also @ TechSpot: Microsoft wants Xbox to be the entertainment hub for all your devices

TechSpot
Collaborate in the cloud with Office, Exchange, SharePoint, and Lync.
Microsoft Office 365. Pay-as-you-go starting at $8/user/month. Begin your free trial now.

[Inactive] Vista hangs in normal mode, but Safe Mode works perfectly

Discussion in 'Virus and Malware Removal' started by VistaOh, Jan 23, 2012.

Thread Status:
Not open for further replies.
Page 2 of 2

  1. VistaOh Newcomer, in training

    Still the same, after running Unhide. Now I cant get anything to appear in Normal Mode even with using Ctril, Alt and Del.
    VistaOh, Jan 30, 2012
    #21

  2. Broni Malware Annihilator

    Delete your Combofix file, download fresh one and post new log.
    Broni, Jan 30, 2012
    #22

  3. VistaOh Newcomer, in training

    Hi its still the same in normal mode, when I hit ctrl alt and del the menu appears after a few minutes, windows is still very very slow.
    VistaOh, Jan 31, 2012
    #23

  4. VistaOh Newcomer, in training

    sorry just seen the above post will delete my Combofix file, download fresh one and post new log.
    VistaOh, Jan 31, 2012
    #24

  5. VistaOh Newcomer, in training

    ComboFix 12-02-01.01 - huw 01/02/2012 16:59:17.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.952.511 [GMT 0:00]
    Running from: c:\users\huw\Desktop\combfix.exe
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-01 to 2012-02-01 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-01 17:07 . 2012-02-01 17:07 -------- d-----w- c:\users\huw\AppData\Local\temp
    2012-02-01 17:07 . 2012-02-01 17:07 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-01 16:54 . 2012-02-01 16:55 -------- d-----w- C:\Ashifa
    2012-01-31 21:08 . 2012-02-01 16:54 -------- d-----w- C:\ComboFix
    2012-01-31 18:30 . 2012-01-31 18:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2012-01-31 18:30 . 2012-01-31 18:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2012-01-31 18:30 . 2012-01-31 18:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2012-01-31 18:30 . 2012-01-31 18:30 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    2012-01-26 16:30 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{297D3113-9D7F-4D36-89F5-158E20015274}\mpengine.dll
    2012-01-24 10:54 . 2012-01-24 10:57 -------- d-----w- C:\15d3bba4d9cb6546957b1df962b1
    2012-01-23 20:46 . 2012-01-23 20:46 -------- d-----w- c:\users\huw\AppData\Roaming\Malwarebytes
    2012-01-23 20:46 . 2012-01-23 20:46 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-23 20:46 . 2012-01-23 20:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-23 20:46 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-23 19:23 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2012-01-23 18:43 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-23 18:43 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
    2012-01-23 18:43 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
    2012-01-23 18:43 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
    2012-01-23 18:39 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
    2012-01-23 18:39 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2012-01-23 18:35 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
    2012-01-23 18:35 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-23 13:37 . 2011-12-16 20:28 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-11-15 14:29 . 2009-12-07 12:01 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-11-08 14:42 . 2011-12-16 20:27 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-07 21:28 . 2011-11-07 21:28 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2012-01-31 18:30 . 2011-05-28 21:39 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0fc85f5d-6207-4515-a490-45a549d285c0}"= "c:\program files\Radio_Bar_1\tbRad1.dll" [2010-10-03 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{0fc85f5d-6207-4515-a490-45a549d285c0}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0fc85f5d-6207-4515-a490-45a549d285c0}]
    2010-10-03 12:06 2735200 ----a-w- c:\program files\Radio_Bar_1\tbRad1.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{0fc85f5d-6207-4515-a490-45a549d285c0}"= "c:\program files\Radio_Bar_1\tbRad1.dll" [2010-10-03 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{0fc85f5d-6207-4515-a490-45a549d285c0}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{0FC85F5D-6207-4515-A490-45A549D285C0}"= "c:\program files\Radio_Bar_1\tbRad1.dll" [2010-10-03 2735200]
    .
    [HKEY_CLASSES_ROOT\clsid\{0fc85f5d-6207-4515-a490-45a549d285c0}]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-09-06 20:45 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SmpcSys"="c:\program files\PACKARD BELL\SetUpMyPC\SmpSys.exe" [2008-07-07 1038136]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-08-04 6265376]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-08 894512]
    "SmpcSys"="c:\program files\Packard Bell\SetupMyPC\SmpSys.exe" [2008-07-07 1038136]
    "PCMAgent"="c:\program files\CyberLink\PowerCinema\PCMAgent.exe" [2008-03-21 143360]
    "CLMLServer"="c:\program files\CyberLink\PowerCinema\Kernel\CLML\CLMLSvc.exe" [2008-04-11 196608]
    "Skytel"="Skytel.exe" [2008-08-04 1833504]
    "PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 137752]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 171032]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 172568]
    "lxdemon.exe"="c:\program files\Lexmark 4800 Series\lxdemon.exe" [2010-02-15 455336]
    "lxdeamon"="c:\program files\Lexmark 4800 Series\lxdeamon.exe" [2010-02-15 25256]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]
    .
    c:\users\huw\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "PlayMovie"="c:\program files\CyberLink\PlayMovie\PMVService.exe"
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    .
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ezSharedSvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-25 15:38]
    .
    2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-25 15:38]
    .
    2012-01-31 c:\windows\Tasks\User_Feed_Synchronization-{FC3EB6E0-8FFB-4E63-B727-07B7656045E7}.job
    - c:\windows\system32\msfeedssync.exe [2011-12-15 04:44]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\huw\AppData\Roaming\Mozilla\Firefox\Profiles\iajvx2qp.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: nglayout.initialpaint.delay - 600
    FF - user.js: content.notify.interval - 600000
    FF - user.js: content.max.tokenizing.time - 1800000
    FF - user.js: content.switch.threshold - 600000
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-01 17:07
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NSL]
    "ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\diMaster.dll\" /prefetch:1"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
    "ImagePath"="\??\c:\program files\CyberLink\PlayMovie\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-02-01 17:11:09
    ComboFix-quarantined-files.txt 2012-02-01 17:11
    ComboFix2.txt 2012-01-28 20:19
    .
    Pre-Run: 89,455,382,528 bytes free
    Post-Run: 89,426,718,720 bytes free
    .
    - - End Of File - - CB91854212576503C5B97988129DF470
    VistaOh, Feb 1, 2012
    #25

  6. Broni Malware Annihilator

    I don't see anything malicious there.

    Let's see, if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Under the Custom Scan box paste this in:

      /md5start
      explorer.exe
      winlogon.exe
      userinit.exe
      svchost.exe
      /md5stop
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
    Broni, Feb 1, 2012
    #26
Page 2 of 2
Thread Status:
Not open for further replies.