Mega Malware - Experience.mpg

Discussion in 'Malware Help (A Specialist Will Reply)' started by sherpaprime, Feb 9, 2009.

  1. sherpaprime

    sherpaprime Private E-2

    This is a long story, so please bear with me.

    I'm running a Dell Dimension 2400 which was loaded with Windows XP home in November of 2004.

    I also have 3 boys who use my computer for recreational purposes, so i do not know exactly when the problem started or what was being done at the time. As i mainly use the computer for email, i didn't notice any problem, other than the system taking a while to boot up, but as i generally fire it up and go get a cup of coffee while it's booting, i can't say for sure when this started either. Several months ago (summer of '08) the kids started complaining that they couldn't run games on my machine, as the animations kept pausing and skipping. At that time i was using Kaspersky 7.0 (loaded onto the system December of '07), so i set it to do a maximum sensitivity scan, including my 250G external drive. The scan took 3 days and turned up nothing. Last month (1/09) a good friend of mine came down to visit, he has received a lot of help from you folks and said i definitely had some bad stuff on my machine, based on the boot up time and the fact that the task bar took a long time to be displayed on the screen at bootup.

    Then the fun began. First we tried to free up some space by using the Add/Remove Programs in control panel. There was a (i'm working from memory here, so i can't swear these numbers are accurate) 1.44 Meg "java update" (version 2.4.1 maybe?) that refused to be deleted via Add/Remove. So, i went to the directory that it was in and deleted it manually, but got an error message. So i did a search for that update version, and deleted every instance of it i could find. On the next to the last occurrence i found, i got a message to the effect "Not enough information to delete file" when i tried to delete it, but the file name was removed from the list of the contents of the directory. When i opened the directory containing the last occurrence in the search window, there was no file with that name or size displayed. We then emptied the recycle bin and decided to boot up in safe mode. When we tried to boot the machine in safe mode, it came up with a screen that *looked* kind of like the safe mode startup screen (the term "Safe Mode" was only in the upper left and right corners of the screen, not in the bottom corners), and when we clicked on the administrator account to log on the machine just sat there with the hourglass cursor. I pulled the plug out of the back of the system unit to power it down. We tried several more times with the same results, then decided to see if it would let us log on if we just left it. After about 10 minutes we powered down the system again and tried to restart in normal mode. It came up, but there was a huge amount of activity on the ethernet connection as the machine was booting up. After it finally finished booting, i tried the search function, but when i went to startmenu>search>for folders and files, nothing would happen. I tried this several times, to no avail. Then i shutdown the machine (from the startmenu); unplugged the ethernet cable; and restarted the machine.
    As i recall, it would get to the intro Windows XP screen (the one that tells you whether it's home or pro and has the little bar display at the bottom that scrolls from left to right), then the screen would go blank and nothing would happen. If i unplugged the system unit and then tried again with the ethernet cable plugged in, it would boot up normally. Repeated attempts yielded the same results.

    We decided the best way to proceed was to slave the drive with the problem on it to another drive and load a clean copy of windows on the new master, then try to use your cleaning procedure. I slaved the drive in a new system unit with a clean drive and my friend reloaded windows and then went to your Readme first malware removal page and executed the various maneuvers there. I was at work when he did most of this, so i can't swear that he did all the stuff in the right order. These turned up a few things, but when i put the original drive back into the original machine, it hadn't solved the safeboot problem.

    A day or so later, when i was perusing the Documents and Settings directory for a completely unrelated reason, i noticed that there were about 7 administrator users that i hadn't generated. As i looked i recalled that the number of new users was the same as the number of times we had tried to boot up in safe mode. I went into each user and found a number of directories and sub directories and began deleting each file individually with File Assassin. When i got to the directory named Administrator>My Documents>"Owners Videos" i noticed a temp file (prf30.tmp) which had a size of 67,833K. Needless to say, such a file aroused my suspicion, so i searched for all the files named prf*.tmp and found one in every video directory of all but one of the new users. So i checked the Owners Videos directory of that user and found the file "Experience.mpg" with the same size. When i altered the search to search for files of greater than 67 Meg, i also picked up a copy of Experience.mpg in my Program Files Directory, and my system32 directory. Well, i deleted all those with File Assassin (as well as all vestiges of the new administrative users), then defragged the suspect drive (now the only drive in the system). I was then able to use the search utility and boot up whether or not my ethernet connection was hooked up, and my children were very happy to report that the games were now playable on my system. I then went on my merry way, but D'oh! forgot to delete my original set point. So i ended up back where i started.

    So this time, after i slaved the infected drive to the clean drive i had been using before, i went to your readme first malware removal page and went through it step by step, including installing the .NET Framework to allow MGTools to run thoroughly. I still have the 68,833k file in my new administrator account, from when i tried to go into safe mode. That is the only occurrence of that file and there are no other 67,833 meg files on either disc.

    I searched for all text (*.txt) files on the C drive, but didn't find any for SAS or mbam. I have attached the logs for MGTools and Combofix.

    Any help would be greatly appreciated. Thank you.

    Reposted because when i tried to post, i got an error saying i had logged on since i had started the post.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your logs are all clean. You are not having malware problems. Your main problem is the lack of adequate free disk space on your Windows boot drive. In fact the partition size is just way too small. The below is your Windows Boot drive info
    Code:
    Drive C: 
    Description Local Fixed Disk 
    Compressed No 
    File System NTFS 
    Size 6.00 GB (6,440,357,888 bytes) 
    Free Space 1.17 GB (1,252,487,168 bytes) 
    Volume Name  
    Volume Serial Number C416027D 
    
    Unless the above is from when you were running as a slave drive??????


    While this procedure can sometimes be of use to get you started, it will not be as effective as required because you are not actually running the infected operating system nor loading possible infected registry keys. So in the end, any logs produced from it are not really that useful. And as stated above, if that is what the attached logs are from, the logs are of no use to me.

    These are not malware. They are just Dell demonstration video files put into each new user account to demonstrate how to use Windows and your Dell PC....etc.


    They are not that hard to find. Here is a list of all your logs. The only one that would have anything of possible interest is the SUPERAntiSpyware logs from Jan 10, 2009 that is 158,369 bytes in size. It would have to be compressed into a ZIP file to upload.
    Code:
    "C:\Documents and Settings\Joe Deathgarvin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\"
    supera~1.log  Jan  7 2009         460  "SUPERAntiSpyware Scan Log - 01-07-2009 - 23-11-46.log"
    supera~2.log  Jan 10 2009      158369  "SUPERAntiSpyware Scan Log - 01-10-2009 - 08-41-48.log"
    supera~3.log  Feb  8 2009         461  "SUPERAntiSpyware Scan Log - 02-08-2009 - 14-15-00.log"
    supera~4.log  Feb  8 2009         465  "SUPERAntiSpyware Scan Log - 02-08-2009 - 15-24-55.log"
     
    "C:\Documents and Settings\Joe Deathgarvin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\"
    mbam-l~1.txt  Jan  7 2009         832  "mbam-log-2009-01-07 (23-18-32).txt"
    mbam-l~2.txt  Jan  8 2009         859  "mbam-log-2009-01-08 (04-46-41).txt"
    mbam-l~3.txt  Jan 10 2009         869  "mbam-log-2009-01-10 (22-37-12).txt"
    mbam-l~4.txt  Feb  9 2009         854  "mbam-log-2009-02-09 (10-09-41).txt"
    
     
  3. sherpaprime

    sherpaprime Private E-2

    These logs are for the infected drive slaved (as the E:\ drive) to a small (6G) clean drive.

    I will attach all the logs that i can find from when my friend was running the cleaning procedures in January on the infected drive (including the SUPERAntiSpyware log you mentioned). The fact that the machine will not go into safe mode (i have about 7G free on the infected 37G disk) leads me to believe that there is some malware at work. The failure to boot up when no ethernet connection is present and the apparently adaptive behavior of disabling the search function (which was not restored by rebooting) after i had used the search function to locate instances of the program and delete them also bolster this conclusion (IMHO).

    I will then put the infected drive back into the old system unit and run the cleaning procedures on it as the system drive and i'll post those logs once i have done that.

    Thank you very much for all your help, and i apologize for wasting your time with useless logs.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you need to attach a new set of logs (all four of them) obtained after booting up from the infected system drive. Please be sure to download the new version of MGtools that is out and use it to create a new MGlogs.zip file. Also make sure that you update both SUPERAntiSpyware and Malwarebytes before running the new scans.
     
  5. sherpaprime

    sherpaprime Private E-2

    Sorry for the delay, but keeping my job takes precedence even over scanning for viruses.

    OK, i went through the cleaning procedure again, with the infected drive re-installed in its original system unit as the C: drive (boot drive). When i first ran SAS, everything proceeded normally until i tried to click Next in the scan summary box, at which point the application crashed. I ran it again, with the same results.

    Each time i got a dialog box saying:
    Microsoft Visual C++ runtime library

    Runtime error

    Program C:\ Program Files\SUPERAntispyware\SUPERAntispyware.exe

    R6025
    - pure virtual function call




    The other portions of the cleaning procedure went uneventfully. However i am still unable to get the computer to boot up in Safe Mode under XP Home - when i try under the Recovery Console, it seems to behave normally, although i can't really tell, because the last time i really used command prompt to any great degree was when DOS 3 came out. I was consumed with my day job when DOS 4 hit the streets, and by the time DOS 5 was out, they didn't include any serious help function with the OS any more, so i couldn't even refresh myself to the point where i had been when i left off, which was no great shakes even at the height of my knowledge.

    Anyway, after performing the cleaning procedure, when i try to go into Safe Mode in XP Home, I am given the choice of 2 users. The first is simply "Administrator"; when i click on this, the machine just sits there until i power it off by unplugging it (about 10 minutes is the longest i've let it sit), and when i repower it on, there is a new Administrator user defined in C:\Documents and Settings (a different new user for each attempt to go into Safe Mode). The second is one of the users i had already had defined on the machine (the first one alphabetically in the list of users i had defined). When i click on this option, when going into Safe Mode XP Home, a password prompt comes up (the accounts are all password enabled, to prevent unauthorized usage by the kids), but nothing appears in the password box when i type in the password and, needless to say, when i hit <Enter> nothing happens.

    So anyway i've attached the logs of the cleaning procedures, along with the extra log from SAS when it crashed the second time. I ran it twice more and it came up with no problems detected, but realized that i hadn't unplugged my ethernet cable again. So i will try running SAS again, with the cable unplugged this time and i'll post the log if any problem is found.

    Thanks for all your help.
     


  6. sherpaprime

    sherpaprime Private E-2

    BTW, what's up with the timeout feature for adding attachments?

    Whenever i'm posting, by the time i'm ready to add the attachments, the attachment popup tells me i'm not logged in. If i log in in the attachment popup, so i can attach the file, when i go back to the regular post window, it tells me i can't post because i've logged in a second time. What gives? What i have been doing is, when the popup tells me to log in, i close it; copy my post text; hit logout on the post window; re-login; paste the post text into the window; and then attach the logs. Is there an easier way?

    Thanks again.

    sherpaprime
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The instructions for using SUPERAntiSpyware do give tips on what to do to help with crashes. But nothing was found anyway according to your logs.

    May not be malware related. You may have problems with Windows itself which may explain why new user accounts are created. This would be a topic for the Software Forum. But in SUPERAntiSpyware, see the Preferences button, and then Repairs tab on SUPERAntiSpyware and try the fix for safe boot mode that is labeled a little awkwardly as Repair broken SafeBoot key. They are referring to the registry key associated with Safe Boot mode.

    You seem to have ignored the early important note in the READ & RUN ME about not having more than one antivirus program installed. You need to uninstall either Kaspersky or Avira immediately before doing anything else.

    What are the below files? If unknown, delete them.
    Code:
    2009-01-16 20:04 . 2009-01-16 20:05 12,485,774 --a------ C:\si la noche es clara a la luna se le ve el ombligO.flv
    2009-01-15 03:51 . 2009-01-15 03:55 53,372,047 --a------ C:\C_insex1.rm
    What is the below folder for?
    Code:
    2009-01-14 05:56 . 2009-01-14 05:57 <DIR> d-------- C:\urk
    You also have some leftovers from Symantec so please run the below then reboot. After reboot run it one more time.

    Norton Removal Tool (SymNRT)


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.

    Your logs do not show any malware problems. Only the above non-malware issues already mentioned.
     
    Last edited: Feb 17, 2009
  8. sherpaprime

    sherpaprime Private E-2

    The instructions for SUPERAntiSpyware give procedures for a blue screen crash while the scan is running (at least that was my interpretation of it). Since the advice given here is rather precise and situation specific, i did not believe the situation i faced: SUPERAntiSpyware finished the scan, and the program (not the OS) crashed in the cleaning phase.

    I did this, but there was no discernible difference when attempting to reboot in Safe Mode.

    Sorry, my Kaspersky subscription expired, and i assumed it was inactive due to that. Kaspersky is now uninstalled.


    I got rid of all the files you indicated and deleted the urk directory.

    I also ran the Windows Messenger removal tool.

    When i try to run the Norton Removal Tool, it says to manually remove Symantec WinFax Pro using Add/Remove Programs, only there is no entry like that (either Symantec or WinFax) in the Add/Remove Programs window. I did a search for winfax, and found a bunch of stuff (some of it looks compressed: extension is XX_) in the WINDOWS\addstuff\onea\WFPRO7.5 directory. I don't know if i should try deleting them or not, since registry entries may still make the OS think the program is still installed. Any advice?

    OK, i had no idea that was a vulnerability. Why is that? Is it because that is a standard branch of the directory tree that malware can count on, and keeping vulnerable programs there can make them easier to access and exploit, or is there another reason?

    Thanks again for all your help. I have removed all non-shortcuts except for Windows standards, like the Recycle Bin and ComboFix. Is that good enough, or should i put stuff like Internet Explorer somewhere else, too?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then I suggest you post about safe boot mode problems in the Software Forum.

    I did not see anything for WinFax in your logs and have no idea what the WINDOWS\addstuff folder is supposed to be. Yes the WFPRO7.5 folder seems like it would be WinFax Pro but it is not installed according to your log. This Norton Cleanup is also not a major issue nor is it a malware problem. You can post about it if you wish in the Software Forum.

    Saving too many files here, especially large ones, can slow your PC down. Also it exposes them to possible easy infection or deletion since malware can frequently play with the Desktop. If the files are important, don't save them here.

    You did not need to remove Internet Explorer as it was just a link to the iexplore.exe file. Basically I was saying anything that was not a shortcut (which is a .lnk file) should be removed. The below is what your Desktop folder showed in your logs. All the EXE, ZIP, JPG, MPG, RAR, ... and so on files that are not .lnk files are what I was saying should be removed.
    Code:
    "C:\Documents and Settings\Thomas Jefferson\Desktop\"
    034d0d~1.mpe  Feb 14 2009     1485404  "03.mpeg"
    200707~1.pdf  Dec 29 2007      366506  "20070707-Honeywell-T8000C-en.pdf"
    616597~1.wav  Oct  4 2008    62521098  "6165978000_118865.wav"
    616597~2.wav  Oct 15 2008    58022218  "6165978000_118865(2).wav"
    74cmdw.zip    Feb 14 2009   724978081  "74CMDW.zip"
    aaw200~1.rar  Oct 22 2007    23137951  "aaw2007_{Uploaded_By_Afaz}.rar"
    alana_~1.zip  Feb 14 2009    26003887  "Alana_Ackerman_Set_1.ZIP"
    alana_~2.zip  Feb 14 2009    35570734  "Alana_Ackerman_Set_2.ZIP"
    alana_~3.zip  Feb 14 2009    17299006  "Alana_Ackerman_Set_3.ZIP"
    antivi~1.exe  Jan  3 2009    22058104  "antivir_workstation_winu_en_h.exe"
    art-in~1.htm  Oct 17 2007         545  "art-index.html"
    candace.wmv   Feb 14 2009     1299564  "candace.wmv"
    candac~1.mpe  Feb 14 2009     2195460  "candace1.mpeg"
    ccleaner.lnk  Feb 12 2009        1558  "CCleaner.lnk"
    combofix.exe  Feb 14 2009     2921379  "ComboFix.exe"
    COOKIES       Oct 18 2005              "Cookies"
    copytr~1.exe  Aug  1 2007     7060611  "CopyTrans_Suite_v1.06.exe"
    desktop.ini   Nov 27 2003          80  "desktop.ini"
    divxmo~1.lnk  Jan 17 2009        1486  "DivX Movies.lnk"
    explic~1.doc  Mar 13 2007       28160  "ExplicationExplicatedCOH.doc"
    hj-join.zip   Jul 12 2006    17230115  "hj-join.zip"
    hjsplit.zip   Oct  9 2005      172058  "hjsplit.zip"
    hjspli~1.zip  Oct  9 2005      176701  "hjsplitpro.zip"
    index.cfm     Oct 17 2007      155563  "index.cfm"
    instal~1.exe  Nov 23 2007     1164456  "install_flash_player.exe"
    itunes~1.exe  Jul 30 2007    49943864  "iTunesSetup.exe"
    JUSTIN~1      Jan  3 2009              "Justin the Avenger"
    kali_w~1.zip  Feb 14 2009    15009436  "Kali_West.ZIP"
    keli1.mpg     Feb 14 2009    14071635  "Keli1.mpg"
    keli2.mpg     Feb 14 2009     2116898  "Keli2.mpg"
    keli3.mpg     Feb 14 2009     9628925  "Keli3.mpg"
    keli_s~1.mpe  Feb 14 2009     2042248  "Keli_Stewart.mpeg"
    kelli_~1.rmv  Feb 14 2009     2527198  "Kelli_Stewart_NEW.rmvb"
    kellys~1.mpg  Feb 14 2009     4287712  "kellystewart-HOSED_.mpg"
    kelly_~1.avi  Feb 14 2009      788480  "Kelly_S-c.avi"
    ks-bor~1.rmv  Feb 14 2009    33471561  "ks-borrv1_sc01_-__DivX_-__NEW.rmvb"
    kwda-b~1.rmv  Feb 14 2009    42009746  "kwDA-bobv1_sc02_-__DivX_-__NEW.rmvb"
    launch~1.lnk  Mar 31 2004         835  "Launch Microsoft Office Outlook.lnk"
    massag~1.rar  Sep  5 2008    30344707  "Massage_For_Dummies.rar"
    mb.exe        Feb 13 2009     2876728  "mb.exe"
    memphi~1.zip  Feb 14 2009     8663359  "Memphis_Monroe.ZIP"
    micros~1.lnk  Jan 30 2008        2497  "Microsoft Office Word 2003 (2).lnk"
    millen~1.lnk  Nov 13 2007         651  "Millennium Gamepak Platinum.lnk"
    mozill~1.lnk  Sep  2 2005        1722  "Mozilla Thunderbird.lnk"
    mozill~2.lnk  Mar  7 2007        1630  "Mozilla Firefox.lnk"
    mpusinst.exe  Oct 25 2006     1032711  "mpusinst.exe"
    multip~1.url  Apr  1 2004         155  "MultiPASS Registration.url"
    netgear.cfg   Sep 25 2006       32788  "netgear.cfg"
    notepad.lnk   Nov 27 2008        1517  "Notepad.lnk"
    notepa~1.lnk  Nov 27 2008        1517  "Notepad (2).lnk"
    pfsetu~1.exe  Jan 24 2006     2177125  "pfsetup_full.exe"
    pm2006~1.exe  Feb 11 2007     1868730  "PM2006-V301.EXE"
    rail_b~1.xls  Dec  8 2007       50688  "Rail_Baron_Payoff_Chart.xls"
    realon~1.lnk  Nov  3 2003         707  "RealOne Player.lnk"
    regcur~1.exe  Nov 23 2007     1075536  "RegCureSetup_1_5.exe"
    royalt~1.xls  Jun 28 2008       10099  "ROYALTY CALENDAR- 2008.xlsx"
    safety~1.jpg  Feb  3 2009       55404  "safety dance.jpg"
    sasins~1.txt  Feb 12 2009        5275  "sasinstuctions.txt"
    shockw~1.exe  Nov 23 2007     2841064  "Shockwave_Installer_Slim.exe"
    shortc~1.lnk  Sep  1 2006         603  "Shortcut to cmd.exe.lnk"
    shortc~2.lnk  Aug  7 2007         594  "Shortcut to MMC.EXE.lnk"
    shortc~3.lnk  Oct  6 2007         833  "Shortcut to defrag.exe.lnk"
    signou~1.htm  Apr 20 2008       21539  "Sign out.htm"
    signou~2.htm  Jun 26 2008       21566  "Sign out(2).htm"
    sov9-1~1.wav  Sep 10 2008    56859178  "sov 9-10-2008.wav"
    spybot~1.exe  Feb 12 2009    16409960  "spybotsd162.exe"
    spybot~1.lnk  Feb 12 2009         943  "Spybot - Search & Destroy.lnk"
    spybot~2.lnk  Nov 28 2003         865  "Spybot-S&D (advanced mode).lnk"
    spybot~3.lnk  Jan  3 2009         955  "Spybot - Search & Destroy (2).lnk"
    thunde~1.exe  Sep  2 2005     6035272  "Thunderbird Setup 1.0.6.exe"
    tonymi~1.htm  Oct 17 2007        7797  "Tony Millionaire! Show me the Maakies !.htm"
    tonymi~2.htm  Oct 17 2007       69045  "tonymillionaire.htm"
    unknow~1.zip  Feb 14 2009     1748149  "Unknown_1.ZIP"
    usbmonit.exe  May 22 2002       32768  "USBMonit.exe"
    vfc200~1.rmv  Feb 14 2009     3397722  "VFC20080519_001_NEW.rmvb"
    wgr614~1.chk  Sep 25 2006      817150  "wgr614v6_2_0_13_1_0_13na.chk"
    winamp.lnk    May 11 2005        1500  "WINAMP.LNK"
    winamp~1.exe  Jul  4 2006     2276140  "winamp524_full_bundle_emusic-7plus.exe"
    window~1.exe  Jun 28 2006     2176928  "Windows-KB890830-V1.17.exe"
    window~1.lnk  Jan 13 2008         792  "Windows Media Player.lnk"
    window~2.exe  Jan  5 2009     4614888  "WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe"
    window~2.lnk  Feb  7 2009        1485  "Windows Explorer.lnk"
    winzip.lnk    Apr 29 2008         510  "WinZip.lnk"
    wordpad.lnk   Jun  4 2005         783  "WordPad.lnk"
    wrar371.exe   Oct 22 2007     1206366  "wrar371.exe"
    wwwair~1.htm  Jan  3 2008        2339  "www.airamerica.com.htm"
    
    
    


    Since no malware problems are showing in your logs, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: The space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
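The Desktop triage described in the reply above (everything that is not a .lnk shortcut), as an added example that is not part of the original thread and is not MGtools code. It parses a folder listing in the layout quoted in that reply and returns the non-shortcut entries, largest first. Assumptions: the column layout is inferred from the quoted listing, `SAMPLE_LISTING` is constructed, and the `DEFAULT_KEEP` and `EXECUTABLE_EXTS` sets are illustrative choices.

```python
import os
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Constructed sample in the same layout as the listing quoted in the thread.
SAMPLE_LISTING = r'''
"C:\Documents and Settings\Example User\Desktop\"
ccleaner.lnk  Feb 12 2009        1558  "CCleaner.lnk"
combofix.exe  Feb 14 2009     2921379  "ComboFix.exe"
COOKIES       Oct 18 2005              "Cookies"
desktop.ini   Nov 27 2003          80  "desktop.ini"
bigarc~1.zip  Feb 14 2009   724978081  "BigArchive.zip"
setup~1.exe   Nov 23 2007     1164456  "setup_example.exe"
multip~1.url  Apr  1 2004         155  "Example Registration.url"
'''

# 8.3 name, date, optional size (absent for sub-folders), quoted long name.
ENTRY_RE = re.compile(
    r'^(?P<short>\S+)\s+(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})'
    r'\s+(?P<size>\d+)?\s*"(?P<name>.*)"\s*$'
)
# Assumption: extensions worth calling out because they run when double-clicked.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".msi"}
# Assumption: Windows' own folder-settings file is never reported.
DEFAULT_KEEP = {"desktop.ini"}


class Entry(NamedTuple):
    folder: str
    name: str
    date: str
    size: Optional[int]  # None means the entry is a sub-folder

    @property
    def ext(self) -> str:
        return os.path.splitext(self.name)[1].lower()


def parse_listing(text: str) -> List[Entry]:
    """Turn the listing text into Entry records, tracking the current folder."""
    folder, entries = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('"') and line.endswith('\\"'):
            folder = line[1:-1]  # header line: quoted folder path
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            continue  # unrecognised line: skip it rather than guess
        size = int(m["size"]) if m["size"] else None
        entries.append(Entry(folder, m["name"], " ".join(m["date"].split()), size))
    return entries


def non_shortcuts(entries: Iterable[Entry], keep: Iterable[str] = ()) -> List[Entry]:
    """Everything that is not a .lnk shortcut and not on the keep list."""
    keep_names = DEFAULT_KEEP | {k.lower() for k in keep}
    flagged = [e for e in entries
               if e.ext != ".lnk" and e.name.lower() not in keep_names]
    return sorted(flagged, key=lambda e: e.size or 0, reverse=True)


def report(entries: Iterable[Entry], keep: Iterable[str] = ()) -> Tuple[int, List[str]]:
    """Return (total bytes, one text line per flagged entry)."""
    flagged = non_shortcuts(entries, keep)
    total = sum(e.size or 0 for e in flagged)
    lines = []
    for e in flagged:
        kind = ("folder" if e.size is None
                else "executable" if e.ext in EXECUTABLE_EXTS else "file")
        size = "-" if e.size is None else f"{e.size:,}"
        lines.append(f"{kind:<10} {size:>13}  {e.date}  {e.name}")
    return total, lines


if __name__ == "__main__":
    # ComboFix.exe stays for now, as the reply asks.
    total, lines = report(parse_listing(SAMPLE_LISTING), keep={"ComboFix.exe"})
    print("\n".join(lines))
    print(f"{total:,} bytes in non-shortcut Desktop items")
```
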
  10. sherpaprime

    sherpaprime Private E-2

    OK, i did all the clean up stuff for my desktop and did all the deletions suggested as well as the toggling on and off of the restore point, as directed in the README page. Thanks again for all your time, help, and advice. I'll head over to the software forum, as you suggest, to work on my Safe Mode problem etc.

    Take care.

    sherpaprime
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
