Possible Virus attack - help analysing logs requested

Discussion in 'Malware Help (A Specialist Will Reply)' started by lindamurphy, Jun 19, 2012.

  1. lindamurphy

    lindamurphy Private E-2

    Doing this on behalf of my sister Gilly. I am based in the UK, and am a Windows 7 / IE9 user. Last Thursday I closed down my system as normal. On the Friday I tried to access an Excel file that I use several times a day. I went to the folder it was in and the folder was empty. It had previously had lots of files in there. Discovered the files had been moved to the Video folder but most of the files were empty. They were a mixture of pdf, docx and xlsx files. One xlsx file was renamed with an .xlsb extension which I had never heard of before. I opened it and the Excel message said no errors found, so I renamed it back to xlsx, but when I looked only some data was there. Other Excel files had been renamed to .xls files and when opened Excel warned that the file looked suspicious. All pdf files were empty and docx/xlsx files either modified or empty but all renamed to .xls/.doc extensions. That may not be the extent of the carnage.

    Did a scan using Security Essentials. I have then followed your procedures using HitmanPro, Malwarebytes etc. with no viruses found. Not sure that MGTools ran properly as I did not get a .zip file but did get a .txt file.

    Before I restore my data backup from a month ago I wonder if you could analyse the logs produced to see if there is anything suspicious, as I can't believe a virus would do its thing then disappear.

    Thanks Linda
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    We really need the complete ZIP file log from MGtools to continue and I will give you something to try. However I do have to say that this does not sound like malware.


    Make sure UAC is disabled and that all protection software has been stopped and then do the below.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  3. lindamurphy

    lindamurphy Private E-2

    Hi Chaslang, thanks for the welcome and the quick response. Well, still no joy. Disabled Microsoft Security Essentials, which is the only protection software running, and the firewall just for good measure. Right clicked GetLogs.bat and ran as administrator. A DOS window briefly appears but not for long enough to see anything and nothing else happens. Searched the whole system for anything ending in .zip with no joy. Can I run the reports individually? However, it sounds like good news that you don't think it's a virus.

    Cheers Linda
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Let's try to debug this.

    Please click Start, All Programs, Accessories and you will see ( among other things ) a Command Prompt entry.
    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.
    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple/brown is merely informational.
    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    SN64 <-- this will try to run just one scan from MGtools. Tell me what error messages, if any, you see.
    nwktst <-- this will try to run just one scan from MGtools. Tell me what error messages, if any, you see.
    GRK64 <-- this will try to run just one scan from MGtools. Tell me what error messages, if any, you see.
    getnetinf <-- this will try to run just one scan from MGtools. Tell me what error messages, if any, you see.

    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.
     
  5. lindamurphy

    lindamurphy Private E-2

    Hello from England, thanks again for quick response.

    Started an administrator command prompt
    changed directory to C:\MGTools and ran 'SN64', 'nwktst' and 'GRK64', and the response was the same, quote: 'find' is not recognised as an internal or external command, operable program or batch file, unquote.

    GetNetInf.bat response was: 01/19/2011 version 0.1b 'find' is not recognised as an internal or external command, operable program or batch file, unquote.

    and no zip file produced.

    so I am not doing very well am I - sorry

    Linda
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmm! find is a built-in exe file that is part of all Windows Installations. So either the file is really missing or your PATH environment variable may be corrupted.

    Open a command prompt window again and enter the below commands. Note one > in first command and two >> signs in second command. Also there is a space after dir

    set > env.txt
    dir c:\windows\system32 >> env.txt


    Then attach the env.txt file which should be in the folder you saw as your prompt in the command prompt window. Typically this is C:\Users\username

    where username is your user account name.
     
  7. lindamurphy

    lindamurphy Private E-2

    Hi, The env.txt file is attached. By the way, I really appreciate your trying to help in this, very impressed, thanks Linda
     

    Attached Files: env.txt (133.3 KB)
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Okay, I was correct about your Windows PATH environment variable being messed up. The "find" program is actually on your PC but since the PATH variable is wrong, it cannot be found. Before we try to fix this, let's see if the new version of MGtools can work around this. ( I made a change to see if I can avoid Windows issues like this. ;) )



    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\MGlogs.zip
     
  9. lindamurphy

    lindamurphy Private E-2

    Well that seems to have worked perfectly that time. c:\MGlogs.zip now attached. Linda
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well not quite. Most of the logs are not in the ZIP file. Please try again and make sure you wait until it says it is finished before attaching the log. Also check again for any error messages.

    If necessary, try using the command prompt instructions I gave in message # 4 so we can see if there is some other issue. The fix I made to MGtools just attempts to work around the fact that your PATH is broken and that the find command could not be located due to this. It does not address any other issues that could be occurring due to your PATH being broken. For example, many other commands like regedit.exe and reg.exe cannot be found. I can tell this from the logs that did get made.

    Let's try fixing your path. See the below link

    http://www.computerhope.com/issues/ch000549.htm

    What you need to do is insert at the beginning of your PATH environment variable the below text, exactly as it is written, with the semicolons. The semicolons are separators.

