[Resolved] Vista start-up problems

broni · #51 (**permalink**) 07-06-2009, 02:00 AM

So, I assume, at this point, there serious problem with starting in any mode, correct?

infectedknit · #52 (**permalink**) 07-06-2009, 02:59 AM

No, the serious problems are thankfully gone. There are just a few... symptoms I guess. It is sluggish with more than two programs running, when I used to not have a problem at all. As well, whenever I DO run more than one program, occassionally my explorer.exe stops working, and it has to restart. I'm still running with one of my RAM sticks out, since we weren't sure if it was infected at all, should I try using that one as well?

broni · #53 (**permalink**) 07-06-2009, 03:03 AM

No. 2GB is enough for running Vista smoothly.

Let's run one more scan....

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

infectedknit · #54 (**permalink**) 07-06-2009, 05:05 AM

ComboFix 09-06-06.03 - Koerhijo 06/06/2009 21:45.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.509.90 [GMT -5:00]
Running from: c:\users\Koerhijo\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\RelevantKnowledge
c:\program files\RelevantKnowledge\rlservice.exe
c:\program files\ShoppingReport
C:\resycled
c:\users\Koerhijo\AppData\Roaming\.#
c:\users\Koerhijo\FAVORI~1\LimeWireWin.exe
c:\users\Koerhijo\Favorites\LimeWireWin.exe
c:\windows\system32\Config.ini
c:\windows\system32\drivers\Msft_User_AuxiliaryDis playEnhancedDriver_01_00_00.Wdf
c:\windows\system32\drivers\Msft_User_WpdFs_01_00_ 00.Wdf
c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_ 00_00.Wdf
c:\windows\system32\launcher.exe
D:\resycled

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_RelevantKnowledge
-------\Service_Windows Tribute Service

((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
.

