Is this a virus?

Discussion in 'Malware Help (A Specialist Will Reply)' started by sukatski, Dec 27, 2010.

  1. sukatski

    sukatski Private E-2

    When I turn on my PC I get: "Error loading C:\DOCUME~1\User\LOCALS~1\Temp\26440921.txt
    The specified module could not be found."
    How can I fix this? And is this a virus?
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You could navigate to the temporary directory and delete the file, but it would be best for you to follow through with the below just to be safe.

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. sukatski

    sukatski Private E-2

    There isn't even a LOCALS~1\Temp\26440921.txt part. It stops at User... or is that folder hidden?
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, it is hidden. As I said, to be safe continue with my instructions that I previously posted.
     
  5. sukatski

    sukatski Private E-2

    BTW, I noticed that in every folder and on the desktop there is a hidden file thumbs.db. Don't know if this is related, so is it? And maybe I should try fixing mistakes with CCleaner (the registry cleaner)? Plus, I searched for that file when I turned off the hiding of files, and there still isn't such a file.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It's normal. You obviously now have hidden files and folders set to show so that is why you are seeing those.
    You certainly could run the cleaner side of CCleaner (not the registry section) and then see if the error continues. Or maybe you should simply follow the instructions that I posted earlier.
     
  7. sukatski

    sukatski Private E-2

    The error I get isn't malware? Or the thumbs.db?
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The thumbs.db is not malware. They are hidden files.
     
  9. sukatski

    sukatski Private E-2

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You mean when you try to run it. Well, just let it continue... do NOT mouse click or use the keyboard once it is running. It is very sensitive and doing so could cause the program to stall.

    Make a response again when you have logs to attach. :)
     
  11. sukatski

    sukatski Private E-2

    I waited but combofix.exe got the same error (I didn't even touch the keyboard or move the mouse), and I used my own Malwarebytes 1.41 because I couldn't download the version you shared (somehow). Here are my logs.
    And does it change anything if I scanned yesterday and am going to scan today? Or should I do it over from the start?
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, your version of Malwarebytes is out of date, so open up the program, locate the update tab > let it update and then re-scan > fix anything it may find, and attach the log regardless of the results.

    Now why am I not seeing a log from running MGTools.exe? Have you done so yet? If so then attach the C:\MGlogs.zip
     
  13. sukatski

    sukatski Private E-2

    Oops, I forgot. I used all the programs in normal mode; should I redo them all in safe mode?
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to do the scans in normal mode. I didn't ask for them to be run in safe mode. ;)
     
  15. sukatski

    sukatski Private E-2

    OK, I turned on MGtools; it created some folders or files, but then nothing happened after.
    And when I turned on safe mode, I didn't get the error (the one I am complaining about).
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes! Please attach the C:\MGlogs.zip
     
  17. sukatski

    sukatski Private E-2

    Sure
     

    Attached Files:

  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And what about this?
     
  19. sukatski

    sukatski Private E-2

    Oh, right.
     

    Attached Files:

  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    This should do the job for you.

    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program

    Delete this folder:

    C:\Documents and Settings\User\AppData\LocalLow\MicroƱoft

    Uninstall the below software:
    • RegCure

    What is inside of this folder? Do you know what it relates to? If not, tell me or show me with a screenshot.
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • O4 - HKCU\..\Run: [Configuring] rundll32.exe C:\DOCUME~1\User\LOCALS~1\Temp\26440921.txt,M
    • O18 - Filter hijack: text/html - {574940E0-1B7A-4881-8FA3-1E809714B156} - C:\Documents and Settings\User\AppData\LocalLow\MicroƱoft\redir.dll
    After clicking Fix exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Tell me ... how is the computer behaving at this point?
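    A defender-side check for the two HijackThis entries singled out in the post above, as an added example that is not from the forum or the MGtools kit: it parses HJT-style O4 and O18 lines and flags a rundll32 autorun that loads a non-DLL file from a Temp directory, and a MIME filter DLL registered outside the Windows directory under a look-alike folder name. The log lines are constructed to mirror the thread, and the Windows directory prefixes are an assumption.

```python
import re
# Constructed HijackThis-style lines modelled on the thread; not the poster's actual log.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Configuring] rundll32.exe C:\DOCUME~1\User\LOCALS~1\Temp\26440921.txt,M
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O18 - Filter hijack: text/html - {574940E0-1B7A-4881-8FA3-1E809714B156} - C:\Documents and Settings\User\AppData\LocalLow\MicroƱoft\redir.dll
O18 - Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\WINDOWS\system32\msxml3.dll
"""
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\[^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O18_RE = re.compile(r"^O18 - (?P<kind>Filter(?: hijack)?): \S+ - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<module>.+?)(?:,\w+)?$", re.I)
TEMP_RE = re.compile(r"\\Temp\\", re.I)              # long or 8.3 (LOCALS~1\Temp) form
WINDIR_PREFIXES = ("c:\\windows\\", "c:\\winnt\\")   # assumption: system root is on C:

def check_o4(cmd: str) -> list:
    """Flag rundll32 autoruns whose module is not a .dll or is loaded from a Temp directory."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return []
    module = m.group("module").strip().strip('"')
    reasons = []
    if not module.lower().endswith(".dll"):
        reasons.append(f"rundll32 loads a non-.dll module: {module}")
    if TEMP_RE.search(module):
        reasons.append("module is loaded from a Temp directory")
    return reasons

def check_o18(kind: str, path: str) -> list:
    """Flag MIME filters HJT calls hijacked, outside the Windows directory, or with a non-ASCII path."""
    reasons = []
    if kind.lower() == "filter hijack":
        reasons.append("HijackThis marks this MIME filter as hijacked")
    if not path.lower().startswith(WINDIR_PREFIXES):
        reasons.append("filter DLL is outside the Windows directory")
    if any(ord(c) > 127 for c in path):   # catches look-alike names such as 'MicroƱoft'
        reasons.append("path contains non-ASCII characters (possible look-alike folder name)")
    return reasons

def scan(log_text: str) -> list:
    """Return (line, reasons) for every O4/O18 line that trips at least one check."""
    findings = []
    for line in log_text.splitlines():
        if (m := O4_RE.match(line)):
            reasons = check_o4(m.group("cmd"))
        elif (m := O18_RE.match(line)):
            reasons = check_o18(m.group("kind"), m.group("path"))
        else:
            continue
        if reasons:
            findings.append((line, reasons))
    return findings
```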
     
  21. sukatski

    sukatski Private E-2

    OK, here's my ODUI folder: http://img155.imageshack.us/i/22745924.png/
    As you can see, there's ObjectDock, the program I used to get a Mac-like look... (I didn't even know if there's a virus or if there isn't).
    And here's my MGlogs.zip:
     

    Attached Files:

  22. sukatski

    sukatski Private E-2

    Hmm, I just restarted my PC, and I'm not getting the error :)). Should I do anything more, or are we done here? :)
     
  23. sukatski

    sukatski Private E-2

    Plus, could that virus or malware see the passwords I used? And should I change them?
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, the ObjectDock folder is fine.

    You do any online banking? If so you should change the passwords. Best to be safe.

    Delete the below folders:
    • C:\Documents and Settings\User\Application Data\DriverCure
    • C:\Documents and Settings\User\Application Data\ParetoLogic
    • C:\Documents and Settings\All Users\Application Data\ParetoLogic

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  25. sukatski

    sukatski Private E-2

    A few more questions: could the virus read game passwords (not the browser ones), and should I leave msconfig at normal startup?
     
  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I doubt it would bother. But like I said, do change them if you wish!

    Yes. I believe I said to you before that you should always remain in normal start up mode. Any other mode is used primarily for diagnostic and troubleshooting purposes.
     
  27. sukatski

    sukatski Private E-2

    Forgot to say something... Thank you so much! :) :) :) :) :)
     
  28. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hey you're welcome. :)
     
