can't run Mbytes or Combofix but i have SAS and Mg logs....

Were you unable to run RootRepeal? You did not allow MGTools to run to completion. You need to wait until it tells you to hit any key. Please run it again and tell me if you get the pop up to the HJT license. You need to agree to that!

 

Sigh..you were almost at my next reply. With this bump, you would have been waiting another 3 or 4 days.

HOwever, I suspect you have one of the newer infections that is becoming very difficult to deal with. We can start by trying this:

 

Yes! You are infected with one of the new nasty forms of malware that blocks many applications from running. And those that will run, will run once and then not again as you saw with SUPERAntiSpyware.


I will be sending you a Private Message with some instructions to follow. We are doing this privately to keep the info out of the hands of the malware creators. Please do not mention the name of utility we will be giving you or where you are getting it from. Just try to do what we ask you to do and then post back here with any problems you had. Again in mentioning your problems, please don't refer to the program by name. Just call it "the utility" or "the program". For example, you response could be:
The program ran OK. Or the program would not run, I received the following error message...(put your error message here).

 

That didnt help unfortunately. Try running this:
Win32KDiag - How to run

 

Yes I noticed that. Please attach the full log if you have it. We can see the cngaudit.dll file is part of your infection and will need to be replaced with a valid copy of the file.

 

Just in case WIn32kDiag does not finish. Please do the below.

Open up notepad and copy and paste all of the below text in the quote box into it. Then save the file as "find.bat" (you need to use the quotes as shown to avoid having a .txt appended to it) and save it to your Desktop. The double click the find.bat file to run it. When it is finished, attach the c:\flist.log file that will be created. While it is running, a command prompt window will show. It will closed when it is finished.

 

Saying it is not a bump does not change the fact that the effect is still a bump. It cost you at least 2 days.


Here is what I want you to do....

Please copy C:\Windows\System32\logevent.dll to your C:\ drive so you now have:
C:\logevent.dll

Now:

* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now go to start / run / type:
"%userprofile%\desktop\win32kdiag.exe" -f -r

Attach the new win32kdiag log.

 

Let me be more specific:

Please do the below to make a copy of the good system file into the root folder of your hard disk so that we can use it to fix your problem.

1. Click on the Start button, then click on Run...
2. In the empty "Open:" box provided, type cmdand press Enter
   • This will launch a Command Prompt window (looks like DOS).
3. Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
   copy C:\Windows\System32\logevent.dll C:\ /y
4. In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
5. Press Enter.
   • When successfully, you should get this message within the Command Prompt: "1 file(s) copied"
     NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script below will not work if the file copy was not successful.
6. Exit the Command Prompt window.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now do the following (make sure you redownload the file. Do not use the old copy.):

• Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
• Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log

C:\win32kdiag.exe -f -r

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Then attach the below logs:

• C:\avenger.txt
• the new log from Win32kDiag
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Yes to running MBAM and you should also run SAS.

Please use add/remove programs to uninstall:
Viewpoint Media Player

Then use windows explorer to find and delete:
C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
C:\Windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
* SAS
* MBAM
* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

We will deal with re-hiding your system files when you are all clean.

* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now continue on.

 

Your logs look clean. Tell me what issues you may still have.

 

Good to know. If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners.They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
6. Go to add/remove programs and uninstall HijackThis.
7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
8. If you are running Vista, Windows XP or Windows ME, do the below:
   
   • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore ato create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   
   • How to Protect yourself from malware!

 

Then you will need to manually delete the rest of Combo. You can do a windows search for the combofix remaining folders.

To re-hide your system files, you can go to the control panel, double click the Folders icon. There click on view and click the "Do not show hidden files.....", apply and ok out.

 

Running MGClean.bat should take care of all of this automatically.