2009-06-07 02:58 . 2009-06-07 02:58 -------- d-sh--w- \$RECYCLE.BIN
2009-06-07 02:53 . 2009-06-07 02:58 -------- d-----w- c:\users\Koerhijo\AppData\Local\temp
2009-06-07 02:53 . 2009-06-07 02:53 -------- d-----w- C:\temp
2009-06-07 02:33 . 2009-06-07 02:42 -------- d-----w- \Qoobox
2009-06-06 16:13 . 2009-06-06 16:11 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-03 00:43 . 2009-06-03 00:47 -------- d-----w- c:\users\Koerhijo\AppData\Roaming\ImgBurn
2009-06-02 23:53 . 2009-06-02 23:53 -------- d-----w- c:\program files\Seagate
2009-06-02 23:34 . 2009-06-02 23:34 -------- d-----w- c:\program files\Lavalys
2009-06-02 22:49 . 2008-11-24 04:19 2651988 -c--a-w- c:\programdata\{148D8B8A-8F96-4822-81EC-D510B626B7D5}\DriverScanner_Setup.exe
2009-06-02 22:49 . 2009-06-06 16:14 -------- d-----w- c:\program files\Uniblue
2009-06-02 22:49 . 2009-06-02 23:43 -------- d-----w- c:\users\Koerhijo\AppData\Roaming\Uniblue
2009-06-02 22:49 . 2009-06-02 22:52 -------- d-----w- c:\programdata\DriverScanner
2009-06-02 22:46 . 2009-06-02 22:49 -------- dc-h--w- c:\programdata\{148D8B8A-8F96-4822-81EC-D510B626B7D5}
2009-06-02 04:24 . 2009-06-02 04:25 -------- d-----w- c:\windows\system32\ca-ES
2009-06-02 04:24 . 2009-06-02 04:25 -------- d-----w- c:\windows\system32\eu-ES
2009-06-02 04:24 . 2009-06-02 04:25 -------- d-----w- c:\windows\system32\vi-VN
2009-06-02 02:25 . 2009-06-02 02:25 -------- d-----w- c:\programdata\Avira
2009-06-02 02:25 . 2009-06-02 02:25 -------- d-----w- c:\program files\Avira
2009-06-02 02:25 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-02 02:25 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-02 02:07 . 2009-04-11 06:28 670720 ----a-w- c:\windows\system32\mssvp.dll
2009-06-02 02:06 . 2009-04-11 06:28 83456 ----a-w- c:\windows\system32\wlgpclnt.dll
2009-06-01 02:27 . 2009-06-07 02:56 1073741824 --sha-w- \pagefile.sys
2009-05-29 18:24 . 2009-05-31 04:11 -------- d-----w- c:\users\Koerhijo\AppData\Roaming\Xfire
2009-05-29 18:24 . 2009-05-29 20:02 -------- d-----w- c:\programdata\Xfire
2009-05-29 18:24 . 2009-05-29 18:24 -------- d-----w- c:\program files\Xfire
2009-05-21 02:27 . 2009-05-21 02:27 738120 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlig ht\MCESpotlight\SpotlightResources.dll
2009-05-17 22:25 . 2009-05-17 22:27 -------- d-----w- c:\users\Koerhijo\AppData\Local\Roblox
2009-05-16 16:05 . 2009-05-16 16:05 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Brow se\NetTVResources.dll
2009-05-14 22:59 . 2009-05-14 22:59 -------- d-----w- c:\users\Koerhijo\AppData\Local\assembly
2009-05-14 03:11 . 2009-05-14 23:06 -------- d-----w- c:\users\Koerhijo\AppData\Local\PLAYXPERT
2009-05-09 17:55 . 2009-03-19 21:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-09 17:55 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-05-09 17:55 . 2009-05-09 17:55 -------- d-----w- c:\program files\iPod
2009-05-09 17:54 . 2009-05-09 17:55 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-09 17:47 . 2009-05-09 17:47 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-09 17:34 . 2009-05-09 17:34 -------- d-----w- c:\program files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-06-07 02:56 . 2009-06-01 02:27 1073741824 --sha-w- \pagefile.sys
2009-06-07 02:54 . 2008-04-26 01:21 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-07 01:54 . 2008-09-18 02:44 -------- d-----w- c:\users\Koerhijo\AppData\Roaming\LimeWire
2009-06-07 00:53 . 2009-04-15 02:20 -------- d-----w- c:\program files\Diablo II
2009-06-06 16:09 . 2008-04-26 06:29 -------- d-----w- c:\program files\Java
2009-06-04 02:41 . 2009-01-19 19:43 -------- d-----w- c:\program files\Steam
2009-06-03 17:37 . 2008-09-18 00:16 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-03 05:25 . 2008-12-25 03:21 1356 ----a-w- c:\users\Koerhijo\AppData\Local\d3d9caps.dat
2009-06-03 05:20 . 2008-12-25 03:40 -------- d-----w- c:\program files\Alwil Software
2009-06-02 23:52 . 2008-10-02 03:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-02 04:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-06-02 04:25 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-06-02 04:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-06-02 04:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-06-02 04:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-06-02 04:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-02 04:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-06-02 04:24 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-01 18:32 . 2008-10-23 23:12 -------- d-----w- c:\program files\Starcraft
2009-06-01 18:32 . 2008-10-02 03:13 -------- d-----w- c:\users\Koerhijo\AppData\Roaming\Ventrilo
2009-06-01 18:32 . 2008-10-02 03:05 -------- d-----w- c:\program files\DKP Profiler Uploader
2009-05-16 16:49 . 2009-03-04 03:33 -------- d-----w- c:\program files\PLAYXPERT
2009-05-14 22:59 . 2008-12-01 00:24 -------- d-----w- c:\program files\Curse
2009-05-14 21:46 . 2008-12-31 04:22 -------- d-----w- c:\programdata\NVIDIA
2009-05-10 00:51 . 2008-10-09 01:46 -------- d-----w- c:\users\Koerhijo\AppData\Roaming\Apple Computer
2009-05-09 17:55 . 2009-03-23 03:19 -------- d-----w- c:\program files\iTunes
2009-05-09 17:55 . 2008-10-09 01:42 -------- d-----w- c:\program files\Common Files\Apple
2009-05-06 02:02 . 2008-11-22 01:01 -------- d-----w- c:\program files\Windows Live
2009-05-06 02:02 . 2009-02-24 01:03 -------- d-----w- c:\program files\Windows Live Toolbar
2009-05-06 02:02 . 2009-05-06 02:02 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-05-06 02:00 . 2009-05-06 02:00 -------- d-----w- c:\program files\Microsoft
2009-05-06 01:59 . 2009-05-06 01:59 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-05-06 01:44 . 2009-05-06 01:44 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-03 16:12 . 2009-05-03 16:12 552 ----a-w- c:\users\Koerhijo\AppData\Local\d3d8caps.dat
2009-04-21 01:46 . 2009-01-19 20:00 -------- d-----w- c:\program files\Common Files\Steam
2009-04-20 02:13 . 2008-09-08 00:27 81104 ----a-w- c:\users\Koerhijo\AppData\Local\GDIPFONTCACHEV1.DA T
2009-04-20 01:41 . 2009-04-20 01:41 -------- d-----w- c:\users\Koerhijo\AppData\Roaming\AdobeUM
2009-04-20 01:37 . 2008-10-26 18:14 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-13 16:30 . 2009-04-13 03:09 -------- d-----w- c:\program files\dt
2009-04-11 06:33 . 2009-06-02 02:07 986600 ----a-w- c:\windows\system32\winload.exe
2009-04-11 06:33 . 2009-06-02 02:07 926184 ----a-w- c:\windows\system32\winresume.exe
2009-04-11 06:33 . 2009-06-02 02:07 292840 ----a-w- c:\windows\system32\drivers\volmgrx.sys
2009-04-11 06:33 . 2009-06-02 02:07 897000 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-04-11 06:33 . 2009-06-02 02:07 614376 ----a-w- c:\windows\system32\ci.dll
2009-04-11 06:28 . 2009-06-02 02:07 56320 ----a-w- c:\windows\system32\xmlfilter.dll
2009-04-11 06:27 . 2009-06-02 02:08 441344 ----a-w- c:\windows\system32\SearchIndexer.exe
2009-04-11 06:22 . 2009-06-02 02:06 7168 ----a-w- c:\windows\system32\f3ahvoas.dll
2009-04-11 06:21 . 2009-06-02 02:06 37376 ----a-w- c:\windows\system32\cdd.dll
2009-04-11 05:42 . 2009-06-02 02:06 93696 ----a-w- c:\windows\system32\drivers\bridge.sys
2009-04-11 05:03 . 2009-06-02 02:08 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-04-11 05:03 . 2009-06-02 02:08 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-04-11 04:57 . 2009-06-02 02:06 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-04-11 04:54 . 2009-06-02 02:06 2048 ----a-w- c:\windows\system32\mferror.dll
2009-04-11 04:51 . 2009-06-02 02:06 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2009-04-11 04:47 . 2009-06-02 02:07 273920 ----a-w- c:\windows\system32\drivers\afd.sys
2009-04-11 04:46 . 2009-06-02 02:06 69120 ----a-w- c:\windows\system32\drivers\rassstp.sys
2009-04-11 04:46 . 2009-06-02 02:06 121344 ----a-w- c:\windows\system32\drivers\ndiswan.sys
2009-04-11 04:46 . 2009-06-02 02:06 41472 ----a-w- c:\windows\system32\drivers\raspppoe.sys
2009-04-11 04:46 . 2009-06-02 02:06 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2009-04-11 04:46 . 2009-06-02 02:06 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2009-04-11 04:46 . 2009-06-02 02:07 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-04-11 04:45 . 2009-06-02 02:07 72192 ----a-w- c:\windows\system32\drivers\tdx.sys
2009-04-11 04:45 . 2009-06-02 02:07 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2009-04-11 04:45 . 2009-06-02 02:07 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2009-04-11 04:45 . 2009-06-02 02:07 401408 ----a-w- c:\windows\system32\drivers\http.sys
2009-04-11 04:45 . 2009-06-02 02:06 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2009-04-11 04:45 . 2009-06-02 02:06 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2009-04-11 04:43 . 2009-06-02 02:06 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2009-04-11 04:43 . 2009-06-02 02:07 196096 ----a-w- c:\windows\system32\drivers\usbhub.sys
2009-04-11 04:43 . 2009-06-02 02:07 148992 ----a-w- c:\windows\system32\drivers\rfcomm.sys
2009-04-11 04:43 . 2009-06-02 02:08 507904 ----a-w- c:\windows\system32\drivers\bthport.sys
2009-04-11 04:43 . 2009-06-02 02:07 22528 ----a-w- c:\windows\system32\drivers\bthenum.sys
2009-04-11 04:43 . 2009-06-02 02:07 29696 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS
2009-04-11 04:43 . 2009-06-02 02:06 62208 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2009-04-11 04:42 . 2009-06-02 02:07 226304 ----a-w- c:\windows\system32\drivers\usbport.sys
2009-04-11 04:42 . 2009-06-02 02:07 25856 ----a-w- c:\windows\system32\drivers\USBCAMD2.sys
2009-04-11 04:42 . 2009-06-02 02:07 25856 ----a-w- c:\windows\system32\drivers\USBCAMD.sys
2009-04-11 04:42 . 2009-06-02 02:07 39936 ----a-w- c:\windows\system32\drivers\usbehci.sys
2009-04-11 04:42 . 2009-06-02 02:06 31616 ----a-w- c:\windows\system32\drivers\winusb.sys
2009-04-11 04:42 . 2009-06-02 02:07 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2009-04-11 04:42 . 2009-06-02 02:06 12800 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-04-11 04:42 . 2009-06-02 02:06 39424 ----a-w- c:\windows\system32\drivers\hidclass.sys
2009-04-11 04:42 . 2009-06-02 02:06 52992 ----a-w- c:\windows\system32\drivers\stream.sys
2009-04-11 04:42 . 2009-06-02 02:08 561152 ----a-w- c:\windows\system32\drivers\hdaudbus.sys
2009-04-11 04:39 . 2009-06-02 02:06 16384 ----a-w- c:\windows\system32\iscsilog.dll
2009-04-11 04:39 . 2009-06-02 02:06 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2009-04-11 04:39 . 2009-06-02 02:06 19456 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2009-04-11 04:38 . 2009-06-02 02:07 149504 ----a-w- c:\windows\system32\drivers\ks.sys
2009-04-11 04:38 . 2009-06-02 02:07 17408 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-04-11 04:27 . 2009-06-02 02:06 2560 ----a-w- c:\windows\system32\msimsg.dll
2009-04-11 04:24 . 2009-06-02 02:07 2034688 ----a-w- c:\windows\system32\win32k.sys
2009-04-11 04:23 . 2009-06-02 02:07 626176 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-04-11 04:23 . 2009-06-02 02:06 76288 ----a-w- c:\windows\system32\drivers\dxg.sys
2009-04-11 04:23 . 2009-06-02 02:06 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-04-11 04:22 . 2009-06-02 02:06 33280 ----a-w- c:\windows\system32\drivers\watchdog.sys
2009-04-11 04:15 . 2009-06-02 02:07 288768 ----a-w- c:\windows\system32\drivers\srv.sys
2009-04-11 04:15 . 2009-06-02 02:07 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-04-11 04:15 . 2009-06-02 02:07 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-04-11 04:14 . 2009-06-02 02:07 114688 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2009-04-11 04:14 . 2009-06-02 02:07 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shelliconoverlayidentifiers\En hancedStorageShell]
@="{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}"
[HKEY_CLASSES_ROOT\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}]
2009-04-11 06:28 114176 ----a-w- c:\windows\System32\EhStorShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-06 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\explorer]
"BindDirectlyToPropertySetStorage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleD esktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Wind ows^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Wind ows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Wind ows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Wind ows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):30,98,f7,ea,3c,e3,c9,01

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\FirewallRules]
"{9B4F29D8-3E8D-42AC-A4E2-1DAA600D9031}"= UDP:3724:Blizzard Downloader
"{9C8D0AD1-B484-45F6-89CD-E24174740C84}"= UDP:6112:Blizzard Downloader
"{C7B4DF5F-BA85-4692-857C-63B6C18DDD52}"= UDP:c:\program files\WoW\BackgroundDownloader.exe:Blizzard Downloader
"{F8B67BD4-894A-4FA0-B9F6-3B59C2968F39}"= TCP:c:\program files\WoW\BackgroundDownloader.exe:Blizzard Downloader
"TCP Query User{1C733F29-20E2-43E9-8A1A-3FC76AEACBA9}c:\\users\\koerhijo\\downloads\\wow-burningcrusade-trial-enus-installer-downloader.exe"= UDP:c:\users\koerhijo\downloads\wow-burningcrusade-trial-enus-installer-downloader.exe:wow-burningcrusade-trial-enus-installer-downloader.exe
"UDP Query User{9624E9AE-7310-423B-88E1-938543F65EC0}c:\\users\\koerhijo\\downloads\\wow-burningcrusade-trial-enus-installer-downloader.exe"= TCP:c:\users\koerhijo\downloads\wow-burningcrusade-trial-enus-installer-downloader.exe:wow-burningcrusade-trial-enus-installer-downloader.exe
"{5F24F60E-B2F7-4850-B970-D6C4F5C92745}"= UDP:c:\program files\WoW\WoW-2.4.0-enUS-downloader.exe:Blizzard Downloader
"{460DB991-9519-4D5E-BD4D-4FB399A81EAC}"= TCP:c:\program files\WoW\WoW-2.4.0-enUS-downloader.exe:Blizzard Downloader
"TCP Query User{FFFF7521-B4CC-4A01-A6FB-52C8E2F1E453}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{E084112D-1C90-475D-9AAB-E4EB004D8B82}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{E4860CC2-B2C3-4810-BFDB-C33BB1FC7F90}c:\\brood\\starcraft.exe"= UDP:c:\brood\starcraft.exe:Starcraft
"UDP Query User{18F78CF3-0A11-4DB7-9A49-A64EAA874C82}c:\\brood\\starcraft.exe"= TCP:c:\brood\starcraft.exe:Starcraft
"TCP Query User{B42EE1EF-6102-4C6D-A807-536BA881FE42}c:\\program files\\starcraft\\starcraft.exe"= UDP:c:\program files\starcraft\starcraft.exe:Starcraft
"UDP Query User{90BF10F7-4AA3-4C65-8892-104A619B40C9}c:\\program files\\starcraft\\starcraft.exe"= TCP:c:\program files\starcraft\starcraft.exe:Starcraft
"TCP Query User{48D19489-4EBE-4BCF-8D28-84768F878F1E}c:\\program files\\turbine\\the lord of the rings online\\lotroclient.exe"= UDP:c:\program files\turbine\the lord of the rings online\lotroclient.exe:lotroclient
"UDP Query User{8DC8E94F-B740-460D-894F-207B5B59E0A0}c:\\program files\\turbine\\the lord of the rings online\\lotroclient.exe"= TCP:c:\program files\turbine\the lord of the rings online\lotroclient.exe:lotroclient
"TCP Query User{7F5B30E8-C85C-4604-9E3E-768F94D7D64A}c:\\ijji\\english\\u_goonzu.exe"= UDP:c:\ijji\english\u_goonzu.exe:<ijji Downloader>
"UDP Query User{4D87371A-3C1C-4A4D-97D0-1BB72FCDF2B6}c:\\ijji\\english\\u_goonzu.exe"= TCP:c:\ijji\english\u_goonzu.exe:<ijji Downloader>
"{087EFE08-075C-4EB7-83F9-F96D73271071}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{3D9CEFEA-54F3-42E1-8F8E-AB21FB377147}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{D154265D-D321-4767-97DB-DF66B9438E00}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{E62FD99A-6C6C-456A-ABB9-8A58DDFA2E8D}"= UDP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe
"{478D6B9D-6BFC-4EF4-933F-7765A0443B7E}"= TCP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe
"{0CF09CFC-F25D-49BC-BA55-FBC47B256C48}"= UDP:c:\program files\Guild Wars\Gw.exe:Guild Wars
"{BAD78EF5-8FFC-4768-AE9F-A90B9C0FCE2B}"= TCP:c:\program files\Guild Wars\Gw.exe:Guild Wars
"{DBEE975D-43EC-4E8D-AFC5-5975F608009A}"= UDP:c:\users\Public\Games\World of Warcraft\Launcher.exe:World of Warcraft
"{E89DEDAB-8680-4A06-9D2B-89A1092D3824}"= TCP:c:\users\Public\Games\World of Warcraft\Launcher.exe:World of Warcraft
"{C64C8578-FF0C-4132-9D27-57AB34DFD2B5}"= UDP:c:\program files\Curse\CurseClient.exe:Curse Client
"{5790AE22-FC51-45C9-86BB-D7E069AA7B3C}"= TCP:c:\program files\Curse\CurseClient.exe:Curse Client
"{6CB4EF1A-92C1-425A-B35D-4478B8315B84}"= UDP:c:\program files\Vuze\Azureus.exe:Vuze
"{16E9D7B3-DFE7-4C54-ABC4-B0756E9D5354}"= TCP:c:\program files\Vuze\Azureus.exe:Vuze
"TCP Query User{4B4588A9-44E7-4EE4-A790-077AD5CC5F04}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{B689A469-2E58-44BD-9CB6-203463EBBC35}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{4CD47BDF-5239-4153-BD9F-BBAB624C8A37}c:\\program files\\curse\\curseclient.exe"= UDP:c:\program files\curse\curseclient.exe:CurseClient
"UDP Query User{AD05E2D0-F469-464E-95A1-1125FCC7DCED}c:\\program files\\curse\\curseclient.exe"= TCP:c:\program files\curse\curseclient.exe:CurseClient
"{C6077AC8-6164-4880-8A65-B722CE823C40}"= UDP:80:xbox live
"{CAAAAB1F-163E-4040-A245-CF9B0460CE4E}"= TCP:88:xbox live
"{465F801C-3F40-443F-A064-640FB6C097DA}"= TCP:3074:xbox live
"{3857A1C0-04CD-465A-9F39-8011AF9CA483}"= UDP:3074:xbox live
"{5FDC1043-AEAE-47AB-AC8B-5F619129DBA7}"= TCP:53:xbox live
"{51B951E7-99CA-476E-A86F-BD101B97835E}"= UDP:53:xbox live
"{D4A57686-C7D0-4E06-8B22-D7C706E4F838}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{5FBD8548-64D6-476C-A4CF-4F233092C96B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{8985ED63-053F-4452-A958-9B34E6406C8E}c:\\program files\\steam\\steamapps\\2muchtime2544\\counter-strike source\\hl2.exe"= UDP:c:\program files\steam\steamapps\2muchtime2544\counter-strike source\hl2.exe:hl2
"UDP Query User{BD737A4D-FB4E-446E-B8E2-07D5F8FF82CE}c:\\program files\\steam\\steamapps\\2muchtime2544\\counter-strike source\\hl2.exe"= TCP:c:\program files\steam\steamapps\2muchtime2544\counter-strike source\hl2.exe:hl2

