Gone through read & run me first with no success please help with rootkit

Welcome to Major Geeks!

Did you interrupt Combo when it was running? The log is mostly empty.

Please try doing the below:

Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then doube click on it to run it.

AVPFind.bat

It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that is will hopefully create as long as the malware does not block the batch file from running.


Now download and Run exeHelper

• Please download exeHelper to your desktop.
• Double-click on exeHelper.com to run the fix.
• A black window should pop up, press any key to close once the fix is completed.
• Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Also please try running the below online scan:

http://www.superantispyware.com/onlinescan.html

Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.

Then try running these instructions: Using MGtools


Attach the below logs when finished with all of the above:

• C:\avplog.txt - from AVPfind
• log.txt - from exeHelper
• C:\MGlogs.zip - from MGtools

The C:\ assumes that drive C is you Windows boot drive. If you boot from another drive, then use the correct drive letter above.

 

Please see if you can do either or both of these instructions;

SysProt AntiRootkit - How to run,

Win32KDiag - How to run

 

Please do the below to make a copy of the good system file into the root folder of your hard disk so that we can use it to fix your problem.

1. Click on the Start button, then click on Run...
2. In the empty "Open:" box provided, type cmd and press Enter
   • This will launch a Command Prompt window (looks like DOS).
3. Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
   copy C:\WINDOWS\system32\logevent.dll C:\ /y
4. In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
5. Press Enter.
   • When successfully, you should get this message within the Command Prompt: "1 file(s) copied"
     NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script below will not work if the file copy was not successful.
6. Exit the Command Prompt window.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now do the following (make sure you redownload the file. Do not use the old copy.):

• Download this Win32kDiag(If on your desktop - Right click and choose copy / then Open my computer, click on the C drive and in the window paste it there) and save to C:\Win32kDiag.exe. You must save it here!!!!
• Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log

C:\win32kdiag.exe -f -r

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Then attach the below logs:

• C:\avenger.txt
• the new log from Win32kDiag
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

See if you can continue on with the instructions. I would like to see the log from running the windiag32 fix ( Win32kDiag.txt on your desktop). I would also like to know what happens when you try to run the MGTools.exe.

Now you should have C:\logevent.dll .....I want you to drag and drop it on top of the C:\WINDOWS\system32\cngaudit.dll. Tell me if you can do that.

Did you do a search for Avenger?

( I apologize for the delay in responding....health issues. )