Very Bad WIN32/FakeSysDef Infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jellobean, Oct 17, 2012.

  1. jellobean

    jellobean Private E-2

    Hi,

    I need help with this virus, but the computer is so messed up that I can't even follow the initial Read & Run First steps.

    This is my niece's netbook and I'm not sure what was done by my brother-in-law before she came begging Aunt Sarah to fix her computer. When she gave it to me, she thought her dad had erased all the programs. Whatever is on there she got from a teacher who took home her thumb drive for an assignment. (I think I need to teach her malware safety.)

    Once I took a look at the computer I realized that it wasn't wiped as my brother-in-law thought, but all the files were hidden. I figured out it must be a virus and tried to run the only virus software installed (Avira - a very old version) and was trying to see if I could access the internet, but it blue screened on me.

    I restarted in safe mode with networking and can do very little since the only thing that works is the Task Manager New Task button (everything else is hidden -- there is nothing in the start menu or any folders that are opened). I've figured out how to use dir /ah on the command prompt to find what to type in the New Task window to run some programs. Internet Explorer won't connect and when I tried to go into networking to connect to my home wireless, it won't connect. I'm not sure what the problem is as I'm connecting on my computers.

    I have managed to use the command prompt to run an Avira virus scan which found the following problems (I've retyped them by hand from the Detection window):
    ka3FPyXn6Ub29q.exe TR/FakeSysdef.A.70
    uScjSUZyRbMG49.exe TR/FakeSysdef.A.70
    8C.tmp TR/Crypt.XPACK.Gen8
    jar_cache1507400232443453680.tmp EXP/CVE-2010-4452
    jar_cache1925184717676015418.tmo EXP/CVE-2010-4452
    jar_cache2442237570098365378.tmp EXP/CVE-2010-4452
    jar_cache459116526008894102.tmp EXP/CVE-2010-4452
    jar_cache8006190616643096353.tmp EXP/CVE-2010-4452
    jar_cache939570695691538787.tmp EXP/CVE-2010-4452
    flXDJfGX[1].pdf HTML/Malicious.PDF.Gen4
    flXDJfGX[2].pdf HTML/Malicious.PDF.Gen4
    scandsk[1].exe TR/Crypt.XPACK.Gen
    flXDJfGX[1].pdf HTML/Malicious.PDF.Gen4
    flXDJfGX[2].pdf HTML/Malicious.PDF.Gen4
    flXDJfGX[3].pdf HTML/Malicious.PDF.Gen4
    vaiomediaplatform-mobile-gateway.dll TR/Sirefef.BV.2
    vds.dll TR/Sirefef.BV.2
    netbt.sys TR/Offend.KD.581389
    0.03063015339869446.exe TR/FakeSysdef.450560.15
    5762.sys TR/SimdaFF.A.1
    jar_cache5064042516220805582.tmp EXP/CVE-2012-0507
    Main.class EXP/11-3544.BN.4.A

    I clicked 'Repair all' I believe that quarantined the problems, but I know that the Fakesysdef sometimes beats quarantine.

    I spent some time reading about Fakesysdef and thought it best to post for help at this point since this appears to be a very nasty virus and this computer is very messed up already.

    As I mentioned before, I can't access the internet on that computer at the moment, even in safe mode. The machine doesn't have a drive, but I have a USB CD-Rom I could use to add programs that I downloaded on my machine. (Though I do need to get some CDs to write on first.) I am hesitant to use a thumb drive since that would likely infect any machine I put it back into. Probably not related, but making stuff more difficult is the fact that the computer is not recognizing the battery to charge it so the machine is tethered to an outlet.

    Please let me know where I should go from here. Thanks.
     
  2. jellobean

    jellobean Private E-2

    A further note:

    I left the computer running (safe mode) while waiting for a reply. I woke up this morning to a blue screen from safe mode. I am not going to restart it until I get further instructions.

    Sarah
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below will normally help with this.

    Please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it ( if you are running Vista or Win 7, use right click and select Run As Administrator ). Did that help with your missing items?


    Now see if you are able to run the cleaning procedure below. Run what you can if not everything.

    READ & RUN ME FIRST. Malware Removal Guide
     
  4. jellobean

    jellobean Private E-2

    I apologize for taking so long to get back to this. This was the first weekend I was home again.

    I got some of the programs/icons to reappear with the bleeping computer unhide. However, I tried to use the link that program gave me to find how to get the shortcuts back, but it didn't work.

    I also still cannot get an internet connection, both wired and wireless. When I did the troubleshoot on the wireless, it said my hardware was good, but the authorization step failed on connection. The same wire that worked on my other laptop won't register on the problem laptop.

    I tried to run RogueKiller first but it kept crashing. I then ran MalwareBytes and TDSSKiller and then tried RogueKiller again, and it ran after the first two. Also, I did all this in safe mode because things kept crashing in regular mode.

    Here is the error from the first time I tried to run RogueKiller:
    RogueKiller by Tigzy has encountered a problem and needs to close. We are sorry for the inconvenience.

    Error signature
    EventType:BEX
    P1: RogueKiller.exe
    P2: 8.3.1.0
    P3: 50afafe2
    P4: RogueKiller.exe
    P5: 8.3.1.0
    P6: 50afafe2
    P7: 000888d1
    P8: c0000409
    P9: 00000000

    I also was not able to update MalwareBytes because I don't have an internet connection on that machine.

    Also, the programs on the computer won't run from the start menu as all the folders in the start menu are empty. I have to dig into the C: drive Program Files and find the actual .exe file to run anything.

    Thanks again for helping.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note there are too many administrator accounts on this PC. There should only be one. Logs show the below.
    Code:
    Users on this computer:
    Is Admin? | Username
    ------------------
       Yes    | Administrator
       Yes    | Dad
       Yes    | Mom
       Yes    | Rosa
       Yes    | Teddy
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\RunOnce: [8F347ACE-61BC-4645-B293-D253B660F971] cmd.exe /C start /D "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp" /B 8F347ACE-61BC-4645-B293-D253B660F971.exe -postboot
    O4 - HKUS\S-1-5-21-402609690-1745380191-2322996971-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Rosa')
    O4 - HKUS\S-1-5-21-402609690-1745380191-2322996971-1006\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe (User 'Rosa')
    O4 - HKUS\S-1-5-21-402609690-1745380191-2322996971-501\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Guest')
    O4 - HKUS\S-1-5-18\..\Run: [dplaysvr] %APPDATA%\dplaysvr.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [dplaysvr] %APPDATA%\dplaysvr.exe (User 'Default user')
    O23 - Service: Winpowermanager (lp6nds35) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
    O23 - Service: Fshttps (ofcpfwsvc) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)

    After clicking Fix, exit HJT.

    Now run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    Code:
    :Processes
    explorer.exe
     
    :Services
    lp6nds35
    ofcpfwsvc
     
    :Files
    C:\Program Files\QuizulousBar
    C:\Program Files\FunWebProducts
    C:\Program Files\MyWebSearch
    C:\Documents and Settings\Administrator\Application Data\dplaysvr.exe
    C:\WINDOWS\system32\drivers\76983836.sys
    C:\WINDOWS\Temp\142375597.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\8F347ACE-61BC-4645-B293-D253B660F971.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\dump.dat
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "NeroFilterCheck"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
    "8F347ACE-61BC-4645-B293-D253B660F971"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "dplaysvr"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{144D6DDF-B82F-46b3-A5BA-7127A3491FE5}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Be patient while doing the below. The fixes can sometimes take quite a while to run. Especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shut down any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.
    Now uninstall the below very old versions of software:
    Java(TM) 6 Update 11
    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
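    The HijackThis lines selected for fixing above share traits a defender can check mechanically: an autostart that runs from Temp or AppData, a value named with a bare GUID, a Run entry under the SYSTEM or Default profile, a \\.\globalroot device path, or an entry whose file is already gone. The script below is an added example, not part of this thread and not HijackThis code: it parses O2/O4/O23 lines in the log format shown and reports why each one deserves a second look. The sample log embeds lines quoted from this thread plus one constructed benign entry (SynTPEnh) for contrast; the heuristics and the function names triage_line and triage are my own.

```python
import re

# Constructed sample log: HijackThis lines quoted from this thread, plus one benign
# autostart (SynTPEnh, a touchpad helper) added here for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\RunOnce: [8F347ACE-61BC-4645-B293-D253B660F971] cmd.exe /C start /D "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp" /B 8F347ACE-61BC-4645-B293-D253B660F971.exe -postboot
O4 - HKUS\S-1-5-21-402609690-1745380191-2322996971-501\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Guest')
O4 - HKUS\S-1-5-18\..\Run: [dplaysvr] %APPDATA%\dplaysvr.exe (User 'SYSTEM')
O23 - Service: Winpowermanager (lp6nds35) - Unknown owner - \\.\globalrootC:\WINDOWS\system32\svchost.exe (file missing)
"""

# O4 = registry Run/RunOnce autostart: hive, key, value name, command, optional user.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
# User-writable locations from which legitimate autostarts rarely run.
TEMP_RE = re.compile(r"%APPDATA%|%TEMP%|\\Temp\b|LOCALS~1|\\Application Data\\", re.I)
# Profiles (SYSTEM and Default User) that normally carry no per-user Run entries.
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")


def triage_line(line):
    """Return the reasons a HijackThis line deserves a second look (empty list = none)."""
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("orphaned entry: the referenced file no longer exists")
    if "\\\\.\\globalroot" in line.lower():
        reasons.append("uses a \\\\.\\globalroot device path to disguise the real image")
    m = O4_RE.match(line)
    if m:
        if TEMP_RE.search(m.group("cmd")):
            reasons.append("autostart runs from a user-writable Temp/AppData location")
        if GUID_RE.match(m.group("name")):
            reasons.append("autostart value is named with a bare GUID")
        if m.group("hive").upper().startswith(SYSTEM_HIVES):
            reasons.append("autostart registered under the SYSTEM or Default profile")
    return reasons


def triage(log_text):
    """Run triage_line over every non-empty line; return the flagged lines with reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    -", r)
```

    A line these heuristics leave alone is not thereby clean: the Guest-profile QuickTime entry and the MyWebSearch toolbar entries in the fix list above were chosen on other grounds (a leftover autostart in an unused profile, unwanted toolbar software), so the output is a starting point for review, not a verdict.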
     
  6. jellobean

    jellobean Private E-2

    So my niece finally harassed me to get back to work on this.

    I ran HJT and fixed the specified lines, however, I could not find the following lines:
    O4 - HKLM\..\RunOnce: [8F347ACE-61BC-4645-B293-D253B660F971] cmd.exe /C start /D "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp" /B 8F347ACE-61BC-4645-B293-D253B660F971.exe -postboot
    O4 - HKUS\S-1-5-21-402609690-1745380191-2322996971-501\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Guest')

    I then removed Windows Messenger.

    I need to do the OTM step next, however, the problems with the computer are preventing me from saving files to the desktop (or if they are saving, I can't see them). I tried to run OTM from the CD I had it saved on (I can't currently access the internet with the computer being fixed.), but I did not see a Run as Administrator option. I clicked Run As and was given the following choices:

    Current user (ORANGE\Rosa)
    Protect my computer and data from unauthorized program activity
    This option can prevent computer viruses from harming your computer or personal data, but selecting it might cause the program to function improperly.

    The following user:
    (Options provided as follows)
    Rosa
    Mom
    Dad
    Teddy
    (Administrator is not listed)

    I don't know whether to choose one of those options or if I need to save the program elsewhere first (since I can't access the desktop to save).

    Thanks.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    6 months is way too long a time frame to just continue where we left off. Even in a time frame of 2 weeks it is typically necessary to start over.

    I need to do the OTM step next, however, the problems with the computer are preventing me from saving files to the desktop (or if they are saving, I can't see them). I tried to run OTM from the CD I had it saved on (I can't currently access the internet with the computer being fixed.), but I did not see a Run as Administrator option. I clicked Run As and was given the following choices:

    You can just run it by double clicking on it since you are using Windows XP. You really should save OTM.exe onto the PC and not run it from CD. See if you are able to save files anywhere else on the PC even if not directly on the Desktop.
     
  8. jellobean

    jellobean Private E-2

    The computer had been turned off sitting in a closet since the last time I worked on this so I thought there would not be an issue with taking up where we left off. I will rerun all the initial logs and repost results.
     
  9. jellobean

    jellobean Private E-2

    Attached are the new logs. I also installed the updated Java files.

    I still have no internet connection and am missing my desktop icons and many icons in my start menu.

    Thanks
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is a new infection. I can see it in your logs. You did not have this problem previously.

    Please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it ( if you are running Vista or Win 7, use right click and select Run As Administrator ). Did that help with your missing items?

    Also note that Grinler ( the creator of unhide.exe ) has the below link which gives info on restoring some system defaults when the unhide program cannot find backups. Scroll down in the link:

    http://www.bleepingcomputer.com/forums/topic405109.html


    Did that help?



    Be patient while doing the below. The fixes can sometimes take quite a while to run. Especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.
    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shut down any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  11. jellobean

    jellobean Private E-2

    The desktop - icon - start menu issue:
    When I turned on the computer today, the desktop icons were back and so were some of the start menu items. More start menu items came back running unhide. I looked at the posts you directed me to, but it appears that my brother-in-law must have dumped the start menus because there was nothing in the C:/temp folder. My folders in the start menu are still mostly empty, but it does appear that some of the basic ones (i.e. Accessories) and those for programs installed in the last two days (i.e. Malwarebytes, Hitman Pro, the drivers I updated) are visible. I checked the program files and the actual files are still there. I think it's just the Start Menu/All Programs shortcuts that are still missing. I don't have the ability to reinstall all the programs, but if there is a way to manually reconnect the shortcuts please let me know. I also am missing the pinnned-to -start menu items (if there were any -- I'm not certain).



    Other issues:
    I have attached the most recent MGLogs.

    Right now, I still cannot connect to the internet.
    The wireless hangs at 'acquiring network address' and the wired connection just doesn't work.

    Also, the computer is not recognizing the battery. I get the following error:
    WARNING: The battery cannot be identified.
    This system will be unable to charge this battery.
    Strike F1 key to continue.

    I reinstalled the network card driver, but that didn't help.
    I tried to reinstall a battery driver, but it wanted to uninstall rather than install so I think the driver was already there.

    I am not sure if the continued network card and battery problems are virus related or could have been caused by something my brother-in-law did before I got the computer.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Running cleaning programs can remove the backups but I saw a bunch of folders that still existed. You could look at them to see if Unhide missed restoring any of them. Normally it picks them all up. The below folder:

    C:\Documents and Settings\Rosa\Local Settings\TEMP\smtmp

    has many subfolders ( like 1, 2, 4 ) which contain items from your menus. These were described in the link for Unhide that I gave you.

    Also see the below which may be of some help:

    http://www.raymond.cc/blog/restore-or-fix-missing-accessories-shortcuts-in-start-menu/

    You are missing a required system file. Go to the below link:

    http://download.bleepingcomputer.com/win-services/xp/

    And download the netbt.sys file from there. Then move it or copy it into the below folder:

    C:\WINDOWS\System32\drivers

    Then reboot your PC and see if the internet comes online.

    Hardware problems will have to be discussed in the Hardware Forum.
     
  13. jellobean

    jellobean Private E-2

    I checked the folders you noted in the Temp folder, but they don't have shortcuts in them. I have figured out from the link you provided how to replace the shortcuts by hand. It is probably the easiest way at this point. I appreciate the help finding out how to do this.

    The only file I see at that link is a netbt.reg file. Is this the file I need?

    Thanks again.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry wrong link. I already fixed the registry entry. Please download the file from the below link

    netbt

    and save it to the C:\Windows\system32\drivers folder. Then reboot your PC and see if the internet comes online.

    Also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  15. jellobean

    jellobean Private E-2

    The internet is now working.

    Requested log is attached.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Excellent. Are you having any remaining malware issues?
     
  17. jellobean

    jellobean Private E-2

    At this point, I don't think I am having any more Malware issues. The computer seems to be running fine, although all I have done is accessed this site and done basic stuff since this isn't my computer. Thanks so much for all the help.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. .
    3. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  19. jellobean

    jellobean Private E-2

    I was trying to do the cleanup from the above directions, but I cannot seem to toggle the restore.

    When I try to turn off the System Restore, I get the following error:
    System Restore encountered an error trying to enable/disable one or more drives. Please restart your machine and try again.

    I have restarted multiple times in both normal and safe mode and am still getting the same error message.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like your System Restore service is not running.

    Please click Start and type services.msc into the Run box and then click OK. This should cause the Services window to popup. Scroll down to the System Restore Service service and double click on it. Set the Startup type to Automatic and set the Service status to Started. Then click Apply and OK.

    Did the Service start or was there an error? If there is an error, give me the exact word for word error.

    If it started, see if you can toggle system restore.


     
  21. jellobean

    jellobean Private E-2

    I got the following error:

    Could not start the System Restore Service service on Local Computer.

    Error 5: Access is denied.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay since we ran our final cleanup instructions, we will have to download a couple tools again.

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    Code:
    :Processes
    explorer.exe
    
    :Services
    gupdate
    gupdatem
    gusvc
    lp6nds35
    ofcpfwsvc
    
     
    :Files
    C:\WINDOWS\Temp\*.*
    C:\Documents and Settings\Rosa\Local Settings\Temp\*.*
    
     
    :Reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{144D6DDF-B82F-46b3-A5BA-7127A3491FE5}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{144D6DDF-B82F-46b3-A5BA-7127A3491FE5}]
    :Commands
    [purity]
     
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now please download Farbar Service Scanner and run it on the computer with the issue.
    • Put a check mark in each option box on the left side.
    • Click "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below logs:

    • the C:\_OTM\MovedFiles log
    • the FSS.txt log
    • C:\MGlogs.zip
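    The OTM scripts pasted into this reply and into the earlier one (post 5) use the same plain-text format: a :Section header followed by one entry per line, where :Reg uses [KEY] to select a key, [-KEY] to delete it and "name"=- to delete a value under the selected key. The parser below is an added example, not part of this thread and not OTM's own code: it turns such a script into a reviewable plan and warns about entries an operator should double-check before clicking the button (wildcards that empty a whole folder, paths inside system directories, deletion of an entire autostart key). The sample script is assembled from lines of the two scripts in this thread; the function names parse_otm and review and the review checks themselves are my own.

```python
import re

# Sample script assembled from the two OTM scripts posted in this thread
# (entries verbatim; the "Code:" title line is not part of the script).
SAMPLE_SCRIPT = r"""
:Processes
explorer.exe

:Services
lp6nds35
ofcpfwsvc

:Files
C:\Program Files\MyWebSearch
C:\Documents and Settings\Administrator\Application Data\dplaysvr.exe
C:\WINDOWS\system32\drivers\76983836.sys
C:\WINDOWS\Temp\*.*
C:\Documents and Settings\Rosa\Local Settings\Temp\*.*
:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"NeroFilterCheck"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"dplaysvr"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
"""

SECTION_RE = re.compile(r"^:(\w+)$")
KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")   # [KEY] selects a key, [-KEY] deletes it
VALUE_DEL_RE = re.compile(r'^"([^"]*)"=-$')       # "name"=- deletes a value under the selected key


def parse_otm(script):
    """Turn an OTM script into a plan: section name -> entries.
    :Reg entries become (op, key, value) tuples; other sections keep their raw lines."""
    plan = {"Processes": [], "Services": [], "Files": [], "Reg": [], "Commands": []}
    section, current_key = None, None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            plan.setdefault(section, [])
            continue
        if section is None:
            raise ValueError("entry before any :Section header: %r" % line)
        if section != "Reg":
            plan[section].append(line)
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(2)
            if km.group(1) == "-":
                plan["Reg"].append(("delete_key", current_key, None))
            continue
        vm = VALUE_DEL_RE.match(line)
        if vm and current_key:
            plan["Reg"].append(("delete_value", current_key, vm.group(1)))
            continue
        raise ValueError("unrecognised :Reg line: %r" % line)
    return plan


def review(plan):
    """Warnings an operator should read before running the script (my own checks, not OTM's)."""
    warnings = []
    for path in plan["Files"]:
        low = path.lower()
        if path.endswith("\\*.*"):
            warnings.append("wildcard moves every file under %s" % path[:-4])
        elif "\\drivers\\" in low or low.startswith("c:\\windows\\system32\\"):
            warnings.append("touches a system directory: %s" % path)
    for op, key, _ in plan["Reg"]:
        if op == "delete_key" and key.rstrip("\\").lower().endswith("\\run"):
            warnings.append("deletes an entire autostart key: %s" % key)
    return warnings


if __name__ == "__main__":
    plan = parse_otm(SAMPLE_SCRIPT)
    for section, entries in plan.items():
        print(":%s" % section)
        for entry in entries:
            print("   ", entry)
    for warning in review(plan):
        print("WARNING:", warning)
```

    Run stand-alone it prints the plan and, for the sample, three warnings: the two Temp wildcards (every file in those folders will be moved, which is the intent here) and the driver 76983836.sys in the system32\drivers folder, which is exactly the kind of entry worth confirming against the logs before it goes.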
     
  23. jellobean

    jellobean Private E-2

    I am not able to run OTM as Administrator. When I right click on Run as... I get the choices to run it as "The following user:" Dad or Rosa, but Administrator is not a choice. There is also an option to run as "Current User (ORANGE\Rosa)". I tried to run it as "The following user:" Rosa, but got the following error "Unable to log on: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced." That account does have a blank password. When I go into safe mode, I can see Administrator as a choice, but OTM does not run in safe mode. What should I do?

    Also, another note, as an unrelated item, I am receiving an error window whenever I start Windows that reads:
    hmpsched.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

    Thanks.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. You have Windows XP and those instructions apply to Vista, Win7, and Win8. Just double click it to run it.

    That's from Hitman Pro which you can uninstall.
     
  25. jellobean

    jellobean Private E-2

    Requested logs are attached.
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now uninstall Avira and reboot your PC. After reboot, let's repeat the below.

    Please click Start and type services.msc into the Run box and then click OK. This should cause the Services window to popup. Scroll down to the System Restore Service service and double click on it. Set the Startup type to Automatic and set the Service status to Started. Then click Apply and OK.

    Did the Service start or was there an error? If there is an error, give me the exact word for word error.

    If it started, see if you can toggle system restore.
     
  27. jellobean

    jellobean Private E-2

    The service did not start.

    The error was:

    Could not start the System Restore Service service on Local Computer.
    Error 5: Access is denied.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry but you are trying to activate a thread that has been dead for almost 17 months!!!!!!!! We simply cannot pick this up now where we left off. And the time before that it was a year. I think this is a waste of time. This thread was started over 2 yrs ago. If you really needed this PC, you would have worked on it sooner.

    I think you should dump this PC since Windows XP is not even supported anymore and it is a security risk.
     
    Last edited: Nov 27, 2014
