The "Permission" Virus Disables my Anti-Virus programs

Discussion in 'Malware Help (A Specialist Will Reply)' started by AndyTran1985, Aug 30, 2009.

  1. AndyTran1985

    AndyTran1985 Private E-2

    I have the virus like this thread here:
    http://forums.majorgeeks.com/showthread.php?t=196003&highlight=antispyware+appropriate+permissions


    -My OS is Windows Vista 32 bit.

    -Cannot post logs:
    I also have an MGTools problem
    where it displays "32 bit windows os not found"

    *Currently I cannot post up logs without MGTools.


    Symptoms:
    1. Every anti-virus program I tried running, and HijackThis, displays
    "windows cannot access the specified device, path, or file. you may not have the appropriate permissions to run access the item"

    Things I've Tried:
    1. I tried erasing all the new files in system32 that were from the 28th, when I first got the virus.
    2. I emptied my Temporary Internet Files folder.
    3. Revealing hidden files.
    4. RootRepeal stalls when I tried using it to follow the thread similar to my problems (above).

    Thank you, any help would be greatly appreciated. :)
     
  2. AndyTran1985

    AndyTran1985 Private E-2

    Another symptom is that it denies permission to erase certain folders as well; I tried to erase the MGTools folder to reinstall and it denied that.
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I also want to know what files are showing in the MGTools ...so open a command prompt again and input this:
    dir C:\MGtools > c:\filelist.txt

    Now go to the MGTools folder and tell me what happens when you try to run SN64.bat
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    • Open a command prompt in Windows and run the below commands
      • cd C:\
      • MGtools.exe
      • capture the output from the command prompt window. Seeing a message like below is normal
        • 32 bit Windows OS found
      • Seeing a message that says 32 bit Windows OS not found is not normal
      Tell me what you get.
     
    Last edited: Aug 30, 2009
  5. AndyTran1985

    AndyTran1985 Private E-2

    Still says the same message, that it's not found.
     
  6. AndyTran1985

    AndyTran1985 Private E-2

    I tried the thing with the sn64; it runs for a brief second and goes away.


    Another symptom of my virus is that once I try to use an antivirus, its folder will have a permission error too. I can't erase its folder.

    thanks, tim
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure about that? The normal message would be 32 bit Windows OS found

    There is no message that it prints to say 32 bit Windows OS not found.

    It either prints a message for finding 32 bit or 64 bit OS's. It does not print one about them not being found.

    You need to capture the output from the command prompt window to a file or you need to get a snapshot of just that window so that it is legible.
     
  8. AndyTran1985

    AndyTran1985 Private E-2

    Oh my goodness.
    It does say windows 32 bit found.
    You are absolutely right.
    I don't know if it always said that; when I click on the getlogs.bat it also says windows 32 bit found.

    But my problem is still there: the window closes quickly after it opens.


    Thanks for the help so far, Tim.
    I hope this works out.
     
  9. AndyTran1985

    AndyTran1985 Private E-2

    Hi Tim / Chas, so what do I do next?

    Thanks Chas, thanks Tim.

    I am still unable to run MGtools.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First let me ask if you are sure you followed the instructions given here: Using MGtools for running MGtools with Vista. If you did not disable UAC and reboot and if you did not right click and Run as Administrator then you are going to have problems.

    If the above is not what the problem is, you need to give us the info from a command prompt window that was requested since what you had already been telling us was incorrect info. Click Start, Run and enter cmd and click OK. This will open a command prompt window. In the command prompt window enter the below commands each followed by a carriage return.

    cd C:\MGtools
    ShowNew.bat

    Copy and paste the output from the command prompt window here so that we can see what happens. You can copy this by right clicking on the top bar of the command prompt window and use the Edit commands to Mark and then Copy the info. You can save it into a file to attach or you can just paste it into a message here.
     
    Last edited: Sep 1, 2009
  11. AndyTran1985

    AndyTran1985 Private E-2

    Hi Chas.

    I followed the Vista steps for using MGtools when I first used it.
    I don't think the UAC is the problem.


    I tried what you suggested with the cmd prompt:
    cd c:\mgtools and then shownew.bat

    As soon as I hit enter with shownew.bat typed in,
    the cmd prompt window closes immediately.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Open a command prompt window again and enter the below command and hit enter

    calc

    Does the calculator open?

    If yes, type the below command and hit enter

    dir

    Does the above give a directory listing?

    If yes, type the below command and hit enter

    cd C:\MGtools

    Does the prompt in the window change to show C:\MGtools>

    If yes, type the below commands and hit enter (there is a space before and after each > sign):

    set > env.txt
    dir > dir.txt

    If the command prompt window is still open, type the below command, hit enter and tell me what happens:

    sn64.bat


    Also attach the below files if you got to this point:
    C:\MGtools\env.txt
    C:\MGtools\dir.txt


    And no matter what happens with all of the above, see if you can run any of the below. Attach logs if they run.


    Running GMER to detect rootkits

    Using ESET's Online Scanner
     
    Last edited: Sep 1, 2009
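    The checks chaslang lists in post 12, gathered into one batch file so the answers are written to disk instead of being lost when the console disappears. This is an added example, not code from this thread or from MajorGeeks; it assumes MGtools is installed at C:\MGtools, and C:\MGtools\diag.txt is a made-up output path. Run it from an elevated command prompt (right click, Run as Administrator) as the thread advises for Vista.

```batch
@echo off
rem Added example (not from the thread): run the post-12 checks in one pass
rem and record each result in C:\MGtools\diag.txt (hypothetical path).
rem Assumes MGtools is installed at C:\MGtools.
setlocal
set "OUT=C:\MGtools\diag.txt"
if not exist "C:\MGtools" (
    echo C:\MGtools not found; install MGtools first.
    exit /b 1
)
cd /d C:\MGtools
echo === diag started %date% %time% === > "%OUT%"

rem 1. Can the console still launch another program at all?
start "" calc.exe && (echo calc launched OK >> "%OUT%") || (echo calc FAILED to launch >> "%OUT%")

rem 2. Does a simple built-in still work? Its listing is kept too.
dir >> "%OUT%" 2>&1

rem 3. Environment and directory listing, exactly as requested in the post.
set > env.txt
dir > dir.txt
echo env.txt and dir.txt written >> "%OUT%"

rem 4. Run the batch file that keeps dying. 'call' runs it in this window;
rem    the marker line before it tells you how far the script got.
echo about to run sn64.bat >> "%OUT%"
call sn64.bat >> "%OUT%" 2>&1
echo sn64.bat returned errorlevel %errorlevel% >> "%OUT%"
echo === diag finished %time% === >> "%OUT%"
endlocal
```

    Reading the result: if diag.txt stops at "about to run sn64.bat" with no "returned errorlevel" line, the whole cmd.exe process was terminated when sn64.bat started, which matches the "window closes immediately" symptom described in the thread; if the errorlevel line is present, sn64.bat ran and its own output (or the access-denied message) is captured just above it. Either way env.txt and dir.txt are already on disk for attaching.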
  13. AndyTran1985

    AndyTran1985 Private E-2

    I tried everything all the way down to the part of sn64.bat and the window closes immediately as soon as I hit enter on sn64.bat.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then attach the below two logs and try running the two procedures given
    C:\MGtools\env.txt
    C:\MGtools\dir.txt
     
  15. AndyTran1985

    AndyTran1985 Private E-2

    attached are the requested items. thank you.
     

    Attached Files: dir.txt (2.8 KB), env.txt (1.4 KB)
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to try running those two other scans I requested from GMER and ESET.
     
  17. AndyTran1985

    AndyTran1985 Private E-2

    Oh, I didn't see that. OK, I will try to run those two scans. Thanks.
    I'll get it done right now.
     
  18. AndyTran1985

    AndyTran1985 Private E-2

    Followed the GMER scanning guidelines exactly.
    It ran for 10 minutes and detected about 15 infected items in drivers, etc.,
    and then all of a sudden it shut off after it found something.

    I notice a pattern with all my antivirus and rootkit scanners: once it finds that one item then it shuts off, and then after I try to run the program again it displays the not-having-permission prompt.

    I'm going to run the ESET scanner next.
     
  19. AndyTran1985

    AndyTran1985 Private E-2

    I ran ESET and the permission problem is still there. It found 5 trojans; I attached them to this reply. The 5 it found weren't the same ones that were spotted by GMER. Is there an online rootkit revealer? The virus seems to only disable computer applications, but not online ones.

    What should I do next? Thanks.
     

  20. AndyTran1985

    AndyTran1985 Private E-2

    and the log.txt
     

    Attached Files: log.txt (2.6 KB)
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not everything being printed by GMER is necessarily a problem. In fact most of what it prints is typically quite normal.


    Sounds similar to infections plaguing XP where some system files are infected and are the root cause. You would be the first person with Vista that I have seen with this infection if this is the case. Open Windows Explorer ( Right Click Start and select Explore) and navigate to the below folder and files and right click on them. Select Properties and tell me the exact file sizes in bytes:

    C:\windows\system32\netlogon.dll
    C:\windows\system32\scecli.dll

    These are two of the 3 commonly used in XP for the infection. The 3rd is eventlog.dll but this file does not exist in Vista. The infection could also be using other files in Vista since there are many more new possibilities.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It found 3. ;) All things you or someone else downloaded, some of which were not a good idea. You need to go thru your PC right now and delete all downloads of cracks and other illegal software. If any of this software was installed, you need to uninstall it.
     
  23. AndyTran1985

    AndyTran1985 Private E-2

    lol. thanks.


    netlogon.dll is 578 KB size and 580 KB size on disk

    scecli.dll is 173 KB size and 176 KB size on disk



    I haven't downloaded any cracks or illegal software in months.
    I don't think that could be the problem, do you think so?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I stated, I needed the file size in bytes not KB. Also there is at least one more file we know of on Vista that could be infected, so give me the files size (in bytes) of c:\windows\system32\cngaudit.dll

    In fact, try running the below procedure and attach the requested log:

    Win32KDiag - How to run


    Do you have an installation DVD for Vista?

    Problems do not always manifest themselves immediately. Sometimes it is a slow deterioration. I cannot say that this was your source for sure. When you got infected, what were you doing? What website were you on? Were you downloading anything? Were you trying to open any online videos? Did you install any special codecs?
     
  25. AndyTran1985

    AndyTran1985 Private E-2

    netlogon.dll is 592,384 bytes size
    593,920 bytes size on disk


    scecli.dll 177,152 bytes size
    180,224 bytes size on disk


    I don't have an installation DVD for Vista.
    I'm going to run the suggested Win32kDiag tonight.


    I go on Hulu and surfthechannel a lot to watch shows, and surfthechannel most of the time has popups. I sometimes click on them to exit instead of ctrl-alt-delete out. So it could actually be any given day. I don't download any movies or music. I haven't downloaded any codecs since 2 years ago.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay. Then also tell me the size in bytes of c:\windows\system32\cngaudit.dll

    I only need the size in bytes, not the bytes size on disk.

    Also please run the below in addition to the Win32kDiag already requested.


    Now we need to scan the system with this special tool.
    • Please download Junction.zip and save it.
    • Unzip it and put junction.exe in the Windows directory (C:\Windows).
    • Go to Start => Run... => Copy and paste the following command in the run box and click OK:
      cmd /c junction -s c:\ >log.txt
      A command window opens starting to scan the system. Wait until a log file opens. Attach this log that is in the Windows folder.
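    A batch file that reports the exact byte sizes chaslang asks for in posts 21, 24 and 26 and then lists NTFS reparse points (junctions and symbolic links) with the built-in dir /a:l, which shows the same kind of entries junction -s does. This is an added example, not from this thread or from MajorGeeks; C:\sizes.txt and C:\reparse.txt are made-up output paths, and logevent.dll is included only because the thread later uses it as the clean replacement for cngaudit.dll.

```batch
@echo off
rem Added example (not from the thread): byte sizes of the system DLLs asked
rem about in the thread, plus a reparse-point listing of drive C:.
rem Output paths C:\sizes.txt and C:\reparse.txt are hypothetical.
setlocal
set "SIZES=C:\sizes.txt"
set "LINKS=C:\reparse.txt"

echo File sizes in bytes, %date% %time% > "%SIZES%"
for %%F in (
    "C:\Windows\System32\netlogon.dll"
    "C:\Windows\System32\scecli.dll"
    "C:\Windows\System32\cngaudit.dll"
    "C:\Windows\System32\logevent.dll"
) do (
    if exist "%%~F" (
        rem %%~zF is the size in bytes, the same number the Properties
        rem dialog shows as "Size" (not "Size on disk"); %%~tF is last-write time
        echo %%~nxF  %%~zF bytes  modified %%~tF >> "%SIZES%"
    ) else (
        echo %%~nxF  MISSING >> "%SIZES%"
    )
)
type "%SIZES%"

rem Reparse points anywhere on C:. Vista ships a number of legitimate
rem junctions under C:\Users and C:\ProgramData; an entry that redirects a
rem system, security-tool or antivirus folder somewhere unexpected is what
rem the junction scan in the thread is looking for. Access-denied noise
rem from protected folders is discarded.
echo Scanning C:\ for reparse points, this takes a while...
dir /a:l /s C:\ > "%LINKS%" 2>nul
echo Wrote %LINKS%
endlocal
```

    The sizes line up with what the thread reports from the Properties dialog (for example 592,384 bytes for netlogon.dll and 62,976 bytes for cngaudit.dll in this case), so the file can be attached as-is. Running it as Administrator, as the thread advises for every tool on Vista, avoids most of the access-denied gaps in the reparse-point listing; dir /a:l without /b prints each junction with its target in brackets, which is the detail that matters when reviewing the list.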
     
  27. AndyTran1985

    AndyTran1985 Private E-2

    The requested win32kdiag log is attached.

    cngaudit.dll is 62,976 bytes


    I will do the junction one now.
     

  28. AndyTran1985

    AndyTran1985 Private E-2

    Uh oh, junction won't run like the others.

    So far only Win32kDiag works. (I attached the log in my previous reply.)
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I can see your problems from the Win32kDiag log, but please try the below.

    • Extract the Junction.exe file from the ZIP file again but this time save it to C:\junction.exe
    • Now try the below which is slightly different than last time.
    • Go to Start => Run... => Copy and paste the following command in the run box and click OK:
      cmd /c C:\junction -s c:\ >log.txt
      A command window opens starting to scan the system. Wait until a log file opens. Attach this log that is in the Windows folder.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First I want you to copy the below file to your root folder.

    C:\Windows\System32\logevent.dll

    If you don't know how to copy the file, just navigate to it and right click on it and select Copy. Then navigate back to your C:\ folder and right click and select Paste. MAKE SURE the file is copied into the root folder before you continue because the fix will not work if the file is not copied there.



    Now download The Avenger by Swandog46, and save it to C:\avenger.zip. You MUST save it here.
    • Extract avenger.exe from the Zip file and also save it to c:\avenger.exe Again you MUST save it there.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now do the below.

    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    "%userprofile%\desktop\win32kdiag.exe" -f -r



    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  31. AndyTran1985

    AndyTran1985 Private E-2

    Great! The window stayed open. It's all black at the moment. 2 minutes have passed and it's still black. I'll wait for a bit longer and let you know if anything comes up.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I assume you are referring to running junction. It can take quite awhile for it to finish scanning since it is going to look thru ALL files and folders on your hard disk. Just wait.
     
  33. AndyTran1985

    AndyTran1985 Private E-2

    I opened up Avenger.

    I don't see "input script manually" or a magnifying glass.
     
  34. AndyTran1985

    AndyTran1985 Private E-2

    I pasted what Avenger looks like.
    I don't see input script manually or Script file to execute.
     

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. I was on an older PC at the time that did not have my updated procedures. The first part of those instructions for Avenger should be like below.




    Now download The Avenger by Swandog46, and save it to C:\avenger.zip. You MUST save it here.
    • Extract avenger.exe from the Zip file and also save it to c:\avenger.exe Again you MUST save it there.
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
     
  36. AndyTran1985

    AndyTran1985 Private E-2

    When putting this in the script box
    "C:\logevent.dll | C:\WINDOWS\system32\cngaudit.dll"

    and pressing execute, it says:

    error: invalid script a vaild script must begin with a command directive
     
  37. AndyTran1985

    AndyTran1985 Private E-2

    nm, I forgot to put

    Files to move:




    It worked.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then it should have rebooted your PC. Then you need to continue.
     
  39. AndyTran1985

    AndyTran1985 Private E-2

    Thanks for everything so far.
    I'm going to sleep. I will finish up with the rest of the steps

    and attach the rest of the logs.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not wait. If you don't continue, the infection could respread making it more difficult to fix.
     
  41. AndyTran1985

    AndyTran1985 Private E-2

    Oh OK, I'll continue.
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! Get me the below logs ASAP.

    • Avenger
    • the new win32kdiag log
    • the new MGlogs.zip
     
  43. AndyTran1985

    AndyTran1985 Private E-2

    I have all the logs attached.
    =]
     

  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall this Viewpoint Media Player while I look thru your logs.

    Also see if you can run the procedure given with junction a few messages back and get me that log. We may need to fix some permissions in other folders. Also I already see some other malware now that we got the other scans to run.
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also attach this log file:


    C:\Windows\System32\log.txt
     
  46. AndyTran1985

    AndyTran1985 Private E-2

    junction still doesn't run, and I erased Viewpoint Media Player.


    It won't let me attach
    C:\Windows\System32\log.txt

    and said error in attach management.
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then continue with the below.

    You need to run MSconfig and put your PC into Normal Startup mode as requested in step 4 of the READ & RUN ME.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Sep 19, 2009
  48. AndyTran1985

    AndyTran1985 Private E-2

    I have the requested logs uploaded.
    Thanks!
     

  49. AndyTran1985

    AndyTran1985 Private E-2

    It said that I already attached avenger.txt and won't let me attach it again.

    I do have MGtools uploaded in the previous reply.


    Thanks!
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It seems that it never finished running completely to make the new log, but it deleted what we asked it to.

    Where exactly do you have the junction.exe file located?
     
