
Thread: Spybot & AVG8.5 won't scan, can't save HJT, ERUNT, Malwarebytes

  1. #1
    Member northernunicorn's Avatar
    Join Date
    Feb 2006
    Location
    Northeastern Ont Canada
    Posts
    56

    Spybot & AVG8.5 won't scan, can't save HJT, ERUNT, Malwarebytes

    Hi: I've been reading the threads & I think I may be infected with Rootkit malware?

    I followed the steps in "Before you post" and did what I could.

    I WASN'T able to save anything suggested to desktop or anywhere (except I was able to save a file called ".housecall6.6" but it won't run).

    For Spybot, I get this message when I right-click to run as administrator: "Windows can't access the specified device, path or file. You may not have the appropriate permission to access the item."
    I can search for updates but can't get into Spybot to Immunize.
    Same thing happens in Safe Mode

    Antivirus program (AVG8.5) will not scan but will update. Resident Protection says not activated even though it shows it is.
    Tried changing & still does the same.
    In Safe Mode, most files show as LOCKED when I run a scan.

    Windows Defender scans & shows no threats.

    Computer Information:
    Windows Vista SP2
    Spybot-Search & Destroy version 1.6.2 (teatimer deactivated - couldn't figure it out)
    Antivirus- AVG Free version: 8.5.409 database 270.13.113/2400
    Windows Defender activated
    Windows Vista Firewall

    Things I've done to try to fix:

    <<Turned off System Restore

    <<Looked at Windows Uninstall/Change programs-nothing suspicious
    <<Ran Disk Clean-up

    <<Ran Disk Check with both boxes checked

    <<Tried to scan with AVG - just stalls & closes itself very shortly - indicates Resident Shield not active though it is indicated as active - Resident Shield log for Sept.20&21/09 shows following moved to Virus Vault or Deleted -- Trojan Horse Crypt.HOA (2 files), Trojan Horse Crypt.HOQ (44 files)
    ***Explanation: My son mis-typed name of a TV site & that's when all the files/pictures came flashing onto computer.

    <<Tried to Save & Run Malwarebytes. Didn't show up anywhere.

    <<Tried to run Spybot scan. Couldn't; see "lack of permission" quote above

    <<Tried to Save & Run "ERUNT". Didn't show up anywhere.

    I use my computer mostly for emails, typing minutes & documents (I am Secretary/Treasurer for 3 organizations) and going to several favourite well-known sites that are safe.
    My son goes to TV channel & video game tips sites.

    I hope I'm posting to the correct forum. I'm not much of a "Techie"; however, I do try to keep safe on the Internet. I sure hope I don't have to re-format (don't know how to do that!!) or completely clear off everything & start from scratch.

    I will patiently wait for a reply; I notice I'm one of a great many asking for help.
    Thank you

  2. #2
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503


    Hello northernunicorn and welcome back to the Spybot S&D forums. Sorry for the delay in getting to your post.

    Let's start with a quick diagnostic.

    Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

  3. #3
    Member northernunicorn's Avatar
    Join Date
    Feb 2006
    Location
    Northeastern Ont Canada
    Posts
    56


    Hi IndiGenus
    Thank you for your reply. I was out of town until today; thus my late reply.

    I wasn't able to save the Win32Diag.exe application to my desktop or to anywhere. The "save" seemed to work but didn't show up. I did several searches for it, even after trying to save to my own file.

    Seems to be having the same result as when I tried to save things suggested in "Before You Post". Any suggestions?

    Waiting for your suggestion.

  4. #4
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503


    Do you have another PC you can download files on and transfer over or run with a CD/DVD or USB drive?

  5. #5
    Member northernunicorn's Avatar
    Join Date
    Feb 2006
    Location
    Northeastern Ont Canada
    Posts
    56


    Hi IndiGenus
    Do you mean ...can I save the files onto a CD/DVD drive or USB stick on this computer & run from there? Sorry...not too much of a techie?

