Vista hangs in normal mode, but Safe Mode works perfectly

Discussion in 'Virus and Malware Removal' started by VistaOh, Jan 23, 2012.

  1. VistaOh Newcomer, in training

    Still the same, after running Unhide. Now I can't get anything to appear in Normal Mode, even using Ctrl, Alt and Del.
  2. Broni Malware Annihilator Posts: 39,437   +177

    Delete your ComboFix file, download a fresh one and post a new log.
  3. VistaOh Newcomer, in training

    Hi, it's still the same in normal mode; when I hit Ctrl, Alt and Del the menu appears after a few minutes. Windows is still very, very slow.
  4. VistaOh Newcomer, in training

    Sorry, just seen the above post. Will delete my ComboFix file, download a fresh one and post a new log.
  5. VistaOh Newcomer, in training

    ComboFix 12-02-01.01 - huw 01/02/2012 16:59:17.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.952.511 [GMT 0:00]
    Running from: c:\users\huw\Desktop\combfix.exe
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-01 to 2012-02-01 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-01 17:07 . 2012-02-01 17:07 -------- d-----w- c:\users\huw\AppData\Local\temp
    2012-02-01 17:07 . 2012-02-01 17:07 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-01 16:54 . 2012-02-01 16:55 -------- d-----w- C:\Ashifa
    2012-01-31 21:08 . 2012-02-01 16:54 -------- d-----w- C:\ComboFix
    2012-01-31 18:30 . 2012-01-31 18:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2012-01-31 18:30 . 2012-01-31 18:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2012-01-31 18:30 . 2012-01-31 18:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2012-01-31 18:30 . 2012-01-31 18:30 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    2012-01-26 16:30 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{297D3113-9D7F-4D36-89F5-158E20015274}\mpengine.dll
    2012-01-24 10:54 . 2012-01-24 10:57 -------- d-----w- C:\15d3bba4d9cb6546957b1df962b1
    2012-01-23 20:46 . 2012-01-23 20:46 -------- d-----w- c:\users\huw\AppData\Roaming\Malwarebytes
    2012-01-23 20:46 . 2012-01-23 20:46 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-23 20:46 . 2012-01-23 20:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-23 20:46 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-23 19:23 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2012-01-23 18:43 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-23 18:43 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
    2012-01-23 18:43 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
    2012-01-23 18:43 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
    2012-01-23 18:39 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
    2012-01-23 18:39 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2012-01-23 18:35 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
    2012-01-23 18:35 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-23 13:37 . 2011-12-16 20:28 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-11-15 14:29 . 2009-12-07 12:01 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-11-08 14:42 . 2011-12-16 20:27 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-07 21:28 . 2011-11-07 21:28 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2012-01-31 18:30 . 2011-05-28 21:39 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0fc85f5d-6207-4515-a490-45a549d285c0}"= "c:\program files\Radio_Bar_1\tbRad1.dll" [2010-10-03 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{0fc85f5d-6207-4515-a490-45a549d285c0}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0fc85f5d-6207-4515-a490-45a549d285c0}]
    2010-10-03 12:06 2735200 ----a-w- c:\program files\Radio_Bar_1\tbRad1.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{0fc85f5d-6207-4515-a490-45a549d285c0}"= "c:\program files\Radio_Bar_1\tbRad1.dll" [2010-10-03 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{0fc85f5d-6207-4515-a490-45a549d285c0}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{0FC85F5D-6207-4515-A490-45A549D285C0}"= "c:\program files\Radio_Bar_1\tbRad1.dll" [2010-10-03 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{0fc85f5d-6207-4515-a490-45a549d285c0}]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-09-06 20:45 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SmpcSys"="c:\program files\PACKARD BELL\SetUpMyPC\SmpSys.exe" [2008-07-07 1038136]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-08-04 6265376]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-08 894512]
    "SmpcSys"="c:\program files\Packard Bell\SetupMyPC\SmpSys.exe" [2008-07-07 1038136]
    "PCMAgent"="c:\program files\CyberLink\PowerCinema\PCMAgent.exe" [2008-03-21 143360]
    "CLMLServer"="c:\program files\CyberLink\PowerCinema\Kernel\CLML\CLMLSvc.exe" [2008-04-11 196608]
    "Skytel"="Skytel.exe" [2008-08-04 1833504]
    "PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 137752]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 171032]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 172568]
    "lxdemon.exe"="c:\program files\Lexmark 4800 Series\lxdemon.exe" [2010-02-15 455336]
    "lxdeamon"="c:\program files\Lexmark 4800 Series\lxdeamon.exe" [2010-02-15 25256]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]
    .
    c:\users\huw\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "PlayMovie"="c:\program files\CyberLink\PlayMovie\PMVService.exe"
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    .
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ezSharedSvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-25 15:38]
    .
    2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-25 15:38]
    .
    2012-01-31 c:\windows\Tasks\User_Feed_Synchronization-{FC3EB6E0-8FFB-4E63-B727-07B7656045E7}.job
    - c:\windows\system32\msfeedssync.exe [2011-12-15 04:44]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\huw\AppData\Roaming\Mozilla\Firefox\Profiles\iajvx2qp.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: nglayout.initialpaint.delay - 600
    FF - user.js: content.notify.interval - 600000
    FF - user.js: content.max.tokenizing.time - 1800000
    FF - user.js: content.switch.threshold - 600000
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-01 17:07
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NSL]
    "ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\diMaster.dll\" /prefetch:1"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
    "ImagePath"="\??\c:\program files\CyberLink\PlayMovie\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-02-01 17:11:09
    ComboFix-quarantined-files.txt 2012-02-01 17:11
    ComboFix2.txt 2012-01-28 20:19
    .
    Pre-Run: 89,455,382,528 bytes free
    Post-Run: 89,426,718,720 bytes free
    .
    - - End Of File - - CB91854212576503C5B97988129DF470
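    As an added example (not part of this thread, and not code from ComboFix itself), a small Python parser for the file-listing lines in the log above, so the "Files Created" and "Find3M" sections can be filtered by path instead of read by eye; the excerpt it runs on is copied from the posted log.

    ```python
    import re
    from dataclasses import dataclass
    from datetime import datetime
    from typing import Optional
    # One file-listing line: "<created> . <modified> <size|--------> <flags> <path>"
    _ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
                        r"(\d+|-{8}) ([a-z-]{8}) (.+)$")
    _SECTION = re.compile(r"^\(+ (.+?) \)+$")   # banner such as "(((( Find3M Report ))))"
    @dataclass
    class Entry:
        section: str
        created: datetime
        modified: datetime
        size: Optional[int]  # None for directories, which ComboFix prints as --------
        flags: str           # raw attribute column, e.g. d-----w- (directory) or ----a-w-
        path: str
    def parse_log(text):
        """Return Entry records from the dated sections of a ComboFix log."""
        entries, section = [], ""
        for raw in text.splitlines():
            line = raw.strip()                 # the forum paste indents every line
            banner = _SECTION.match(line)
            if banner:
                section = banner.group(1)
                continue
            m = _ENTRY.match(line)
            if not m:
                continue                       # dots, headers, registry lines, etc.
            created, modified, size, flags, path = m.groups()
            entries.append(Entry(section, datetime.strptime(created, "%Y-%m-%d %H:%M"),
                                 datetime.strptime(modified, "%Y-%m-%d %H:%M"),
                                 None if size.startswith("-") else int(size), flags, path))
        return entries
    def entries_under(entries, prefix):        # NTFS paths compare case-insensitively
        p = prefix.lower().rstrip("\\") + "\\"
        return [e for e in entries if e.path.lower().startswith(p)]
    def top_level_dirs(entries):               # directories sitting directly in a drive root
        return [e for e in entries if e.flags.startswith("d")
                and re.fullmatch(r"[a-z]:\\[^\\]+", e.path, re.I)]
    # Constructed input: lines excerpted from the log posted above.
    SAMPLE_LOG = r"""
    (((((((((((((( Files Created from 2012-01-01 to 2012-02-01 ))))))))))))))
    2012-02-01 16:54 . 2012-02-01 16:55 -------- d-----w- C:\Ashifa
    2012-01-31 21:08 . 2012-02-01 16:54 -------- d-----w- C:\ComboFix
    2012-01-23 20:46 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    (((((((((((((( Find3M Report ))))))))))))))
    2011-11-23 13:37 . 2011-12-16 20:28 2043904 ----a-w- c:\windows\system32\win32k.sys
    """
    ```

    Paste the whole log into `SAMPLE_LOG` and `entries_under(parse_log(...), r"c:\windows\system32")` lists every system-directory change the scan recorded.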
  6. Broni Malware Annihilator Posts: 39,437   +177

    I don't see anything malicious there.

    Let's see if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note: If you do not know how to set your computer to boot from CD, follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked "Do you wish to load the remote registry", select Yes
    • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Under the Custom Scan box paste this in:

      /md5start
      explorer.exe
      winlogon.exe
      userinit.exe
      svchost.exe
      /md5stop
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have an internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.