Can Anyone Please Possibly Tell Me What This Is?

Discussion in 'Malware Help (A Specialist Will Reply)' started by grc123, Apr 24, 2008.

  1. grc123

    grc123 MajorGeek

    In my AVG Anti-Spyware 7.5, under the "Analysis" heading>"AutoStart" tab, one item on the list (the last item, at the bottom of the list) looks very suspicious to me.

    Under Application it says:
    "AppInit_DLLS"

    Location is:
    "Registry\HKLM\Wi..."

    Path: (AND THIS IS THE SUSPICIOUS PART?) it starts off with "~1", then has what appears as 6 Chinese symbols or script characters, to me (not sure how to even duplicate it for the purpose of this post?). It ends with ")".

    Any advice is appreciated.

    PS - Actually I'm not so sure about the item that's second to last on the list before this other one. It is:

    "BootExecute"
    "Registry\HKLM\Co..."
    "Isdelete" ----------??
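    The two entries the question is about are classic autostart locations: AppInit_DLLs (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows) names a DLL that every process loading user32.dll will also load, and BootExecute (under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager) lists native programs run by the session manager before logon. As an added example, not part of the thread and not the poster's actual data, the following script shows the triage a responder would do on those two values. It parses the text layout printed by `reg query <key> /v <value>`, assumes value names contain no spaces, and uses a constructed sample whose DLL path is made up (the page never shows the real one, only "~1" followed by non-Latin characters):

```python
"""Triage the two autostart values asked about above: AppInit_DLLs and BootExecute."""
import re
from typing import Dict, List

# Full locations of the values (the thread's display truncates them to "HKLM\Wi..." and "HKLM\Co...").
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
BOOTEXEC_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
# The one entry a clean install carries in BootExecute (runs autochk before logon).
BOOTEXEC_BASELINE = {"autocheck autochk *"}

# Constructed sample in the layout `reg query <key> /v <value>` prints; NOT the poster's data
# (the page never shows the real DLL path, only "~1" plus six CJK characters).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\PROGRA~1\中文文件夹\hook.dll
    LoadAppInit_DLLs    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    BootExecute    REG_MULTI_SZ    autocheck autochk *\0cleanup.exe
"""

# value-name, type, data; assumes the value name itself has no spaces.
REG_QUERY_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Map each value name in reg query output to its type and data."""
    values: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = REG_QUERY_LINE.match(line)
        if m:
            name, reg_type, data = m.groups()
            values[name] = {"type": reg_type, "data": data.strip()}
    return values


def triage_appinit(data: str, load_flag: str = "") -> List[str]:
    """Flag a populated AppInit_DLLs value and the two things that made the poster's look odd."""
    findings: List[str] = []
    if not data:
        return findings  # empty is the normal state on a clean machine
    findings.append(f"AppInit_DLLs is set: every process that loads user32.dll will also load {data!r}")
    if any(ord(c) > 127 for c in data):
        findings.append("AppInit_DLLs path contains non-ASCII characters (older tools print these as '??????')")
    if re.search(r"~\d", data):
        findings.append("AppInit_DLLs uses an 8.3 short name (e.g. ~1), which hides the real directory name")
    # LoadAppInit_DLLs (Vista and later) gates whether the list is honoured at all.
    if load_flag and int(load_flag, 16) == 0:
        findings.append("LoadAppInit_DLLs is 0, so the DLL is not currently being loaded; the value is still worth removing")
    return findings


def triage_bootexecute(data: str) -> List[str]:
    """Report anything in BootExecute beyond the autochk baseline."""
    entries = [e for e in data.split(r"\0") if e]  # reg query separates REG_MULTI_SZ entries with a literal \0
    return [f"BootExecute runs a non-default native program before logon: {e!r}"
            for e in entries if e not in BOOTEXEC_BASELINE]


def triage(reg_query_text: str) -> List[str]:
    """Run both checks over the output of the two reg query commands."""
    values = parse_reg_query(reg_query_text)

    def get(name: str) -> str:
        return values.get(name, {}).get("data", "")

    return triage_appinit(get("AppInit_DLLs"), get("LoadAppInit_DLLs")) + triage_bootexecute(get("BootExecute"))


if __name__ == "__main__":
    print(f'Collect with:  reg query "{APPINIT_KEY}"  and  reg query "{BOOTEXEC_KEY}" /v BootExecute')
    for finding in triage(SAMPLE_REG_QUERY):
        print("-", finding)
```

    On a real machine, paste the output of the two `reg query` commands into `triage()` instead of the constructed sample. An empty AppInit_DLLs and a BootExecute of only `autocheck autochk *` produce no findings; a populated AppInit_DLLs is always worth explaining, whether it turns out to be a legitimate hook DLL or not.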
     
  2. abri

    abri MajorGeek

    Hi grc123,
    Welcome to the Malware Forum!


    Please go to the READ & RUN ME FIRST and scroll down to the bottom of the page. Select the link for the instructions for your operating system and on the page that opens up, scroll down until you come to Using MGTools. Follow the instructions in that and attach the set of logs (MGlogs.zip which you will find directly under C:\ ). You may want to also run Combofix on that page. If you decide to do that, run it before you do the MGTools.

    If you have malware we will send you back through all the instructions, but either or both of these mentioned will give us a better idea.

    Thanks.
    abri
     
  3. grc123

    grc123 MajorGeek

    Ok, thank you for the reply.

    I got everything downloaded, the first four programs to the desktop, MGTools elsewhere, but upon trying to setup the first program (SAS), I get an "Error 1303" message denying me set-up due to not having necessary privileges (something to that effect). UAC IS disabled, I have the red shield displaying in the lower right corner next to the clock.

    Can we proceed? Oh, also, while I am awaiting a reply, I should have my UAC turned back on (I have turned it back on) - correct?

    Thanks.
    PS - Perhaps it should be noted that we (the Malware Forum and I) attempted this maybe two months or so ago to no avail, although I am less nervous (less anxious) about it now as the PC is not as new (it was almost brand new back then), so I do feel more comfortable about moving forward.
     
  4. abri

    abri MajorGeek

    Hi grc123,
    Can you post the MGlogs.zip which is produced when you run the MGTools? If you've already run them, the MGlogs.zip file will be located directly under C just above the superman icon. This may give an answer to your question about the AppInit file.
    abri
     
  5. grc123

    grc123 MajorGeek

    Ok, thanks. So I should again disable my UAC, and 'physically unplug/disconnect' my internet connection until I am done running the MGTools scan as previously stated?
     
  6. abri

    abri MajorGeek

    Hi grc123,
    Generally we ask you to disconnect from the internet if we've asked you to disable your antivirus program. Otherwise it should be enough if you only disable the UAC. Let me know if that works.
    abri
     
  7. grc123

    grc123 MajorGeek

    Ok, thanks. I tried it, and got a message (error?) that states; "For some reason your system denied write access to the Hosts File. ..."

    I suppose I have the Hosts File locked by some sort of protection, but not sure which one (?).
     
  8. grc123

    grc123 MajorGeek

    Looking about 3/4 down the results page, next to "O20", I see what I was speaking of, only here it is represented with "??????". Should I delete this (?) - or what is my next move please??
     


    Last edited by a moderator: May 2, 2008
  9. abri

    abri MajorGeek

    Hi grc123,

    You have Windows Parental Control running on your computer. Have you tried disabling this? Normally it will not prevent you from running the programs we ask you to run, but this may depend on the level it's set at.

    Also, I'm not sure if you left UAC disabled for the entire time you were doing the scans or only while you were downloading and installing them? It needs to be disabled until they are all finished.

    We can try fixing the AppInit file, but if malware has set it this way, it may not work. We need to see your logs in particular the MGlogs.zip.

    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.


    If you aren't able to get Erunt to make a backup, please try the REGEDIT4 anyway.

    Let me know if you get a success message and how this goes? Can you run the other scans now?

    Thanks.
    abri
     
  10. grc123

    grc123 MajorGeek

    < I did set this for when my six year-old son visits, on a profile (User Account) that I set-up for him - but it's really not an issue (not something we currently need), it's just me trying to be "over-protective", as I tend to be with my kids - and my PC. I have now disabled it.

    < To the best of my recollection, I believe I *did* leave UAC *off* throughout.

    < I thought that is what I submitted - the "Hijack This" log??

    I will do my absolute best to perform the following tasks, but I have to admit to being confused.

    1. I am going to disable UAC again, and leave it disabled throughout - correct?
    2. I am not certain what "bold text" you are speaking of below ... that which you are instructing me to copy?
    3. I am not certain that I understand the "all files" feature you are asking me to be sure of. I understand "Save as", but not "all files"?
    4. And the finally, you're asking if I can; "run the other scans now"? - Is this question in reference to the first 3 (4?) scans in the original instructions?

    Thank you abri ...


     
  11. abri

    abri MajorGeek

    Hi grc123,

    Sorry, sloppy me! The REGEDIT4 should look like this:

    When you store a text file (one which ends with .txt), there's a window below where you enter the file name, and in that it will say Text File (*.txt). To the right of this there's an arrow you can click on for a drop down menu. If you don't change this to All Files, no matter what name you give the file, it will end with .txt. In the drop down menu you'll see the option for All Files. Click on the arrow for the drop down menu and then click on All Files. You need this option so you can give the file a name ending with .reg. If you don't change it, it will end with .reg.txt on the end of your file and that won't help you.

    I want to see if the parental control option might have been getting in the way of your doing the scans or if trying to fix the AppInit might give you a better chance of running the scans you haven't been able to run. After you do the above, please try running all of the scans you can in the READ & RUN ME.

    HijackThis is one of 5 scans we have in the MGTools program. If your MGTools have already been run as indicated by the log you posted called C:\MGTools.analyse.exe, then you should already have the logs. They are called MGlogs.zip and can be found as a file (not a folder) directly under C: just above the superman icon. See if you can find them. If so, you don't have to run the scan again. Just come back here and start a new reply, go down to the Manage Attachments button below the box you're posting in (you have to scroll down to see it) and click on that. In the Window that opens up, browse to C:\ in your Windows Explorer and click on the C, not the + sign. Then look on the right side of your Windows Explorer window and scroll down until you come to the files listed below the folders. Look for the superman icon and you should find the MGlogs.zip sitting just above it. Click on MGlogs.zip and then click on Upload File. Click on Close the Window and then Submit Reply.

    Let me know how any or all of this goes?

    abri
     
  12. grc123

    grc123 MajorGeek

    Originally Posted by abri View Post
    1) Download and install Erunt. Use it to create a backup of your registry. <Ok, I've downloaded Erunt, and am about to install it.

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" < I've done this, all except the "double-click" part. Please excuse me - I'm pretty lame-brained when it comes to some of this stuff - but I am to "double-click" on what - exactly? -->->? Once you have saved it double click it and allow it to merge with the registry.

    Also, Erunt is ok to run with Vista, correct? I have Vista Home Basic.
     
  13. abri

    abri MajorGeek

    Hi grc123,

    Sorry, this is new land. What we are trying to do is take the contents of the box, beginning with the word REGEDIT4 and copy it from our website into notepad on your computer. When you open notepad and transfer the contents of the box from this thread to Notepad on your computer, then you will have something which is generally stored by default as a txt file. In Windows Explorer you can find a lot of files which have the .txt ending.

    In this particular case, we don't want the file to have the .txt ending. We want it to end with the letters .reg

    When you end this small file with .reg and store it on your desktop, it will have a different function than if you end it with .txt

    After you have saved it to the desktop, using the ending .reg then close Notepad. Close all your windows and look on your desktop for a file which is called fixMe.reg

    This is the file that you just created.

    Double-click on the icon on the desktop with this name and allow it to run. In a way it's a bit like an .exe file in that when you double click on just the name, it runs. That's how this one is. After it runs, it should popup a little success message.

    I hope this is clearer.

    Thanks.
    abri
     
  14. grc123

    grc123 MajorGeek

    Hi & thanks abri.

    Some parts of your last post I already knew/understood - and some was good new info. for me. In any event, I found myself a bit overwhelmed, a bit confused, and well, decided that maybe if I stepped-away from it for a few days, perhaps with a clearer mind, I'd do better (?) - but apparently not so much.

    I do see a new icon on my desktop (in addition to the two for ERUNT) named: "NTREGOPT" - could that possibly be the "fixMe.reg that I'm looking for, except that I somehow misnamed it? I am certain I named it as you asked, and changed it to "All Files" rather than ".txt" in the drop-down box before I saved it as "fixMe.reg" - but I don't have an icon named fixMe.reg.

    Sorry I'm still confused - can you still help?

    Thanks again ...
     
  15. abri

    abri MajorGeek

    Hi grc123,

    The program called NTREGOPT is part of Erunt and it's not what you're looking for. You can pull that icon into the trash if you want. It is a shortcut leading to the folder where Erunt is stored and it is not something we will use.

    The file you're looking for called fixMe.reg should show up in a Windows search. If you click on the Start button and then click on Search and then on Files or Folders, you can type in the name fixMe.reg. Where you have the choice Search In, choose to have it search all of C or all of your drives. If you wish to make the search a little faster, you can click on the option When was the file modified and put in a date of about a week ago and one that is today's date. Then it will only look at files and folders on your computer which were put in in the past week. See if you can find it that way.

    If that search does not yield anything, then try the following two searches. Do exactly as you did above, but instead, search first for fixMe.* and if that doesn't find anything, put in *.reg and see if either of those brings forth the missing file.

    If one of these searches finds the file, note where it is on your computer.

    Let me know how this goes?
    abri
     
  16. grc123

    grc123 MajorGeek

    Ok, thanks. I found it - should I post it here?
     
  17. abri

    abri MajorGeek

    Hi grc123,

    Do not post it here! This is a tiny program I want you to run by double-clicking on it. It will attempt to replace that one registry key you have that's infected with a dummy. We will see if it works. Please go to where you found the file and double click on it. When it's finished, it should pop up a small success message.

    Then I would like for you to run CCleaner. The icon should be on your desktop. Double-click on it and it will open. Down in the lower right-hand corner there's a button called Start Cleaner. Click on that. There will be a warning that this will permanently delete files. Click on yes and then allow it to run. When it's finished, the Start Cleaner button will light up again. Then you can just close the window by clicking on the red x up in the upper right hand corner.

    Then I would like for you to get a fresh set of logs. To do this, please go to Windows Explorer and find the folder under C:\ called MGTools. Open this folder and look for a file called GetLogs.bat. Double-click on GetLogs.bat and allow it to run all the way to completion. When it's finished, it will say something like Hit any key to close the window.

    Once you've done this, please come back here to this thread at Major Geeks and start a new reply and in the reply, tell me if you got a success message for the FixMe.reg when you ran it. Then before you submit your reply, please go down to Manage Attachments, click on that and then browse to this file:

    C:\MGlogs.zip

    This is a file (not a folder) and sits just above the superman icon under C. When you find it, click on it and then upload the file. Close the Manage Attachments window and then Submit your Reply.

    Let me know how this goes?

    abri
     
  18. grc123

    grc123 MajorGeek

    Ok, I think I understand and can do this - one last question for now: Should I again disable UAC and disconnect (physically) from the internet before I take the next step please?
     
  19. abri

    abri MajorGeek

    Hi grc123,

    Try it first without disabling UAC. This is an internal program and may not be restricted. If you don't get the success message or if you get an error message, then try it with UAC disabled. You don't have to disconnect from the internet.

    abri
     
  20. grc123

    grc123 MajorGeek

    Ok thanks. I double clicked and immediately got a pop-up box from Registry Editor stating: "Cannot import C:\MGtools\fixME.reg: The specified file is not a registry script. You can only import binary files from within the registry editor".

    ~*UPDATED*~ I got the same message/result with the UAC turned-off (disabled). Do we have any other options abri?

    Thanks ...
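    The error quoted above ("The specified file is not a registry script") is what regedit reports when the file it is handed does not begin with a registry header line, which is also the failure mode the earlier posts warn about when Notepad silently saves the file as fixME.reg.txt. As an added example (not the thread's fixME.reg, whose contents are not on the page, and not a MajorGeeks tool), here is a small linter for the three things that most often go wrong when a .reg script is pasted from a web page and saved by hand: wrong extension, a byte-order mark in front of the header, and lines that are neither a key, a value nor a comment. The two sample files are constructed for the demonstration and touch only a made-up HKEY_CURRENT_USER\Software\ExampleLint key:

```python
"""Lint a hand-made .reg script before double-clicking it."""
import re
from typing import List

# Header lines regedit accepts: REGEDIT4 is the older ANSI format the helper asked for;
# "Windows Registry Editor Version 5.00" is what regedit itself exports.
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

KEY_LINE = re.compile(
    r"^\[-?HKEY_(LOCAL_MACHINE|CURRENT_USER|CLASSES_ROOT|USERS|CURRENT_CONFIG)(\\[^\]]*)?\]$"
)
VALUE_LINE = re.compile(
    r'^(@|"(?:[^"\\]|\\.)*")='                                  # "name" or @ for the default value
    r'(-|"(?:[^"\\]|\\.)*"|dword:[0-9A-Fa-f]{8}|hex(?:\([0-9A-Fa-f]+\))?:[0-9A-Fa-f, \\]*)$'
)


def lint_reg_script(filename: str, content: bytes) -> List[str]:
    """Return a list of problems; an empty list means regedit should accept the file."""
    problems: List[str] = []

    # 1. Notepad's default "Text Documents" type appends .txt, giving fixME.reg.txt.
    if not filename.lower().endswith(".reg"):
        problems.append(f"{filename}: extension is not .reg (choose 'All Files' when saving)")

    # 2. Decode. A UTF-16 BOM is how regedit writes 5.00 files; a UTF-8 BOM (Notepad's
    #    "UTF-8" encoding) puts three bytes in front of the header, so the header is not
    #    the first thing regedit reads. Flag it and save as ANSI instead.
    if content.startswith(b"\xff\xfe"):
        text = content.decode("utf-16")
    else:
        if content.startswith(b"\xef\xbb\xbf"):
            problems.append("file starts with a UTF-8 byte-order mark; save as ANSI so the header comes first")
        text = content.decode("utf-8-sig", errors="replace")

    # 3. The header must be the first line; without it regedit says "not a registry script".
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        problems.append("first line is not a registry header (REGEDIT4 or 'Windows Registry Editor Version 5.00')")

    # 4. Every remaining non-blank line must be a key, a value, a comment, or a hex continuation.
    continuation = False
    for number, line in enumerate(lines[1:], start=2):
        stripped = line.strip()
        if continuation:                      # previous hex line ended with a backslash
            continuation = stripped.endswith("\\")
            continue
        if not stripped or stripped.startswith(";"):
            continue
        if KEY_LINE.match(stripped) or VALUE_LINE.match(stripped):
            continuation = stripped.endswith("\\")
            continue
        problems.append(f"line {number}: not a key, value or comment line: {stripped!r}")
    return problems


# Constructed samples for the demo (not the thread's fix). GOOD_REG is what a correctly
# saved file looks like; BAD_REG is the same content pasted without the header and saved by
# Notepad as fixME.reg.txt with a UTF-8 BOM.
GOOD_REG = (
    b"REGEDIT4\r\n\r\n"
    b"[HKEY_CURRENT_USER\\Software\\ExampleLint]\r\n"
    b'"Flag"=dword:00000001\r\n'
    b'"Path"="C:\\\\Temp\\\\x.dll"\r\n'
)
BAD_REG = (
    b"\xef\xbb\xbf"
    b"[HKEY_CURRENT_USER\\Software\\ExampleLint]\r\n"
    b'"Flag"=dword:00000001\r\n'
)

if __name__ == "__main__":
    for name, data in (("fixME.reg", GOOD_REG), ("fixME.reg.txt", BAD_REG)):
        print(name, "->", lint_reg_script(name, data) or "OK")
```

    Run the linter on the saved file (`lint_reg_script(path.name, path.read_bytes())`) before double-clicking it; the second error message in the thread, "Some keys are open by the system or other processes", is a different problem (the file parsed, but a key it tries to write was in use) and is not something a file check can catch.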
     
  21. abri

    abri MajorGeek

    Hi grc123,

    We'll try one thing first and if that doesn't work, we'll try another. Let's try it this way first:

    Please click on the zip file I've attached here with my post. Allow it to download to your desktop. Once it's finished downloading it, minimize all your windows so you can see the desktop. Find the zip folder. Double-click on the zip folder to open it. At the top of the window that opens you'll see the word File. Click on that and then click on Extract All. A small set of instructions will come up. Click on Next. On the next page you will need to click on the button that says Browse. In the little window that opens up, click on the Desktop. Then Ok. That little window will close. Click on Next to continue. In the window that opens up you'll see Show extracted files with a check mark next to it. Click on the little box to uncheck it. Then click on the word Finish.

    Again, close any windows that are open on your desktop so you can see the desktop.
    Now find the file called FixMe.reg.

    What happens when you double-click on this file? Do you get the same error message or do you get a success message?

    abri
     


  22. grc123

    grc123 MajorGeek

    I get the exact same 'error' message.

    Thanks ...
     
  23. grc123

    grc123 MajorGeek

    CORRECTION - I actually got a slightly different error message this time: "Cannot import C:\Users\... Not all data was successfully written to the registry. Some keys are open by the system or other processes".
     
  24. abri

    abri MajorGeek

    Hi grc123,

    Please do the following:

    1) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    2) Now run CCleaner at the default setting with the Windows tab as the top one.

    3) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log. The Avenger log called avenger.txt is located directly under C and so are the MGlogs.zip. When you come back here to tell me how things went, you can click on post reply and when the window opens for your reply, scroll down farther and you'll see the Manage Attachments button. Click on that. Then browse to each location under your C: drive to find these two files. When you've found both of them, click on the Upload Files button and when they finish uploading click on Close this window. Be sure that you actually type us a message before you submit your reply, as you have to always send a message with your attachments.


    Let me know how things went this time?

    abri
     
  25. grc123

    grc123 MajorGeek

    Hi abri - one question at this point: You said "Do not change any check box options!!" - I am assuming this means to leave the check-box UN-checked as that is how it came-up (appeared/opened) this time, from when we used it in the previous (fixME.zip) step??
     
  26. abri

    abri MajorGeek

    Avenger is a different way of applying a registry patch from the FixMe.reg that we tried before. The checked or not-checked options refer to what you see when you open Avenger after you have extracted it from the zip file to your desktop. If you completed this, you'll find a sword on your desktop with the name Avenger.exe. When you double-click on this, it will open the program. At the bottom of the window you'll see that Scan for rootkits is checked and Automatically disable any rootkits is unchecked. These should remain as they are.

    abri
     
  27. grc123

    grc123 MajorGeek

    Got it, thanks!
     
  28. grc123

    grc123 MajorGeek

     
  29. grc123

    grc123 MajorGeek

     


  30. abri

    abri MajorGeek

    Hi grc123,

    Avenger was successful. That's good! Let's see if we can make a new MGlogs.zip and find it.

    Please go to the MGTools folder in C:\ and click on it to open it (not on the + sign but on the folder itself). Over on the right side you'll see some files. Find the one that's called GetLogs.bat. Double-click on GetLogs.bat and allow the scan to run. When it's finished it will say something like Hit any key to close the window.

    Then come back to this thread and post a reply to me. When you write to me about how this went, then scroll down to the Manage Attachments button and click on it. Then click on the browse button and when you see your Explorer, click on the C (not on the + sign, but on the C itself). Look over on the right side where you'll see both folders and files. Look down the list until you come to the superman icon. The file just above the superman icon is called MGLogs.zip. Click on this and then click on the upload button. When it finishes uploading, click on Close this Window and then click on Submit. Remember you have to type something at least 4 letters long. "Here's the log" will also do.

    abri
     
  31. grc123

    grc123 MajorGeek

    I'm so sorry - I tried to upload something, but it's not what you asked for.

    When I select 'Manage Attachments > Browse', I get a list of folders on the left, but when I click on "C", there is no "Superman" icon to choose/select (it's not there, in the list that displays after I click-on "Browse"), though I have seen it on my desktop before - last week when we were working on this.

    I should note that when I do run the scan, at the beginning I get a warning or error message from HijackThis, something to the effect of not being able to access my "Hosts" file - the same message I got earlier in this thread, when we were attempting to do something else. The scan does run, asking me several times to "Be Patient" - which I was, and it ran until it said, as you mentioned; "Hit Any Key To Continue" at the end ...
     
  32. abri

    abri MajorGeek

    Hi grc123,

    I feel certain that if the scan ran, the log is there. Let's look for it first in your computer. Please right-click on the Start button and in the small menu that pops up left-click on Explore. This will open your Windows Explorer. A window should open up that is divided into two parts. On the left side is a directory and the right side will show what is in each directory. At the top of the left side you will see the files in descending order starting with Desktop. Beneath that there should be My Computer and beneath that there should be something like Local Drive (C: )

    If you can't see this, then click on the + sign next to My Computer and see if you can see the Local Drive (C: ) If you can, click on the word Local Drive. This will show everything that's in the Local Drive (C: ) and it will all appear over on the right side of the window. Over on the right side, you should see a bunch of yellow folders and beneath them a bunch of files.

    Is anything I'm telling you the same as what you are seeing? If so, look down among the files over there on the right side and see if the superman icon is there.

    If you don't find it this way, we can do a search like we did last time. You have your Windows Explorer open now, because we are looking for the superman icon. At the top of this window there's a magnifying glass with the word search. Click on that and in the Window that opens up, click on Files and Folders. Then type in the name MGlogs.zip
    Then click on Search and wait for the search to finish. If it finds this, please note the pathway - write it down. It may look like this C:\MGTools.zip

    However, it may be in a different folder and it may look like this C:\Documents and Settings\MGlogs.zip

    Whatever the pathway is, write it down so that when you come back here to post to me, you can find it with the browse button.

    abri
     
  33. grc123

    grc123 MajorGeek

    It's not showing-up anywhere (??). The Superman icon was not in the list on the right, and when I tried searching the other way (searching for "MGlogs.zip" with the small search-box in the upper right-hand corner - with the magnifying glass) I could not find it either. I even tried the "Advanced Search" option, and I also tried all the different locations that I have to choose from. Everything I try comes back: "No items match your search".

    Again I'm wondering; could the warning/error message from HijackThis about not being able to access the "Hosts file" possibly be the problem?
     
  34. abri

    abri MajorGeek

    Hi grc123,

    What you described with the window ending with the Hit any key message sounds like the scan ran correctly. Also, there's not a small search box in the upper right hand corner of Windows Explorer although there is something like that in the browser called Firefox. This makes me think there could have been an error in the search and before we go to all the trouble of reinstalling the MGTools in case they were damaged (this does happen once in awhile when we do a fix), I would like to make sure the search went correctly.

    I hope you have enough patience with me. :)


    When you did the Windows search for the FixMe.reg you found it. However, when you did the search for the MGlogs.zip, you did not find it. What is troubling me in this case is your mention of the small window in the upper right hand corner with the magnifying glass. So, let us start here:

    When you right-click on the Start button in the lower left hand corner of your screen and the little menu comes up and then click on the word Explorer, what kind of window opens up for you? What does it look like when it first opens? There should be a window opening up with a lot of yellow folders on the left side and one highlighted that says Start Menu. Is this what you are getting?

    What I think might have happened, is that if you did the search in this way, it may have only searched the actual Start Menu folder rather than searching the whole C drive.
    Do you think that could have happened? Because if you enter Windows Explorer at a certain point and don't highlight the directory you want to search, then it will simply look for the item you ask it to search for in the directory which is highlighted. In that case, it would not find the file we are looking for because it's not in the Start Menu folder.

    So try this:


    RIGHT-Click on the Start button in the lower left hand corner of your screen. In the little menu that opens up, go up to the word Explorer and LEFT-click on that. Now when Windows Explorer opens up, which folder is highlighted?

    If it is the folder called Start Menu (or a name similar to this) then take your mouse and point it up higher than this folder at the Local Drive (C: ) and click on it to highlight it. Then go to the top of the window in the middle where you'll see a magnifying glass with the word search next to it and click on this. When it opens up click on Files and Folders. The area of the computer you're searching now should be C:

    Now do this:

    Try the search again by putting in MGlogs.zip where it says complete or part of file name. Leave the window A word or Phrase inside the File blank. Then look at the little window just below that one where it says Search In and see if it says C: (It might also say Local Drive C: or something like this).

    If all of that is correct, see if you can get the search to work this time.

    Let me know if you have better luck this time. If not, we'll simply reinstall the MGTools over the old ones and rerun them. If they did get damaged, this will overwrite the damaged files with ones that are okay.


    abri
     
  35. grc123

    grc123 MajorGeek

    Hi abri, I was afraid you were going to run out of patience with me!! :)

    I was going by your description on the 'search box/upper-right-magnifying glass'. I do have Vista, I don't know if you're maybe thinking of XP or 2000 (or another OS?). If I could figure-out how to send a screen-shot I would do so ...

    Meanwhile, I'm going to refer back to your last reply, and do my best to move-ahead.

    Thanks ...

    ~*UPDATE*~ I'm going to try to paste this in here - I don't know if it will work. This is what I get when I: Right click on Start > Left click on "Explore" (mine says "explore", not explorer" BTW, I also have an option for "Explore All Users") > and Left click on "OS (C: )"

    If the paste doesn't work - I'll try to attach it in the next post.

    Thanks ...
     
  36. grc123

    grc123 MajorGeek

    Here is what I see when I follow the directions previously given - see attachment please ...

    ~*UPDATED*~ ***I think the file (".rtf") is too large to attach/upload***
     
  37. abri

    abri MajorGeek

    Hi grc123,

    I'm definitely thinking of XP. I'm sure that's why I was confused about the magnifying glass being up in the right hand corner.

    I think it would be easiest if you go back to the Vista Cleaning Procedure and redo those for Using MGTools. These will be the right instructions and should include any special instructions for turning off UAC. When it asks you if you want to install over the old one, just say yes.

    See if that will work.
    abri
     
  38. grc123

    grc123 MajorGeek

    Ok, thank you - I'll keep you posted on my progress.

    Thanks again.
     
  39. grc123

    grc123 MajorGeek

    Here is the MGtoolslog ....

    Ok, no it's not.

    I'm getting "closer" - I can find the Superman icon now (in my Admin account/profile - though I actually downloaded it in another account/profile???), but it's coming-up as an ".exe" file, which will not attach here at MG. I get a message saying; "Invalid File".

    I'll try again, downloading it straight into my admin account/profile ... that's all I know that's left to do???

    ~* I think I could upload (attach) it now, except that it's too big - 1.18MB??

    Can you advise please - thanks.
     
  40. abri

    abri MajorGeek

    Hi grc123,

    You don't need to attach the MGTools.exe file. You simply need to double-click on it and allow it to run. It will install everything and run the new set of logs at the same time. If it tells you in the Vista instructions that you need to have UAC disabled, then please do that first. Please make a note of where the superman icon is located, so that when you're finished running the tools, you can come back to that place and see if the new set of logs is located just above it.

    abri
     
  41. grc123

    grc123 MajorGeek

    Ok - great - thank you abri! I'll let you know of my result(s).
     
  42. grc123

    grc123 MajorGeek

    Well ... (?) - We ran it ...

    Though I found it in my user account, I had to go to the admin acct. (with UAC "off/disabled", and PC restarted) to not get the command prompt message: "Zip I/O Error Permission Denied Zip Error Could Not Create Output File (C:/MGlogs.zip)" - which I got/get when trying to run it from my U.A. I also did not get the HijackThis warning/error message RE: 'Hosts files-lack of access' when running it as an admin.

    It occurred to me earlier today that I'm a bit surprised that I was able to run a zip file, as I have no (known?) "zip-handling" (compression?) program (i.e. WinZip, 7-Zip, etc.).

    Lastly, and in reference to my first (confused) sentence of this post - I do not see the files located in the list above the Superman icon when I go back into explorer now. The program claimed to run successfully when I finally ran it from admin (as opposed to running it from my UA) - but again, what is located above the Superman icon is: "GoToAssistDownloadHelper.exe" (?).

    Thanks abri - I sure do hope we're getting ... "SoMeWhErE"??..
     
  43. abri

    abri MajorGeek

    Hi grc123,

    You did successfully run the tools once. :) ... Therefore, I know such a thing is possible with this machine. The most probable reason for the errors you got is because the new MGTools were not downloaded to the C:\ drive. You may have a default download location for anything you download, so that if you don't specifically tell it to download to the C:\ drive, it will put the downloads under your User Name.

    Do you think that's possible?
    abri
     
  44. grc123

    grc123 MajorGeek

    Hi & thanks for the reply abri ...

    I do use (99% of the time) the Mozilla (Firefox) Browser, and I went into the tools>options>main tab & changed it from: 'download (save) files to desktop' (which is the default setting I believe) to: 'always ask me where to save files' - but I don't believe I had done that the first time or two that we tried all of this. So yes, that was most likely the case at least originally.
     
  45. abri

    abri MajorGeek

    Hi grc123,

    If the tools ran and you got the message Hit any key to close the window, then I think we can get your logs without looking for the zip file. Right-click on Start and select Explore and in the Windows Explorer click on Local Drive ( C: ) Then look for the MGTools folder. Open the folder. If you see recent versions of the files you named before - newfiles.txt, runkeys.txt and hijackthis.log, please upload just those. You won't be uploading them from Windows Explorer but rather will have to come back to this website and find them again with the Manage Attachments button of your Reply and with the browse button. See if that will work.

    abri
     
  46. grc123

    grc123 MajorGeek

    Hi abri,
    I'm sorry I'm so thick-skulled with this stuff ... every time I try to upload them through Manage Attachments here, I can only seem to get the entire MGTools.exe (C:/Users/Net/MGtools.exe) folder to go into the box when I click on Browse - before I would click Upload. And again, the entire folder is too large to send (MG restriction). I don't know how to break it down into individual files to attach (?). Can you still help please?
    Thank you ...
     
  47. abri

    abri MajorGeek

    Yes, of course. It's important to be very precise. The MGTools.exe is a file not a folder. I don't think you could even upload an .exe file if you tried. The MGTools is the folder (without the .exe on the end). It contains more than you need.

    When you go to the browse button, find the MGTools folder, which will be yellow. Double-click on the folder to open it. That should show you the contents. There will probably be one folder in there called backups and then a bunch of files. See if double-clicking on the MGTools folder (it's yellow) - and not on the MGTools.exe file (it's the superman icon) - helps. If you get into the MGTools folder when you double-click on it, then you should be able to find the HijackThis.log, the newfiles.txt and runkeys.txt. It will be possible to upload all three of these.

    :)
    abri
     
  48. grc123

    grc123 MajorGeek

    Did this work?? I will also try it the way you just described in your last reply - you were quicker than I thought you'd be - so I sent this before I was able to read your latest reply ... Thanks ...
     

    Attached Files:

  49. abri

    abri MajorGeek

    LOL .. sorry, we're posting at the same time. It worked and it did not work. Your zip file only contains the runkeys.txt and I need the other logs. What this means is that when you ran GetLogs.bat, it didn't run all the way to the end. Go to the MGTools folder (the yellow one) and open it. Look for the file called GetLogs.bat. You'll need to be using an administrator user and have UAC disabled. Double-click on it to run it and allow it to run all the way to the end. At the end it will say Hit any key to close the window. After it runs, do whatever you just did again to upload the zip file. That worked! It just didn't have all the logs in it.

    Thanks.
    abri
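The two failures in this exchange (the zip could not be created at C:\ from a non-admin account, and the zip that did upload held only runkeys.txt because GetLogs.bat stopped early) are easy to catch before posting. The script below is an added example, not MGTools' GetLogs.bat or any MajorGeeks code: it looks for the three logs named in this thread (newfiles.txt, runkeys.txt, hijackthis.log) in the MGTools folder, zips whatever is there, reports which are missing, and, if the preferred output location cannot be written, retries in a fallback directory (the system temp directory by default; that fallback is an assumption of the example). The sample folder layout in the usage note is constructed.

```python
"""Bundle the MGTools logs and say whether the set is complete.

Added example for this thread; not MGTools' own code. The expected log
names are the three the helper asked for; the fallback output directory
(system temp dir) is this example's assumption.
"""
import sys
import tempfile
import zipfile
from pathlib import Path

# The three logs requested in the thread.
EXPECTED_LOGS = ("newfiles.txt", "runkeys.txt", "hijackthis.log")


def find_logs(mgtools_dir):
    """Return (present_paths, missing_names) for the expected logs.

    Matching is case-insensitive because Windows file names are
    (the tool writes HijackThis.log, the request says hijackthis.log).
    """
    mgtools_dir = Path(mgtools_dir)
    on_disk = {p.name.lower(): p for p in mgtools_dir.iterdir() if p.is_file()}
    present = [on_disk[name] for name in EXPECTED_LOGS if name in on_disk]
    missing = [name for name in EXPECTED_LOGS if name not in on_disk]
    return present, missing


def bundle_logs(mgtools_dir, preferred_out, fallback_dir=None):
    """Zip the logs found in mgtools_dir.

    Tries preferred_out first (e.g. C:\\MGlogs.zip). If that cannot be
    created (permission denied, missing folder), retries with the same
    file name inside fallback_dir. Returns a dict with the zip path, the
    bundled names, the missing names and a 'complete' flag so the
    person posting the zip knows whether GetLogs.bat finished.
    """
    present, missing = find_logs(mgtools_dir)
    if not present:
        raise FileNotFoundError(f"none of {EXPECTED_LOGS} found in {mgtools_dir}")

    preferred_out = Path(preferred_out)
    fallback_dir = Path(fallback_dir or tempfile.gettempdir())  # assumption
    last_err = None
    for target in (preferred_out, fallback_dir / preferred_out.name):
        try:
            with zipfile.ZipFile(target, "w", zipfile.ZIP_DEFLATED) as zf:
                for path in present:
                    # Store flat names only, so the zip does not reveal
                    # the user's profile path (C:\Users\<name>\...).
                    zf.write(path, arcname=path.name)
        except OSError as err:  # PermissionError is a subclass of OSError
            last_err = err
            continue
        return {
            "zip": str(target),
            "bundled": [p.name for p in present],
            "missing": missing,
            "complete": not missing,
        }
    raise last_err


if __name__ == "__main__":
    # Usage: python bundle_mglogs.py C:\MGTools C:\MGlogs.zip
    folder = sys.argv[1] if len(sys.argv) > 1 else "C:\\MGTools"
    out = sys.argv[2] if len(sys.argv) > 2 else "C:\\MGlogs.zip"
    result = bundle_logs(folder, out)
    print(f"wrote {result['zip']} with {result['bundled']}")
    if not result["complete"]:
        print(f"WARNING: missing {result['missing']}; GetLogs.bat did not finish")
```

Run it from the account that ran GetLogs.bat. A "missing" list that still contains newfiles.txt or hijackthis.log after a run means the batch file did not reach its end, which is the condition described above; a zip that lands in the temp directory instead of C:\ means the account lacks write access to the drive root, the same "Could Not Create Output File" case.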
     
  50. grc123

    grc123 MajorGeek

    It doesn't seem to want to take (attach) the "GetLogs.Bat" file (which is only 2.88KB) - it ends up "Invalid File", and then just disappears. Now, I can tell you that the date on that file (12/15/07) is before this PC was even purchased (new, from Dell). Maybe that's the date the Malware program was designed/built??

    In any event, I am not certain how to do this at the moment, but I will continue to try, though it is extremely frustrating.

    Oh, one last thing, the scan does not seem to want to run correctly - again. I went to Admin, disabled UAC, but keep getting error messages, from HiJackThis about the Hosts files again, and also that message (MULTIPLE times) about not being able to "create an output file", in the DOS/Command Prompt box/window.
     