    I don't presently have access to another computer. Maybe tomorrow I can see if I can use a neighbour's...if it comes to that.

    Waiting for your reply.

  6. #6
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503


    I meant downloading them on another PC and transferring over that way.

    This may be a new infection or variation that is nasty. I'm watching one other thread in another forum with the same symptoms, and they haven't found a way to get around this yet.

  7. #7
    Member northernunicorn's Avatar
    Join Date
    Feb 2006
    Location
    Northeastern Ont Canada
    Posts
    56


    Hi from Dorothy: Sorry so long replying. Was away from home a few days.

    I've found a neighbour who will let me use their computer to download onto CD. They said their computer is clean. (Thought mine was too until this happened. )
    Please give a list of "things" I need to download to a CD

    Thank you

  8. #8
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503


    Okay normally I would post the download link when I advise the tool, but here I'll advise the tools I would expect we may use here. At least to get to the point where you can download files.

    Don't run or install tools until advised, but I realize you may not want to go back and forth from your neighbors, so you can get them all on disk.

    The first is the Win32kDiag tool I advised earlier. Try and copy it to your desktop to run it. If you cannot then try running from the disk.

    Please save this file. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

    The other tools to save to disk are as follows.

    Root Repeal:
    Zip Mirrors (Recommended)


    Combofix:
    Link 1
    Link 2

    Temp File Cleaner:
    TFC

    DDS:
    From here or here or here.

  9. #9
    Member northernunicorn's Avatar
    Join Date
    Feb 2006
    Location
    Northeastern Ont Canada
    Posts
    56


    Hi IndiGenus:
    I'm back and at a friend's computer.
    I will try to save to CD the tools you mentioned and then run them on my computer.
    Hope this works. I will let you know.
    I apologize for the long wait between...family & financial obligations took over my time.

    from Dorothy

  10. #10
    Member northernunicorn's Avatar
    Join Date
    Feb 2006
    Location
    Northeastern Ont Canada
    Posts
    56

    log from Win32Diag tool part1

    Hi IndiGenus:

    [QUOTE=IndiGenus;341460]Okay normally I would post the download link when I advise the tool, but here I'll advise the tools I would expect we may use here. At least to get to the point where you can download files.

    Don't run or install tools until advised, but I realize you may not want to go back and forth from your neighbors, so you can get them all on disk.

    The first is the Win32kDiag tool I advised earlier. Try and copy it to your desktop to run it. If you cannot then try running from the disk.

    Please save this file. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.[/QUOTE]

    I was able to save the tools to a disk.

    I was able to copy the Win32Diag tool to my desktop & run it. The log from the scan was saved to my desktop but it is larger than can fit in 1 post so I'll spread it over as many as necessary because I'm not sure if it's ok to send it as an attachment.

    Note: I hope I didn't mess up by running it twice. I ran it once then thought I should have done it as administrator & ran it again...thought there would be 2 logs left on desktop but there wasn't...Please let me know if I messed up or not.

    Here goes with the log:

    Running from: C:\Users\JeffandMom\Desktop\Win32kDiag.exe

    Log file at : C:\Users\JeffandMom\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\Windows'...



    Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EBD.tmp\ZAP2EBD.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6673.tmp\ZAP6673.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9AF7.tmp\ZAP9AF7.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA5B0.tmp\ZAPA5B0.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB0D7.tmp\ZAPB0D7.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\assembly\temp\temp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\assembly\tmp\tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\Downloaded Program Files\CONFLICT.1\CONFLICT.1

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\Downloaded Program Files\CONFLICT.2\CONFLICT.2

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\Globalization\Globalization

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\Help\Corporate\Corporate

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\java\classes\classes

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\LiveKernelReports\WATCHDOG\WATCHDOG

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\Microsoft.NET\authman\authman

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\Minidump\Minidump

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\ModemLogs\ModemLogs

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\msdownld.tmp\msdownld.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\nap\configuration\configuration

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\Windows\Panther\setup.exe\setup.exe

    Mount point destination : \Device\__max++>\^