S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt [8/18/2005 7168]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssflt r.sys [5/5/2009 9:02 PM 55280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSe tup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys

.
------- Supplementary Scan -------
.
uStart Page = hxxp://isb.guildlaunch.com/
mStart Page = hxxp://qwest.live.com
uInternet Settings,ProxyOverride = <local>
IE: Add to Windows &Live Favorites - Sign In
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Koerhijo\AppData\Roaming\Mozilla\Firefox\ Profiles\a7x88ipr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-06 21:58
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\E verestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1227161236-579168265-3883670517-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e4,a0,ce,5e,27,ef,9f,19,19,ab,39,85,ca,5e ,67,ce,22,73,3c,f1,33,5e,a9,
85,b3,01,04,48,2f,d9,6f,ad,5b,4d,59,a9,a4,20,9d,d8 ,07,6a,41,4c,23,c7,e0,25,\
"??"=hex:13,d1,1a,62,0f,a8,71,10,34,f2,a4,7b,21,e3 ,ee,87

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1900)
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\supportsoft\bin\sprtlisten.exe
c:\windows\System32\stacsv.exe
c:\windows\System32\WUDFHost.exe
c:\program files\XPSMiniViewGadget\XPSMiniViewGadget.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
.
************************************************** ************************
.
Completion time: 2009-06-07 22:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-07 03:08

Pre-Run: 193,287,708,672 bytes free
Post-Run: 192,819,863,552 bytes free

345 --- E O F --- 2009-06-04 23:58

infectedknit · #55 (**permalink**) 07-06-2009, 05:06 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:10 PM, on 6/6/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Safari\Safari.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Home : Intrepid Shadow Blades [ISB] - Guild Launch Guild Hosting
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - Sign In
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3. dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 5478 bytes

broni · #56 (**permalink**) 07-06-2009, 05:15 AM

Uninstall Combofix:

Go Start > Run
Type in:
combofix /u
Note the space between the "combofix" and the "/u"
Restart computer.

================================================== ==========

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

That's about all I can do. Your computer is totally clean.
I suggest, you run defrag.

infectedknit · #57 (**permalink**) 07-06-2009, 05:47 AM

Hmmm, alright. I did everything the last post said to do (defrag running right now). Too bad it's still running at about 80% of what I remember... maybe it's just my imagination. *shrugs*

Thanks for all the help Broni! I really do appreciate it.

infectedknit · #58 (**permalink**) 07-06-2009, 05:52 AM

And.... wow. I feel so stupid. According to my System page... and I just did a refresh check... I only have 512 MB of RAM.... I think I didn't put the RAM back in right when I took it out. >.<

broni · #59 (**permalink**) 07-06-2009, 06:17 AM

Surely Vista on 512MB will be very slow.
I thought, you had 3GB of RAM.
How many sticks, and of what values did you take out?

infectedknit · #60 (**permalink**) 07-06-2009, 06:23 AM

Alright, yes Vista on 512 MB is severely slow.

I do have 3GB of RAM. When I took one by one out to check it, I didn't put them back in properly (They were sitting like halfway out).

I had four sticks, and each was... I'm not sure. One was 512MB, but the rest made up for a grand total of 3GB.

I have since opened my computer back up, and inserted them all back in properly, and it is just back to the way it was.

Thanks Broni for fixing the major problem. Too bad I had to go and make another problem that you couldn't figure out. Wow... lol.