%\desktop\win32kdiag.exe" -f -r
  • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
  • Please open it with notepad and post the contents here.




How is everything running???

Attached Files

  • Attached File  fix.zip   324bytes   9 downloads


#20
tsquared

The inherit link didn't work so I used the one you've sent over last time with the new fix.bat on my desktop. I went ahead and ran that, got the "OK" pop up then ran the command you've provided (I'm on Vista so I just pasted it in the search window, but I think it's the same thing). Attached is the output file.

Most applications are running okay now, but there is definitely still something wrong. Malwarebytes still closes within a few seconds after I start a scan. There are also pop up ads showing up once in a while by themselves. There's also this pop up warning from my task bar that comes up every minute or so, it doesn't look like a legit windows message but I'm not sure what's bringing it up. Please see attached screenshot.

Again, thanks so much for helping me out. I work out of town and apologize for the long delays between posts.
