routing.exe, perfs.exe, various .dlls

#16 Mechana (Topic Starter, Member, 46 posts)
Alright, I'm ready to start again.

Any clue how I should get the computer into Safe Mode without needing to reboot it in the bootup phase? Last night it seemed to be that the virus disabled my keyboard while the computer was booting up, preventing me from entering Safe Mode. I had to shut the computer off when it was booting up to allow for Safe Mode.

I will be making a disk with the files needed for your above procedure momentarily.

Oh, yes. Every time I boot the computer up now, it sounds like the hard drive makes a combination of a grinding noise and a beep for a second. Last time that happened, it was when my old computer was days away from total failure. Any clue why it would be happening?

#17 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Grinding is not good; it could be hard drive failure.
Be sure to check it after we get the computer functioning again.

Try to do the steps in Normal Mode.

#18 Mechana (Topic Starter, Member, 46 posts)
Alright. Did you see anything bad in the new HijackThis log? Should it be safe to boot in normal mode?


Hard drive failure is the last thing I need. I have a USB backup drive; should I use that to save my important files, or is there a chance of the malware corrupting the drive as well?

#19 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Yes, re-read my previous post; you still have malware present.
For now you need to remove one of the 2 antivirus programs.
There is a fix for the computer shutting down in my previous post.
Please read those instructions and post the CF_RC.txt log that will appear.
Then we will finish the cleanup.

#20 Mechana (Topic Starter, Member, 46 posts)
Alright. The computer I use to write the needed files to a disk is currently in use, so I am unable to get the required boot disk files onto the infected computer. I will post again if anything comes up during the steps you detailed, or with the log when I uninstall McAfee and then run the Recovery Console installation.

#21 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
OK.

#22 Mechana (Topic Starter, Member, 46 posts)
I am unable to drag and drop files on the infected computer. I am also unable to Copy/Paste.


What action should I take now?

#23 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
See if you are able to do this.

Download the contents of the attached file and save it to your CD.
Then boot into Safe Mode, right-click on the BFU folder that is saved to your CD, and choose Extract.
Choose the C:\ drive and name a folder BFU to extract it to.

Then do the following:
Please go to Start > My Computer and navigate to the C:\BFU folder; double-click it to open it.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the "scriptline to execute" field, click the folder icon and select fixthis.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the "complete script execution" box to pop up and press OK.
  • Press Exit to terminate the BFU program.
After reboot please post a new DSS log.


[attachment=22585:BFU.zip]

#24 Mechana (Topic Starter, Member, 46 posts)
This shows up when I run BFU.

"System Error &H800706BA (-2147023174). The RPC server is unavailable."


How should I proceed?

#25 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Okay.

Please go to Start > Run and type in Notepad.
Copy what is in the code box below into the open Notepad window.
Change the "Save As Type" to "All Files". Save it as fixthis.bat on your Desktop.

    @Echo off
    regedit /e look.txt "HKEY_LOCAL_MACHINE\System\CurrentControlSEt\Services\RpcSs"
    start notepad look.txt

Double-click on fixthis.bat; a window will open and close quickly. This is normal.
I will need to see the contents of the txt file that opens; please post it here.

Also let me know if you are able to boot into Normal Mode.

#26 Mechana (Topic Starter, Member, 46 posts)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSEt\Services\RpcSs]
"Description"="Provides the endpoint mapper and other miscellaneous RPC services."
"DisplayName"="Remote Procedure Call (RPC)"
"ErrorControl"=dword:00000001
"Group"="COM Infrastructure"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,20,00,2d,00,6b,00,20,00,72,00,70,00,\
63,00,73,00,73,00,00,00
"ObjectName"="NT AUTHORITY\\NetworkService"
"Start"=dword:00000002
"Type"=dword:00000020
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\
00,02,00,00,00,60,ea,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSEt\Services\RpcSs\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
72,00,70,00,63,00,73,00,73,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSEt\Services\RpcSs\Security]
"Security"=hex:01,00,14,80,a8,00,00,00,b4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,78,00,05,00,00,00,00,00,14,00,8d,00,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,18,00,8d,00,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,\
02,00,00,00,00,14,00,9d,00,00,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,\
18,00,9d,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,21,02,00,00,01,01,00,\
00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSEt\Services\RpcSs\Enum]
"0"="Root\\LEGACY_RPCSS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Here you go. I should be able to boot into Normal Mode. Should I do that now?

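The hex(2) values in the export above are REG_EXPAND_SZ strings stored as UTF-16LE bytes and split over continuation lines, so they are hard to read by eye. The script below is an added example, not part of the thread or of Windows: it parses a regedit /e export and compares the RpcSs service (whose failure produces "The RPC server is unavailable") with the Windows XP defaults, which are an assumption taken from what this export decodes to; SAMPLE_REG is a constructed subset of the posted output.

```python
"""Parse a ``regedit /e`` export of the RpcSs service key and compare it
with the values expected on Windows XP.

Added example, not part of the thread or of Windows. SAMPLE_REG is a
constructed subset of the export posted above; EXPECTED holds the XP
defaults as an assumption (they match what that export decodes to).
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSEt\Services\RpcSs]
"DisplayName"="Remote Procedure Call (RPC)"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,20,00,2d,00,6b,00,20,00,72,00,70,00,\
63,00,73,00,73,00,00,00
"ObjectName"="NT AUTHORITY\\NetworkService"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\System\CurrentControlSEt\Services\RpcSs\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
72,00,70,00,63,00,73,00,73,00,2e,00,64,00,6c,00,6c,00,00,00
'''

# Assumed XP defaults; strings are compared case-insensitively.
EXPECTED = {
    "ImagePath": r"%systemroot%\system32\svchost -k rpcss",  # hosted by svchost
    "ServiceDll": r"%systemroot%\system32\rpcss.dll",        # the real service code
    "ObjectName": r"nt authority\networkservice",            # runs as NetworkService
    "Start": 2,     # SERVICE_AUTO_START
    "Type": 0x20,   # SERVICE_WIN32_SHARE_PROCESS
}


def _join_continuations(text):
    """regedit splits long hex values over lines ending in a backslash; rejoin them."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def _parse_value(raw):
    """Decode one value: quoted string, dword, hex or hex(2)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # \\ -> \ and \" -> "
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "2":    # REG_EXPAND_SZ is stored as UTF-16LE, NUL-terminated
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text):
    """Return {key path: {value name: decoded value}} for a .reg export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, raw = line.partition("=")
        if current is not None:
            keys[current][name.strip('"')] = _parse_value(raw)
    return keys


def _key_ending_with(keys, suffix):
    """Look a key up by its tail, ignoring case (the export above has 'CurrentControlSEt')."""
    for path, values in keys.items():
        if path.lower().endswith(suffix.lower()):
            return values
    return {}


def check_rpcss(keys):
    """Compare the RpcSs service with EXPECTED; return a list of findings (empty = clean)."""
    svc = _key_ending_with(keys, r"\services\rpcss")
    params = _key_ending_with(keys, r"\services\rpcss\parameters")
    findings = []
    for name, want in EXPECTED.items():
        got = params.get(name) if name == "ServiceDll" else svc.get(name)
        if got is None:
            findings.append(f"{name}: missing")
        elif isinstance(want, str):
            if not isinstance(got, str) or got.lower() != want:
                findings.append(f"{name}: {got!r} (expected {want!r})")
        elif got != want:
            findings.append(f"{name}: {got!r} (expected {want:#x})")
    return findings


if __name__ == "__main__":
    for line in check_rpcss(parse_reg(SAMPLE_REG)) or ["RpcSs matches the expected values"]:
        print(line)
```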
#27 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Yes, boot into Normal Mode, then see if you can remove the one antivirus program.
Again, if it tries to shut down the computer, do the following:
Go to Start > Run, then type in shutdown -a and hit OK.
================================================
After uninstalling the antivirus, boot back into Safe Mode and do the following:
Go to Start > Run and type in the following exactly, hitting Enter after each line (for example: sc stop macidwe, then hit Enter):
sc stop macidwe
sc delete macidwe
sc stop perfs
sc delete perfs
sc stop sobicyt
sc delete sobicyt
sc stop tdxdowkc
sc delete tdxdowkc

==============
Then I will need you to show hidden files/folders.
To do this:
*Click Start.
*Open My Computer.
*Select the Tools menu and click Folder Options.
*Select the View tab.
*Under the Hidden files and folders heading, select Show hidden files and folders.
*Uncheck the Hide protected operating system files (recommended) option.
*Click Yes to confirm.
*Click OK.

After that, using Windows Explorer (to get there, right-click your Start button and go to "Explore"), delete these files listed below:

C:\Windows\system32\KarnaDrv.dll
C:\Windows\system32\macidwe.exe
C:\Windows\system32\perfs.exe
C:\Windows\system32\sobicyt.exe
C:\Windows\system32\sss.exe
C:\Windows\system32\syspilog.pil
C:\Windows\system32\tdxdowkc.exe

Now close Windows Explorer.

Now reset your hidden files/folders to hidden.
To do this:
*Click Start.
*Open My Computer.
*Select the Tools menu and click Folder Options.
*Select the View tab.
*Under the Hidden files and folders heading, select Do not show hidden files and folders.
*Check the Hide protected operating system files (recommended) option.
*Click Yes to confirm.
*Click OK.
==================
Then boot back into Normal Mode, post a new DSS log, and let me know how things are going and if you had any problems.

#28 Mechana (Topic Starter, Member, 46 posts)
Here is the DSS log.

Deckard's System Scanner v20071014.68
Run by Parent on 2008-08-09 20:36:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Parent.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:37, on 2008-08-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\DNA\btdna.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Parent\My Documents\larryhadalittlelamb\Deckard System Scanner (temp).exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Parent.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Update Helper - {25D596E9-BD03-4D4A-8310-5DF3B31E8D26} - C:\Program Files\Google\Update\1.2.121.17\GoopdateBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKUS\S-1-5-21-4065617495-334337264-2154702590-1003\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-4065617495-334337264-2154702590-1003\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" (User '?')
O4 - HKUS\S-1-5-21-4065617495-334337264-2154702590-1003\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User '?')
O4 - HKUS\S-1-5-21-4065617495-334337264-2154702590-1003\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent (User '?')
O4 - HKUS\S-1-5-21-4065617495-334337264-2154702590-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4065617495-334337264-2154702590-1003\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.k12.com
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvi...iveXClient1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} (InstallShield Setup Player V11) - http://ea-land.ea.co...stall/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1179847293578
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames...ctivex/YoYo.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23B86ABE-1DB6-474D-8187-F3F0255B8C0F}: NameServer = 68.87.75.194,68.87.64.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{23B86ABE-1DB6-474D-8187-F3F0255B8C0F}: NameServer = 68.87.75.194,68.87.64.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{23B86ABE-1DB6-474D-8187-F3F0255B8C0F}: NameServer = 68.87.75.194,68.87.64.146
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c8e20299b95e4) (gupdate1c8e20299b95e4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)

--
End of file - 10314 bytes

-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-08 19:14:40 68096 --a------ C:\WINDOWS\zip.exe
2008-08-08 19:14:40 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-08 19:14:40 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-08 19:14:40 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-08 19:14:40 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-08 19:14:40 98816 --a------ C:\WINDOWS\sed.exe
2008-08-08 19:14:40 80412 --a------ C:\WINDOWS\grep.exe
2008-08-08 19:14:40 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-08 18:52:28 0 d-------- C:\Program Files\Trend Micro
2008-08-08 18:40:17 0 d--hs---- C:\WINDOWS\CSC
2008-08-08 12:59:01 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-08-08 12:58:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-08-08 10:38:56 0 d-------- C:\Program Files\Alwil Software
2008-08-07 19:06:09 0 --a------ C:\WINDOWS\system32\39866AC4
2008-07-24 17:07:27 0 d-------- C:\Program Files\Phun
2008-07-20 23:17:45 0 d------c- C:\AudioConverter
2008-07-20 23:16:51 0 d-------- C:\Program Files\easetech
2008-07-20 20:07:10 0 d------c- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-20 20:07:01 0 d-------- C:\Program Files\Security Task Manager
2008-07-19 14:59:28 0 d-------- C:\Program Files\Pyra Productions
2008-07-19 14:07:45 0 d-------- C:\Program Files\Easy Icon Maker
2008-07-18 16:34:44 0 d-------- C:\Program Files\Pivot Stickfigure Animator
2008-07-16 15:16:48 0 d-------- C:\Program Files\QuickTime
2008-07-16 15:13:55 0 d-------- C:\Program Files\Apple Software Update
2008-07-16 15:13:54 0 d------c- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-08-09 20:36:24 0 d-------- C:\Program Files\Steam
2008-08-09 15:21:32 0 d-------- C:\Documents and Settings\Parent\Application Data\DNA
2008-08-08 19:17:08 0 d-------- C:\Program Files\Common Files
2008-08-07 19:06:04 15360 --ah----- C:\WINDOWS\system32\dbi102.dll
2008-08-07 19:06:03 117615 --a------ C:\WINDOWS\system32\new2.exe
2008-08-06 08:35:38 0 d-------- C:\Program Files\McAfee
2008-08-01 17:23:19 0 d-------- C:\Program Files\Google
2008-07-19 15:56:20 102400 --a------ C:\WINDOWS\system32\_reproxy.dll
2008-07-07 23:36:17 103424 --a------ C:\WINDOWS\system32\nUI_nat.dll <Not Verified;  ; nUI>
2008-07-06 11:37:21 0 d-------- C:\Program Files\Rocks'n'Diamonds
2008-07-05 18:34:12 0 d-------- C:\Documents and Settings\Parent\Application Data\Teeworlds
2008-07-05 14:12:09 0 d-------- C:\Program Files\Image-Line
2008-07-05 14:11:26 0 d-------- C:\Program Files\VstPlugins
2008-07-05 14:09:34 0 d-------- C:\Program Files\ASIO4ALL v2
2008-07-05 14:07:10 0 d-------- C:\Program Files\Outsim
2008-07-03 18:33:11 0 d-------- C:\Documents and Settings\Parent\Application Data\NBOS
2008-07-03 18:33:09 0 d-------- C:\Program Files\nbos
2008-07-03 17:31:19 0 d-------- C:\Documents and Settings\Parent\Application Data\.crossfire
2008-07-03 17:30:30 0 d-------- C:\Program Files\Crossfire GTK Client
2008-07-03 17:28:50 0 d-------- C:\Program Files\Common Files\GTK
2008-07-03 15:47:11 0 d-------- C:\Documents and Settings\Parent\Application Data\uk.co.planetside
2008-07-03 15:44:05 0 d-------- C:\Program Files\Terragen
2008-06-29 21:19:34 0 d-------- C:\Program Files\LEGO Company
2008-06-26 17:32:44 0 d-------- C:\Documents and Settings\Parent\Application Data\SPORE Creature Creator
2008-06-26 15:15:17 0 d-------- C:\Program Files\Common Files\McAfee
2008-06-26 14:57:38 0 d-------- C:\Program Files\Clonk Endeavour
2008-06-26 14:56:00 0 d-------- C:\Documents and Settings\Parent\Application Data\Clonk
2008-06-21 23:31:55 0 d-------- C:\Program Files\KoolMoves Demo
2008-06-21 20:11:49 0 d-------- C:\Program Files\ProcedurallyGeneratedGames
2008-06-20 17:33:53 0 d-------- C:\Documents and Settings\Parent\Application Data\Malwarebytes
2008-06-20 17:33:49 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-20 13:41:10 245248 --a------ C:\WINDOWS\system32\mswsock.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-18 22:04:43 0 dr-h----- C:\Documents and Settings\Parent\Application Data\SecuROM
2008-06-18 22:02:47 0 d-------- C:\Program Files\Electronic Arts
2008-06-18 22:02:44 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-18 21:32:38 1504 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-18 17:13:20 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-18 17:13:17 0 d-------- C:\Documents and Settings\Parent\Application Data\Mozilla
2008-06-18 16:21:17 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-16 18:44:48 0 d-------- C:\Documents and Settings\Parent\Application Data\IEPro
2008-06-16 18:05:18 0 dr------- C:\Documents and Settings\Parent\Application Data\SpaceTime 3D
2008-06-12 23:08:04 0 d-------- C:\Program Files\Audacity
2008-06-12 11:09:52 0 d-------- C:\Program Files\PyraProductions
2008-06-12 10:43:28 0 d-------- C:\Program Files\Install Creator
2008-06-10 14:32:16 0 d-------- C:\Program Files\Framsticks
2008-06-06 19:52:04 54864 --a------ C:\WINDOWS\War3Unin.dat
2008-06-06 19:51:30 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-06-06 19:51:30 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-06-04 10:50:45 185344 --a------ C:\WINDOWS\patchw32.dll
2008-06-02 15:27:47 4608 --a------ C:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-06-02 15:27:47 2272 --a------ C:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-05-28 22:19:00 174 --a------ C:\WINDOWS\Palace.reg
2008-05-27 23:14:29 1024 --a------ C:\Documents and Settings\Parent\Application Data\WavCodec.wff


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25D596E9-BD03-4D4A-8310-5DF3B31E8D26}]
2008-07-31 16:58 184816 --a----t- C:\Program Files\Google\Update\1.2.121.17\GoopdateBho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2002-12-31 08:00 C:\WINDOWS\RTHDCPL.EXE]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [2008-01-22 23:09]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2008-01-22 23:09]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-25 09:57]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 11:01]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 08:17]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37]
"Steam"="c:\program files\steam\steam.exe" [2008-04-19 19:12]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 08:00]
"EA Core"="C:\Program Files\Electronic Arts\EADM\Core.exe" [2008-06-13 18:27]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E60A0B68-2F3C-A1D2-A901-9381E036D21A}"= C:\WINDOWS\system32\Karna2Drv.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10a77790-f28e-11db-b04b-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6cba5d2d-f4cd-11db-b3ec-806d6172696f}]
AutoRun\command- D:\ltree\autorun\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e63f5ad-087b-11dc-9ac1-806d6172696f}]
AutoRun\command- D:\ltree\autorun\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9323aad-f3fe-11db-b907-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec46b1ad-19d1-11dc-ad3e-806d6172696f}]
AutoRun\command- D:\ltree\autorun\autorun.exe




-- End of Deckard's System Scanner: finished at 2008-08-09 20:39:21 ------------

And these are the problems I have found.

-Window style set to Windows Classic, the Style Selector in the Properties does not show the Windows XP style.
-I am still unable to copy/paste or drag/drop files.
-My system clock is in army time.
-The bar at the bottom of the screen does not show the open windows.
-The computer takes about 30 seconds to start up after entering the username and password, but before that it started up faster than normal.

Edited by Mechana, 09 August 2008 - 09:22 PM.


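A log like the one above is usually read by entry type: O23 services whose binary is gone or has no publisher, SafeBoot entries that let such a service start in Safe Mode, and DSS registry-dump lines such as the ShellExecuteHooks DLL with no file information after it. The following script is an added example, not part of the thread or of HijackThis/DSS: it triages those entry types over SAMPLE_LOG, a constructed subset of the log above, using rules that are my assumptions about what a reviewer checks first (in particular, an empty "[ ]" after a path is taken to mean DSS recorded no file information).

```python
"""Triage a HijackThis / Deckard's System Scanner (DSS) log for the entry
types worth checking first.

Added example, not part of the thread or of either tool. SAMPLE_LOG is a
constructed subset of the log posted above. The rules are assumptions:
an O23 service marked "(file missing)" is an orphaned service entry, an
"Unknown owner" service has no publisher recorded, a SafeBoot\Minimal
entry for an orphaned service means it would also load in Safe Mode, and
an empty "[ ]" after a path in the DSS registry dump is taken to mean DSS
found no file information for it.
"""
import re

SAMPLE_LOG = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E60A0B68-2F3C-A1D2-A901-9381E036D21A}"= C:\WINDOWS\system32\Karna2Drv.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
"""

# "O23 - Service: <display name> (<short name>) - <owner> - <path> [(file missing)]"
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Registry section naming a service allowed in Safe Mode
SAFEBOOT_RE = re.compile(r"\\SafeBoot\\Minimal\\(?P<svc>[^\\]+)$", re.IGNORECASE)
# DSS dump value line: "<name>"= <path> [<file info>]
DUMP_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<path>.+?)\s*\[(?P<info>[^\]]*)\]$')


def triage(log_text):
    """Return a list of (rule, item) findings for a HijackThis/DSS log."""
    findings, missing, section = [], set(), ""
    for line in log_text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            short = m.group("short") or m.group("name")
            if m.group("missing"):
                findings.append(("service-binary-missing", short))
                missing.add(short.lower())
            elif m.group("owner") == "Unknown owner":
                findings.append(("service-unknown-owner", short))
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sb = SAFEBOOT_RE.search(section)
            # Cross-reference: an orphaned service that Safe Mode would still start
            if sb and sb.group("svc").lower() in missing:
                findings.append(("safeboot-allows-missing-service", sb.group("svc")))
            continue
        m = DUMP_VALUE_RE.match(line)
        if m and section.lower().endswith("\\shellexecutehooks") and not m.group("info").strip():
            findings.append(("shell-hook-no-file-info", m.group("path")))
    return findings


if __name__ == "__main__":
    for rule, item in triage(SAMPLE_LOG):
        print(f"{rule:34} {item}")
```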
#29 Mechana (Topic Starter, Member, 46 posts)
It's getting late. I will finish this up tomorrow. I'll check to see if you posted anything when I get on my laptop tomorrow.

Thank you so much for all the work so far. I'm confident that this will be resolved within a few days.


-Mech

#30 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Do you happen to have a Windows XP CD, possibly one that came with the computer?
Do you still hear the grinding hard drive noise?
At what point did the Windows theme change to the Classic theme?

You still have some malware present, but I want to see if Malwarebytes will find it first instead of having you boot back into Safe Mode and delete the files.
If it does not, then we will have to do that.
============================
Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
====================
Also, after that, please post a new DSS log.