Novice needs help with nonbooting Computer


  • This topic is locked

#31
Salagubang
    Trusted Helper
  • Malware Removal
  • 3,891 posts
Hi mfrank1,

Can I use xPUD to copy files just as I would in regular Windows (i.e. Right Click-->Copy, go to the target and Paste) and also to create new folders, etc.?


Yes. :D

I'm asking because xPUD says at the top a rather ominous "Warning: You Are In Super User Mode." I don't want to do anything with this strange new program that might harm my precious files.


You can compare Super User Mode with Windows running on an Administrator account. You can do anything with little resistance. Since you are not deleting files, you'll be fine ;)

Edited by Salagubang, 04 November 2010 - 07:15 PM.

#32
mfrank1
    Member
  • Topic Starter
  • 62 posts
OK. I've been able to back up my important files, for which I again thank you.

#33
Salagubang
    Trusted Helper
  • Malware Removal
  • 3,891 posts
Hi mfrank,

Please follow PLAN A, wherein we will attempt to restore your Windows to its previous state. Skip PLAN B if Windows boots properly after the restore. In the event that Windows still fails to boot properly, you may proceed with the PLAN B instructions, which will disable GoBack.

PLAN A

Restoring windows to previous state
  • Reboot your system using the xPUD bootable USB you just created.
    Note : If you do not know how to set your computer to boot from USB, follow the steps here
  • Your system should now display the xPUD desktop.
  • Click on the File icon; on the right pane click on the "mnt" folder and highlight "sdb1" - this is your USB device.
  • Click on the "Tool" menu and select Open Terminal
  • In the open terminal window, type in the following

    bash rst.sh -r
  • You will be asked for the number of the Restore Point to use; type in 2828 then press "Enter".

    2828 corresponds to the System Restore point dated Oct 31 - the next-to-last restore point

  • The program is finished when it says "Done".
  • Type "Exit" and remove your USB stick.
  • Click on the "Home" icon and then click on "Power Off". Choose "Restart"
  • Reboot into Windows normal mode


PLAN B

How to remove changes that GoBack makes to the boot sector and partition tables of a computer

  • Download Ngbboot.iso.
  • Burn the Ngbboot.iso file to CD.
  • Insert the bootable GoBack CD into the CD/DVD drive.
  • Restart the computer.
  • When you restart the computer, you see the following options:

    1. To unhook GoBack (for typical machines)
    2. To repair the Master Boot Record (for typical machines)
    3. To Load IDE (typical) CD-ROM Drivers and exit to the command prompt
    4. To Load SCSI CD-ROM Drivers and exit to the command prompt
  • Type 1 and then press Enter.
  • The utility removes the changes that GoBack made to the boot sector and the partition table, and further troubleshooting can proceed.
  • Remove the CD, then restart your computer into normal mode


#34
mfrank1
    Member
  • Topic Starter
  • 62 posts
Can I use the restore point for Oct 30? My problem started sometime in the night between 10/31 and 11/1. I left the computer on running a Spyware Doctor scan overnight and by morning, I had the error message and was thereafter unable to boot. I think it might be safer to boot to whatever restore point is from 10/30.

#35
Salagubang
    Trusted Helper
  • Malware Removal
  • 3,891 posts
Yes. In fact you may use any of the restore points in the enum.log.

The number next to the "RP" corresponds to the restore point number to enter when using rst.

17.0M Dec 31 2002 /mnt/sda2/~JTrg.000/WINDOWS/System32/config/Software
40.8M Nov 5 2010 /mnt/sda2/WINDOWS/SYSTEM32/CONFIG/SOFTWARE
11.8M Nov 3 17:08 /mnt/sda2/WINDOWS/SYSTEM32/CONFIG/SYSTEM

40.4M Sep 12 16:57 /sda2/System Volume Information/_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}/Fifoed/~SOFTWARE
40.4M Sep 14 03:07 /sda2/~/RP2800/~SOFTWARE
40.4M Sep 15 23:50 /sda2/~/RP2801/~SOFTWARE
40.4M Sep 17 02:06 /sda2/~/RP2802/~SOFTWARE
40.4M Sep 18 22:59 /sda2/~/RP2803/~SOFTWARE
40.4M Sep 21 13:18 /sda2/~/RP2804/~SOFTWARE
40.5M Sep 23 11:59 /sda2/~/RP2805/~SOFTWARE
40.5M Sep 27 11:03 /sda2/~/RP2806/~SOFTWARE
40.6M Sep 30 10:17 /sda2/~/RP2807/~SOFTWARE
40.6M Oct 1 11:41 /sda2/~/RP2808/~SOFTWARE
40.6M Oct 4 03:15 /sda2/~/RP2809/~SOFTWARE
40.5M Oct 4 10:08 /sda2/~/RP2810/~SOFTWARE
40.8M Oct 5 14:35 /sda2/~/RP2811/~SOFTWARE
40.8M Oct 6 15:09 /sda2/~/RP2812/~SOFTWARE
40.8M Oct 7 16:03 /sda2/~/RP2813/~SOFTWARE
40.8M Oct 8 16:08 /sda2/~/RP2814/~SOFTWARE
40.8M Oct 9 23:24 /sda2/~/RP2815/~SOFTWARE
40.8M Oct 12 11:43 /sda2/~/RP2816/~SOFTWARE
40.8M Oct 23 12:50 /sda2/~/RP2817/~SOFTWARE
40.8M Oct 24 13:50 /sda2/~/RP2818/~SOFTWARE
40.9M Oct 26 13:52 /sda2/~/RP2819/~SOFTWARE
40.9M Oct 27 14:32 /sda2/~/RP2820/~SOFTWARE
40.9M Oct 28 15:13 /sda2/~/RP2821/~SOFTWARE
40.9M Oct 29 20:58 /sda2/~/RP2822/~SOFTWARE
40.9M Oct 29 21:40 /sda2/~/RP2823/~SOFTWARE
40.9M Oct 30 14:21 /sda2/~/RP2824/~SOFTWARE
40.9M Oct 30 14:27 /sda2/~/RP2825/~SOFTWARE
40.9M Oct 30 14:28 /sda2/~/RP2826/~SOFTWARE
40.9M Oct 30 14:29 /sda2/~/RP2827/~SOFTWARE
40.6M Oct 31 14:38 /sda2/~/RP2828/~SOFTWARE
40.6M Oct 31 22:14 /sda2/~/RP2830/~SOFTWARE
11.7M Sep 12 16:57 /sda2/System Volume Information/_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}/Fifoed/~SYSTEM
11.8M Sep 14 03:07 /sda2/~/RP2800/~SYSTEM
11.8M Sep 15 23:50 /sda2/~/RP2801/~SYSTEM
11.7M Sep 17 02:06 /sda2/~/RP2802/~SYSTEM
11.7M Sep 18 22:59 /sda2/~/RP2803/~SYSTEM
11.7M Sep 21 13:18 /sda2/~/RP2804/~SYSTEM
11.8M Sep 23 11:59 /sda2/~/RP2805/~SYSTEM
11.8M Sep 27 11:03 /sda2/~/RP2806/~SYSTEM
11.8M Sep 30 10:17 /sda2/~/RP2807/~SYSTEM
11.8M Oct 1 11:41 /sda2/~/RP2808/~SYSTEM
11.8M Oct 4 03:15 /sda2/~/RP2809/~SYSTEM
11.8M Oct 4 10:08 /sda2/~/RP2810/~SYSTEM
11.8M Oct 5 14:35 /sda2/~/RP2811/~SYSTEM
11.8M Oct 6 15:09 /sda2/~/RP2812/~SYSTEM
11.8M Oct 7 16:03 /sda2/~/RP2813/~SYSTEM
11.8M Oct 8 16:09 /sda2/~/RP2814/~SYSTEM
11.8M Oct 9 23:24 /sda2/~/RP2815/~SYSTEM
11.8M Oct 12 11:43 /sda2/~/RP2816/~SYSTEM
11.8M Oct 23 12:50 /sda2/~/RP2817/~SYSTEM
11.8M Oct 24 13:50 /sda2/~/RP2818/~SYSTEM
11.8M Oct 26 13:52 /sda2/~/RP2819/~SYSTEM
11.8M Oct 27 14:32 /sda2/~/RP2820/~SYSTEM
11.8M Oct 28 15:13 /sda2/~/RP2821/~SYSTEM
11.8M Oct 29 20:58 /sda2/~/RP2822/~SYSTEM
11.8M Oct 29 21:40 /sda2/~/RP2823/~SYSTEM
11.8M Oct 30 14:21 /sda2/~/RP2824/~SYSTEM
11.8M Oct 30 14:27 /sda2/~/RP2825/~SYSTEM
11.8M Oct 30 14:28 /sda2/~/RP2826/~SYSTEM
11.8M Oct 30 14:29 /sda2/~/RP2827/~SYSTEM
11.7M Oct 31 14:38 /sda2/~/RP2828/~SYSTEM
11.7M Oct 31 22:14 /sda2/~/RP2830/~SYSTEM


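To make the RP-number-to-date mapping described above mechanical, here is an added example (my own code, not part of this thread and not the rst script) that parses a constructed excerpt of the enum.log listing and picks the most recent restore point taken before a given date that has both a SOFTWARE and a SYSTEM hive. It assumes that entries showing a time instead of a year are from 2010, the year of this thread.

```python
import re
from datetime import datetime

# Constructed excerpt in the same ls-style format as the enum.log above (a few
# of its lines, not the full log); the live hive and the Fifoed copy are kept
# to show that they are skipped.
ENUM_LOG = """\
40.8M Nov 5 2010 /mnt/sda2/WINDOWS/SYSTEM32/CONFIG/SOFTWARE
40.4M Sep 12 16:57 /sda2/System Volume Information/_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}/Fifoed/~SOFTWARE
40.9M Oct 29 21:40 /sda2/~/RP2823/~SOFTWARE
40.9M Oct 30 14:29 /sda2/~/RP2827/~SOFTWARE
40.6M Oct 31 14:38 /sda2/~/RP2828/~SOFTWARE
40.6M Oct 31 22:14 /sda2/~/RP2830/~SOFTWARE
11.8M Oct 29 21:40 /sda2/~/RP2823/~SYSTEM
11.8M Oct 30 14:29 /sda2/~/RP2827/~SYSTEM
11.7M Oct 31 14:38 /sda2/~/RP2828/~SYSTEM
11.7M Oct 31 22:14 /sda2/~/RP2830/~SYSTEM
"""

# size, month, day, then either "HH:MM" (current-year file) or a four-digit year
LINE_RE = re.compile(
    r"^(?P<size>\S+)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<yt>\d{4}|\d{2}:\d{2})\s+(?P<path>.+)$"
)
RP_RE = re.compile(r"/RP(?P<rp>\d+)/~(?P<hive>SOFTWARE|SYSTEM)$")


def parse_enum_log(text, default_year=2010):
    """Map RP number -> {"when": datetime, "hives": set of hive names found}.
    default_year (assumed 2010, the year of this thread) applies to entries
    that show a time instead of a year."""
    points = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rp = RP_RE.search(m["path"])
        if not rp:
            continue  # live hives and the Fifoed copy are not selectable RPs
        yt = m["yt"]
        if ":" in yt:
            stamp, fmt = f"{m['mon']} {m['day']} {default_year} {yt}", "%b %d %Y %H:%M"
        else:
            stamp, fmt = f"{m['mon']} {m['day']} {yt}", "%b %d %Y"
        entry = points.setdefault(int(rp["rp"]), {"when": datetime.strptime(stamp, fmt), "hives": set()})
        entry["hives"].add(rp["hive"])
    return points


def latest_complete_before(points, cutoff):
    """Most recent RP taken strictly before cutoff (datetime or ISO date string)
    that holds both hives, so SOFTWARE and SYSTEM come from the same snapshot."""
    if isinstance(cutoff, str):
        cutoff = datetime.fromisoformat(cutoff)
    ok = [n for n, e in points.items()
          if e["when"] < cutoff and {"SOFTWARE", "SYSTEM"} <= e["hives"]]
    return max(ok, key=lambda n: points[n]["when"]) if ok else None
```

With a cutoff of 2010-10-31 this picks RP2827, the last snapshot taken on Oct 30, which is the number to type at the rst prompt for the restore point asked about above.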

#36
mfrank1
    Member
  • Topic Starter
  • 62 posts
I'm afraid Plan A did not work. I did see some error messages go by but couldn't read them (I think it was something like "unable to rename"). I suppose I can try a few other restore points before I give Plan B a try. I'm getting nervous.

#37
Salagubang
    Trusted Helper
  • Malware Removal
  • 3,891 posts
Can you also post the restore.log that was created?

#38
mfrank1
    Member
  • Topic Starter
  • 62 posts
Here is the restore log.

Attached Files



#39
Salagubang
    Trusted Helper
  • Malware Removal
  • 3,891 posts
The log says it was successful in restoring the hives. It would be interesting to see if you can boot into Windows now. :D

#40
mfrank1
    Member
  • Topic Starter
  • 62 posts
Salagubang, you did it! Plan B appears to have worked. Go Back was removed and the computer booted! You are a genius!
Since you reviewed a number of files related to my system, I wonder if I could impose upon you to make any suggestions for (a) getting it to work faster ... it has slowed down quite a bit and (b) getting it to turn off. In recent months, Windows had a tendency to hang at the "Windows is shutting Down" screen, requiring me to shut it down by holding in the power button.

I've run many a malware, virus and spyware scan, ran TuneUp and System Mechanic. The system would still slow to a crawl over the course of a day's use. Now I'm wondering if those programs - like Go Back - did more harm than good.

In any event, THANK YOU so much for all of your help!
#41
Salagubang
    Trusted Helper
  • Malware Removal
  • 3,891 posts
Hi mfrank1,

Good Job :D

Now that you have your system back and working, we need to ensure that you are free from malware before I let you run off.


Step One

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.


Step Two

GMER Rootkit Scanner
  • GMER Rootkit Scanner - Download - Homepage
  • Download GMER
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

    NOTE - Not all of the tick boxes will be available if you are running a 64-bit Operating System. You may also get an error message displayed on the screen when using a 64-bit Operating System; this is normal, just click on OK and let it carry on.

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.

Caution: Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.



#42
mfrank1
    Member
  • Topic Starter
  • 62 posts
OK. Here are the files you requested. OTL.txt and Extras.txt from OTL (I added "after successful restore" to the filenames to distinguish them from previous OTL files), and ark.txt from GMER Rootkit scanner. Again, I would greatly appreciate any help with the previously mentioned issues: (a) getting it to work faster ... it has slowed down quite a bit, especially over the course of the day while working and running programs and (b) getting it to turn off. In recent months, Windows had a tendency to hang at the "Windows is shutting Down" screen, requiring me to shut it down by holding in the power button.

Attached Files



#43
Salagubang
    Trusted Helper
  • Malware Removal
  • 3,891 posts
Hi mfrank,

Again, I would greatly appreciate any help with the previously mentioned issues:(a) getting it to work faster ... it has slowed down quite a bit, especially over the course of the day while working and running programs and
(b) getting it to turn off. In recent months, Windows had a tendency to hang at the "Windows is shutting Down" screen, requiring me to shut it down by holding in the power button.


Your computer is running low on resources: (1) low RAM and (2) low hard disk space. The ways to resolve this:
  • You can buy another stick of RAM to increase the memory; and/or
  • Free up system resources:
    • Go to Start > Control Panel > Add/Remove Programs
    • Uninstall programs that you no longer use or seldom use, i.e., free programs that were downloaded from the internet, software that is not essential to your daily computer habits.

NEXT

To try and ease the startup, try this:

Download Startup Control Panel here. (Choose the Stand Alone exe version to download)
Install it and you will find a Startup icon in the Control Panel - run this

  • In the HKLM tab, you may disable (be careful --> "disable") all the entries except your security software
  • In the HKCU tab, you may disable all entries.
  • In the startup tab, you may disable all entries.
Note : if you notice that some programs no longer run, you can enable them again by running Startup Control Panel, selecting the entry and choosing Run Now.
If you are in doubt about something, don't hesitate to ask ;)


THEN

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.pctools.com/mrc/fix_homepage/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.pctools.com/mrc/fix_homepage/
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Secure Search"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    O4 - HKLM..\RunOnceEx: [] File not found
    O9 - Extra Button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - Reg Error: Value error. File not found
    O9 - Extra 'Tools' menuitem : Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - Reg Error: Value error. File not found
    O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab (Reg Error: Key error.)
    O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} http://download1.answers.com/pub/AnswersSetup.cab (Reg Error: Key error.)
    O16 - DPF: {6B401179-541E-4BF3-800F-10C39B529DB9} http://ftp.gurunet.com/pub/cabs/GNInstallerFree.cab (Reg Error: Key error.)
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} http://toolbar.google.com/data/GoogleActivate.cab (Reg Error: Key error.)
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab (Reg Error: Key error.)
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} https://www-secure.symantec.com/techsupp/asa/SymAData.cab (Reg Error: Key error.)
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab (Reg Error: Key error.)
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O28 - HKLM ShellExecuteHooks: {6809e580-a3a7-11d1-9a00-00a0c945b006} - Reg Error: Key error. File not found
    [2010/10/31 17:46:37 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\MF\Desktop\Offc Mgr.pif:SummaryInformation
    @Alternate Data Stream - 204 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

NEXT

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

THEN

Do another scan of OTL and post the result on your next reply.

#44
mfrank1
    Member
  • Topic Starter
  • 62 posts
I will follow your instructions today, if I can. I may have been overly optimistic about previous fixes. The computer is booting, but keeps locking up when I try to run programs. It does this within the first 10 minutes of booting up. I'll try your other suggestions today. Thank you again.

#45
mfrank1
    Member
  • Topic Starter
  • 62 posts
OK, I've completed all of the steps. MalwareBytes did find and remove one item. Here are the logs and scan files. Again, my thanks for all of your time and effort.

Attached Files







