Operating System woe

Greetings folks, first post, looking to get a bit of help.

Gigabyte P55A-UD3; Rev 2.0 / Kingston 64GB SSD V Series / Intel Lynnfield Core i5-760 Quad (2.8GHz) / ASUS EAH5770 CU core 2DI/1GB GDDR5 / Kingston Hyper X DDR3 1600 (2x2GB Module) / Thermaltake TR2RX 650W

The hardware build went fine, loaded up a friend's OS so I could get a copy of Windows 7 on it--I have a Technet account and access to the licenses, just needed something to get started.

The first load of Win 7 Ultimate went fine, after loading the mobo drivers I added the video driver, then went looking online for a newer version. This caused enough problems that I decided to reload Win 7 from scratch. Plus neither Oblivion nor Fallout would work for very long. Both would crash with an Mfplat.dll error. After a couple of hours researching that dll file and downloading it, placing it in the correct spot and several other spots to try to alleviate the issue, the games would still not work.

The second load went great, still neither game worked correctly. Then evidently I left the machine too open/unprotected and got a TON of 5 to 7-letter entries in the startup tab of Msconfig. I tried going to the registry, got an error back "The registry is locked by your administrator." I turned on the admin account, logged in and tried there, same message. I booted into safe mode, Admin account; same result. I told myself "nobody locks me out of my own machine when I can fix that!"

And so load 3 went into process. However, this time, I ran into an issue that ultimately forced me to settle for Win7 Home Premium. I also researched this error and am still not quite sure why Winpeshl.exe is somehow causing the load that worked perfectly enough two previous times now takes me to a basic generic login screen where my USB keyboard will not work and I can't get any further because I now need a name and a password when I didn't provide one during the loading process. The mouse worked here without issue.

So far so good. I also poked about the Threat removal posts and wanted to know if anyone savvy with the HijackThis program would take a look at my current log and tell me if anything doesn't look right or needs to disappear. Also, I am looking to find out if Windows' security is good enough to handle keeping out whoever zombified (only thing I can think of) my computer as long as I keep UAC running and after turning on the Admin account and giving it an 18-character password, then turning it off again. Or if there's something else I can do without spending a lot of $$.

Thanks very much for your time and assistance!


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://blackle.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=p55a-ud3&r=17361110368g3a96848ith3iif016q
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll (file missing)
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Best Buy Software Installer.lnk = C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (User 'Default user')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

What originally prompted me checking out HijackThis was an entry in the Task manager processes of ButtonMonitor.exe. I did a search and found it seemed to be a data miner of some sort.
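Added example, not part of the original post and not HijackThis code: a small Python triage pass over a log in the format shown above. It separates "(file missing)" entries under C:\Windows\System32 from those elsewhere, because a 32-bit scanner on 64-bit Windows is redirected from System32 to SysWOW64 and can report present 64-bit binaries as missing. The bucket names and the five-line sample (copied from the log above) are choices made for this example.

```python
import re
from collections import defaultdict

# Section codes seen in the log above and what each one enumerates.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "F2": "registry-mapped .ini autostart", "O2": "browser helper object",
    "O3": "IE toolbar", "O4": "autostart entry", "O8": "IE context menu item",
    "O9": "IE button/menu item", "O10": "Winsock LSP", "O16": "ActiveX download",
    "O18": "protocol handler", "O23": "service",
}
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
SYS32_RE = re.compile(r"[A-Za-z]:\\Windows\\System32\\", re.IGNORECASE)

# Sample input: five lines copied from the log in the post above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://blackle.com
O3 - Toolbar: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll (file missing)
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
"""

def parse(log_text):
    """Return (code, body) for every line shaped like 'O23 - ...'."""
    matches = (LINE_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def triage(entries):
    """Sort entries into review buckets; unlisted entries need no special note."""
    buckets = defaultdict(list)
    for code, body in entries:
        if body.endswith("(file missing)"):
            # System32 paths: likely a redirection artefact, verify on the host.
            key = "missing_system32" if SYS32_RE.search(body) else "missing_other"
            buckets[key].append((code, body))
        elif code in ("F2", "O4", "O23"):
            buckets["autostart"].append((code, body))  # runs at boot or logon
        elif code not in SECTIONS:
            buckets["unknown_section"].append((code, body))
    return dict(buckets)

if __name__ == "__main__":
    for bucket, items in triage(parse(SAMPLE)).items():
        print(bucket, [code for code, _ in items])
```

Entries in `missing_other` and `autostart` are the ones to check by hand against the file system and the installed-programs list.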
  1. Sounds like you've got a virus floating around on one of your disks. You're not going to get a virus remotely with Win7, but you can get one with an un-patched IE and browsing to a bad site.
  2. Perhaps, but that should not keep me from completely reloading Win7 from scratch unless it's in the MBR, right?
    Or does the MBR not apply when dealing with SSDs?
    Either way, it was very confusing to keep getting the Winpeshl.exe error after a complete reload from the DVD which worked fine two times earlier.
  3. How are you reloading? Do you reformat between installs? If you are not wiping the disk with a format, you are not doing a new clean install. Also the install cd may be defective. Sounds like it has been used more than a few times. A couple of dings and scratches could make it defective.
  4. You shouldn't be seeing those kinds of errors after a clean install onto new hardware with a legit disc. Agree with above posters; you either have a persistent virus (are you sure that's a legal Windows disc and not a torrented one..?) or the disc is somehow faulty.
  5. It is a legally downloaded Win7 Ultimate ISO from Technet, and it worked fine the first and second times.

    After that, reloading from scratch, it was not working the same. I don't have a format disc to work with, and since all Windows versions since 2000 (iirc) fully reformat upon fresh load .. I'm at a loss as to what the exact issue is.

    The install DVD only moved from the CD bay to the table, never had anything lay on it, never dropped, double checked for scratches, etc. Nothing. In any case, I downloaded it again (just to be sure the DVD was not messed up) and burned a new DVD ISO. Same issue.

    Perhaps DogSnake is right and even though Windows tells me it will reformat the disc to load Windows fresh, it does not. However, it worked that way the second time and the load worked fine until someone zombified my machine. After that, it refused to load fully and/or correctly, bringing me to the Winpeshl.exe error multiple times (I tried it again just to make sure).

    But then the Winpeshl.exe error did not appear when I loaded a fresh version of Win 7 Home Premium, which I promptly activated.
  6. Set in BIOS system IDE to AHCI & go install Win7