PC unresponsive unless in Safe Mode - Was fine seconds ago!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Heskey, Sep 20, 2007.

  1. Heskey

    Heskey Private First Class

    Hey guys,

    I've just got back from spending the night at a friend's and sat down at my PC. It was working perfectly, but since I'd left it on overnight, I gave it a restart.

    When I came to login, all I could see was my background for a few seconds, and then my desktop appeared.

    Problem is, when I click START, it takes seconds to load and half the icons are missing, clicking any of my favourite programs does nothing, and the 'shut down' menu has been replaced with the Windows 98/classic kinda drop down box, despite having the XP interface in safemode (I'm running XP Home).

    Whenever I click icons on the desktop the icon (not the name) disappears and doesn't load.

    When I press the 'full tab' button in the bottom right it takes about a minute to expand.

    When I press Alt + Ctrl + Del to see if there's any malicious programs loading when I startup, nothing happens.

    The only thing that DOES seem to work is right clicking and rearranging/creating folders, but clicking properties etc doesn't load anything.

    ----

    Now, I went into safemode and ran Spybot Search & Destroy, HiJack This and AdAware. I found pretty much nothing and quarantined/immunized/deleted what it did find.

    This hasn't resolved the issue though and I'm having to operate my PC in safemode.

    I begin Uni on Monday so I really need to get my PC working ASAP, since the connection I've bought in my accommodation only works on 1 registered computer (my PC), so I can't hook up my laptop.

    ----

    The only thing I've done before restarting my PC was creating a new login account for Battlefield 2142 at the advice of EA Tech Support, since I'm getting some "Protection Error: 103" when I tried to load it on my default account.

    PLEASE help! :(

    - Heskey
     
  2. abri

    abri MajorGeek

    Hi Heskey!
    Welcome to Major Geeks! I'm sorry your computer is ailing! This may or may not be a malware problem. Have you tried going back to an earlier restore point, like to a day or two before you started to see the problems? I recommend this as the first thing. If that doesn't solve the problems, then I will post you a different set of instructions. If you've never done this, please ask for instructions!
    abri
     
  3. Heskey

    Heskey Private First Class

    Thanks for your speedy response,

    The last time I did a system restore, it duplicated every single one of my files, and the time before that, it wiped everything that was in a folder.

    I've grown so untrusting of it.

    If you could post a full set of instructions of what/how to do, I'll give it a whirl.

    I can't honestly think though what has changed in the space of a restart to cause my PC to go tits-up.

    I've just tried turning all automatic services on startup to manual, but that didn't solve the problem.

    Also downloaded AVG Free, but can't install in safemode :S

    Bear in mind, I'm at uni on Monday and I NEED this PC, even if it's only in safemode, to do my work.

    Also, I don't have my reformat disks with me at the moment so if my PC breaks with this restore attempt, I'm gonna be absolutely rogered :(

    - Heskey
     
  4. abri

    abri MajorGeek

    Hi Heskey,
    I haven't ever heard of those things happening when system restore is used to return to an earlier restore point. It is an odd problem. I wanted to ask you if you rebooted your computer several times after the restart that gave you problems? If you rebooted several times, did you always have the same problems? Did anything change, get worse, get better? Also, when you said that you fixed, quarantined, immunized and deleted what Spybot, AdAware and HijackThis find, did you mean you also fixed what HijackThis found? That would not be a good idea. If this were my computer, I would simply go back to the last restore point I knew to be good, but with your peculiar experiences, I would suggest that you try to go through our standard procedures which I'll post in a box with links below and then let us look at your logs and see if there's a malware issue or not. It's possible there is. If you have problems running any of these things, please tell us. Do as much as you can.



    abri
     
  5. Heskey

    Heskey Private First Class

    When I first restarted, I put it down to the PC buggering up and restarted again - When it did it again I restarted once more, then realising it was gonna keep doing it, I ran to safemode to scan, then came back to find it still doing it when I restarted.

    New Info: I've just found that when I load my PC normally, I have about 10 seconds of full function out of it, able to load my start menu, go into My Computer (Icons appearing!) until after about 10 seconds the 'explorer' closes and all I can see is my background image; in about 4 seconds when my desktop reappears, the PC is sluggish again; start menu slow to load, icons missing, clicking things doesn't work.

    I'm assuming that something is loading with my PC when the explorer crashes?

    Being in student accommodation, I'm on the network with everyone else who's bought a connection; my only shared folder is My Shared Documents; is it possible someone has done this deliberately to me?

    I'm going through the procedures now and eagerly await a response.

    Worst comes to worst, my bro is coming up tomorrow with our disc.

    - Heskey
     
  6. Heskey

    Heskey Private First Class

    I've run the following scans and here are their logs;

    NOTE - All these were scanned in SafeMode (As obviously Normal Mode doesn't work at all), and one scan is missing due to being unable to install in safemode.
     


  7. Heskey

    Heskey Private First Class

    I'm going to attempt to backup my important folders using an external HDD before I attempt anything else on your instruction (a system restore for example).

    At least then if we're unsuccessful today, I can carpet bomb and reformat my HDDs tomorrow and start fresh...

    The final 2 logs are here;
     


  8. abri

    abri MajorGeek

    Hi Heskey!

    I need for you to redo HijackThis, because you ran it from the wrong location with the wrong name, and it doesn't do us any good if it's run from the wrong location with the wrong name. Please put it in a folder called HijackThis or HJT under C:\Program Files. After you've located it in that file, please rename hijackthis.exe to be analyse.exe. There are certain vermin that like to evade detection if it runs under hijackthis.exe. That's why we ask you to rename it.

    Thanks.
    abri
     
    Last edited: Sep 20, 2007
  9. Heskey

    Heskey Private First Class

    Ah sorry about that - I copied the .exe to my desktop so I could quickly scan before my PC died in normal mode but it didn't work.

    Here's the file (Safemode ran again, sorry)

    ------------

    I'd just like to remind ya, I can log in normally, and have about 10 seconds to load up a few programs that then function perfectly, but then my taskbar/desktop disappears and doesn't return.

    I'm actually in Normal Mode now without any slowness/response issues, it's just that the problem has regressed to not giving me my desktop back at all.

    I'm rambling now, basically I'm in normal mode and can see:

    This window of Mozilla FireFox
    Trillian
    iTunes

    That's all I got time to load before the desktop vanished.

    Are we still dealing with Malware or is it some corrupt loadup .dll?

    I'm just worried that even if I do fix it, or reformat my PC, that it'll come back in the future.
     


  10. Heskey

    Heskey Private First Class

    Using my firefox browser I was able to open analyse.exe and save a log file in normal mode!

    I hope this helps:

    --

    Haha, using that same Open File trick I can load my programs, so I've managed to load steam and currently seeing if I can play NS!

    Yep, I can play my games through using that trick, but I still want my desktop and taskbar back! :S

    I've managed to get you a picture of what my PC looks like in Normal Mode now; note that shortcut keyboards like Ctrl + N, Alt + Ctrl + Delete and even the Calculator button I have (multimedia keyboard) don't work, but the keyboard itself does. Take a look at the picture:

    http://img504.imageshack.us/img504/4840/help0003gr5.jpg

    (Exceeded the upload limit so had to imageshack it)
     


    Last edited: Sep 20, 2007
  11. abri

    abri MajorGeek

    Hi Heskey!

    Your computer has some problems. You're running a bad copy of WarCraft. Copies like that are often bound with backdoors like the ones that BitDefender found. I think you would be well off to dump that and get a legal copy. With the hijackthis, we're going a bit in the dark for the moment until I get a log from the correct one. However, I can see you have two bad services running that may be part of the problem.

    To begin with, I would like for you to go into Windows Explorer and delete this file:
    Then follow the instructions below:

    1) Please look in Add/Remove Programs for the following and uninstall it/them. If you get any errors just make a note and proceed.
    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run
    Disable/Remove Windows Messenger

    3)
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Remote Procedure Call (RPC) MO
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    Now repeat the above steps to Stop and Disable the below Service (if you do not find it or get any errors, just continue):

    • Remote Procedure Call (RPC) Se (RPCSEO)

      When you've completed these, please
    • Click OK until you get back to Windows.

    4) Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste RPCSE into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below Service (if you do not find them or get any errors, just continue):
    Now exit HJT but wait to reboot until you've finished running ATF Cleaner farther down.

    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    6) After you have completed the above, please reboot your computer.

    7) After you reboot, please run new scans for ShowNew (newfiles.txt), GetRunKeys (runkeys.txt) and analyse.exe (hijackthis.log) and attach fresh logs
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log


    abri
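    The service step above (stop, disable, then delete the two look-alike "Remote Procedure Call (RPC) ..." entries) is the part of these instructions that most needs a safety check: the genuine RPC service (RpcSs) carries almost the same display name and Windows does not run without it. The script below is an added example, not part of the thread or of the tools abri names. It assumes Windows XP with PowerShell installed (an optional download for XP at the time, not part of the default install) and an Administrator account; the rogue service names RPCSE/RPCSEO come from abri's post, nothing else is taken from the thread.

```powershell
# Added example, not from the thread. Assumes XP + PowerShell, run as Administrator.

# The RPC-named services XP ships with. Never stop or disable RpcSs (display name
# "Remote Procedure Call (RPC)", binary svchost.exe -k rpcss): Windows cannot
# function without it, which is exactly why malware picks a look-alike name.
$legit = @('RpcSs', 'RpcLocator')

function Get-RpcImpostor {
    Get-WmiObject Win32_Service |
        Where-Object { $_.DisplayName -like 'Remote Procedure Call*' -and
                       ($legit -notcontains $_.Name) }
}

# Step 1: look before touching anything. PathName is the executable the service
# control manager starts; a "service" whose binary sits in %TEMP%, in a user
# profile, or under an odd name in System32 is the tell, and that file is what
# to upload to a multi-engine scanner before it is deleted.
Get-RpcImpostor | ForEach-Object {
    '{0,-10} {1,-36} {2,-8} {3,-9} {4}' -f $_.Name, $_.DisplayName,
        $_.State, $_.StartMode, $_.PathName
}

# Step 2: stop, disable and delete each impostor (the same three actions as
# services.msc plus HijackThis "Delete an NT service"). Every Win32_Service
# method returns an object whose ReturnValue is 0 on success, so a failure is
# reported instead of silently skipped.
function Remove-RpcImpostor {
    foreach ($svc in Get-RpcImpostor) {
        $binary = $svc.PathName          # record it before the entry disappears
        if ($svc.State -eq 'Running') {
            $r = $svc.StopService()
            if ($r.ReturnValue -ne 0) {
                Write-Warning ('{0}: StopService returned {1}' -f $svc.Name, $r.ReturnValue)
            }
        }
        $r = $svc.ChangeStartMode('Disabled')
        if ($r.ReturnValue -ne 0) {
            Write-Warning ('{0}: ChangeStartMode returned {1}' -f $svc.Name, $r.ReturnValue)
        }
        $r = $svc.Delete()
        if ($r.ReturnValue -eq 0) { '{0} deleted; its binary was {1}' -f $svc.Name, $binary }
        else { Write-Warning ('{0}: Delete returned {1}' -f $svc.Name, $r.ReturnValue) }
    }
}

# Run the listing first. Call Remove-RpcImpostor only once it shows nothing but
# the rogue entries (here RPCSE and RPCSEO), then reboot and run the listing again.
```

    The filter is deliberately on display name with an allow-list on the real service name, rather than on the RPCSE/RPCSEO names alone, because the next variant will use a different short name but the same disguise. Keep the printed PathName: once the service entry is gone there is no other record of which file it was starting.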
     
  12. Heskey

    Heskey Private First Class

    I'll follow your instructions but I'll just inform you, those apparently corrupt WC3 files are just on my PC; I used them in a previous format but since last reformatting I bought legit copies and have used them since.

    I did however copy over my saved game - Could that be the problem? In backing everything up, I just copied it again onto my external HDD - Have I infected everything on there, or the HDD itself? Or is it only when opened?

    Plus, what would cause the save file to affect my PC -now-? I haven't loaded WC3 in about a week, and my PC has been restarted fine since then.

    Either way, I'll follow your instructions, but take a look at what I can see also:

    http://img504.imageshack.us/img504/4840/help0003gr5.jpg

    Thanks, following instructions now.
     
  13. Heskey

    Heskey Private First Class

    Abri,

    Read through the log I took down along the way of following your instructions, then read below the line to find my results:

    I followed your instructions in Safe Mode, here are the notes I took along the way:

    I get this error when trying to uninstall Java Runtime Environment 6 Update 1:

    "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

    I'm running in safemode because I can't access control panel in normal mode, but Warcraft 3 (legit copy, but carried over save game from illegal copy) uninstalled fine; including the save game.

    Remote Protocol MO was already stopped, but I switched it from automatic to disabled.

    I disabled the one below it, but it did not have (RPCSEO) on the end (Just Remote Procedure Call (RPC) Se) so I don't know how effective that 'delete an NT file' will be - Just done it, they both deleted the services you asked me to disable. Continuing:

    -------------------------------

    Okay, so after I restarted, my PC loaded fine... My desktop didn't flicker, I've got my taskbar, icons, XP shut-down menu. My PC appears to be working again!

    Can you explain to me what the problem was, and if it was something like a corrupt WC3 savefile, why did it choose -now- to destroy my PC when it's been there for ages?

    Below you'll find the brand new, Normal Mode log files.

    Unless there's any other steps I have to take, thank you thank you thank you so much for your help! THANK YOU!!

    -------------------------------

    PS. I was advised by EA Tech support to create a new user account to play 2142 on due to the Protection Error 103; do you think creating that new user account had anything to do with this? I don't wanna go "Yay my PC's fixed, back to business!", re-add a new account and have the problem happen AGAIN.

    Am I gonna be safe resuming normality now? :p

    PS. Seeing as I'm no longer in safemode, I've managed to add/remove Java Time SE 6.1 suntime whatever it was called :)

    - Heskey
     


  14. Heskey

    Heskey Private First Class

    Hmm, ever since the problem's been fixed, Ultima Online runs pretty dire, and affects my PC when it's open - I've reinstalled and repatched but no cure; have I caused longterm damage to it, or would removing registry info for it and restarting alleviate the problem also? :S

    I haven't noticed a problem with Natural Selection (Steam), yet, at least.
     
  15. abri

    abri MajorGeek

    I went looking for the Warcraft file which was this one:
    C:\Documents and Settings\James\Local Settings\Temp\warcraft3keygen.exe

    All of your Temp files should have been deleted when you ran ATF Cleaner, but they weren't. Did you run it? If not, please run it and post a new newfiles.txt log. Your warcraft file listed above is among those files. If you double click on the newfiles.txt log and do a search for warcraft file, you will see a list of Temp. files. Those are what we'd like to get rid of. If there is something you particularly don't want to part with, please zip it and put it someplace else. If there is something evil in it, it will only get out if you open the zip file.

    Once your computer is clean, we have a final and important set of instructions you need to do, which includes flushing your restore points and setting a new one that's clean. I would like to see the newfiles log before we do that.

    I'll answer your other questions in a second post.
    abri
     
  16. abri

    abri MajorGeek

    The legitimate copy is fine. The keygen copy is in your Temp files. This may or may not have had to do with the backdoor you had. I doubt it had to do with the other problems you were having. I rather think the remote protocol had to do with those problems:
    This is good!

    I'm thinking of getting a signature - never fix what ain't broke!
    :)
    More tomorrow.
    abri
     
  17. Heskey

    Heskey Private First Class

    Twice I've run ATF Cleaner and then the 3 new logs now, these are the 2nd log files done exactly as you instructed, but on a quick check it seems war3keygen is still there:

    Unfortunately now I can't seem to click anything that's not a text box (I.E. bold button, attachments, smilies) so I can't link these new files...

    It's like it's just an image, the hell's going on? :S

    I can do it on another forum using the same interface but not this?
     
  18. abri

    abri MajorGeek

    Do you mean you can't click on anything except txt files in your computer or do you mean you can only click on txt files when you try to upload something to this forum? Since ATF doesn't seem to be emptying your temp files, it's probably not emptying your internet cache either. Do you have another browser like Firefox and if so, can you upload using another browser? Is your computer still otherwise all right except for this forum? This is important for me to know.

    abri
     
  19. Heskey

    Heskey Private First Class

    No no what I meant was, when I got to post a message I can only write in the text boxes; the buttons above don't 'pop out' when I moused over them, they were just solid images that I couldn't interact with. (Other forums using the same format were fine)

    Just installed IE7 to post it, but when I restarted, it seems Mozilla's working here again now, so here're the logs:
     


  20. Heskey

    Heskey Private First Class

    I think it's definitely worth noting to you that CCleaner won't install on my PC,

    It follows the setup, up to the point where it shows a progress bar of the installation - It gets about 1/10th the way in and then just vanishes, without any message or error, and no trace of it is in my program files or add/remove programs.

    I've got other problems, which can wait 'til we've got rid of this keygen, but I'll list them here anyway:

    Ultima Online - Ever since my PC trouble yesterday, it's been running sluggishly, and when it is loaded the rest of my PC is sluggish too; when closed it's fine - I've reinstalled it, but that didn't help. I've uninstalled it and manually deleted any files associated with it, including anything explicitly labelled to do with Ultima Online in the regedit (from EA Games folders). I'll wait to reinstall it though.

    Battlefield 2142 - As I say, it used to work fine but when I load it now it says PROTECTION ERROR 103 and closes; the tech support tells me to make a new profile and install it on that, as some admin files may have been messed up in my windows installation. I've uninstalled it and also removed any corresponding registry files, but it's still appearing in my add/remove programs list with a white dos-box for its icon, and despite clicking uninstall numerous times it's still there. I seem to remember Battlefield : Vietnam did the same a few years ago, but I've never had a problem with 2142 before.

    Either way, like I say let's focus on this keygen first, and keep those 2 above for reference.
     
  21. abri

    abri MajorGeek

    Hi Heskey!

    I would like to check for a rootkit. Nothing could be more desirable to a virus than to hang out in the TEMP files and prevent any software from functioning which could get rid of those. Let's try the following two scans, please. It probably would be a good idea after you download these, to disconnect your computer from the internet and turn off your antivirus program before you run them. Remember to turn it back on before reconnecting.


    After you've completed that, please do the following:

    abri
     
  22. abri

    abri MajorGeek

    Hi Heskey!
    We found two new files in your computer that I would like to have you check after you finish the two rootkit scans in post 21. Please go to this address - jotti - and upload each of the files in the box below one at a time and have them scanned. Please note! The file name serivce.dll is spelled exactly the way it is given. You can identify it by its misspelling of the word service. At the jotti website, there's a box at the top of the page where you can upload them and then click on scan. Please report the results back to me. This is a scan that uses many different antivirus machines to check if these files contain known viruses. The files I want you to upload are both under C:\WINDOWS and are:
    Also, please tell me which ATF options are checked to be deleted. I want to make sure that you have the right things checked. If we can't use ATF or CCleaner to clear out the TEMP files, we will do it manually, but it's a slower process.
    Thanks!
    abri
     
    Last edited: Sep 21, 2007
  23. Heskey

    Heskey Private First Class

    Hi Abri,

    Thanks for your continued support with my PC, and I apologise for the wait in response; I've been at a friend's.

    The logs are below as you requested, however Jotti appears to be down at the moment, I'll check it regularly to follow your latest instruction.

    As for ATF, the following options are ticked when I clean:

    Main = Select All:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    History
    Prefetch
    Java Cache
    Recycle Bin

    Firefox:

    Cache
    Cookies
    History
    Download History
    Saved Form Info
    (NOT) Saved Passwords
     


  24. Heskey

    Heskey Private First Class

    Jotti:

    I can't find serivce, or intel.dll's in the C:\WINDOWS directory.

    The only .dll's in there are:

    twain
    twain_32
    Unicows
    vmmreg32
     
  25. abri

    abri MajorGeek

    Hi Heskey!
    Your files are still hidden, that's why. Please follow the instructions here to make your files visible (step 2 of the READ ME). You have one thing in the correct position, but two of them are not. Once you've made them all visible, you should be able to upload those two files to Jotti. There are three things you have to do! You must do them all: Check "Show hidden", uncheck "Hide extensions" and uncheck "Hide protected" as per these instructions below.

    Windows XP
    • Right Click Start.
    • Select Explore
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide extensions for known file types option.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Apply.
    • Click OK.
    After doing this, please see if you can upload the files to Jotti as per the instructions in post 18. Then tell me what Jotti finds. If, after doing the above, you still can't find the files, please tell me and I will make them visible.

    abri
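    The three Folder Options switches abri lists are just three registry values under the current user's Explorer\Advanced key, and the file can be found and fingerprinted without Explorer's help at all, which also gives the MD5 that a multi-engine scanner such as Jotti or VirusTotal prints for an upload. The script below is an added example, not part of the thread or of any tool it mentions. It assumes PowerShell on the XP box and, as abri says, a DLL directly under C:\WINDOWS; the value names and their meanings are Windows' documented ones, the helper name is mine.

```powershell
# Added example, not from the thread. Assumes XP + PowerShell, current user.

# Part 1: the Folder Options switches as registry values.
#   Hidden          1 = show hidden files and folders, 2 = do not show
#   HideFileExt     0 = show extensions for known file types, 1 = hide them
#   ShowSuperHidden 1 = show protected operating system files, 0 = hide them
$adv    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$wanted = @{ Hidden = 1; HideFileExt = 0; ShowSuperHidden = 1 }
$cur    = Get-ItemProperty $adv
foreach ($name in $wanted.Keys) {
    $state = if ($cur.$name -eq $wanted[$name]) { 'ok' } else { 'changing' }
    '{0,-16} current={1} wanted={2}  {3}' -f $name, $cur.$name, $wanted[$name], $state
    Set-ItemProperty $adv -Name $name -Value $wanted[$name] -Type DWord
}
# Explorer reads these when a window opens; log off and on (or restart
# explorer.exe) for windows that are already open to pick the change up.

# Part 2: PowerShell does not depend on those settings. -Force lists files that
# carry the Hidden and System attributes, so this sees serivce.dll even before
# Part 1 takes effect, and records what a scanner report needs: size,
# attributes, timestamp and MD5.
function Get-DllReport([string]$dir) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    foreach ($f in Get-ChildItem -Force $dir -Filter *.dll) {
        $bytes = [System.IO.File]::ReadAllBytes($f.FullName)
        $hash  = [BitConverter]::ToString($md5.ComputeHash($bytes)).Replace('-', '').ToLower()
        '{0,-14} {1,9} {2,-24} {3:yyyy-MM-dd HH:mm} {4}' -f $f.Name, $f.Length,
            $f.Attributes, $f.LastWriteTime, $hash
    }
}
Get-DllReport "$env:SystemRoot"
```

    A DLL living directly under C:\WINDOWS rather than System32 is unusual to begin with; the four Heskey found without -Force are the usual residents, and anything the listing adds beyond them is a candidate. Compare the printed MD5 with the one the scanner shows after upload: if they differ, the file that was scanned is not the file on disk.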
     
    Last edited by a moderator: Sep 23, 2007
  26. Heskey

    Heskey Private First Class

    Jotti is still unresponsive. Turning hidden important files off has revealed serivce.dll but still no sign of Intel.dll
     
  27. abri

    abri MajorGeek

    I see what you mean about jotti. Check serivce.dll: at this one instead: VirusTotal

    Intel.dll
    is adware. It was in your first newfiles.txt log, but wasn't there anymore in your second one, so that's why you can't find it.

    abri
     
  28. Heskey

    Heskey Private First Class

    Not sure how to report the findings of serivce; managed to get Jotti working, but here you go:

    File: serivce.dll
    Status:
    INFECTED/MALWARE
    MD5: 0e429c103b923d645ed5bf1fb8e73074
    Packers detected:
    -
    Bit9 reports: File not found

    --------------------------------------------------------

    Scan taken on 24 Sep 2007 13:02:01 (GMT)

    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found BackDoor.W32.Hupigon.fej
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    --------------------------------------------------------

    Last file scanned at least one scanner reported something about: obcts.dll.virus (MD5: 2d62803fabf00251de07ba4f70b17d69, size: 86016 bytes), detected by:

    Scanner Malware name
    A-Squared X
    AntiVir TR/BHO.Soshelp
    ArcaVir X
    Avast X
    AVG Antivirus X
    BitDefender X
    ClamAV X
    CPsecure X
    Dr.Web Adware.Baidu.280
    F-Prot Antivirus X
    F-Secure Anti-Virus X
    Fortinet X
    Kaspersky Anti-Virus X
    NOD32 X
    Norman Virus Control X
    Panda Antivirus X
    Rising Antivirus X
    Sophos Antivirus X
    VirusBuster X
    VBA32 X
     
  29. abri

    abri MajorGeek

    Hi Heskey,
    please go to Windows Explorer and find the file in the box, right click on it and select the option to rename it. Change the name to serivce.ddd
    See if this affects the way your computer runs with several reboots.
    If it doesn't have any effect on your computer, we will remove it.
    abri
     
  30. Heskey

    Heskey Private First Class

    Alright, I'll see how this affects my PC :)
     
  31. Heskey

    Heskey Private First Class

    Question - What to do about that un-deleting TEMP folder backdoor, and the backdoor found by jotti? I've renamed serivce.dll to .ddd, but is this supposed to cease the functionality of the malware, or do I still have it? :S
     
  32. Heskey

    Heskey Private First Class

    My PC popped up with this, I've screenshotted it as it's the same name as the backdoor found by jotti - What can you tell me about it?

    Plus, despite clearing the registry etc for UO, it's still running like poo and makes my PC run like poo when it's open (Didn't do this the day before I came here - I.E. Last Wednesday).

    Would you recommend a fresh reformat, or do you think it's inevasive, or the backdoor will come with it?

    I just want to fix my PC :S
     


  33. abri

    abri MajorGeek

    It needs to be put in the vault or healed. Either one. It's possible this is part of your computer problem.

    How are you clearing the registry?

    I want to try to delete your temporary files and this one serivces.dll file before you resort to drastic measures.


    Please go to Windows Explorer and delete everything in the following two folders which you are allowed to delete. You probably will not be able to delete anything with today's date.

    - C:\Documents and Settings\James\Local Settings\Temp\
    - C:\WINDOWS\Temp\


    The file we renamed from serivce.dll to serivce.ddd is unknown. I've really scoured the internet looking for it, and I can't find anything on it either good or bad. Without knowing specifically that it's bad, I'm trying to get it off of your computer in a way that we can still recover it, if it has a bad effect on your computer to remove it. Since your computer is not quite right as it is, the only thing you will be able to tell me is if your computer is getting worse from where it is or better or staying the same. I would like for you to do the instructions below and see first what effect this has on your computer. I want to look at the newfiles log again before we delete the serivces.dll file.

    After you delete the temporary files above, please do the following:

    Please delete the contents of C:\WINDOWS\Prefetch.

    Then do the following:

    Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    - Temporary Files
    - Temporary Internet Files
    - Recycle Bin

    And Click OK.

    Please run ShowNew and post a newfiles.txt log.
    Thanks!
    abri
     
  34. Heskey

    Heskey Private First Class

    Here you go.

    I used RUN > Regedit to remove files in the EA folders associated with Ultima Online - Everytime I reinstall it's the same story, am I gonna have to reformat to be able to play it properly again or is there a way to... fix, it?
     


  35. abri

    abri MajorGeek

    Hi Heskey,
    If your computer has not been affected by our changing the name of the serivce.dll file to serivce.ddd (that you can tell), I would like for you to remove it using Avenger. This will create a backup.

    Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    After you delete the temporary files above, please do the following:

    Please delete the contents of C:\WINDOWS\Prefetch.

    Then do the following:

    Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    - Temporary Files
    - Temporary Internet Files
    - Recycle Bin

    And Click OK.

    Before you post me the Avenger log and another fresh newfiles log, please look at the following folder and tell me what's in it.
    I don't know why it has a Sept. 21st date on it and I would like to know. After that, please post the two logs for me - avenger and newfiles.txt.

    Reformatting your computer may be the only thing to return your registry back to its original state, although I would still try other things first. If the main problem you're having now is with the games, the game forums would be the next place to turn to, but their advice doesn't seem to be helping you either. It's obviously a problem if you can't use ATF Cleaner or CCleaner and you've been having trouble whenever you tried to use System Restore. These are all things that ought to work, even if you have viruses, so something is wrong there. The reason I'm wondering about the en-US folder is because it's a folder that's associated with Internet Explorer 7 beta. It may or may not be active anymore, but if you have Internet Explorer 7 and are getting your updates, there shouldn't be anything beta going on in your computer anymore. We have deleted this folder from some machines, but I would want to know what's in it before I deleted it and I'm wondering why it's in use at all.
    Thanks!
    abri
     
  36. Heskey

    Heskey Private First Class

    Hey again, the log files are at the bottom of this post, as is a picture of the contents of en-US.
     

    Attached Files:

  37. abri

    abri MajorGeek

    Hi Heskey!
    Avenger didn't run. I was going to tell you to turn off your antivirus and run it again, but I don't find any antivirus on your computer. Are you using an installed antivirus?

    Please try and run Avenger again. Sometimes it will run after rebooting when it had problems before. If you still get a log like the last one, where it doesn't even get far enough to read the file we're trying to delete, I would like for you to try Pocket Killbox which also makes a backup. I don't know if this file is malware or not. The only thing I know about it is that there's no information on the internet about it that I could find, and that it's large.

    If Avenger doesn't run, please make a Folder called DLLbackup directly in C:\, move the serivce.ddd in there and then reboot.

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.


    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools
    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach a new newfiles.txt log.

    abri
     
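    The "Delete on Reboot" option described above (and the PendingFileRenameOperations prompt it can trigger) works by queueing the file in a registry value that Windows processes at the next boot. The following is an added example, not code from the thread or from Killbox or Avenger: it decodes that value into readable delete/rename operations so you can check what is scheduled before rebooting. The sample entries are constructed; the registry key and value name are the real ones Windows uses.

```python
"""Decode PendingFileRenameOperations (the mechanism behind "Delete on Reboot").
The value is a REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
holding source/destination pairs; an empty destination means "delete at next boot"."""
import sys
from typing import Optional

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"

# Constructed sample value for offline use (not taken from the thread's logs).
SAMPLE_ENTRIES = [
    "\\??\\C:\\WINDOWS\\system32\\unwanted.tmp", "",                 # delete
    "\\??\\C:\\temp\\new.dll", "!\\??\\C:\\WINDOWS\\system32\\old.dll",  # rename, replace existing
]


def parse_pending_renames(entries: list) -> list:
    """Turn the flat multi-string into (source, destination) pairs.
    destination is None for a deletion. The NT '\\??\\' prefix is stripped,
    and a leading '!' on the destination (meaning 'replace existing') is removed."""
    items = list(entries)
    if len(items) % 2:
        # A trailing deletion's empty destination can be swallowed by the
        # multi-string terminator; treat the odd entry as a delete.
        items.append("")
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        src = src.removeprefix("\\??\\")
        dst = dst.removeprefix("!").removeprefix("\\??\\") if dst else None
        ops.append((src, dst))
    return ops


def describe(ops: list) -> list:
    """Human-readable lines, one per queued operation."""
    return [f"DELETE  {s}" if d is None else f"RENAME  {s} -> {d}" for s, d in ops]


def read_pending_from_registry() -> list:
    """Read the live value on Windows; returns [] when nothing is queued."""
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, PENDING_VALUE)
    except FileNotFoundError:
        return []
    return parse_pending_renames(value)


if __name__ == "__main__":
    ops = read_pending_from_registry() if sys.platform == "win32" else parse_pending_renames(SAMPLE_ENTRIES)
    print("\n".join(describe(ops)) or "nothing queued")
```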
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below was stated in message # 32.
    This is not a problem!!!!! It is just a file in System Restore which will be removed when System Restore is toggled during the final steps. If this is what you are worried about, stop worrying about it because it is not an issue.
     
  39. Heskey

    Heskey Private First Class

    Here you are, Avenger ran this time I believe:
     

    Attached Files:

  40. abri

    abri MajorGeek

    Hi Heskey,
    In your first post you described that your computer was working, you left it on for a longer period of time while you were away and then came back to it and decided to restart it before you started using it again. The subsequent problems you had were not from restarting your computer, but rather they were already in place and set to go off at your next reboot. It was a real attack on your computer, not some odd fluke. The same thing could have happened a week earlier if the malware had been installed then. The original problems you came in with are resolved, but in the meantime you got some new ones and so you've been having trouble with your gaming sites. You have several options at this point and I think any of them would be useful, but sometimes the least elegant and the most efficient is simply easier.

    As I mentioned before, some things on your computer are not right. System restore should work. ATF Cleaner should work. It should be possible to install CCleaner. These are several things which make me think your registry might not be in complete working order. Also, gaming companies make changes. They throw them out onto their players and some of them don't work. For this reason alone, it would be useful for you to have a system restore which is working. (also antivirus and firewall)

    It is possible at this point to go into the gaming forums, either where you play or to the gaming forum here, and ask for help. It's also possible, even after all this effort, to reformat. When you last reformatted (was that in July?), you may have brought problems with you if you transferred data. However, the problem you came to us with was very recent and was unlikely the result of transferring your gaming data. (Please keep the keygen off your computer even if you're not using that version ... they often harbor backdoors)

    If you have a copy of XP which goes with your computer, you can do a reinstall, often without losing your data, provided you keep your data on a separate partition from your operating system. At this point, you may be able to do a repair install which could help you with your registry. For that, I advise asking for instructions in the Software Forum here. If you don't have separate partitions and you decide at some point to do a complete reformat, it would be a good idea to put in two partitions and make sure all your data are separated from your operating system, so you don't have to lose all your records whenever you reinstall XP. Remember that OEM versions of XP cannot be reinstalled an endless number of times.

    As a side note, and only because I'm thinking of it at the moment, in your last newfiles.txt log, a bunch of .sqm files appeared under C:\, so I wanted to tell you what I found on them. They belong to Windows Live Messenger! The explanation was this: "The files are part of the Customer Experience Improvement Program and can be stopped by going to Help -> Customer Experience Improvement Program then turning the fecker off!"

    In the box below, I'll ask you to remove the tools and logs that we used here. There's no evidence now for further malware problems, but you did have malware and that or something else may have left some changes in your registry which can't be easily tracked down. Also, I'm not familiar with the drivers your games use, but the information on your drivers is in the newfiles.txt log which will continue to be available for you to look at here in this thread, keeping in mind that the information in the log is dated and will become less reliable with time.

    There's a link to "How to protect yourself from malware" at the end of the box below along with a link back to the READ & RUN ME where it tells you about "disabling and re-enabling system restore". Both of these are important. The how to protect yourself link provides you with good information on free anti-virus, free anti-spyware and free firewalls and they are lightweight and work well together with games.

    I'm glad I could help you some but I'm sorry I couldn't help you completely! Please follow these instructions and links in the box.
    abri
     