can't run mgtools.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by Alyab123, May 16, 2014.

  1. Alyab123

    Alyab123 Private E-2

    I have a trojan in my anti-spyware quarantine. It's called Trojan.Agent/Gen.Cryptor.

I tried following your instructions. I disabled my Avast Antivirus to download AND run MGtools.exe, but it won't run. Nothing happens, besides a bong noise from Windows. And a message pops up that "Windows cannot access the path, I may not have appropriate permissions to run the file."

    I am using an admin account - the same one I used to download, and RE-download the file. Please advise. Thank you.


    Am running XP with Online Armor, Free Avast.
    I run Malwarebytes free, and SuperAntiSpyware regularly. I also have run ClamWin portable a few times.

    Here are the logs you request. I have not done the "fix" at Rogue Killer yet. I did reset system restore because I had many many entries due to loading and unloading various firewalls, and removing some unnecessary files.

ClamAV has claimed that I have C:\DELL\drivers\R133281\IDE\WinXP\sataraid\nvraid.sys: Win.Trojan.Agent-145770 FOUND, but 50% of scanners at VirusTotal say it's malware and 50% say it's not. So I don't know if it's a problem.

    It also says I have

    C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User\Cache\3\78\63F3Bd01: HTML.FileDownload_version_dll FOUND

    C:\System Volume Information\_restore{99F1AA40-3620-43B6-A011-AA2B9C4CE24F}\RP1206\A0284821.sys: Win.Trojan.Agent-145770 FOUND

    but most AV on virustotal.com did not consider them problematic when I ran them, so I haven't un-installed them. System restore took care of the second one obviously. The first is still on my pc. As I said before I haven't done the fix on roguekiller, so I still have

    Registry Entries : 1 ¤¤¤
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    Problem is I can't continue your process because mgtools.exe will not run.

    I am still on XP pro svc pack 3
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Attach all of the other requested logs that you have then please. :) We will see about MGTools next.
     
  3. Alyab123

    Alyab123 Private E-2

    That is odd. I did attach all of them when I posted. I will do it again. I think I forgot to click upload. :-o
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good morning. :)

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    • cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    • nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    • analyse <-- this attempts to run HijackThis. Be sure to click the Accept button twice in the license agreement popup or it will just sit there and wait.
    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.
     
  5. Alyab123

    Alyab123 Private E-2

    Thank you for your clear suggestions, I appreciate your help.
    Have a great day.

    OK. I actually think I may know what the problem was. I was trying to figure out something in my Firefox settings, and I discovered that MGtools.exe was a blocked program in my Online Armor Firewall. So I changed that and tried again to click the executable file. This time it opened cmd.exe, but the cursor just sat and blinked. Maybe due to technical factors the program was just running slowly, but after a few minutes I gave up and ended the task. I tried again, and again it sat with the cursor blinking, and seemingly doing nothing.

    So I figured I would try to do it your way.
    I opened the command prompt, went to the directory MGtools, and typed nwktst. The response is:


    nwktst.bat -10/26/2013 Version 0.43

    the system cannot find the path specified


    I checked in C:\MGtools folder, and there is definitely a file named NwkTst.bat

    Next I tried GetRunKey

    the response:

    GetRunKey.Bat -10/26/2013 Version 2.74

    Note: Ignore any error messages about not finding registry keys!
    Just wait for the program to finish running!!

    Access is denied.
    The system cannot find the file specified.
    Zipping runkeys.txt
    zip I/O error: Permission denied

    zip error: could not create output file (C:/MGlogs.zip)
    Finished Zipping runkeys.txt



    throughout this process, my firewall was requesting permissions for most of the actions, which of course I allowed as fully trusted. I now have a runkeys.txt file on my desktop. I don't know if there's a zipped version anywhere. If there is, I don't know what it's called.

    Now the cursor is hanging, and just blinking under that last line. There is no command prompt. I cannot "activate" the cmd window with my mouse enough to re-enter it and try to type anything.

    I closed the cmd window, and re-opened it and went back to c:\MGtools and typed ShowNew.

    The response was:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Baila>cd \MGtools

    C:\MGtools>ShowNew


    ShowNew.bat - 12/27/2013 Version 3.10


    ************************** WARNING *************************
    If you see a popup saying that:

    SteelWerX WhoAmI application has stopped working

    do not click the Cancel button that first appears. Wait for
    the Close program button to appear and click it to continue
    ************************** WARNING **************************

    Scanning please Wait.
    ============= Finding copies of actxprxy.dll
    ============= Finding copies of beep.sys
    ============= Finding copies of csrss.exe
    ============= Finding copies of ctfmon.exe
    ============= Finding copies of eventlog.dll
    ============= Finding copies of explorer.exe
    ============= Finding copies of kernel32.dll
    ============= Finding copies of lsass.exe
    ============= Finding copies of netlogon.dll
    ============= Finding copies of ntfs.sys
    ============= Finding copies of powrprof.dll
    ============= Finding copies of proquota.exe
    ============= Finding copies of regedit.exe
    ============= Finding copies of scecli.dll
    ============= Finding copies of services.exe
    ============= Finding copies of spoolsv.exe
    ============= Finding copies of svchost.exe
    ============= Finding copies of termsrv.dll
    ============= Finding copies of userinit.exe
    ============= Finding copies of user32.dll
    ============= Finding copies of winlogon.exe
    ============= Finding copies of ws2_32.dll
    Checking for .COM files to Delete. They will only print if deleted

    Listing COM, DLL, EXE, and SYS file in C:\WINDOWS
    Locating COM files in C:\WINDOWS\system32 - recursive
    Locating DLL files in C:\WINDOWS
    Locating DLL files in C:\WINDOWS\system32 - recursive
    Locating EXE files in C:\WINDOWS
    Locating EXE files in C:\WINDOWS\system32 - recursive
    Locating SYS files in C:\WINDOWS
    Locating SYS files in C:\WINDOWS\system32 - recursive
    Zipping newfiles.txt
    zip I/O error: Permission denied

    zip error: Could not create output file (C:/MGlogs.zip)
    Finished Zipping newfiles.txt
    Zipping ffdata.txt
    zip I/O error: Permission denied

    zip error: Could not create output file (C:/MGlogs.zip)
    Finished Zipping ffdata.txt
    Zipping winfiles.txt
    zip I/O error: Permission denied

    zip error: Could not create output file (C:/MGlogs.zip)
    Finished Zipping winfiles.txt


    So now I also have newfiles.txt on my desktop.
    I ran all the commands with my browser open, because I didn't receive any suggestion that I should close it, and I've been typing here as I run the steps.

    I closed and re-opened the cmd window again, and ran the analyse command. So now I have the hijackthis.log.

    I'm attaching the 3 logs, although they are not zipped. I don't think they are excessively big.


    I have finally started accessing the web with a limited account. If this was the reason you didn't get something you need, let me know. Perhaps the limited user account is limiting these tests, and I need to redo them on an admin user.
     

    Attached Files:
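The errors in the post above ("Access is denied", "zip I/O error: Permission denied ... (C:/MGlogs.zip)") are what the manual steps from the earlier post produce when they are run from an account that cannot write to the root of C:\. The following pre-flight batch script is an added example, not part of MGtools or of this thread; it checks, before any scan is started, that the C:\MGtools folder and the four items the helper asked for exist, that the account can create a file in C:\ (where MGlogs.zip is written), and that the account appears to be an administrator. The paths C:\MGtools and C:\MGlogs.zip are taken from the thread; the probe file name and the use of `net session` as an admin check are assumptions of this example.

```batch
@echo off
rem Added example (not part of the MGtools package or this thread): pre-flight
rem check for the manual MGtools steps. Run it from a cmd window as the account
rem you intend to use for MGtools.
setlocal

set "MGDIR=C:\MGtools"
set "ZIPTARGET=C:\MGlogs.zip"
rem Constructed probe file name; it is created and removed again.
set "PROBE=C:\mgtools_write_probe.tmp"
set ERRORS=0

echo === MGtools pre-flight check ===

rem 1. Is the MGtools folder where the instructions expect it?
if not exist "%MGDIR%\" (
    echo [FAIL] %MGDIR% not found. Re-extract MGtools.exe first.
    set /a ERRORS+=1
) else (
    echo [ ok ] %MGDIR% exists
)

rem 2. Are the scripts the helper asked for present?
for %%F in (NwkTst.bat GetRunKey.bat ShowNew.bat analyse.exe) do (
    if exist "%MGDIR%\%%F" (
        echo [ ok ] found %%F
    ) else (
        echo [FAIL] %MGDIR%\%%F is missing
        set /a ERRORS+=1
    )
)

rem 3. Can this account create a file in the root of C:\ ?
rem    A failure here is exactly what "zip I/O error: Permission denied"
rem    followed by "could not create output file (C:/MGlogs.zip)" means.
echo probe> "%PROBE%" 2>nul
if exist "%PROBE%" (
    del "%PROBE%" >nul 2>&1
    echo [ ok ] C:\ is writable, so %ZIPTARGET% can be created
) else (
    echo [FAIL] cannot write to C:\ - log in as an administrator, not a limited user
    set /a ERRORS+=1
)

rem 4. Does the account have administrative rights? "net session" is refused
rem    (system error 5) for non-administrators, so a non-zero exit code is a hint.
net session >nul 2>&1
if errorlevel 1 (
    echo [WARN] "net session" was refused; this account may not be an administrator
) else (
    echo [ ok ] administrative rights confirmed
)

rem 5. Mention any archive left behind by an earlier run.
if exist "%ZIPTARGET%" echo [info] %ZIPTARGET% already exists from an earlier run

echo.
if %ERRORS%==0 (
    echo Result: ready for the MGtools steps ^(cd \MGtools, then NwkTst, GetRunKey, ShowNew, analyse^).
) else (
    echo Result: %ERRORS% problem^(s^) found; fix them before running MGtools.
)
endlocal
```

Save it as, for example, mgcheck.bat anywhere on the machine and run it from the same kind of cmd window the helper described. If step 3 reports a failure while the other checks pass, the fix is the one the thread arrives at: run MGtools from an administrator account (and make sure the firewall is not blocking MGtools.exe), not a change to MGtools itself.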

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now that you know what caused the issue can you please just re run MGTools.exe as normal and attach the resulting MGLogs.zip. Thanks. :)
     
  7. Alyab123

    Alyab123 Private E-2

    Hi, Kestrel. It worked fine now, so I'm sending that log.

    Thanks so much for the time and patience you are working with here!
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Are you having help at bleepingcomputer about this issue as well as here at Majorgeeks?
     
  9. Alyab123

    Alyab123 Private E-2

    error double post
     
    Last edited: May 19, 2014
  10. Alyab123

    Alyab123 Private E-2

    Actually no.

    What happened was, I thought I was finished at bleeping computer with a previous problem. My logs were clean. I was not running any more diagnostic or fixing software. I had one more (what I thought was an innocuous) advice question that I posted there, but I still considered the job to be done.

    In the interim, I wanted to make sure the firewall I have up is set up correctly. I was having a hard time getting clear help. I must have done some kind of Google search to see if somebody would help me. That's how I ended up here on MajorGeeks, asking if anyone was willing to give me specific help/attention for the firewall.

    I am going to continue my explanation, although the exact order of events may not be 100% accurate. I can't say I remember exactly. I am trying to use the time stamps on my posts to re-enact what I did.

    All this while, I was repeatedly running my anti-malware software. Eventually, SuperAntispyware found this trojan, which I did not have during the bleeping computer help thread. Since I considered my previous trojan problem finished at bleeping computer, I just looked around here to find advice. I truly considered the matter at bleeping computer finished. I didn't even intend to ask for any actual help on this topic. I was looking for self-help, which led me here:

    http://forums.majorgeeks.com/showthread.php?t=139313

    I went quickly through the steps, and considered myself not to have problems, since my pc wasn't exhibiting any odd behavior. I skipped step 3 at that time. I was going to "wait a few days".

    It looks like I did step 4, the disable and re-enable system restore step next, because my current first restore point is timestamped shortly after the logs I produced in Windows XP Malware Removal/Cleaning procedure. Upon review, I noticed I had missed the mgtools thing for some reason. So I did it then. But it wouldn't run. I tried a bunch of things, but it still wouldn't run.

    So at that time, I decided to ask major geeks for help to run mgtools. It seemed logical to post it in the connected malware removal forum.

    One thing led to another. When I posted for help running mgtools, I figured I had to follow protocol and attach the logs I was holding on to. (which I accidentally didn't even upload at the time!) I figured I had to explain why I was going through the steps in the first place. Which led me to give you a historical background. Really I just wanted to follow all your steps and wait, since my computer wasn't acting weird or anything.

    I honestly considered my bleeping computer session to be finished. I guess I should have said that bleeping computer had already addressed the previous issues. But I was really focused on running the mgtools thing. I thought this was all part of a self-help process, to avoid bothering you guys. Without actually intending to do so, I was now working with you regarding the status of my pc.

    The question I had asked at bleeping computer had been answered, and I had finished off the topic, confirming that the answer I got, applied to all similar situations. I forgot that my response included one last little question. So as far as I was concerned the matter was done. A last response by bleeping computer, which I was not expecting, did overlap with my actions and post to you over here. I should have formally ended the bleeping computer thread at that point. (I did so now.)

    Just for the record, I did not sleep on Saturday night, and by Sunday afternoon it's kind of surprising that I was making any sense at all! You didn't even ask for additional logs, except the mgtools.zip. Yet I attached 3 logs which I dug out of mgtools folder for some reason! I remember struggling to find applicable files, because I had closed whatever was on my desktop!

    Well, I just now looked again at the quarantine folder, and I see that the "trojan" is in a _restore folder - which means it would have been deleted when I disabled, and then re-enabled the restore application in step four. The registry key noted by roguekiller is still there.

    I am so sorry if it looks like I was "double dipping" for help. I definitely had no such intention. I know that you are a volunteer and your time is valuable. I also understand that the systems used by different malware removal techniques vary, and it is completely counterproductive to get help from two people for the same problem. Your dedicated help is extremely appreciated, and I do not take it for granted, at all.

    Alyab123
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Sorry for the late response. It's been a little chaotic.


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://startpage.com/
    • O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    • O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

    After clicking Fix exit HJT.



    Delete this file:
    • C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc(3).dll

    Now explain what problems remain. :)
     
  12. Alyab123

    Alyab123 Private E-2

    I set up my homepage to be startpage intentionally. Are you suggesting that I need to delete that setup?
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ignore that then. Just continue with the little that there is to do. :)
     
  14. Alyab123

    Alyab123 Private E-2

    OK. I did what you said. I don't know if I have any other problems. In the middle of all this I had to do a system restore back to 5/20 8:00 AM. So I re-did the procedure, and removed the same stuff again.

    I will only know if I'm having other troubles in the next few days. Superantispyware always finds adware cookies. I don't know how they get there, since I have cookies set to be deleted when I close firefox, which is the only browser I use.

    The original "trojan" that sparked this thread, was still in quarantine and I deleted it. It seemed to come from a _restore file, but I have no idea which one.

    Thank you for your help! I will have to look elsewhere for help configuring Online Armor, since nobody on this site has replied that they can assist me.
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So what do you want to do from here? Do you feel like the machine is behaving? Let me know at some point.

    This is NOT a topic for the malware forum, but here is a link about Online Armour.

    http://www.emsisoft.co.uk/en/info/oa/Options.shtml
     
  16. Alyab123

    Alyab123 Private E-2

    To Kestrel 13:

    I am trying to track the stuff that has happened on my PC since the beginning of May. I came here to read what I did here. I just saw for the first time that you responded to my last post, in which I thought I was ending the thread.

    I apologize for never acknowledging this last post of yours.

    As far as I see it, you finished helping me. I first came to majorgeeks in search of help with online armor. I was looking for help in any reputable place where PC experts "hang out". (I appreciate the link you gave me in your last post).

    I noticed after I came here that I again had some sort of trojan. Since your forum has self-help cleaning directions in the malware thread, I decided to try your processes to get rid of it. The ONLY reason I asked for help was just because mgtools didn't work. I never really intended to ask for help over here. It kind of just happened, when you asked for the results of my logs.

    After you responded, you asked for the logs, etc. When we finished, everything on my PC was working. I thanked you and moved on. As far as I saw, my pc was working normally.

    For the next 2 weeks, I tried to create a rescue disk because that is really crucial. I went back to the forum where I had gotten the instructions for installing and using the image software. I do not consider this matter to be related to the work we did. Whatever further analysis of my PC that is being done over there, came about as a result of trying to create a darn rescue disk that works!

    This is just a belated acknowledgement to your last response, and an attempt to end this thread with a proper thank you! (There doesn't seem to be a "solved" button)

    Thank you again for the help you gave me.

    Alyab123
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi Alyab. :)

    Thanks for coming back and making another post, and letting me know how things are. Now that you have done that I can give you final steps below to wrap things up that we have done here.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work thru the below link:
     
  18. Alyab123

    Alyab123 Private E-2

    Unfortunately, I spoke too soon. :-o
    I am having many problems with my PC now, and I don't believe it's malware.

    I didn't realize there were "final steps", I'm glad I came back. I had collected all your utilities and logs into a folder, and eventually deleted them when I thought I was finished here. MGtools is still on my PC, though.

    As I said, I went back to the original site that had me install Macrium Reflect, since I am having a problem creating a rescue disk. In the middle of trying to get help for that, I made a discovery: Under Documents and Settings, I have 2 user accounts called Administrator. One is actually called Administrator.XXXXX (my computer name), and the other is called Administrator. Neither shows up in the normal start-up. Only one Administrator user comes up in Safe mode, but I don't know which one it is that I am using when I log in as the system Administrator.

    I started getting some help from a "network specialist" there. He had me run some scans to see if he could analyze my PC configurations, made some suggestions, and then stopped communicating with me since Tuesday June 10. I feel like I'm in limbo. I wish I could just move elsewhere for help, but I don't want to alienate myself on that site, so I'll have to wait a bit longer, and see if he ever comes back.

    Just FYI, these are what I ran and posted results for:
    minitoolbar
    adwcleaner
    OTL
    wireless.exe test tool


    I was supposed to do WindowExeAllKiller next. However, I have concerns about allowing it to proceed with the actions it recommends next. I need more specific help on tweaking the planned actions, but I'm still waiting.

    clean.exe is supposed to be next. There are no guidelines listed on how long to wait for further instructions, and I don't know if I have fallen through the cracks.


    Will running the MGclean.bat file interfere with anything I'm in the middle of?
     
    Last edited: Jun 17, 2014
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No.

    Then I suggest that you should post about it in the software forum. Best of luck! :)
     