
trojan psw onlinegames3.qnp [Closed]


  • This topic is locked

#1
jszook

    New Member

  • Member
  • 7 posts
I believe I have more than one virus on my comp. I get an error on startup saying can't start folisoso.dll. And I download new antispy and malware tools and get the same thing after one scan. The error saying I don't have permission or access. And I cannot run RootRepeal or any other anti programs.

Edited by jszook, 09 October 2009 - 11:20 PM.

  • 0


#2
handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Hello, jszook, and welcome to GeeksToGo!

Please download Win32kDiag.exe to your desktop. Double-click to run it. A log should appear when it is finished. Post that log here.

If it doesn't pop up, a log should be located on your desktop as "Win32kDiag.txt".
  • 0

#3
jszook

    New Member

  • Topic Starter
  • Member
  • 7 posts
Ok here it is.


Running from: C:\Users\jeremy\Documents\Downloads\Win32kDiag.exe

Log file at : C:\Users\jeremy\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.GpmgmtLib\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Private.GpmgmtpLib\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.GPOAdminGrid\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP201D.tmp\ZAP201D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5CA0.tmp\ZAP5CA0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAD9C.tmp\ZAPAD9C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD078.tmp\ZAPD078.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPED1C.tmp\ZAPED1C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\CSC\v2.0.6\pq



ERROR OCCURRED!

------------------------------

Windows Version: Windows Vista SP1

Exception Code: 0xc0000005

Exception Address: 0x00912525

Attempt to write to address: 0x00000000
  • 0
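
Added example, not part of the original thread or of Win32kDiag: a Python parser for the log in post #3 that pairs each mount point with its destination and flags destinations other than a drive or volume path, along with mount points named after their own parent folder (the pattern every entry in that log shows). The trimmed sample log, the function names and the "ordinary destination" pattern are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample: three entries trimmed from the Win32kDiag log posted above.
SAMPLE_LOG = r"""
Found mount point : C:\Windows\AppPatch\Custom\Custom
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace
Mount point destination : \Device\__max++>\^
Cannot access: C:\Windows\CSC\v2.0.6\pq
"""

# Assumption: an ordinary junction or volume mount resolves to \??\<drive>: or
# \??\Volume{GUID}; any other destination is reported for review.
ORDINARY = re.compile(r"^\\\?\?\\(?:[A-Za-z]:|Volume\{[0-9A-Fa-f-]+\})")

def parse_mount_points(log):
    """Pair each 'Found mount point' line with the destination line after it."""
    pairs, pending = [], None
    for line in log.splitlines():
        key, _, value = line.strip().partition(" : ")
        if key == "Found mount point":
            pending = value.strip()
        elif key == "Mount point destination" and pending is not None:
            pairs.append((pending, value.strip()))
            pending = None
    return pairs

def review(pairs):
    """Flag unusual destinations and mount points named after their parent."""
    findings = []
    for path, dest in pairs:
        parts = path.rstrip("\\").split("\\")
        findings.append({
            "path": path,
            "dest": dest,
            "odd_destination": ORDINARY.match(dest) is None,
            "self_named": len(parts) >= 2 and parts[-1].lower() == parts[-2].lower(),
        })
    return findings

def summarize(log):
    """Return (findings, count of flagged mount points per destination)."""
    findings = review(parse_mount_points(log))
    return findings, Counter(f["dest"] for f in findings if f["odd_destination"])

if __name__ == "__main__":
    for dest, n in summarize(SAMPLE_LOG)[1].items():
        print(f"{n} mount point(s) -> {dest}")
```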

#4
handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Please delete your copy of Win32kDiag.exe and the Win32kDiag.txt log file.

Download a fresh copy of Win32kDiag.exe to your desktop, rename it Win32kDiag.com and see if it runs then. Please post the contents of the new Win32kDiag.txt log file, even if there is an error.

Start Notepad and copy/paste the contents of the following code box into notepad.

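@ECHO OFF
REM List every copy of the named DLLs under C:\WINDOWS (hidden and system files included) into Log.txt
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\sceclt.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\ntelogon.dll C:\WINDOWS\eventlog.dll C:\WINDOWS\logevent.dll C:\Windows\cngaudit.dll >Log.txt
REM Open the listing
START Log.txt
REM Delete this batch file once it has run
DEL %0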

In notepad, select File -> Save As... and in the dropdown box set Save as type: to All Files
Save the file as look.bat on your desktop
Close notepad and double-click on look.bat. A small black box may appear - this is normal.
A text file called log.txt should open on your desktop - copy/paste the contents of log.txt in your reply
  • 0

#5
jszook

    New Member

  • Topic Starter
  • Member
  • 7 posts
Ok, I have no idea where to find Win32kDiag, but I'll try it again. Yeah, that didn't work. So how do I uninstall Win32kDiag?
  • 0

#6
jszook

    New Member

  • Topic Starter
  • Member
  • 7 posts
Volume in drive C has no label.
Volume Serial Number is 309D-B680

Directory of C:\WINDOWS\System32

03/30/2009 11:11 AM 177,152 scecli.dll

Directory of C:\WINDOWS\System32

03/30/2009 11:09 AM 592,384 netlogon.dll

Directory of C:\WINDOWS\System32

11/02/2006 05:46 AM 61,952 logevent.dll

Directory of C:\WINDOWS\System32

11/02/2006 05:46 AM 61,952 cngaudit.dll
4 File(s) 893,440 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6

11/02/2006 05:46 AM 11,776 cngaudit.dll
1 File(s) 11,776 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

11/02/2006 05:46 AM 176,640 scecli.dll
1 File(s) 176,640 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

03/30/2009 11:11 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

11/02/2006 05:46 AM 559,616 netlogon.dll
1 File(s) 559,616 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

03/30/2009 11:09 AM 592,384 netlogon.dll
1 File(s) 592,384 bytes

Total Files Listed:
9 File(s) 2,411,008 bytes
0 Dir(s) 154,513,387,520 bytes free
  • 0
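
Added example, not part of the original thread: a Python check over the DIR listing in post #6 that reports which of the name pairs queried by look.bat appears in System32 only under its alternate name and, going beyond what the thread states, which System32 files match no same-named WinSxS copy by size. The trimmed sample rows and the function names are constructed for the example; a size mismatch is a triage signal to verify the file, not proof of tampering.

```python
import re

# Name pairs queried by look.bat in the thread: (expected name, alternate name).
PAIRS = [("scecli.dll", "sceclt.dll"), ("netlogon.dll", "ntelogon.dll"),
         ("eventlog.dll", "logevent.dll")]

# Constructed sample: rows trimmed from the DIR /a/s listing posted above.
SAMPLE = r"""
Directory of C:\WINDOWS\System32
03/30/2009 11:11 AM 177,152 scecli.dll
03/30/2009 11:09 AM 592,384 netlogon.dll
11/02/2006 05:46 AM 61,952 logevent.dll
11/02/2006 05:46 AM 61,952 cngaudit.dll
4 File(s) 893,440 bytes
Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6
11/02/2006 05:46 AM 11,776 cngaudit.dll
Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12
03/30/2009 11:11 AM 177,152 scecli.dll
Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857
03/30/2009 11:09 AM 592,384 netlogon.dll
"""

# A file row: date, time, AM/PM, size with thousands separators, file name.
ROW = re.compile(r"^\d\d/\d\d/\d{4}\s+\d\d:\d\d\s+[AP]M\s+([\d,]+)\s+(\S+)$")

def parse_dir(text):
    """Return (directory, lower-cased file name, size in bytes) per file row."""
    rows, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Directory of "):
            current = line[len("Directory of "):].lower()
        elif current and (m := ROW.match(line)):
            rows.append((current, m.group(2).lower(), int(m.group(1).replace(",", ""))))
    return rows

def triage(rows):
    """Return (swapped pairs, System32 files whose size matches no WinSxS copy)."""
    sys32 = {n: s for d, n, s in rows if d.endswith("\\system32")}
    store = {}
    for d, n, s in rows:
        if "\\winsxs\\" in d:
            store.setdefault(n, set()).add(s)
    # Expected name absent from System32 while its alternate name is present.
    swapped = [(o, a) for o, a in PAIRS if o not in sys32 and a in sys32]
    unmatched = sorted(n for n, s in sys32.items() if n in store and s not in store[n])
    return swapped, unmatched

if __name__ == "__main__":
    print(triage(parse_dir(SAMPLE)))
```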

#7
handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.


Download Combofix from any of the links below but rename it to the name in the picture below before saving it to your desktop.

Posted Image

Link 1
Link 2
Link 3


==================================


Double click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

  • 0

#8
jszook

    New Member

  • Topic Starter
  • Member
  • 7 posts
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
  • 0

#9
handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Did you run ComboFix as well?
  • 0

#10
jszook

    New Member

  • Topic Starter
  • Member
  • 7 posts
I didn't get any type of txt.doc so I don't know what's up.
  • 0

#11
handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Did you get a blue box, and a bunch of prompts, and did it go through 50 or so stages, and reboot?

Or, did it not seem to run and do all this?
  • 0

#12
jszook

    New Member

  • Topic Starter
  • Member
  • 7 posts
It ran the blue box and through the stages, then I went to sleep and got up and no txt.
  • 0

#13
handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Okay. Navigate to the C:\Qoobox folder, and see if there are any text files in there. If so, post whatever you can find. If not, just let me know, and move on to the following:

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: Posted Image
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Analysis" check box.
    Posted Image
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
    Posted Image
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#14
handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





