I AM HURT! My Computer is wrecked!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by RedSarge, Apr 23, 2011.

  1. RedSarge

    RedSarge Private E-2

    You guys here on Major Gees forum were very helpful last time in helping me out with my previous problem.

    And I appreciate it, as now that my MSN works again I can talk to my extended family again. THANKS!

    Unfortunately my PC was recently infected by what I believe is the trojan and fake AV "HILOTI". Hiloti has completely ruined my PC by preventing me from even starting windows.

    Here's how it breaks down.

    1) On April 21 I visited a website I frequent known as "Warseer", a hobby forum that in NO WAY SHOULD be expected to install malicious content on one's PC. (But this is the internet, so I guess nothing is safe.) Warseer had recently been hacked.

    2) The website was hacked but had returned to normal in around a week, having no signs of bad content. I then visited the website as I was glad it was now ok, and I bookmarked a webpage on Warseer for later reading.

    3) I then accessed this bookmark later in the day, during other things, bypassing google (my homepage) which might have told me if it was SAFE OR NOT. INSTANTLY I WAS INFECTED with 3 ".exe" processes running in my task manager within 30 seconds.

    4) I closed the processes, but the damage was done. Shortly a pop-up FAKE AV program told me I was infected and my RAM temperature and a bunch of other BULLSH*T!
    THERE is no temperature sensing device in my computer!

    5) I am not angry, I know I should be but it's weird that I'm not. After the fake AV pop-up my computer shut down unexpectedly.

    6) I stupidly logged back in, only to see my desktop was blank and ALL my icons WERE gone SAVE IE and Firefox.

    7) All programs in the START menu were also gone, though I know I still had them.

    8) So I shutdown, logged into my PC Administrator account in SAFE MODE

    9) I THEN ran IN ORDER
    - SYSTEM RESTORE (failed)
    - SYSTEM RESTORE again to earlier date (failed)
    - Ran Malwarebytes Anti Malware
    - downloaded but did not install (Avast & SuperSpyware)
    - Got Defogger to remove any disc emulation
    - Ran SpyBot

    All of these helped in removing 10 various Registry keys and other ".dll's". I decided to delete the QUARANTINED FILES to avoid them coming back...

    I have LOGS of all the removed files but... I CANNOT GET THEM TO YOU GUYS!!! NO! My PC NOW only restarts.

    10) This morning I started my PC after doing all the changes last night, it will get to the windows screen then REBOOT.

    11) I hit F8 and made sure not to reboot on error so I could at least keep the PC on, I get a BLUE error screen telling that "some files might be damaged".

    12) NOTHING SPECIFIC

    13) I think one of my rootkit files was infected and my PC might require a BOOT disk because MBAM.exe (Malwarebytes) might have deleted an essential file.
    I have an XP install disc from years back.

    My AVAST expired a long time ago and because I don't visit malicious sites I didn't renew it, even uninstalled it so it would stop bothering me.. so there was no protection outside of freeware.

    I have had my PC for 6 years, I dust it every year, maintain it, it is the last connection I have with my Father.
    That is all that is left..

    I am a full time Engineering student, and cannot afford to buy another PC right now!

    I am totally screwed over.


    *** BEWARE the website known as WARSEER is hacked and has become an ATTACK SITE *** Do not go there!

    I write from a library computer that only gives me 30 minutes, so please forgive my haste.. I have 5 minutes left to look up Hiloti.

    -RedSarge
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you cannot boot in any mode ( safe or normal mode ) and you cannot run any of the READ & RUN ME there is not much we can do for you except suggest what is in the below quote box
     
  3. RedSarge

    RedSarge Private E-2

    Hmm well, that does not bode well. Darn.

    In fact here's the update.
    - I do not have the windows XP disc, the booklet I thought had the disc in it was in fact just a piece of cardboard. :(

    I hope to use the Windows recovery console via the Windows website kb310396, this way I could replace damaged files.

    This probably is a lost cause but here is the BSOD error that I was able to bring up.

    0x0000007B (0xF8A5C528, 0xC000000E, 0x00000000, 0x00000000)

    I have access to a laptop for now so I can read & post updates.
     
  4. RedSarge

    RedSarge Private E-2

    I am not just dropping my problem here and shouting fix it, I would like help but I assure you I will get to a professional shop if there is no hope.

    below is info on the error code

    0x0000007B - misconfigured files, related to a boot virus.

    0xF8A5C528 - i don't know what this one is

    0xC000000E - so this tells me that there are registry errors, no doubt related to the deletion of the trojan files

    0x00000000 - this is caused by misconfigured system files...
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As I said, unfortunately we can't help you much if you can't boot. You can create a disc for the recovery console:

    This is a download of an .iso file of just the Recovery Console for XP.
    Burn to CD with Nero or other 'disc image' capable tool and boot.

    XP Recovery Console.

    Then you can try doing this:
    How to recover from a corrupt registry.
     
  6. RedSarge

    RedSarge Private E-2

    Ok, well I got the UBCD4WIN to help me out, I think I can copy down the required logs from any programs here, checking out the "recover from a corrupt registry" link, thank you TimW.

    So at least I can get 'into' my pc.
     
  7. RedSarge

    RedSarge Private E-2

    ALRIGHT, PROGRESS!

    Here are two logs I was able to recover post-system boot failure.
    These are from MBAM
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I have to assume that you did fix the items that MBAM found. If you can, please do the rest of the Read and Run first instructions and get me the requested logs:
    SAS
    RootRepeal --- if it runs
    ComboFix
    C:\MGLogs.zip
     
  9. RedSarge

    RedSarge Private E-2

    The stupid fricking Ultimate Boot CD defaults to X: drive, a virtual DRIVE and this interferes with SAS, RootRepeal (won't even extract properly) and ComboFix (keeps telling me it is corrupt)...


    I don't know how the heck I'm going to fix this thing.
    IF ONLY THERE WAS A WAY to COMPARE my System 32 folder and my Registry with a PROPER XP Home installation... :confused

    So in short,
    SAS - no run
    RootRepeal - no run
    ComboFix - no run
    C:\MGLogs.zip - does not make the MGLogs.zip

    I'm sure it has something to do with the boot CD.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If it is one of the new TDL infections, you may need to create this disc:

    *** Please print these instructions ***

    1. Download Hiren's BootCD Iso to the desktop of a clean computer.
    2. Extract the zipped HirensBootCD.zip to your desktop.
    3. Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
    4. Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
    5. Insert a blank CD in your drive.
    6. Press Start. This will burn the image to disc. After it has completed...
    7. Restart your sick computer and boot from the HBCD you created.
    o If your PC is not booting from the CD, you need to change the boot order:
    + Restart your PC
    + As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    + Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    + Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    + The tab should now show your current boot order.
    + If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    + Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    o Your PC should now boot from your CD.
    o Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
    8. When the CD boots choose "DOS BootCD".
    At the Hiren's BootCD main menu, select Next and hit Enter.
    At the second menu select 1 MBR (Master Boot Record)Tools
    In the list of MBR Tools select 1 MBR Work 1.08
    This screen will show the hard drive configuration.
    Type 5 to Install standard MBR code then hit Enter
    Type 1 to select Standard then hit Enter
    Type Y then hit Enter to confirm
    Type E then hit Enter to exit
    Press Ctrl+Alt+Del to restart the machine

    If you can then boot to either normal or safe mode w/networking, try running this:
    TDSSkiller - How to run
     
  11. RedSarge

    RedSarge Private E-2

    Thank you TimW, but before I try that I think I FOUND IT!

    Volsnap.sys this little bugger! Darn, PC's are like people..

    I'll let you know, you've been very helpful, the other forum stone walls me.
     
  12. RedSarge

    RedSarge Private E-2

    Ok, update.


    I looked over my recovered logs that I had posted earlier, in a more awake state, I researched each entry and found "VOLSNAP.SYS" is a system driver file that hackers and other evil-doers like to infect or damage.

    Causing instant BLUE SCREEN, really terrible.

    So, I recovered a copy from my PC's I386 Cache (ensured file size) as my BOOT CD did not have one! THIS MIGHT BE AN ISSUE as it could be infected in all locations, but MBAM only showed "C:\Windows\System32\Drivers\Volsnap.sys" was infected, and deleted.

    NOTE:
    *I tried posting this from my Administrator account.

    Here is what I did.

    1) After replacing volsnap.sys
    2) Rebooted without boot CD
    3) Started in Safe Mode *crossed fingers*

    4) It worked, was in Safe Mode (non networked)

    5) Decided to log out of safe Mode and log in as Administrator, I DID THIS in order to run the README & RUNME better.

    6) I noticed that "box.exe" started and my Internet Explorer was closed down, I am still infected as a FAKE AV showed up again!!!!! I thought as much, something still remains.

    7) Logged Out


    I ask; what is the best way to NOW go about removing this terrible plague?

    LOG IN SAFE MODE? then RUN READ ME RUN ME!?

    I know combofix and others run better in normal mode.

    I WILL NOT touch my PC until I receive more information from this forum.
    Thank you.
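An added check, not from this thread or from MajorGeeks' procedure, for the volsnap.sys replacement described above: it compares the live driver with the I386 cache copy by PE signature, file size and SHA-256 digest, since a matching file size alone does not prove the two copies are the same. The Windows paths in the comments are assumptions for illustration.

```python
"""Compare a system driver against a known-good reference copy.

Checks, in order: the reference is a valid PE image, the live file is a
valid PE image, the sizes match, and the SHA-256 digests match. A file that
is the right size but the wrong content is flagged explicitly.
"""
import hashlib
import struct
from pathlib import Path


def pe_signature_ok(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def compare_driver(live: bytes, reference: bytes) -> dict:
    """Run every check on the two images and return the results by name."""
    return {
        "live_pe_ok": pe_signature_ok(live),
        "reference_pe_ok": pe_signature_ok(reference),
        "same_size": len(live) == len(reference),
        "same_sha256": hashlib.sha256(live).digest() == hashlib.sha256(reference).digest(),
    }


def verdict(report: dict) -> str:
    """Turn a compare_driver() report into a one-line conclusion."""
    if not report["reference_pe_ok"]:
        return "reference copy is not a valid PE image; do not use it"
    if not report["live_pe_ok"]:
        return "live driver is not a valid PE image (corrupt or tampered)"
    if report["same_sha256"]:
        return "identical to reference"
    if report["same_size"]:
        return "same size but different content: size check alone would have missed this"
    return "differs from reference"


def check_files(live_path: str, reference_path: str) -> str:
    """Compare two files on disk, e.g. (paths assumed, adjust to the machine):
    check_files(r"C:\WINDOWS\system32\drivers\volsnap.sys",
                r"C:\WINDOWS\I386\volsnap.sys")
    """
    return verdict(compare_driver(Path(live_path).read_bytes(),
                                  Path(reference_path).read_bytes()))


def build_minimal_pe(payload: bytes) -> bytes:
    """Construct a tiny MZ/PE-shaped byte string for offline testing (not a real driver)."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> PE signature right after the header
    return bytes(header) + b"PE\x00\x00" + payload


if __name__ == "__main__":
    # Constructed sample images: a "good" copy and a same-length copy with different bytes.
    good = build_minimal_pe(b"A" * 32)
    same_size_tampered = build_minimal_pe(b"B" * 32)
    print(verdict(compare_driver(good, good)))
    print(verdict(compare_driver(same_size_tampered, good)))
```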
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, if you can log into safe mode, do so and run all the scans that we request. Get me some logs to look at:
    SAS
    MBAM
    ComboFix
    C:\MGLogs.zip

    Also run this:
    TDSSkiller - How to run
     
  14. RedSarge

    RedSarge Private E-2

    Just a quick reply before I continue, can't post for long before IE goes crazy.


    WILL POST LOGS

    However, I have found that I have Rootkit.Win32.TDSS.tdl4

    located on \harddisk0\

    I will cure it, and continue on.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That's why I want you to run the TDSSKiller program. ;)
     
  16. RedSarge

    RedSarge Private E-2

    should I reboot after using TDS Killer?

    I want to complete the read me run me, TDS log found rootkit.win32.tdss.tdl4 (\harddisk\0)

    I will log onto networked safe mode and post logs, then get the heck outta networked to prevent download of malicious software.
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, reboot and first see if you can get into normal mode and run the scans. If not, do them in safe mode.
     
  18. RedSarge

    RedSarge Private E-2

    Since it is apparent that I have the money making Rootkit TDSS, and it keeps telling me to register, aka give them money, I am currently doing the following:

    Posting from laptop - while PC runs SAS in "normal mode" as Admin. Disconnected from internet physically.

    The READ ME RUN guide states rebooting after running steps like SAS, SHOULD I reboot when asked? I'd like to not have to remove a possible re-infection.

    The log is not ready yet, but programs like MBAM caused me a BSOD by removing Volsnap.sys. I'm currently praying that my PC doesn't randomly shut down from SAS, if it does I will move onto the next step in the READ ME RUN.

    I feel like I have taken several weeks off my life span... :(
     
    Last edited: May 9, 2011
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to run TDSSKiller first. Then do the other scans.
     
  20. RedSarge

    RedSarge Private E-2

    Ok, so I did run TDSS Killer again, this was after SAS, it found the same found rootkit.win32.tdss.tdl4 (\harddisk\0)

    which is so depressing, honestly. I do not want to keep asking however.

    SAS Removed the infection, at least to an extent that I can enter my Windows Security console... the REAL one.

    I WANT TO POST THE LOG, but if I connect to the internet will I GET infected again!!!! Aghr.. I don't know!?

    Should I re-enable my windows firewall and give it a shot?

    I WOULD LIKE TO RUN THE WHOLE GUIDE, then post all logs at once even if I get infected again, I hope you didn't tl;dr.

    Edit: Latest Mbam definitions are only available to me on the net, no USB drive.
     
  21. RedSarge

    RedSarge Private E-2

    Root Repeal can scan, but gives error:

    "RootRepeal Error - Invalid PE image found!"

    WILL post all logs tomorrow after I purchase Norton or Kaspersky, I want to install one of these to protect my PC 'before' I get back on the internet. Hopefully that will protect me once I reconnect my desktop PC to the internet.
     
    Last edited: May 9, 2011
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You don't need to purchase anything. Microsoft Security Essentials is a good AV program and it's free. If you are worried, just transfer the logs to the computer you are using to access our site and attach them. I can't help you without seeing logs.
     
  23. RedSarge

    RedSarge Private E-2

    Ok finally got a usb stick, here are the logs.

    I am concerned about combofix deleting:
    c:\documents and settings\My Name\WINDOWS -- yikes! Don't I need that!?

    I have not tested the "My Name" profile as it might still be infected, I cannot access it from Admin, it is private. Well, I guess we'll see what the logs say.

    TDSS Killer cannot 'cure' "Root.Windows32.tdlr\harddisk\0" as far as I know.
     

    Attached Files:

  24. RedSarge

    RedSarge Private E-2

    MgTools is here.


    EDIT YES, thank you for your patience.

    Added tdss killer
     

    Attached Files:

    Last edited: May 11, 2011
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Give me a few to look at your logs.

    Ok, do you have your XP cd? We may need to use it.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\Admin\Local Settings\Application Data\bm1uxbtac6u03165lf7058a12ol
    C:\Documents and Settings\All Users\Application Data\18734900
    C:\Documents and Settings\All Users\Application Data\bm1uxbtac6u03165lf7058a12ol
    C:\Documents and Settings\All Users\Application Data\~18734900"
    C:\Documents and Settings\All Users\Application Data\~18734900r
    C:\Documents and Settings\Admin\Templates\bm1uxbtac6u03165lf7058a12ol
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the latest version and attach that log:
    TDSSkiller - How to run

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

    Then attach the below logs:
    * TDSSKiller log
    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
    Last edited: May 11, 2011
  26. RedSarge

    RedSarge Private E-2

    No, but fortunate to have an XP BootCD. (UBCD4WIN)

    Ok here is the new combofix log, TDSS & MgTools.zip TimW.

    I noticed "nppdf32.dll" is among recent, I think it is best that I un-install Adobe and re-install it after this is all over. I have had the internet disconnected for two days.

    TDSS came up clean! *hooray*
     

    Attached Files:

  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    NOW--- What is this:
    C:\WINDOWS\system32\drivers\back vol ???

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

    Then attach the below logs:
    * C:\Avenger.txt
    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  28. RedSarge

    RedSarge Private E-2

    Ok, again thanks very much.

    Here is MGTools.zip, ComboFix & Avenger logs.

    "C:\WINDOWS\system32\drivers\back vol ???" is a backup I made of the I386 directory cache non-infected "volsnap.sys". I WILL DELETE IT.

    I made it just in case the infection tried to corrupt ALL three of my volsnap.sys file locations.
     

    Attached Files:

  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean!!

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:


     
  30. RedSarge

    RedSarge Private E-2

    Update!

    Upon logging into my USER account "RedSarge" I get this message =

    Error loading C:\Windows\mdestmod.dll

    The specified module could not be found.



    In addition, - I am missing almost ALL of my Programs in my START MENU! I still have them installed, but I need help here.


    Is there a SUB FORUM on MajorGeeks that can help me to use a .reg file from one of my older back-ups to just recover the Program Start Menu REGISTRY entries?

    I know which ones I would need to add.

    RAN these on my account
    1) SAS found something
    2)MBAM found one thing
    3)TDSS - CLEAN

    I think this might indicate a problem:
    FIREFOX randomly uses a lot of CPU (99%) now!
    VERY SUSPICIOUS
     

    Attached Files:

  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

