JSntgRvr

Everything posted by JSntgRvr

  1. Hi, Dave5151
     The log for Win32kDiag is not included. It should be saved on your desktop. Let's take a deeper look:
     Download OTS.exe by OldTimer to your Desktop.
     Close any open browsers.
     Double-click on OTS.exe to start the program.
     Leave all settings as they appear by default, except for the following:
       Under Drivers, select "All".
       Under Additional Scans, click on the "Extra" button.
     Now click the Run Scan button on the toolbar.
     The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
     When the scan is complete, Notepad will open with the report file loaded in it.
     Save that Notepad file.
     Use the Reply button and attach the Notepad file here (do not copy and paste it in a reply; rather, attach it).
  2. Good Morning, bojadada
     Seems that those nasties are now gone.
     Download TFC by OldTimer to your desktop (Temp File Cleaner).
     Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator.)
     It will close all programs when run, so make sure you have saved all your work before you begin.
     Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
     Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
     Reset and re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)
     To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
     (Windows XP)
     1. Turn off System Restore.
        On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK.
     2. Reboot.
     3. Turn ON System Restore.
        On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-check *Turn off System Restore*. Click Apply, and then click OK.
     Since the tools we used to scan the computer, as well as the tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.
     Follow these steps to uninstall Combofix:
     Click START, then RUN. Now copy and paste "c:\documents and settings\frank\Desktop\Combo-Fix.exe" /u in the run box (including the quotation marks) and click OK. Note the space between the " and the /u; it needs to be there.
     Create a Restore point (if the above process fails to do so):
     Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. In the System Restore dialog box, click Create a restore point, and then click Next. Type a description for your restore point, such as "After Cleanup", then click Create.
     How is the computer doing?
  3. Hi, bojadada
     Success!
     If your current copy fails to run, please download Malwarebytes' Anti-Malware from Here.
     Double-click mbam-setup.exe to install the application.
     Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
     If an update is found, it will download and install the latest version.
     Once the program has loaded, select "Perform Quick Scan", then click Scan.
     The scan may take some time to finish, so please be patient.
     When the scan is complete, click OK, then Show Results to view the results.
     Make sure that everything is checked, and click Remove Selected.
     When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
     The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
     Copy & paste the entire report in your next reply.
     Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     Please run the F-Secure Online Scanner.
     Note: You must use Internet Explorer for this scan!
     Accept the License Agreement.
     Once the ActiveX installs, click Full System Scan.
     Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
     When the scan completes, click the Automatic cleaning (recommended) button.
     Click the Show Report button and copy and paste the entire report in your next reply.
  4. Hi, bojadada
     I am going to try to kill the rootkits. If you haven't downloaded Combofix, please do (see Post #8). Make sure it is saved on the desktop.
     Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, open the folder and click on RunMe.bat. The MS-DOS window will be displayed for a few seconds and the computer will restart.
     Upon restart, click on Combo-Fix and follow its instructions on Post #8.
  5. Yes. Do not allow it to scan. Click on No, then select the rootkit tab, save and post the report.
  6. Not much. I'll be happy to see one of these utilities remove what is blocking Windows.
  7. Download RootRepeal from one of the following locations and save it to your desktop: Link 1 Link 2 Link 3
     Double-click to start the program.
     Click on the Report tab at the bottom of the program window.
     Click the button.
     In the Select Scan dialog, check: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT.
     Click the OK button.
     In the next dialog, select all drives showing.
     Click OK to start the scan.
     Note: The scan can take some time. DO NOT run any other programs while the scan is running.
     When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt.
     Go to File, then Exit to close the program.
     If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
     To attach a file, do the following:
     Click Add Reply.
     Under the reply panel is the Attachments Panel.
     Browse for the attachment file you want to upload, then click the green Upload button.
     Once it has uploaded, click the Manage Current Attachments drop-down box.
     Click on to insert the attachment into your post.
  8. Go to this link: ftp://ftp.drweb.com/pub/drweb/livecd/
     There will be a list of files. I believe these are already included in the .iso file, which is the last link on the page. This is the .iso file: ftp://ftp.drweb.com/pub/drweb/livecd/minD...iveCD-5.0.0.iso
     For more instructions, read here: ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf
  9. There is nothing blocking. Please attempt to merge that .reg file into the Registry in Safe Mode. To boot in Safe Mode, follow these steps:
     Restart your computer.
     After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
     Instead of Windows loading as normal, the Advanced Options Menu should appear.
     Select the first option, to run Windows in Safe Mode, then press Enter.
     Choose your usual account.
  10. Hi, bojadada
     Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
     Disconnect from the Internet and close all running programs.
     Temporarily disable any real-time active protection so your security program drivers will not conflict with this file. Click on this link to see a list of programs that should be disabled.
     Double-click on the downloaded file to start the program. (If running Vista, right-click on it and select "Run as an Administrator".)
     Allow the driver to load if asked.
     You may be prompted to scan immediately if it detects rootkit activity.
     If you are prompted to scan your system, click "No", save the log and post back the results.
     If not prompted, click the "Rootkit/Malware" tab.
     On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
     Select all drives that are connected to your system to be scanned.
     Click the Scan button to begin. (Please be patient, as it can take some time to complete.)
     When the scan is finished, click Save to save the scan results to your Desktop. Save the file as Results.log and copy/paste the contents in your next reply.
     Exit the program and re-enable all active protection when done.
  11. Download RootRepeal from one of the following locations and save it to your desktop: Link 1 Link 2 Link 3
     Double-click to start the program.
     Click on the Report tab at the bottom of the program window.
     Click the button.
     In the Select Scan dialog, check: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT.
     Click the OK button.
     In the next dialog, select all drives showing.
     Click OK to start the scan.
