
Malwarebytes

Malwarebytes wont run


33 replies to this topic

#1
bojadada

    New Member

  • Members
  • 31 posts
I can't run Malwarebytes at all. I can open it up and start a scan, but it closes up after 3 seconds. Then when I try to open it again, nothing happens. I even tried renaming the startup files of mbam and the install files when I reinstalled, but it still didn't work. My PC now can't access the internet; it always shows page load errors. I am on my other computer at the moment, so if there are any files I need to download, I can. Also, when I click My Computer there's this icon that is called Safety Center; it's also on my desktop. And if I don't boot my PC up in safe
mode, "Safety Center" pops up. How do I remove this virus? Help is greatly appreciated. Thanks.

#2
bojadada

    New Member

  • Members
  • 31 posts
BUMP. Please, I need help, someone answer!!!!

#3
JSntgRvr

    Elite Member

  • Experts
  • 543 posts
  • Gender:Male
  • Location:Caribbean
Hi, bojadada :)

Welcome.

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Unanswered threads for more than five (5) days will be removed from my subscriptions.
No help through a Private Message will be provided.
Please do not post on someone else's thread. It will be removed immediately.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4
bojadada

    New Member

  • Members
  • 31 posts
Thank you so much for the response, I really appreciate it. In the post I say my internet wasn't working; that was NOT related to the virus, if that makes a difference. I was just panicking; it's working now.

Running from: C:\Documents and Settings\frank\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\frank\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP15.tmp\ZAP15.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP17B.tmp\ZAP17B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP25D.tmp\ZAP25D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP283.tmp\ZAP283.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A8.tmp\ZAP2A8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC8.tmp\ZAPC8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCD.tmp\ZAPCD.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CDIIWall3res\CDIIWall3res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ehome\de\de

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ehome\fr\fr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ehome\ja\ja

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ehome\ko\ko

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ehome\zh-chs\zh-chs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ie8updates\ie8updates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\microsoft.net\framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\microsoft.net\framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\DataColl\DataColl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pix_office_wall\pix_office_wall

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\Registration

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_A2.gif

[1] 2009-09-20 11:17:23 16917 C:\WINDOWS\TEMP\WMP54Gv4_A2.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I1.gif

[1] 2009-09-20 11:16:40 10791 C:\WINDOWS\TEMP\WMP54Gv4_I1.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I2.gif

[1] 2009-09-20 11:16:52 21024 C:\WINDOWS\TEMP\WMP54Gv4_I2.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S1.gif

[1] 2009-09-20 11:16:40 2139 C:\WINDOWS\TEMP\WMP54Gv4_S1.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

[1] 2009-09-20 11:16:43 4897 C:\WINDOWS\TEMP\WMP54Gv4_S2.gif ()



Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^



Finished!
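
An added example, not part of the thread or of Win32kDiag itself: a small Python parser for the Win32kDiag log format shown above, run on a constructed excerpt in the same shape. It flags the two things the expert acts on later in the thread, directories that are reparse points into a \Device\ object and a system DLL whose live copy has no company string and a size matching none of the service-pack reference copies; the function names (`parse_win32kdiag`, `flag_mount_points`, `flag_tampered_copies`, `suggest_reference`) and the sample user name are my own.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the Win32kDiag log posted above (trimmed).
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\user\Desktop\Win32kDiag.exe
WARNING: Could not get backup privileges!

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_A2.gif
[1] 2009-09-20 11:17:23 16917 C:\WINDOWS\TEMP\WMP54Gv4_A2.gif ()

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] YYYY-MM-DD HH:MM:SS size path (company)"; [n] is kept as-is (undocumented).
COPY_RE = re.compile(
    r"^\[(\d+)\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+?) \((.*)\)$")

Copy = namedtuple("Copy", "tag timestamp size path company")


def parse_win32kdiag(text):
    """Return (mount_points, inaccessible): a list of (path, destination)
    pairs and a dict mapping each 'Cannot access' path to its Copy records."""
    mount_points, inaccessible, pending, current = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending = m.group(1)
        elif (m := DEST_RE.match(line)) and pending is not None:
            mount_points.append((pending, m.group(1)))
            pending = None
        elif m := CANNOT_RE.match(line):
            current = m.group(1)
            inaccessible[current] = []
        elif (m := COPY_RE.match(line)) and current is not None:
            tag, ts, size, path, company = m.groups()
            inaccessible[current].append(Copy(int(tag), ts, int(size), path, company))
    return mount_points, inaccessible


def flag_mount_points(mount_points):
    """Directories that are reparse points into a raw \\Device\\... object
    (every hit in the thread's log) are not created by Windows setup."""
    return [(p, d) for p, d in mount_points if d.upper().startswith("\\DEVICE\\")]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suggest_reference(live, refs):
    """Prefer a reference copy with a company string built at the same time as
    the live file (same service pack), else the newest one with a company
    string. This is the reasoning behind the ServicePackFiles copy used above."""
    candidates = [r for r in refs if r.company]
    same_build = [r for r in candidates if r.timestamp == live.timestamp]
    pool = same_build or candidates
    return max(pool, key=lambda r: r.timestamp).path if pool else None


def flag_tampered_copies(inaccessible):
    """Compare each inaccessible PE file with the other copies of the same
    name Win32kDiag listed (service pack cache, uninstall backup). Returns
    path -> (reasons, suggested reference path or None)."""
    findings = {}
    for target, copies in inaccessible.items():
        if not _basename(target).endswith((".dll", ".exe", ".sys")):
            continue  # company/version strings only mean something for PE files
        live = next((c for c in copies if c.path.lower() == target.lower()), None)
        if live is None:
            continue
        refs = [c for c in copies if _basename(c.path) == _basename(target) and c is not live]
        reasons = []
        if not live.company:
            reasons.append("no company/version string")
        if refs and all(r.size != live.size for r in refs):
            reasons.append("size %d matches no reference copy" % live.size)
        if reasons:
            findings[target] = (reasons, suggest_reference(live, refs))
    return findings
```

Feed the full text of Win32kDiag.txt to `parse_win32kdiag` and pass the two results to `flag_mount_points` and `flag_tampered_copies`; on the log above this yields every `\Device\__max++>\^` junction and the unsigned, oversized `system32\eventlog.dll` with the ServicePackFiles copy as its suggested replacement.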

#5
bojadada

    New Member

  • Members
  • 31 posts
Sorry for the double post(s), but I haven't spotted a search button anywhere, so I don't know what to do. Anyway, I also get redirected when I click a link in Google, if that makes any difference to determining a fix for this infection.

#6
JSntgRvr

    Elite Member

  • Experts
  • 543 posts
  • Gender:Male
  • Location:Caribbean
Hi, bojadada :)

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Once finished, attempt to run Malwarebytes.


#7
bojadada

    New Member

  • Members
  • 31 posts

JSntgRvr, on Sep 20 2009, 09:32 PM, said:

Hi, bojadada :)

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Once finished, attempt to run Malwarebytes.
Running from: C:\Documents and Settings\frank\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\frank\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_A2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_A2.gif

[1] 2009-09-20 11:17:23 16917 C:\WINDOWS\TEMP\WMP54Gv4_A2.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I1.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_I1.gif

[1] 2009-09-20 11:16:40 10791 C:\WINDOWS\TEMP\WMP54Gv4_I1.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_I2.gif

[1] 2009-09-20 11:16:52 21024 C:\WINDOWS\TEMP\WMP54Gv4_I2.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S1.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_S1.gif

[1] 2009-09-20 11:16:40 2139 C:\WINDOWS\TEMP\WMP54Gv4_S1.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

[1] 2009-09-20 11:16:43 4897 C:\WINDOWS\TEMP\WMP54Gv4_S2.gif ()



Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!

Malwarebytes still closed after 3 seconds into the scan. Also, whenever it closes, it is never able to run again; I have to reinstall it.

#8
JSntgRvr

    Elite Member

  • Experts
  • 543 posts
  • Gender:Male
  • Location:Caribbean
Hi, bojadada :)

Please follow these steps:

Step 1

Open a command prompt (Start->Run, type CMD and click OK). At the prompt, copy and paste the following commands and press Enter after each line:

Copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\
Exit


Step 2

Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here in your next reply.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Step 3

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Begin copying here:
Files to move:
C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

Files to delete:
C:\WINDOWS\TEMP\WMP54Gv4_A2.gif
C:\WINDOWS\TEMP\WMP54Gv4_I1.gif
C:\WINDOWS\TEMP\WMP54Gv4_I2.gif
C:\WINDOWS\TEMP\WMP54Gv4_S1.gif
C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

Folders to delete:
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Step 4

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 5

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:



  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.


#9
bojadada

    New Member

  • Members
  • 31 posts
Running from: C:\Documents and Settings\frank\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\frank\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_A2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_A2.gif

[1] 2009-09-20 11:17:23 16917 C:\WINDOWS\TEMP\WMP54Gv4_A2.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I1.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_I1.gif

[1] 2009-09-20 11:16:40 10791 C:\WINDOWS\TEMP\WMP54Gv4_I1.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_I2.gif

[1] 2009-09-20 11:16:52 21024 C:\WINDOWS\TEMP\WMP54Gv4_I2.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S1.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_S1.gif

[1] 2009-09-20 11:16:40 2139 C:\WINDOWS\TEMP\WMP54Gv4_S1.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

[1] 2009-09-20 11:16:43 4897 C:\WINDOWS\TEMP\WMP54Gv4_S2.gif ()





Finished!

#10
bojadada

    New Member

  • Members
  • 31 posts
When I paste the stuff you said to copy into Avenger, it says "Error: Invalid script. A valid script must begin with a command directive. Aborting execution!" Did I do something wrong? Maybe it's because I'm in safe mode?

#11
bojadada

    New Member

  • Members
  • 31 posts
Ok, the first step I did wrong, so here's the new log. Avenger still does the script error thing, btw.
Running from: C:\Documents and Settings\frank\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\frank\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_A2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_A2.gif

[1] 2009-09-20 11:17:23 16917 C:\WINDOWS\TEMP\WMP54Gv4_A2.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I1.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_I1.gif

[1] 2009-09-20 11:16:40 10791 C:\WINDOWS\TEMP\WMP54Gv4_I1.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_I2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_I2.gif

[1] 2009-09-20 11:16:52 21024 C:\WINDOWS\TEMP\WMP54Gv4_I2.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S1.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_S1.gif

[1] 2009-09-20 11:16:40 2139 C:\WINDOWS\TEMP\WMP54Gv4_S1.gif ()



Cannot access: C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

Attempting to restore permissions of : C:\WINDOWS\TEMP\WMP54Gv4_S2.gif

[1] 2009-09-20 11:16:43 4897 C:\WINDOWS\TEMP\WMP54Gv4_S2.gif ()





Finished!

#12
JSntgRvr

    Elite Member

  • Experts
  • 543 posts
  • Gender:Male
  • Location:Caribbean
Make sure you do Step 1. The file must be copied to the root directory.

I changed the way the Avenger script is shown in the topic. Open Notepad. Select Format. Remove the checkmark from Word Wrap if present. Start copying the script from the word Begin, including the word, then all the way down.

Try the fix once again. Keep me posted.


#13
bojadada

    New Member

  • Members
  • 31 posts

JSntgRvr, on Sep 21 2009, 12:09 AM, said:

Make sure you do Step 1. The file must be copied to the root directory.

I changed the way the Avenger script is shown in the topic. Open Notepad. Select Format. Remove the checkmark from Word Wrap if present.

Try the fix once again. Keep me posted.
Ok, here's the avenger.txt thing

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Sep 20 22:57:10 2009

22:57:10: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Sep 20 22:57:20 2009

22:57:20: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Sep 20 22:57:24 2009

22:57:24: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Sep 20 22:57:57 2009

22:57:57: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Sep 20 22:58:38 2009

22:58:38: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Sep 20 23:02:16 2009

23:02:16: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Sep 20 23:07:15 2009

23:07:15: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Sep 20 23:07:17 2009

23:07:17: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon Sep 21 00:00:38 2009

00:00:38: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "aafmdgml" found!
Start Type: 3 (Manual)

Rootkit scan completed.


Error: could not open file "C:\WINDOWS\TEMP\WMP54Gv4_A2.gif"
Deletion of file "C:\WINDOWS\TEMP\WMP54Gv4_A2.gif" failed!
Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)


Error: could not open file "C:\WINDOWS\TEMP\WMP54Gv4_I1.gif"
Deletion of file "C:\WINDOWS\TEMP\WMP54Gv4_I1.gif" failed!
Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)


Error: could not open file "C:\WINDOWS\TEMP\WMP54Gv4_I2.gif"
Deletion of file "C:\WINDOWS\TEMP\WMP54Gv4_I2.gif" failed!
Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)


Error: could not open file "C:\WINDOWS\TEMP\WMP54Gv4_S1.gif"
Deletion of file "C:\WINDOWS\TEMP\WMP54Gv4_S1.gif" failed!
Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)


Error: could not open file "C:\WINDOWS\TEMP\WMP54Gv4_S2.gif"
Deletion of file "C:\WINDOWS\TEMP\WMP54Gv4_S2.gif" failed!
Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)


Error: folder "C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2" not found!
Deletion of folder "C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\WINDOWS\WinSxS\InstallTemp\InstallTemp" not found!
Deletion of folder "C:\WINDOWS\WinSxS\InstallTemp\InstallTemp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
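A small parser for the Avenger log format posted above, added here as an example and not part of the thread or of Avenger itself: it pulls out the hidden-driver finding and the failed deletions with their NTSTATUS codes, so a helper can see at a glance what the script did and did not remove. The sample log is a constructed excerpt in the same format as the log above.

```python
import re

# Constructed excerpt in the same format as the Avenger log posted above (not the full log).
SAMPLE_LOG = """\
Hidden driver "aafmdgml" found!
Start Type: 3 (Manual)

Error: could not open file "C:\\WINDOWS\\TEMP\\WMP54Gv4_A2.gif"
Deletion of file "C:\\WINDOWS\\TEMP\\WMP54Gv4_A2.gif" failed!
Status: 0xc0000102 (STATUS_FILE_CORRUPT_ERROR)

Error: folder "C:\\WINDOWS\\WinSxS\\InstallTemp\\InstallTemp" not found!
Deletion of folder "C:\\WINDOWS\\WinSxS\\InstallTemp\\InstallTemp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
"""

HIDDEN_RE = re.compile(r'^Hidden driver "([^"]+)" found!$')
START_RE = re.compile(r'^Start Type: (\d+) \(([^)]+)\)$')
FAIL_RE = re.compile(r'^Deletion of (file|folder) "([^"]+)" failed!$')
STATUS_RE = re.compile(r'^Status: (0x[0-9a-fA-F]+) \(([A-Z_]+)\)$')

def parse_avenger_log(text):
    """Return {'hidden_drivers': [(name, start_type, label)],
    'failed_deletions': [(kind, path, ntstatus, symbol)]}.
    Each finding spans two lines, so the first half is held until its partner arrives."""
    report = {"hidden_drivers": [], "failed_deletions": []}
    driver = deletion = None
    for line in text.splitlines():
        line = line.strip()
        if m := HIDDEN_RE.match(line):
            driver = m.group(1)
        elif (m := START_RE.match(line)) and driver:
            report["hidden_drivers"].append((driver, int(m.group(1)), m.group(2)))
            driver = None
        elif m := FAIL_RE.match(line):
            deletion = (m.group(1), m.group(2))
        elif (m := STATUS_RE.match(line)) and deletion:
            report["failed_deletions"].append(deletion + (m.group(1).lower(), m.group(2)))
            deletion = None
    return report

def failures_by_status(report):
    """Group failed deletions by NTSTATUS symbol. OBJECT_NAME_NOT_FOUND points at the script
    (the doubled last path component in the log is a hint), FILE_CORRUPT_ERROR at the disk."""
    grouped = {}
    for _, path, _, symbol in report["failed_deletions"]:
        grouped.setdefault(symbol, []).append(path)
    return grouped
```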

#14
JSntgRvr

    Elite Member

  • Experts
  • PipPipPipPipPip
  • 543 posts
  • Gender:Male
  • Location:Caribbean
See my previous post. I modified some of it.


#15
bojadada

    New Member

  • Members
  • Pip
  • 31 posts
Ok malwarebytes still closes after exactly 3 seconds into the scan. What do I do?

#16
bojadada

    New Member

  • Members
  • Pip
  • 31 posts
Ok, if I eventually stop replying, it's because I fell asleep. I might sleep soon because it's getting a bit late, and I have school tomorrow. Feel free to still post replies, I'll follow the steps as soon as I can. I'll be back at around 4:00 Central Time.

#17
JSntgRvr

    Elite Member

  • Experts
  • PipPipPipPipPip
  • 543 posts
  • Gender:Male
  • Location:Caribbean
Download RootRepeal from one of the following locations and save it to your desktop:
  • Double click the RootRepeal icon to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:

    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, click the Save Report button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the attachment's insert icon to insert the attachment into your post



#18
bojadada

    New Member

  • Members
  • Pip
  • 31 posts
GAH, whenever I try to start RootRepeal it says could not read the boot sector, try adjusting disk access level in the options dialog, then I click ok, then it says the same thing like 5 more times, then starts. Then when I start the scan, it only does it for a few seconds, then closes. Then when I try to start it again, it says windows cannot find access to the specific device thing. What do I do?

#19
JSntgRvr

    Elite Member

  • Experts
  • PipPipPipPipPip
  • 543 posts
  • Gender:Male
  • Location:Caribbean
Hi, bojadada :)

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.



#20
bojadada

    New Member

  • Members
  • Pip
  • 31 posts
By the scan your system prompt you mean this, right? GMER has found a system modification which might have been caused by ROOTKIT activity. Do you want to fully scan your system? And if I press no, do I do all those steps afterward or just the log?
