
Malwarebytes, AVG, Avira, and HJT won't Run


Byro


So I followed the instructions I was given by Yardbird.

Installed Avira: scanned, came up with quite a few different problems (around 20), "fixed" the issues, then shut down the computer for the night. Started the computer this morning; Avira wouldn't scan and this error comes up: An error occurs in the scheduler.

Error test: The program to execute is invalid or destroyed.

Error code: [3].

Installed HJT: started a scan with the logfile being saved; it closed after a couple of seconds. When I try to reopen HJT I get "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I am logged on as an admin.

Waiting for further instructions.


Hello Byro,

Download Win32kDiag from any of the following locations and save it to your Desktop.

Click on Start button. Select Run, and copy-paste the following command (the bolded text) into the "Open" textbox, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Then, using My Computer {Windows Explorer} locate your hijackthis.exe

The default setup goes into this folder C:\Program Files\Trend Micro\HijackThis

RIGHT-click on hijackthis.exe and select Rename, and rename it to BRAVO.exe

Start Bravo.exe, do a Scan and Save log

Reply with a copy of the HijackThis log. If the HJT does not run, post a copy of the Win32kdiag.txt


Running from: C:\Documents and Settings\Tim.BARNES\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Tim.BARNES\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\$NtServicePackUninstall$\avc.sys

Attempting to restore permissions of : C:\WINDOWS\$NtServicePackUninstall$\avc.sys

[1] 2004-08-03 23:10:12 38912 C:\WINDOWS\$NtServicePackUninstall$\avc.sys ()

[1] 2008-04-13 13:46:20 38912 C:\WINDOWS\ServicePackFiles\i386\avc.sys ()

[1] 2004-08-04 01:10:10 38912 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\avc.sys ()

Could not rename HJT to BRAVO

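The Win32kDiag output above has a fixed line shape, so a helper triaging such a log can pull out the interesting facts mechanically: which files the tool could not open, whether it lacked the backup privilege it needs to reset permissions, and whether copies of the same system file differ in size between the service-pack cache and the live directory. The following Python script is an added example written for this page, not a tool from the thread or from the Win32kDiag author; the sample log is constructed from the lines quoted above plus an invented example.sys group, and the line format it assumes is only what that quoted output shows.

```python
import re
from collections import defaultdict

# Constructed sample: the Win32kDiag lines quoted in the thread, plus one extra
# file group ("example.sys", invented here) whose two copies differ in size.
SAMPLE_LOG = r"""Running from: C:\Documents and Settings\Tim.BARNES\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\Tim.BARNES\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Cannot access: C:\WINDOWS\$NtServicePackUninstall$\avc.sys
Attempting to restore permissions of : C:\WINDOWS\$NtServicePackUninstall$\avc.sys
[1] 2004-08-03 23:10:12 38912 C:\WINDOWS\$NtServicePackUninstall$\avc.sys ()
[1] 2008-04-13 13:46:20 38912 C:\WINDOWS\ServicePackFiles\i386\avc.sys ()
[1] 2004-08-04 01:10:10 38912 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\avc.sys ()
[1] 2009-01-10 09:00:00 40960 C:\WINDOWS\ServicePackFiles\i386\example.sys (Example Vendor)
[1] 2009-09-01 08:12:44 57344 C:\WINDOWS\system32\drivers\example.sys ()
"""

# One file entry: "[n] YYYY-MM-DD HH:MM:SS <size> <path> (<vendor>)".
# The meaning of the leading [n] is not documented on the page; it is kept as-is.
ENTRY_RE = re.compile(
    r"^\[(?P<flag>\d+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+(?P<size>\d+)\s+(?P<path>.+?)\s+\((?P<vendor>.*)\)\s*$"
)


def parse_win32kdiag(text):
    """Split a Win32kDiag log into warnings, inaccessible files, restore attempts and file entries."""
    report = {"warnings": [], "inaccessible": [], "restore_attempts": [], "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("WARNING:"):
            report["warnings"].append(line[len("WARNING:"):].strip())
        elif line.startswith("Cannot access:"):
            report["inaccessible"].append(line.split(":", 1)[1].strip())
        elif line.startswith("Attempting to restore permissions of"):
            report["restore_attempts"].append(line.split(" : ", 1)[1].strip())
        else:
            m = ENTRY_RE.match(line)
            if m:
                report["entries"].append({
                    "date": m["date"], "time": m["time"], "size": int(m["size"]),
                    "path": m["path"], "vendor": m["vendor"],
                })
    return report


def size_mismatches(entries):
    """Group entries by file name (case-insensitive); return the groups whose copies differ in size."""
    groups = defaultdict(list)
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        groups[name].append(e)
    return {name: g for name, g in groups.items() if len({e["size"] for e in g}) > 1}


def triage(text):
    """Summarise what a helper reading the log would want to know first."""
    report = parse_win32kdiag(text)
    return {
        # Without backup privileges the permission reset cannot have fully worked.
        "backup_privilege_missing": any("backup privileges" in w.lower() for w in report["warnings"]),
        "inaccessible": report["inaccessible"],
        "size_mismatches": sorted(size_mismatches(report["entries"])),
        "entry_count": len(report["entries"]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A size mismatch is only a prompt to look closer (a legitimately updated driver also differs from its service-pack copy), and the combination of an inaccessible file with the missing backup privilege warning is the situation the permission-reset steps later in this thread are meant to address.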

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not Byro and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own. But do as much as you can of the following.

But it is important that you get going on these following steps. If one does not run, do the next task.

=

Close any of your open programs while you run these tools.

Confirm for me that you have run Win32kdiag just as I listed (earlier).

This log looks way too short. Please look at it again with NOTEPAD.

I'd like to ensure we have all lines.

=

Set Windows to show all files and all folders.

On your Desktop, double-click My Computer; from the menu options, select Tools, then Folder Options, then select the View tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the Hidden files and folders heading, select Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

=

(With much thanks to Tetonbob at TSF, whose methods & verbiage I'm using here).

Download this tool and save it directly to your desktop (not to a folder on the desktop); the commands are tailored for the desktop location.

Click Start>Run and

Copy then Paste the following bolded text into the Run box and click OK:

"%userprofile%\desktop\Inherit.exe" "C:\Program Files\Trend Micro\HijackThis\hijackthis.exe"

Repeat for these files, or simply find the files and drag-and-drop them onto Inherit.exe. For any other files where you get an access denied message, you can do the same.

"%userprofile%\desktop\Inherit.exe" "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

"%userprofile%\desktop\Inherit.exe" "c:\WINDOWS\system32\wbem\wmiprvse.exe"

=

Next, Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab and make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

Run MBAM and do a quick scan. If not able to run, proceed with next step.

Run Hijackthis and do a Scan and Save. If not able to run, let me know.

Reply with a copy of:

  • the Gmer.txt log
  • the MBAM scan log
  • the HijackThis log

It is very important we get some log(s) in order to proceed further.

Do NOT use the attach feature to place your logs. Always Copy and Paste in-line of body of reply textbox.


  • 2 weeks later...

Gmer.exe ran for about 20-30 minutes and then closed itself and went back to the desktop.

I think I'll just start saving for a new computer.

Any more ideas would be appreciated, but I'm starting to move from bargaining to acceptance.

Thanks, Byro


Search for Gmer.txt

See if you can find it. Let me know and if found, copy and paste a copy here.

Go >> here <<

and download RootRepeal and SAVE to your Desktop.

Double-click the RootRepeal.exe icon on your Desktop.

Click on the Report tab at bottom of window and then click on Scan button.

A window will open asking what to include in the scan. Check all of the below and then click Ok.

  • Drivers
  • Files
  • Processes
  • SSDT
  • Hidden Services
  • Stealth Objects

You will then be asked which drive to scan.

Check C: (or the drive your operating system is installed on if not C) and click Ok again.

The scan will start.

It will take a little while so please be patient. When the scan has finished, click on Save Report.

Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

When you have done this, please copy and paste it in this thread.
