runouce.exe

What problem did you have trying to run MGTools? Did you get an error message?

If it is still where it should be installed ( C:\MGTools.exe ) then please try double clicking the C:\MGTools\SN64.bat. If it runs, then attach the C:\MGLogs.zip.

 

Let's start by doing this:

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now use windows explorer to find and delete:
C:\WINDOWS\system32\runouce.exe

Now see if you can run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\MGlogs.zip

 

Download The Avenger by Swandog469, and save it to your Desktop.

* Extract+ avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\Avenger.txt
* C:\MGlogs.zip

Let me know it that works.

 

Avenger removed two of the items. Let's try a different approach.

Please try doing the below:

Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then doube click on it to run it.

AVPFind.bat

It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that is will hopefully create as long as the malware does not block the batch file from running.


Now download and Run exeHelper

• Please download exeHelper to your desktop.
• Double-click on exeHelper.com to run the fix.
• A black window should pop up, press any key to close once the fix is completed.
• Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Also please try running the below online scan:

http://www.superantispyware.com/onlinescan.html

Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Attach the below logs when finished with all of the above:

• C:\avplog.txt - from AVPfind
• log.txt - from exeHelper
• C:\MGlogs.zip - from MGtools

The C:\ assumes that drive C is you Windows boot drive. If you boot from another drive, then use the correct drive letter above.

 

Ok.....crap.

Try doing these:

SysProt AntiRootkit - How to run,

Win32KDiag - How to run

Using Inherit to correct program execution permissions issues

 

Sigh....sometimes I think I need a nap.

* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\Avenger.txt
* C:\MGlogs.zip

 

You are way out of date with your version of SUPERAntiSpyware.

• Please uninstall your current version (this is necessary).
• Then download this SUPERAntiSpyware
• Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
• After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
• Now run a new full scan of your system. And attach this new log.

Now run Malwarebytes and click the Update tab. Then click the Check for Updates button so you update to the current version of the program and database. Then run a new scan with it too. Attach the new log.

Now Click Start, Run, and enter cmd and click OK. This will open a command prompt Window. In the command prompt Window, enter the below commands each followed by the enter key:

ver > c:\ver.txt
dir C:\MGtools > C:\flist.txt

Now attach the C:\ver.txt and C:\flist.txt files here. Note there is a space after the dir and before the >

* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

 

Are you still unable to run the getlogs.bat?

 

Good!! We are now getting somewhere.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run Ccleaner to clean out only temp files and nothing else!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
* C:\Avenger.txt
* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

My mistake.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now please try to run the getlogs.bat. and attach both the MGLogs.zip and the Avenger log.

 

Let's try it this way even though Avenger is saying it is removing it:

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

You need to move your MGLogs.zip from your desktop back to the C:\drive where the MGTools.exe is.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\Avenger.txt
* C:\MGlogs.zip

*Fingers crossed!!

 

I will need to discuss this with Chaslang.

 

Click Start, Run, and enter cmd and click OK. This will open a command prompt window. Type in the below commands each followed by the enter key. There is a space after the cd

cd C:\MGtools
zip

After typing zip, is the below what you see:

Code:

C:\MGtools>zip
Copyright (C) 1990-1999 Info-ZIP
Type 'zip "-L"' for software license.
Zip 2.3 (November 29th 1999). Usage:
zip [-options] [-b path] [-t mmddyyyy] [-n suffixes] [zipfile list] [-xi list]
  The default action is to add or replace zipfile entries from list, which
  can include the special name - to compress standard input.
  If zipfile and list are omitted, zip compresses stdin to stdout.
  -f   freshen: only changed files  -u   update: only changed or new files
  -d   delete entries in zipfile    -m   move into zipfile (delete files)
  -r   recurse into directories     -j   junk (don't record) directory names
  -0   store only                   -l   convert LF to CR LF (-ll CR LF to LF)
  -1   compress faster              -9   compress better
  -q   quiet operation              -v   verbose operation/print version info
  -c   add one-line comments        -z   add zipfile comment
  -@   read names from stdin        -o   make zipfile as old as latest entry
  -x   exclude the following names  -i   include only the following names
  -F   fix zipfile (-FF try harder) -D   do not add directory entries
  -A   adjust self-extracting exe   -J   junk zipfile prefix (unzipsfx)
  -T   test zipfile integrity       -X   eXclude eXtra file attributes
  -!   use privileges (if granted) to obtain all aspects of WinNT security
  -R   PKZIP recursion (see manual)
  -$   include volume label         -S   include system and hidden files
  -h   show this help               -n   don't compress these suffixes
C:\MGtools>

Now type exit in the command prompt window to close the command prompt.


Now Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.

Let's see if we can manually update by downloading and running this: MBAM_RULES

If that does not help, see Issue # 8 here: http://www.malwarebytes.org/forums/index.php?showtopic=10138

If you get it to update, run a new scan and fix what it finds and attach the new log.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Then attach the below logs:

• the new log from Malwarebytes if it updated
• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!
If MGtools still does not create the MGlogs.zip file itself, please just put the below logs into a ZIP yourself and attach it. These are the only ones we need now:

 

You did not answer my question about running zip?

It looks like MGtools is running okay now though.

Yes these all need to be deleted they are how the infection keeps respawning.


Now download Registry Search (see the link titled RegSearch Download Link )

• Extract the files from Regsearch.zip into a folder.
• Doubleclick regsearch.exe to start the program.
• See the top 3 boxes under the Enter search strings (case independen) and click Ok... option, and enter the below two strings (use copy and past)
  • runouce
  • readme.eml
• Then click "OK".
• Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
• Attach this RegSearch.txt file.

 

Since more of the infection is still present, we will have to build a fix. The RegSearch is one piece of info I need. Below is another.

Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

Findit.bat

This may take awhile to run since it will be searching thru your whole hard disk. When it finishes, there should be a C:\badfiles.txt log. Attach this log.

 

Click refresh and try it again. After you get this log (not before), please run the below tool and let me know if it finds and removed anything.

McAfee AVERT Stinger

 

Just run the Stinger and then run the below tools from Symantec. This worm can be quite nasty and may have damaged/infected many Windows system files. Sometimes with infections like this, a reinstall becomes necessary.

W32.Nimda.A mm Removal Tool

W32.Nimda.E mm Removal Tool

 

Yes that was where it was supposed to be. I was supposed to say C:\MGtools\badfiles.txt

Just run the scans from McAfee and Symantec so we can see what they find.

 

And for your information you should read the below about this infection especially if you use this PC on a network with other PCs. They may all be infected now.

http://www.f-secure.com/v-descs/nimda.shtml

F-Secure also provides another free removal tool which you will see in the above link.

 

Based on all the items being found, I would not trust this PC anymore. You really should just reinstall.

Yes it could be carrying the infection. You could try running the scanning tools I gave you links to on this drive just to see what is found. I would suggest running the F-Secure one too.

Most likely not as soon as you plug it it, but more likely if you install or run anything from the drive that carries the infection which is why I say to scan it first before reinstalling. And then after the reinstall and with your external drive connect, rescan with ALL these tools again.

You could take the chance on running all these tools multiple times until they come up clean but there are no guarantees so it depends on how safe you want to be. Also there is still a chance that you will have system instability especially if any required system or program files cannot be cleaned and need to be deleted. There is always the chance that somewhere during the cleaning, your system could become unbootable.