Thread: Debugger detected [97]

  1. #1
    Member
    Join Date
    Sep 2009
    Posts
    47

    Debugger detected [97]

    Hi and thanks for taking my problem.

    I have read the stickies and cannot include a HJT scan as the program does not work. I was able to install it but when I go to run it I get a Windows Error "windows cannot access the specified device, path, or file, you may not have the appropriate permission to access the item" which of course is not true. I am the owner of the Laptop.

    Now on to the problem
    The infected machine's OS is Vista Home Ed. I have tried Malwarebytes Anti Malware in safe mode and this does not work. When I start my machine I receive about 20 Debugger detected [97] warnings. I can close all of those and anytime I click to run an application I get the Debugger detected [97] error and the application shuts down. I can right click and start the app as an administrator, but still can't get programs like anti virus and malware removers to work.

    McAfee and SUPERAntiSpyware cannot be started and are/were up to date with the latest patches.

    The machine will close everything whenever, reboot sometimes on its own, go to Safe Mode on its own, and a lot of other very strange behavior. I am using another PC in the house to write this and work on a fix.

    Thanks for the help,

  2. #2
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi Jim,

    Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Member
    Join Date
    Sep 2009
    Posts
    47

    Hi blade,

    Here is the log

    Log file is located at: C:\Users\Jim's Laptop\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\Windows'...



    Found mount point : C:\Windows\AppPatch\Custom\Custom

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB4AE.tmp\ZAPB4AE.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\assembly\temp\temp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\assembly\tmp\tmp

    Mount point destination : \Device\__max++>\^

    Cannot access: C:\Windows\bthservsdp.dat
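
Added example, not part of the original thread: a Python parser for the Win32kDiag output format shown in the post above. It pairs each mount point with its destination and flags destinations that are not a drive path or volume GUID; that rule, the function names and the one benign sample junction are assumptions of this example.

```python
import re

# Sample in the log format posted above; the C:\Users\Public\Docs junction
# is constructed for contrast and does not appear in the thread.
SAMPLE_LOG = r"""
WARNING: Could not get backup privileges!
Searching 'C:\Windows'...
Found mount point : C:\Windows\AppPatch\Custom\Custom
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Users\Public\Docs
Mount point destination : \??\C:\Data\Docs
Cannot access: C:\Windows\bthservsdp.dat
"""

FOUND = re.compile(r"^Found mount point\s*:\s*(.+)$")
DEST = re.compile(r"^Mount point destination\s*:\s*(.+)$")
# Assumption: an ordinary junction targets a drive path or a volume GUID.
NORMAL_TARGET = re.compile(r"^\\\?\?\\(?:[A-Za-z]:\\|Volume\{[0-9A-Fa-f-]+\}\\)")

def parse_win32kdiag(text):
    """Return (mount/destination pairs, inaccessible paths, warning lines)."""
    mounts, inaccessible, warnings = [], [], []
    pending = None
    for line in map(str.strip, text.splitlines()):
        if m := FOUND.match(line):
            pending = m.group(1)
        elif (m := DEST.match(line)) and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
        elif line.startswith("Cannot access:"):
            inaccessible.append(line.split(":", 1)[1].strip())
        elif line.startswith("WARNING:"):
            warnings.append(line)
    return mounts, inaccessible, warnings

def suspicious_mounts(mounts):
    """Mount points whose destination is not a normal filesystem target."""
    return [(path, dest) for path, dest in mounts if not NORMAL_TARGET.match(dest)]

def self_named(path):
    """True when the last folder repeats its parent's name, as in the log above."""
    parts = path.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()
```

Every mount point in the posted log goes to the same `\Device\` destination and sits in a folder that repeats its parent's name, so both checks fire on each of them.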

  4. #4
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    I'm not sure but that log looks a bit short. Could you attach the file as an attachment? I want to make sure the whole log gets included.

  5. #5
    Member
    Join Date
    Sep 2009
    Posts
    47

    Hi,

    Sure here it is.
    I am in Safe Mode FYI, since I can't log in normally. If I try and start Vista normally I get an error that my machine will restart in 1 min. Sometimes I just get a blue screen, as well.

    Thanks

  6. #6
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Ok. Looks like it was the complete log after all.

    Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
    @echo off
    dir /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >c:\LogIt.txt
    start c:\LogIt.txt

    Double-click on fixes.bat file to execute it. LogIt.txt file should open up. Copy-paste contents to your reply.

  7. #7
    Member
    Join Date
    Sep 2009
    Posts
    47

    Hi,
    Here is the LogIt.txt

    Volume in drive C is OS
    Volume Serial Number is 66B3-F6AE

    Directory of C:\WINDOWS\System32

    01/19/2008 02:36 AM 177,152 scecli.dll

    Directory of C:\WINDOWS\System32

    01/19/2008 02:35 AM 592,384 netlogon.dll

    Directory of C:\WINDOWS\System32

    11/02/2006 04:46 AM 61,952 cngaudit.dll
    3 File(s) 831,488 bytes

    Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6

    11/02/2006 04:46 AM 11,776 cngaudit.dll
    1 File(s) 11,776 bytes

    Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

    11/02/2006 04:46 AM 176,640 scecli.dll
    1 File(s) 176,640 bytes

    Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

    01/19/2008 02:36 AM 177,152 scecli.dll
    1 File(s) 177,152 bytes

    Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

    11/02/2006 04:46 AM 559,616 netlogon.dll
    1 File(s) 559,616 bytes

    Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

    01/19/2008 02:35 AM 592,384 netlogon.dll
    1 File(s) 592,384 bytes

    Total Files Listed:
    8 File(s) 2,349,056 bytes
    0 Dir(s) 68,522,024,960 bytes free
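
Added example, not part of the original thread: the comparison this listing invites, in Python. It parses the `dir /a/s` output above and reports any System32 file whose size matches no copy of the same file under winsxs; treating the winsxs copies as the reference is an assumption of the example, and the function names are its own.

```python
import re
from collections import defaultdict

# File entries copied from the LogIt.txt listing in the post above
LISTING = r"""
Directory of C:\WINDOWS\System32
01/19/2008 02:36 AM 177,152 scecli.dll
Directory of C:\WINDOWS\System32
01/19/2008 02:35 AM 592,384 netlogon.dll
Directory of C:\WINDOWS\System32
11/02/2006 04:46 AM 61,952 cngaudit.dll
Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6
11/02/2006 04:46 AM 11,776 cngaudit.dll
Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e
11/02/2006 04:46 AM 176,640 scecli.dll
Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12
01/19/2008 02:36 AM 177,152 scecli.dll
Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783
11/02/2006 04:46 AM 559,616 netlogon.dll
Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857
01/19/2008 02:35 AM 592,384 netlogon.dll
"""

FILE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)$")

def parse_dir_listing(text):
    """Map lower-cased file name -> [(directory, timestamp, size_in_bytes)]."""
    entries, current = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Directory of "):
            current = line[len("Directory of "):]
        elif (m := FILE_RE.match(line)) and current:
            stamp, size, name = m.groups()
            entries[name.lower()].append((current, stamp, int(size.replace(",", ""))))
    return entries

def system32_mismatches(entries):
    """Flag System32 copies whose size equals no winsxs copy of the same file."""
    flagged = []
    for name, copies in entries.items():
        # Assumption of this example: winsxs holds the reference copies
        store = {size for d, _, size in copies if "\\winsxs\\" in d.lower()}
        for d, stamp, size in copies:
            # Without any winsxs copy there is nothing to compare against
            if d.lower().endswith("\\system32") and store and size not in store:
                flagged.append((name, stamp, size, sorted(store)))
    return flagged
```

On the posted listing only cngaudit.dll is flagged: 61,952 bytes in System32 against 11,776 bytes in winsxs, with identical timestamps, and it is the file the Avenger script in the next reply replaces.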

  8. #8
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    • Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
      Code:
      Files to move:
      C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll|C:\WINDOWS\System32\cngaudit.dll
    • In the avenger window, click the Paste Script from Clipboard button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log in your next reply.

  9. #9
    Member
    Join Date
    Sep 2009
    Posts
    47

    Hi and thanks

    Just so I don't mess things up. Usually when I reboot normally I get an error that the PC will reboot in a minute and then it will.

    In order to do everything I am doing now I have to be in safe mode.

    So, when I Execute and it reboots should I let it go or should I Safe Mode it?

    Thanks

  10. #10
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Try to let it boot into normal mode.