     Note: The scan can take some time. DO NOT run any other programs while the scan is running.
     When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt.
     Go to File, then Exit to close the program.
     If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
     To attach a file, do the following:
     Click Add Reply.
     Under the reply panel is the Attachments Panel.
     Browse for the attachment file you want to upload, then click the green Upload button.
     Once it has uploaded, click the Manage Current Attachments drop-down box.
     Click on to insert the attachment into your post.
  12. See my previous post. I modified some of it.
  13. Make sure you do Step 1. The file must be copied to the root directory. I changed the way the Avenger script is shown on the topic. Open Notepad. Select Format. Remove the checkmark from Word Wrap if present. Start copying the script from the word Begin, including the word, then all the way down. Try the fix once again. Keep me posted.
  14. Hi, bojadada
     Please follow these steps:
     Step 1
     Open a command prompt. (Start->Run, type CMD and click OK.)
     At the prompt, copy and paste the following commands and press Enter after each line:
     Copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\
     Exit
     Step 2
     Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here in your next reply.
     "%userprofile%\desktop\win32kdiag.exe" -f -r
     Step 3
     1. Please download The Avenger by Swandog46 to your Desktop. Right-click on the Avenger.zip folder and select "Extract All...". Follow the prompts and extract the avenger folder to your desktop.
     2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
        Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
     3. Now, open the avenger folder and start The Avenger program by clicking on its icon. Right-click on the window under Input script here:, and select Paste. You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard. Click on Execute. Answer "Yes" twice when prompted.
     4. The Avenger will automatically do the following:
        It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
        On reboot, it will briefly open a black command window on your desktop; this is normal.
        After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
        The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
     5. Please copy/paste the content of c:\avenger.txt into your reply.
     Step 4
     Please download Malwarebytes' Anti-Malware from Here.
     Double-click mbam-setup.exe to install the application.
     Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
     If an update is found, it will download and install the latest version.
     Once the program has loaded, select "Perform Quick Scan", then click Scan.
     The scan may take some time to finish, so please be patient.
     When the scan is complete, click OK, then Show Results to view the results.
     Make sure that everything is checked, and click Remove Selected.
     When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
     The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
     Copy & paste the entire report in your next reply.
     Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     Step 5
     Please download ComboFix from Here or Here to your Desktop.
     **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
     If you are using Firefox, make sure that your download settings are as follows: Tools->Options->Main tab. Set to "Always ask me where to Save the files".
     During the download, rename Combofix to Combo-Fix as follows:
     It is important you rename Combofix during the download, but not after.
     Please do not rename Combofix to other names, but only to the one indicated.
     Close any open browsers.
     Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
     -----------------------------------------------------------
     Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
     Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
     -----------------------------------------------------------
     Close any open browsers.
     WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
     If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
     -----------------------------------------------------------
     Double-click on Combo-Fix.exe & follow the prompts.
     When finished, it will produce a report for you.
     Please post the "C:\Combo-Fix.txt".
     **Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**
     Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
     Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
     Please do not install any new programs or update anything unless told to do so while we are fixing your problem.
  15. Hi, bojadada
     Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.
     "%userprofile%\desktop\win32kdiag.exe" -f -r
     Once finished, attempt to run Malwarebytes.
  16. Here is another option using Dr. Web CureIt: http://www.freedrweb.com/livecd/
     Your computer is infected with a Trojan that affects file permissions. If these options are unable to remove it, you will need to reformat and reinstall.
  17. Hi, bojadada Welcome. Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
  18. Click Win32kDiag.exe once again and, when it has finished, post its Win32kDiag.txt report.
  19. Please download ComboFix from Here or Here to your Desktop.
     **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
     If you are using Firefox, make sure that your download settings are as follows: Tools->Options->Main tab. Set to "Always ask me where to Save the files".
     During the download, rename Combofix to Combo-Fix as follows:
     It is important you rename Combofix during the download, but not after.
     Please do not rename Combofix to other names, but only to the one indicated.
     Close any open browsers.
     Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
     -----------------------------------------------------------
     Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
     Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
     -----------------------------------------------------------
     Close any open browsers.
     WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
     If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
     -----------------------------------------------------------
     Double-click on Combo-Fix.exe & follow the prompts.
     When finished, it will produce a report for you.
     Please post the "C:\Combo-Fix.txt".
     **Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**
     Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
     Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
     Please do not install any new programs or update anything unless told to do so while we are fixing your problem.
  20. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. This time around, allow the application to finish. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.
     "C:\Users\Paul\Desktop\Win32kDiag.exe" -f -r
  21. Hi, Dave5151 Welcome. Please save this file in a place you can remember such as, your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
  22. Hi, marz Welcome. Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
  23. Yes. Other than Malwarebytes, all other tools should be removed.
     The following is a list of free tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
     Spybot Search & Destroy - A useful tool which can search and annihilate bad files that make it onto your system. Now with an Immunize section that will help prevent future infections.
     AdAware - Another very powerful tool which searches and kills bad files that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
     SpywareBlaster - Great prevention tool to keep bad files from installing on your system.
     ZonedOut + IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
     ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those bad files that like to reside in the temp folders.
     Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this, just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
     Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
     Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
     ERUNT (Emergency Recovery Utility NT) - Allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT, however, creates a complete backup set, including the Security hive and user-related sections. ERUNT is easy to use and, since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
     Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console, see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
     To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Miekiemoes.
     Best wishes!
  24. Hi, Lechnek Can you download Combofix and run it while able to boot with the Unix CD? I am also unfamiliar with Unix. There is a Rescue CD download from AVIRA that will scan a system that is unable to boot. The Avira AntiVir Rescue System is a linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to repair a damaged system, to rescue data or to scan the system for virus infections. Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer. http://dl.antivir.de/down/vdf/rescuecd/rescuecd.exe Once you