Windows Restore Virus - Can't get PC back to original state?
reboot to let malwarebytes cleanup
upload C:\WINDOWS\system32\TGVFDMsgservice.exe to www.virustotal.com to check it out
If you haven't already done it, Install Malwarebytes and do a FULL (not quick) scan (after updating it), fix anything found before closing, otherwise you'll have to do it all over again. If anything was found reboot the machine before continuing. http://www.filehippo.com/download_malwarebytes_anti_malware/
If you know you have just been infected, with a fake antivirus for example, running system restore to a previous restore point is often the fastest way of getting your machine working again
Making any changes to a PC setup always comes with a slight risk of something going wrong, the worst case scenario is an unbootable PC - ideally you should have got a backup of important data on dvd or external disk, and a disk image backup (http://www.macrium.com/reflectfree.asp) or windows disc/factory restore partition available before you start. In the unlikely event that anything does go wrong, post on another pc for advice.
Install and run ccleaner (untick the google toolbar during the install). Untick the "windows log files" box, under the system heading before cleaning. http://www.piriform.com/ccleaner/download/slim
If you suspect an infection, here are some other virus scanners to try, let them fix anything found
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
http://www.surfright.nl/en/hitmanpro
http://support.kaspersky.com/downloads/utils/tdsskiller.exe
Scanning with all the scanners above along with your resident scanner should remove most or all infections if there are any present on your machine, below is some specific (optional) advice based on your log which may help to improve speed and tidy things up.
This is a general guide on cleaning up infections and speeding up pc's https://forums.moneysavingexpert.com/discussion/2436849 .
Using Hijackthis, tick and fix all the lines beginning with O16
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-27-0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01...l/MSNPUpld.cab
Using Hijackthis, tick and fix all the (no file)'s
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Click the java icon in control panel, advanced, misc - untick java quick starter, and untick place icon in task bar
Disable ctfmon - control panel, regional and language options, languages, details, advanced, tick the Turn off advanced text services, ok
Uninstall any IE toolbars (browser helper objects or BHO's) or Firefox plugins that you don't need, this is a list of the IE BHO's evident in the log
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
If you want a speedy machine, Use windows firewall and replace your antivirus and security software with avast 6 free - (a fast and lightweight virus scanner with good detection rates) http://www.avast.com/free-antivirus-download :
Install and run startuplite, accept suggested changes - http://www.malwarebytes.org/StartUpLite.exe
Uninstall avg in Control Panel (add/remove programs or programs/features)
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
Uninstall superantispyware in Control Panel (add/remove programs or programs/features)
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
Download and install cleanmem http://www.pcwintech.com/cleanmem (download direct download). In windows explorer, go to c:\windows\tasks, click on the clean system memory task, schedule, advanced, and change it from every 30 minutes to every 5 minutes, then ok, ok. Find c:\program files\cleanmem\mini_monitor, run it and right click the icon (near the clock) to set it to automatically run at startup, show percentage to keep an eye on your ram use.
In internet explorer, click on tools, internet options, advanced, disable script debugging
start, run, services.msc, disable these services unless you use them. (make a note of any services you disable, if you have any problems related to these services subsequently, simply re-enable them)
SSDP Discovery Service
Remote Registry
WebClient
Distributed Link Tracking Client
Unless you use it, use msconfig to disable qttask.exe from running at startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
Unless you use it, use msconfig to disable jusched.exe from running at startup
C:\Program Files\Common Files\Java\Java Update\jusched.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
Unless you use it, use msconfig to disable reader_sl.exe from running at startup
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
acrobat is well out of date.
When you've done all that, post a fresh hijackthis log and any logs of infections found!!
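The selection rules in the post above (fix every O16 line and every "(no file)" entry, review the O2 BHOs, consider the O4 startup items for msconfig), written out as an added Python example that is not part of the original post. The function names and bucket labels are this example's own, and the sample log is constructed from lines quoted in the post.

```python
import re

# Constructed sample: HijackThis lines quoted in the post above, in mixed order.
SAMPLE_LOG = r"""
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # "O16 - <body>"
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_KEY = re.compile(r"^HK\w+\\\.\.\\[\w\\]+: \[([^\]]+)\] (.+)$")
STARTUP_DIR = re.compile(r"^(?:Global )?Startup: (.+?) = (.+)$")
EXE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)


def parse(log_text):
    """Split a HijackThis log into entries: section code, body, first CLSID if any."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            clsid = CLSID.search(m.group(2))
            entries.append({"section": m.group(1), "body": m.group(2),
                            "clsid": clsid.group(0) if clsid else None})
    return entries


def startup_item(entry):
    """For an O4 entry return (name, executable path); None for any other line."""
    m = RUN_KEY.match(entry["body"]) or STARTUP_DIR.match(entry["body"])
    if entry["section"] != "O4" or not m:
        return None
    exe = EXE.match(m.group(2))  # strip quotes and command-line switches
    path = (exe.group(1) or exe.group(2)) if exe else m.group(2)
    return m.group(1), path


def triage(entries):
    """Bucket entries the way the post does: fix, review (BHOs), startup, other."""
    buckets = {"fix": [], "review_bho": [], "startup": [], "other": []}
    for e in entries:
        if e["section"] == "O16" or e["body"].endswith("(no file)"):
            buckets["fix"].append(e)          # "tick and fix" lines
        elif e["section"] == "O2":
            buckets["review_bho"].append(e)   # uninstall if not needed
        elif e["section"] == "O4":
            buckets["startup"].append(e)      # candidates for msconfig
        else:
            buckets["other"].append(e)
    return buckets


if __name__ == "__main__":
    result = triage(parse(SAMPLE_LOG))
    for name, items in result.items():
        print(name, len(items))
    for e in result["startup"]:
        print("  startup:", startup_item(e))
```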
well from that I can see that you now need to run
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
AlienRik will read the log file and advise if there's extra stuff that needs a manual removal after that by running a small script file
Ok, downloaded, transferred, AVG removed and now running.
2009 Wins = £833
2010 Wins = £6,597
2011 Wins = £7,083
£2,012 in 2012 = £450/£2,012
20 in 2012 = 4/200
Closed, I will start working through your solution once ComboFix has finished doing its thing.
ComboFix log...
ComboFix 11-04-09.01 - smits96 10/04/2011 17:54:10.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1382 [GMT 1:00]
Running from: c:\documents and settings\smits96\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\19455796.exe
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\smits96\Start Menu\Programs\Windows Restore
c:\documents and settings\smits96\Start Menu\Programs\Windows Restore\Uninstall Windows Restore.lnk
c:\documents and settings\smits96\Start Menu\Programs\Windows Restore\Windows Restore.lnk
c:\documents and settings\smits96\WINDOWS
C:\Microsoft
c:\windows\Qxibab.exe
c:\windows\system32\config\systemprofile\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-03-10 to 2011-04-10 )))))))))))))))))))))))))))))))
.
.
2011-04-10 13:31 . 2011-04-10 13:31 557056 ----a-w- c:\documents and settings\All Users\Application Data\XFPwmcpwlYCi.exe
2011-03-24 21:22 . 2011-03-24 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\EA Core
2011-03-24 20:35 . 2011-03-24 20:35 -------- d-----w- C:\f7ec1154f83fcb7e1b7f1548b7b29df2
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-28 18:07 . 2011-02-28 18:07 388096 ----a-r- c:\documents and settings\smits96\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-04 17:48 . 2005-09-16 19:26 456192 ---ha-w- c:\windows\system32\encdec.dll
2011-02-04 17:48 . 2005-09-16 19:27 291840 ---ha-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2006-01-12 23:05 2067456 ---ha-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2006-01-12 23:05 677888 ---ha-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2006-01-12 23:05 439296 ---ha-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-27 2423752]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-24 251240]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-09-04 160328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 77824]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 344064]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"TGX2_VFD"="c:\windows\system32\TGVFDMsgservice.exe" [2004-12-01 233472]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\smits96\Start Menu\Programs\Startup\
setup_9.0.0.722_01.03.2011_00-19.lnk - c:\documents and settings\smits96\Desktop\Virus Removal Tool\setup_9.0.0.722_01.03.2011_00-19\startup.exe [2011-2-28 72208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AOL Demo.lnk - c:\applications\Tool\AOL Demo\DSGDemo.exe [2006-1-13 177178]
Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2009-12-17 1795488]
FreeventsSchedule.lnk - c:\freevents\FreeventsSchedule.exe [2006-1-13 16384]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2006-1-13 602112]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-13 14:32 548352 ---ha-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-10-08 02:50 88363 ---ha-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Philips\\Media Manager\\Philips Media Manager.exe"=
"c:\\Program Files\\SEGA\\Medieval II Total War\\medieval2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steem\\SteamApps\\common\\napoleon total war\\Napoleon.exe"=
.
R0 27671392;27671392 Boot Guard Driver;c:\windows\system32\drivers\27671392.sys [28/02/2011 23:50 37392]
R1 27671391;27671391;c:\windows\system32\drivers\27671391.sys [28/02/2011 23:50 128016]
R1 CXAVSAUD;Conexant 2388x Audio Capture;c:\windows\system32\drivers\cxavsaud.sys [13/01/2006 12:13 11008]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2009 12:43 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2009 12:43 67656]
R1 setup_9.0.0.722_01.03.2011_00-19drv;setup_9.0.0.722_01.03.2011_00-19drv;c:\windows\system32\drivers\2767139.sys [28/02/2011 23:50 315408]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/04/2009 12:57 92008]
R3 CXAVSTS;Conexant 2388x AVStream TS Capture;c:\windows\system32\drivers\cxavsts.sys [13/01/2006 12:13 16768]
R3 CXBDATUNE;Conexant BDA DVB Tuner/Demod;c:\windows\system32\drivers\cxBDAtun.sys [13/01/2006 12:13 102912]
R3 TGX263;TriGem X2 Device Driver;c:\windows\system32\drivers\TGX263.sys [13/01/2006 12:13 16384]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]
S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 14:16 130384]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2009 12:43 12872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 14:16 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
Supplementary Scan
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\smits96\Application Data\Mozilla\Firefox\Profiles\3lz0yy61.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-CY08W456F0 - c:\docume~1\smits96\LOCALS~1\Temp\Qwj.exe
MSConfigStartUp-GAGEZ8R8ZB - c:\docume~1\smits96\LOCALS~1\Temp\Qwk.exe
MSConfigStartUp-Vminagawoyuli - c:\windows\euspsi.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-10 18:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
LOCKED REGISTRY KEYS
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
DLLs Loaded Under Running Processes
.
- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-04-10 18:03:45
ComboFix-quarantined-files.txt 2011-04-10 17:03
.
Pre-Run: 209,672,663,040 bytes free
Post-Run: 209,787,699,200 bytes free
.
- - End Of File - - 596142518952B5E9094F8FCB85732EDF
Internet working on this PC now! Desktop still an odd Navy blue colour though.
So far....
reboot to let malwarebytes cleanup - DONE
upload C:\WINDOWS\system32\TGVFDMsgservice.exe to www.virustotal.com to check it out – CAN’T FIND THAT FILE DOING BROWSE FEATURE ON WEBSITE, CAN GET C:\WINDOWS BUT CAN’T FIND SYSTEM32 – HAVE C+P THE ABOVE IN BUT NOTHING HAPPENED?!
If you haven't already done it, Install Malwarebytes and do a FULL (not quick) scan (after updating it), fix anything found before closing, otherwise you'll have to do it all over again. If anything was found reboot the machine before continuing. http://www.filehippo.com/download_ma..._anti_malware/ - UPDATED. DOING FULL SCAN NOW.
Ok while it's scanning away...
If you know you have just been infected, with a fake antivirus for example, running system restore to a previous restore point is often the fastest way of getting your machine working again - HOW? SORRY, I'M A NUMPETY!
Making any changes to a PC setup always comes with a slight risk of something going wrong, the worst case scenario is an unbootable PC - ideally you should have got a backup of important data on dvd or external disk, and a disk image backup (http://www.macrium.com/reflectfree.asp) or windows disc/factory restore partition available before you start. In the unlikely event that anything does go wrong, post on another pc for advice. - I HAVE NO BACK UPS WHATSOEVER, DON'T THINK I'LL BE ABLE TO MAKE MUCH USE OF THAT PROGRAMME VIA THE LINK AS HAVE NOTHING TO BACK UP ON.
ignore the other bits for now, we have got rid of probably 98% of the infection now, may be a few tidy ups by Alienrik
easiest way to back up is to copy your "my documents" folder to a big enough USB drive or a DVD and burn it
Ex forum ambassador
Long term forum member
manually removed how ??
download this
http://www.filehippo.com/download_malwarebytes_anti_malware/
if you did not use it , install update and do a full scan
post the log file
The OP did specifically request that you put everything in lament terms, so I hope this helps address that:
"I ask with sorrow in my heart, how did you manually remove this terrible thing?
For it is great regret that I ask you to download this:
http://www.filehippo.com/download_malwarebytes_anti_malware/
It would be a cause for great sadness if you do not install, update, and do a full scan and then post a log. I feel your loss keenly."
Manually remove this folder -
C:\f7ec1154f83fcb7e1b7f1548b7b29df2
:idea: