Help with GetRunKey

Discussion in 'Malware Help (A Specialist Will Reply)' started by VolusiaJ, Jan 3, 2007.

  1. VolusiaJ

    VolusiaJ Private E-2

    Hello all. I am working on getting all of my files ready to submit for some assistance on a malware problem but am having a problem getting a GetRunKey file. I have every other file ready but when I double-click on the GetRunKey.bat file the cmd window states:

    C:\xtmpsysccs.txt
    C:\xtmpsyscc1.txt
    C:\xtmpsyscc2.txt
    1 file(s) copied.

after this step nothing happens ... no notepad pop-up, nothing. I looked in the C:\ drive for the GetRunKey.txt file and it is not there. Does anyone have any insight into this problem?

    Thanks in advance amigos!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are just temporary files created in order to build the final log of information. When GetRunKey.bat terminates properly, these files will be deleted.

    The filename to be created is runkeys.txt not GetRunKey.txt.

    Are you sure no other error messages are occurring?
    Do you know how to open a command prompt window and run the GetRunKey.bat file from the command prompt? This would help you see any other error messages more clearly.

    Does ShowNew.bat run properly and produce a newfiles.txt log?
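The autostart locations GetRunKey.bat and the HijackThis O4 lines report can be listed directly, which helps when the batch file stalls without an error. This is an added PowerShell example, not GetRunKey's own code; the output path C:\runkeys_ps.txt and the "Application Data" review marker are assumptions of the example.

```powershell
# Added example (not GetRunKey.bat itself): list the Run / RunOnce values for
# the machine and the current user, logging each key separately so a failure
# on one key is recorded instead of silently stalling the whole run.
# C:\runkeys_ps.txt is an assumed log path, not the tool's runkeys.txt.
$LogPath = 'C:\runkeys_ps.txt'

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$Lines = foreach ($Key in $RunKeys) {
    "[$Key]"
    try {
        $Props = Get-ItemProperty -Path $Key -ErrorAction Stop
        # Skip PowerShell's own PS* metadata properties; keep the real values.
        $Props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                $Line = "  {0} = {1}" -f $_.Name, $_.Value
                # Heuristic marker (assumption): autostarts launched from a
                # profile's Application Data folder deserve a closer look.
                if ("$($_.Value)" -like '*\Application Data\*') {
                    $Line += '   <-- review'
                }
                $Line
            }
    } catch {
        # Missing key or access denied: record it and keep going.
        "  ERROR: $($_.Exception.Message)"
    }
    ''
}

$Lines | Set-Content -Path $LogPath -Encoding ASCII
Write-Host "Wrote $($Lines.Count) lines to $LogPath"
```

Run it from an elevated PowerShell prompt so the HKLM keys can be read; the log is plain text and can be attached like runkeys.txt.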
     
  3. VolusiaJ

    VolusiaJ Private E-2

    Thanks for your reply chaslang,

    I apologize, I meant runkeys.txt rather than GetRunKey.txt. To clarify, there is no runkeys.txt.

    There are no other error messages that are occurring. It simply stalls. I deleted the extracted files and tried to extract them again with the same results.

    Can you give me some insight as to how to run GetRunKey.bat from a command line?

    As for ShowNew.bat, it runs properly with no problems (i.e. it produces the expected newfiles.txt log)

    Thanks again
     
  4. VolusiaJ

    VolusiaJ Private E-2

    Just in case they are needed, here are all the files other than runkeys.txt (3 of 5)
     


  5. VolusiaJ

    VolusiaJ Private E-2

    And 4 and 5
     


  6. VolusiaJ

    VolusiaJ Private E-2

    Also, as you have requested ...

    I have followed all instructions on the "READ & RUN ME FIRST" thread.

    My computer has the following symptoms: When I open my Firefox browser, an Internet Explorer window pops up with as from adserverplus.com

    Below are the scans that I have run with comments.

    - CCleaner - no problems
    - Spybot Search & Destroy (w/Immunize) - no problems
    - CounterSpy - detected problems, but ignored them; log attached (CounterSpy.txt)
    - BitDefender - log attached (bdscan.txt)
    - ActiveScan - log attached (Activescan.txt)
    - ShowNew - log attached (newfiles.txt)
    - HijackThis - log attached (hijackthis.log)
    *****- GetRunKey - Not attached (see below)

    I have also run Norton AntiVirus. There are no files in the quarantine area.

    Please let me know what to do.

    Thanks again,
    VolusiaJ
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have a feeling that it is having a problem due to the size of some of your registry key hives. Please download the attached GetRunKeyD.zip file and extract the contents into the same folder where you previously extracted GetRunKey.zip. There is one file in this new zip file. The file is named GetRunKeyD.bat. We will run this later after doing some other cleaning steps.


Did you download and install Torrent101 yourself? If so, that is where your malware problems began. You need to be a lot more careful. This is malware. Don't be in such a rush to use these programs. I see that on the same day you installed this, you also installed Limewire and Turbo Torrent.
    Are Pest Patrol and Trojan Hunter paid versions or free trial versions?

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 9

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [gpl move gram ping] C:\Documents and Settings\All Users\Application Data\Anti Cool Gpl Move\Bits License.exe
    O4 - HKCU\..\Run: [book ante] C:\DOCUME~1\Jason\APPLIC~1\ELSEPL~1\AXISNEW.exe
    O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://winkflash.com/photo/loaders/SAXFile.cab

    After clicking Fix, exit HJT.


Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Documents and Settings\All Users\Application Data\Anti Cool Gpl Move\two bags.exe
    C:\Documents and Settings\All Users\Application Data\Anti Cool Gpl Move\Bits License.exe
    C:\Documents and Settings\Jason\Application Data\Else plus\AXISNEW.exe
    C:\Documents and Settings\Jason\Application Data\Else plus\cucsqxit.exe
    C:\Documents and Settings\Jason\Application Data\Else plus\zocwgbag.exe
    C:\Program Files\Torrent101\ZM\minime.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.


After reboot, use Windows Explorer to delete the below folders if found:
    C:\Documents and Settings\Jason\Application Data\Else plus <--- the whole folder
    C:\Documents and Settings\Jason\Application Data\Torrent101 <--- the whole folder
    C:\Documents and Settings\All Users\Application Data\Anti Cool Gpl Move <--- the whole folder
    C:\Program Files\Torrent101 <--- the whole folder
    C:\Program Files\Else plus <--- the whole folder

    Now run Ccleaner.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKeyD - assuming this modified version runs.
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     


    Last edited: Jan 4, 2007
  8. VolusiaJ

    VolusiaJ Private E-2

    First off, thanks a ton chaslang! Everything is back to normal. You're a rockstar! I appreciate you taking the time to help.

    Secondly ... yep I installed Torrent101 ... poor choice. Can you tell me if uTorrent is a viable client for torrents? If not do you have any suggestions?

    Lastly, here are the files you asked for but GetRunKeyD did not work again.

    Thanks again!
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer my questions about Pest Patrol and Trojan Hunter.

Also, you did not follow all the steps as requested in the order given. I still see CounterSpy installed.

The only thing that is recommended in the malware cleaning forum on these programs is not to use them. Suggesting anything else would be contrary to this forum's principles. You could ask questions like this in the Software Forum.

    I would really like to figure out why it will not run on your PC. This is troubling since it runs on hundreds of PCs every week without a problem. Are you willing to try a few things to help debug this?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I almost forgot to say this!

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  11. VolusiaJ

    VolusiaJ Private E-2

    Pest Patrol is the full version. As for Trojan Hunter it is the 30 day evaluation version.

This software was installed as part of this process. I can uninstall it if needed(?)

    Sure! I'd be happy to. I will work though your last post in an hour or so.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You can either keep Trojan Hunter until it expires or uninstall it now. It's up to you. I am wondering if somehow they are interfering with GetRunKey running, but I doubt it.



    Sorry about that! I had intended to have a line specifying to uninstall it since it is only a trial and did not want it to conflict with Pest Patrol. Uninstall it now.


Great, thanks! The first thing I would like you to quickly try is to just boot into safe mode and run the GetRunKeyD.bat program in safe mode and let me know if that runs. In the meantime, sometime this evening I will make another modified version of GetRunKey to see if I can trace out exactly where it is freezing up.
     
  13. VolusiaJ

    VolusiaJ Private E-2

    OK ... I uninstalled CounterSpy and Trojan Hunter. Also completed the other instructions about getting rid of reg files etc.

    I can start whenever you can.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You did not say whether you tried what I asked at the end of my last message.
Also click Start, Run, enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt. I'm assuming that you extracted GetRunKey into the folder named C:\spywarekillers\GetRunKey; if that is not correct, substitute the correct name of the folder below.
    • cd C:\spywarekillers\GetRunKey\
    • GetRunKeyD.bat
    Now in the command prompt window, do you notice any error messages not observed before?


    I will work on a modified version now. I will call it GRKdeb.bat. You will just need to extract it from the zip file (called GRKdeb.zip) when I attach it to my next message and try running it. Even if it does not run all the way through, I'm hoping the debug output will show me where exactly it is dying.
     
    Last edited: Jan 7, 2007
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I had an older debug version around. It does not have all the scan features that are in the current GetRunKey, but I think this would be a good starting test.

Download the GRKdeb.zip file from the below link and extract it into the same folder as GetRunKey.bat. Then run the GRKdeb.bat file. It will produce a log named C:\GRKdebug.txt. Attach this file here.

    GRKdeb.zip
     