    C:\Windows\system32;C:\Windows;

    If you do this properly, your PATH variable should then be the below. And actually, you could just overwrite what you currently have with the below by copying and pasting it into the PATH line once you select it for editing.

    C:\Windows\system32;C:\Windows;C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live;C:\Windows\System32\Wbem;C:\Program Files (x86)\Windows


    You have to reboot after saving this in order to get it to take effect.
     
    Last edited: Jun 22, 2012
  11. lindamurphy

    lindamurphy Private E-2

    Now it's getting scary! Am having to do this remotely now as I was only at my sister's for a few days.

    Ran MGTools before I changed the PATH environment variable and after, and both zips have been attached and called 'MGLogsbefore' and 'MGLogsafter'. I had to put the path back the way it was once done as my sister could not log into Windows Live Messenger; did not have time to test if anything else was different.

    before path change
    SN64 - 'sc' is not recognised etc reported twice
    64 bit windows os found
    'calcs' is not recognised etc
    the process tried to write to a non-existent pipe

    nwktst - none of the pings were recognised etc
    no error given when checking 'testing DNS servers with 'nslookup' and 'routers'
    'route', 'ipconfig' and 'sc' not recognised

    GRK64 'regedit' not recognised

    after path change
    SN64 - 64 bit windows os found
    the system cannot find the path specified
    path not found c:\windows\sysnative\drives (could have been drivers!)
    then a list of files found
    com files not found in c:\windows
    dll and exe found
    sys files not found c:\windows

    nwktst and GRK64 no errors reported

    not great is it. Linda
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach them.


    Also please repeat what I had you do back in message # 6 with

    set > env.txt
    dir c:\windows\system32 >> env.txt


    And attach the new env.txt file
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In fact.... skip my previous message and let's try a newer version of MGtools updated tonight. ;)

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\MGlogs.zip
     
  14. lindamurphy

    lindamurphy Private E-2

    Sorry about yesterday's attachments; I certainly went through the motions so I guess I pressed the wrong submit button.

    Ran MGlogs.exe as per your instructions and MGlogsSunday1.zip is the file.

    Noticed errors so then did instructions in message # 2 so I could log errors and MGlogsSunday2.zip is the file.

    They are different file sizes!

    Errors were
    SN64 - 'attrib' and 'sort' not recognised
    com files not found c:\windows
    sys files not found c:\windows

    nwktst
    all the 'pings' not recognised
    'netstat' not recognised

    GRK64
    'netstat' not recognised
    'tasklist' not recognised

    getnetinf - no errors
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, each new version of MGtools has been helping; however, now I can see that you never properly fixed your PATH environment variable as requested in message # 10. Did you have a problem copying and pasting that last full line into the PATH edit box? Did you save the change?
     
  16. lindamurphy

    lindamurphy Private E-2

    As previously reported, I did change the path and saved it, but then my sister could not log into Windows Live Messenger so I had to put the path back the way it was, as there may have been other knock-on effects too. So her existing path is as follows:
    C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live;%SystemRoot%\System32\Wbem;C:\Program Files (x86)\Windows Live\Shared

    It does not seem all that different to the one you asked me to change it to which is
    C:\Windows\system32;C:\Windows;C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live;C:\Windows\System32\Wbem;C:\Program Files (x86)\Windows

    I have now attached the MGlog zip which I ran after changing the path.

    Just to reiterate I have put the path back to the way it was originally.
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then change the path to the below instead. This should fix the issue with Windows Live and also should address the problem with the PATH to your system files. You cannot leave how it was originally as this will lead to problems like we are having. And some day you will try to run something and you will not understand why it did not work.

    C:\Windows\system32;C:\Windows;C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live;%SystemRoot%\System32\Wbem;C:\Program Files (x86)\Windows Live\Shared

    After setting the above PATH, save it and reboot. After the reboot, run the below and DO NOT rename MGlogs.zip. Just attach the MGlogs.zip file that is created. Make sure you click TWICE on the Accept button for the HijackThis license agreement if you see one ( shut down all other windows to make sure you see the license agreement popup ).

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below log:
    • C:\MGlogs.zip
     
  18. lindamurphy

    lindamurphy Private E-2

    Changed path and WLMessenger still okay, thanks.
    Right clicked run as administrator on mglogs/getlogs.bat.
    Did not get any warning to accept a license.
    Admin command prompt opened and ran all the tests, the most successful yet I think, but there were a couple of errors.
    When finished, I was supposed to hit any key to close the DOS prompt but could not do that as I am doing it remotely - tried various mouse clicks but the whole lot closed down, including my remote session. Restarted the session and mglogs.zip is attached.
     


  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, now that we have all the logs, I can say with more certainty what I suspected all along. And that is, the problems you mentioned in message #1 were not due to malware. Your logs have all been clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Press and hold the Windows key http://forums.majorgeeks.com/chaslang/images/Windows_Logo_key.gif and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  20. lindamurphy

    lindamurphy Private E-2

    That is great news, thank you and thanks for all the help even though I have been a bit of a pain!

    Cheers Linda
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Not at all. :) That's why we are here.;)
     
