All anti-virus programs shut down after 2 seconds

[tsquared]

Hello,

I've recently discovered some serious issues on my computer. I've read some other posts and found very similar symptoms. However, when I tried the same prescribed methods, nothing is working. Currently, this is what I am experiencing:

- Windows Police Pro tries to prevent most programs from running

- Malwarebytes' Anti-Malware installed and ran for 2 seconds before shutting down, now when I try to run it, the following error message pops up :"Windows cannot acces the specified device, path or file. you may not have the appropriate permissions to accese the item"

- Hijack This installs but gets the same error as Malwarebytes

- I downloaded Combo-Fix, but when I run it I get this error: " C:\Users\Owner\Desktop\COMBO-~1.EXE The NTVDM CPU has encountered an illegal instruction. CS:1211 IP:01dd OP:63 6f 6e 74 65 Choose 'Close' to terminate the applocation"

I am not sure what my next step should be, can anyone please help? BTW, I am on vista ultimate.

Thanks very much.

[sjpritch25]

Welcome to Malwarebytes!!!!

Delete your current copy of ComboFix

Please download ComboFix again from here

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Save it to your desktop as svchost.exe

Let me know if it still won't run.

Please download Win32kDiag.exe by AD to your Desktop.

Double-click on Win32kDiag.exe.

It will create Win32kDiag.txt on your Desktop.

In your next reply, please include the log. Thanks

[tsquared]

Thanks for the welcome.

I went ahead and downloaded the new version of ComboFix as you've suggested. It runs but tells me that "Spyware Doctor" is running and it may be intrusive to ComboFix. I closed down what looked like Spyware Doctor processes in task manager (pctsAnxs.exe - PC tools auxiliary service and pctsSvc.exe - PC tools Security Service), but ComboFix still says spyware doctor is running, although it went ahead and started the scan anyway.

After scanning for about 3 minutes, it says it needs to reboot, and wants me to write down this file name "c:\windows\system32\drivers\kbiwkmocnmuofk.sys" because it might need it later. I did that but after the machine reboots, there is no resumed ComboFix process. I tried to run it again and the does the same thing.

One thing to note is that before I'm able to run ComboFix in the first place, I had to first stop the windows police pro processes in task manager. So maybe after it rebooted, these processes came back and blocked the original instance of ComboFix?

I've attached the catchme.log file, but there's not much in it.

I tried downloading the Win32kDiag.exe file you've mentioned, but whenever i right click and go to "save link as", it gives me the error: "The download cannot be saved because an unknown error occurred. Please try again."

Sorry I wasn't able to make too much progress, is there anything you would suggest doing next?

Thanks again.

[tsquared]

here's the attachment

catchme.zip

[tsquared]

Update: I went ahead and uninstalled Spyware Doctor since I couldn't figure out how else to stop it from running. This time when I ran ComboFix, the warning messages didn't come up, but the result is the same. It scans for a little while and wants to reboot because it has "detected rootkit activity", and wanted me to write down that file name mentioned above. After the reboot, a bunch of "Debugger detected [97]" pop ups appeared, I think this is because windows police pro came back and blocked everything. So now I know it wasn't Spyware Doctor causing the issue, but I'm still not sure how to proceed.

[sjpritch25]

Let me know if you still can't run it. Thanks

http://ad13.geekstogo.com/Win32kDiag.exe

[tsquared]

Okay that one worked. Here's the file.

Win32kDiag.txt

[sjpritch25]

Did you rename ComboFix.exe before you saved it to your desktop?

[sjpritch25]

After you stop the process for police patrol. Can you run Malwarebytes? If you update to the newest version it should be able to remove this infection. Let me know if your successful or not. Thanks

[tsquared]

I did rename ComboFix.exe to svchost.exe, but it renamed itself after every time it ran.

I tried running Malwarebytes again after stopping the windows police pro processes but it still gave the same error as before. I just reinstalled the latest version from the website and got the updates, but still ran into the same issues: (window closing after 3 second of scanning, won't run again due to permissions error)

[sjpritch25]

okay permission error i most of missed that earlier.

Please download this file to your desktop Junction.zip, Extract the folder Junction to your desktop. Open Junction folder and double-click on junction.bat. Let it run

In your next reply, please include the log. Thanks

Junction.zip

[tsquared]

Here you go, thanks.

log.txt

[sjpritch25]

Okay this is going to take a few steps before we can get the scanner to run. Please be patient.

Download the first attached file fix.zip, Extract fix folder to your Desktop. Open the folder, double-click on fix.bat, let it run.

Download the second attached file search.zip, Extract search.bat. Double-Click on search.bat, a log will pop up.

In your next reply, please include the log.

fix.zip

search.zip

[tsquared]

Dear sjpritch25,

Thanks for all the help so far. I just wanted to tell you that I'm out of town this week for work and won't get home to run those scans until this weekend. Sorry for this inconvenience, I will download and run those files as soon as I get back.

Thanks

[sjpritch25]

no problem

[tsquared]

Here's the log file, thanks.

log.txt

[sjpritch25]

Sorry for the delay, please run Junction.bat again and post the log. Thanks

[tsquared]

Sorry for the late reply, please find attached the log file.

log.txt

[sjpritch25]

Please download attached file fix.zip, extract fix.bat to your desktop.

Please download Inherit by sUBs and save it to your Desktop.

It must be saved to your desktop.

• Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
  
• When it's finished, there will be a log called Win32kDiag.txt on your desktop.
  
• Please open it with notepad and post the contents here.
  

"%userprofile%\desktop\win32kdiag.exe" -f -r

How is everything running???

fix.zip

[tsquared]

The inherit link didn't work so I used the one you've sent over last time with the new fix.bat on my desktop. I went ahead and ran that, got the "OK" pop up then ran the command you've provided (I'm on Vista so I just pasted it in the search window, but I think it's the same thing). Attached is the output file.

Most applications are running okay now, but there is definitely still something wrong. Malwarebytes still closes within a few seconds after i start a scan. There are also pop up ads showing up once in a while by themselves. There's also this pop up warning from my task bar that comes up every minute or so, it doesn't look like a legit windows message but I'm not sure what's bringing it up. Please see attached screenshot.

Again, thanks so much for helping me out. I work out of town and apologize for the long delays between posts.

Win32kDiag.txt

[sjpritch25]

Inherit

Please delete fix.bat from your desktop.

Download that attached file fix.zip, Extract fix.bat to your desktop. Double-Click on fix.bat and allow it to run.

Let me know if you can run Hijackthis and mbam afterwords.

fix.zip

[tsquared]

Fix.bat just disappeared after I clicked on it. I still cannot run Malwarebytes, but it seems to have taken a step backwards. Now I am getting the "WIndows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item" error. What's worse is that now task manager seems to be disabled...

[sjpritch25]

Please delete your current copy of ComboFix

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

• When finished, it will produce a report for you.
  
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
  

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall

[tsquared]

I downloaded the newest version of ComboFix from bleeping computer, saved it to my desktop, then closed all browsers and known anti-virus programs (I cannot tell for sure because task manage has been disabled and I cannot see background processes that may be running). When I ran ComboFix, the command prompt window pops up for a second and disappears.

I'd also like to mention that whenever I start up the computer, instead of bringing me to the desktop, it just opens a windows explorer window and stops. I have to navigate to the windows folder and manually run explorer.exe a couple of times to bring up my desktop and task bar.

[sjpritch25]

Please delete your current copy of Combofix

Download it again, but save it as winlogon.exe and to your desktop. Let me know if your still having issues running it. Thanks