Help, I am having problems with an infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by mquelch, Sep 14, 2010.

  1. mquelch

    mquelch Private E-2

    Hi,

    I am having a problem with an infection. My computer was restarting every time, and I couldn't get any removal tools to run. I finally got it to run my last good startup. I've tried running MGtools but it wouldn't run and I couldn't get any logs. I've run the rest of the tools and I've attached the logs.

    Please help.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What about Combofix? Try running that please unless you are on a 64-bit system. Then I want you to rename MGTools.exe to 123.com and try and run it again, if not in normal mode then in safe mode.
     
  3. mquelch

    mquelch Private E-2

    I am running 64 bit and I cannot run Combofix. I also tried renaming MGtools to 123.com but it still wouldn't run.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your OTL log, this is likely because you have not disabled UAC and rebooted as instructed. Your OTL log shows UAC is enabled.
     
  5. mquelch

    mquelch Private E-2

    I did disable UAC after I sent the post and I did try running MGtools again, but I had the same results. Now I can't get logged in; it says the user profile cannot be loaded.
     
  6. mquelch

    mquelch Private E-2

    I forgot to mention that I've tried using my restore disk to repair the system, but that is not working either.
     
  7. mquelch

    mquelch Private E-2

    Here is the OTL log, and I still cannot run MGtools.
     

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please click Start, Run, enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt, each followed by the Enter key. The bold black text is a command. The red text is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.

    If it ran, attach the logs.
     
  9. mquelch

    mquelch Private E-2

    I tried your suggestions and it did not run. I got: "find" is not recognized as an internal or external command, operable program or batch file.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you have MGTools downloaded to C:\MGTools.exe? Where did "find" come from? Is UAC disabled? Are all your AV and AS software disabled?
     
  11. mquelch

    mquelch Private E-2

    MGtools was downloaded into the root directory of C:\ and expanded from there, so there is a MGtools folder. "Find" is the response I got when I used the commands you suggested in the cmd window. UAC, AV, and AS were disabled when I ran the commands.

    When I run GetRunKey and ShowNew I get: "find" is not recognized as an internal or external command, operable program or batch file.
     
  12. mquelch

    mquelch Private E-2

    I tried running MGtools again and it ran for about 1 second and stopped. I've attached the logs, but I am not sure what is inside.
     


  13. mquelch

    mquelch Private E-2

    I just tried running ShowNew from inside the MGtools folder and it started, then stopped with an error: "\??\C:\MGTools\ltime.exe" cannot start or run due to incompatibility with 64-bit versions of Windows. Is there a 64-bit version of MGTools?

    I am running Windows 7 64-bit.
     
  14. mquelch

    mquelch Private E-2

    Hi

    I am still having difficulty with my computer. I noticed that my McAfee firewall goes off. When I turn it on, it goes off again. Also, I am getting an error when I try to install Windows Updates. The error code says my firewall is stopping the updates, but the firewall says it is off.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If the C:\MGTools folder was created, try running these:
    C:\MGtools\GRK64.bat
    C:\MGtools\SN64.bat
     
  16. mquelch

    mquelch Private E-2

    I tried to run both C:\MGtools\GRK64.bat and C:\MGtools\SN64.bat and neither of them ran.

    I just see the cmd black screen briefly.
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's see if we can get HITMAN to free you up enough to run the scans.
     
  18. mquelch

    mquelch Private E-2

    Hi,

    I had to get Hitman 64-bit from the author's site. It ran ok and I've included the log. I also included the log for Kaspersky virus removal tool that I ran earlier.

    I am still having the same problems with my computer.
     


  19. mquelch

    mquelch Private E-2

    Hi,

    I just realized the Hitman log did not get attached. The log only showed MGtools.exe as a Trojan, it did not find anything else.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well then Hitman Pro did not fix anything! It is obviously incorrect about MGtools.exe. Hitman Pro is actually more intrusive and does more questionable things than MGtools. ;) That still does not make Hitman a trojan. Obviously Hitman is not actually verifying anything related to MGtools, which is rather easy to do. The same is all true for the false detection by Kaspersky.

    Note your last OTL log still showed UAC enabled so when you are disabling it, it is not really disabling. Also after disabling, you have to reboot for it to take effect.

    When you ran GRK64.bat and SN64.bat from the command prompt, what messages did you see? If they are not running, some form of error message should appear or does it just abort. You MUST run it from the command prompt like below to debug.


    Please click Start, Run, enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt, each followed by the Enter key. The bold black text is a command. The purple text is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GRK64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    SN64 <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.

    ALSO note, you should shut down your McAfee software before running any of the MGtools scans to avoid problems due to McAfee interference.
     
    Last edited: Sep 16, 2010
  21. mquelch

    mquelch Private E-2

    Hi,

    I am really having a difficult time with this computer.

    I've tried to disable UAC again, and I tried to run GRK64 and SN64 from the MGtools directory in the cmd and again I get the following.

    "find" is not recognized as an internal or external command, operable program or batch file.

    I ran the Kaspersky virus removal tool again and I don't know if the results are any help. I've attached the log.
     


  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I know it will probably not work, but you mentioned you could not run combofix, but what about after renaming it? I know you renamed MGTools, but what about CF? Try it just to see. Rename to abc.com and give it a go.

    Also although you are on a 64 bit system, this tool here (if it will run at all due to the condition your machine's in) should run in a reduced functionality mode, but it may still catch something so let's see...

    Download TDSSKiller from Kaspersky directly onto your Desktop.
    • Now double click the TDSSKiller.exe file to run it (if using Vista or Windows 7, do not double click on it but rather right click and select Run As Administrator).
    • Allow the application to run if prompted by Windows or any security programs you have installed.
    • It will start the scan and run rather quickly, and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive (or whatever drive you boot from) in the root folder, named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt, which is based on the program version # and the date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post)
     
  23. mquelch

    mquelch Private E-2

    Hi,

    I tried running Combofix but I get an error saying wrong OS: this product only works for workstations with Windows 2000 and XP.

    I ran TDSSKiller and I've attached the log.
     


  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What happened when you tried to do a repair install?
     
  25. mquelch

    mquelch Private E-2

    Last time I did that nothing happened; it did not repair anything.
    Do you think it is time for me to use the repair disk using the image I created? I made this disk on July 31, 2010. I will probably lose some information.
     
  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If your image was from before all this occurred, I would definitely use it. You may wish to check for things that you will lose and safely back them up. But I do believe that reverting to that saved image will help. Much of what is happening seems to be software related, not necessarily malware related.
     
  27. mquelch

    mquelch Private E-2

    Ok, I will try using the image to fix the issues.
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let me know how that goes. I would hope you can then run the scans to be on the safe side. :major
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Likely very true that the Windows OS has been corrupted. The message below:

    "find" is not recognized as an internal or external command, operable program or batch file.

    which was received when trying to run the batch files, indicates either that you are missing a file which is part of Windows or that your path has been corrupted and the file could not be located. find.exe is a part of Windows, and on an x64 system copies should be located in both of the below folders:

    C:\Windows\system32
    C:\Windows\SysWOW64
     
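    A quick way to confirm the diagnosis above on the affected machine, as an added example that is not from the thread or from MGtools: it checks that both copies of find.exe are present and that the PATH cmd.exe relies on still includes the System32 folder. It assumes a PowerShell session on the affected Windows x64 system and that $env:windir points at the Windows folder.

```powershell
# Added diagnostic; not part of the thread or of MGtools.
# Assumes PowerShell on the affected Windows x64 machine and $env:windir = C:\Windows.
# Explains a "'find' is not recognized" error by checking the two find.exe copies
# and the PATH that cmd.exe would search.

$sysRoot  = $env:windir
$expected = @("$sysRoot\System32\find.exe", "$sysRoot\SysWOW64\find.exe")

Write-Host "== find.exe copies =="
foreach ($f in $expected) {
    if (Test-Path -LiteralPath $f) {
        $ver = (Get-Item -LiteralPath $f).VersionInfo.FileVersion
        Write-Host ("present  {0}  (file version {1})" -f $f, $ver)
    } else {
        # A missing system file points at OS corruption; sfc /scannow can restore it.
        Write-Host ("MISSING  {0}" -f $f)
    }
}

Write-Host "`n== PATH as seen by this session =="
$sessionDirs = $env:Path -split ';' | Where-Object { $_ -ne '' }
$hasSystem32 = $sessionDirs | Where-Object { $_.TrimEnd('\') -ieq "$sysRoot\System32" }
if ($hasSystem32) { Write-Host "System32 is on PATH" } else { Write-Host "System32 is NOT on PATH" }

Write-Host "`n== Machine-wide PATH stored in the registry =="
# Get-ItemProperty expands %SystemRoot% in this REG_EXPAND_SZ value for us.
$regKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$machinePath = (Get-ItemProperty -Path $regKey -Name Path).Path
Write-Host $machinePath
if ($machinePath -notmatch 'System32') {
    Write-Host "System32 is missing from the machine PATH: the variable has been altered"
}

Write-Host "`n== What this session resolves for 'find' =="
$resolved = Get-Command find.exe -ErrorAction SilentlyContinue
if ($resolved) { Write-Host ("resolves to {0}" -f $resolved.Path) }
else           { Write-Host "find.exe cannot be resolved from this session" }
```

    If both copies are present but System32 is absent from PATH, the variable rather than the file is what needs repairing; if a copy is missing, that is consistent with the OS corruption suspected above.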
  30. mquelch

    mquelch Private E-2

    Ok, I will repair with the image then run MGtools and post the logs.
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Fingers crossed!! :)
     
  32. mquelch

    mquelch Private E-2

    Hi Guys,

    I repaired my computer with the image repair, and I ran MGtools. I've posted the logs, so tell me if I still have a problem.

    Thanks
     


  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Based on the fact that you can now run MGTools and after a quick look through those logs, you are good to go!! The only thing I can recommend at this point is to first clean out this folder:
    C:\Users\Michael Quelch\Local Settings\TEMP\

    Then create a new restore point.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:
     
  34. mquelch

    mquelch Private E-2

    I want to thank all of you at Major Geeks for your assistance. You've done me a great service for which I am very grateful.

    God's blessings to all of you.

    Thank you.
     
  35. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are very welcome!! Safe surfing. :)
     