Log'N'Rock: Combofix [INACTIVE] - Log'N'Rock

Combofix [INACTIVE]

#1 Kerhwin

  • Garage rocker
  • Group: Members
  • Posts: 7
  • Joined: 02-October 10

Posted 02 October 2010 - 07:07 PM

ComboFix 10-10-01.07 - Kerhwin 10/02/2010 14:16:17.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3317.1891 [GMT -4:00]
Running from: c:\users\Kerhwin\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\windows
c:\users\Kerhwin\AppData\Roaming\Microsoft\Windows\Recent\GamesTorrents.url
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-09-02 to 2010-10-02 )))))))))))))))))))))))))))))))
.

2010-10-02 18:21 . 2010-10-02 18:22 -------- d-----w- c:\users\Kerhwin\AppData\Local\temp
2010-10-02 18:21 . 2010-10-02 18:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-02 13:41 . 2010-10-02 13:41 -------- d-----w- c:\users\Kerhwin\AppData\Roaming\Registry Mechanic
2010-10-02 13:37 . 2010-08-05 12:46 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2010-10-02 13:37 . 2004-08-04 11:00 506368 ----a-w- c:\windows\system32\msxml.dll
2010-10-02 13:37 . 2010-10-02 13:37 -------- d-----w- c:\program files\Common Files\PC Tools
2010-10-01 10:13 . 2010-10-02 18:07 -------- d-----w- c:\users\Kerhwin\AppData\Local\LogMeIn Hamachi
2010-10-01 10:12 . 2010-10-01 10:12 -------- d-----w- c:\program files\LogMeIn Hamachi
2010-10-01 08:23 . 2010-10-01 08:23 -------- d-----w- c:\users\Kerhwin\AppData\Local\Vitalwerks
2010-10-01 08:21 . 2010-10-01 08:21 -------- d-----w- c:\program files\No-IP
2010-10-01 07:53 . 2010-10-01 07:53 -------- d-----w- c:\program files\Sun
2010-10-01 07:52 . 2010-10-01 21:14 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-01 07:43 . 2010-10-02 17:43 -------- d-----w- c:\users\Kerhwin\AppData\Roaming\MySQL
2010-10-01 07:40 . 2010-10-01 07:40 -------- d-----w- c:\windows\hsperfdata_Kerhwin
2010-10-01 07:35 . 2010-10-01 20:59 -------- d-----w- C:\glassfishv3
2010-10-01 07:33 . 2010-10-01 07:33 -------- d-----w- c:\program files\BreakPoint Software
2010-10-01 07:24 . 2010-10-01 07:24 -------- d-----w- c:\programdata\MySQL
2010-10-01 07:21 . 2010-10-01 07:23 -------- d-----w- C:\wamp
2010-10-01 07:20 . 2010-10-01 21:07 -------- d-----w- c:\program files\MySQL
2010-09-30 01:29 . 2010-09-30 01:29 110080 ----a-r- c:\users\Kerhwin\AppData\Roaming\Microsoft\Installer\{CED3DF1E-01D1-45AD-BF33-64AE5E8843B8}\IconF7A21AF7.exe
2010-09-30 01:29 . 2010-09-30 01:29 110080 ----a-r- c:\users\Kerhwin\AppData\Roaming\Microsoft\Installer\{CED3DF1E-01D1-45AD-BF33-64AE5E8843B8}\IconD7F16134.exe
2010-09-30 01:29 . 2010-09-30 01:29 -------- d-----w- C:\sh4ldr
2010-09-30 01:29 . 2010-09-30 01:29 -------- d-----w- c:\program files\Enigma Software Group
2010-09-30 01:28 . 2010-09-30 01:29 -------- d-----w- c:\windows\CED3DF1E01D145ADBF3364AE5E8843B8.TMP
2010-09-29 19:52 . 2010-09-29 19:52 -------- d-----w- c:\users\Kerhwin\AppData\Roaming\Malwarebytes
2010-09-29 19:52 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-29 19:52 . 2010-09-29 19:52 -------- d-----w- c:\programdata\Malwarebytes
2010-09-29 19:52 . 2010-09-29 19:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-29 19:52 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-29 02:05 . 2010-06-22 12:57 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-19 11:08 . 2010-09-19 11:08 65024 ----a-w- c:\users\Kerhwin\AppData\Roaming\.minecraft\bin\natives\jinput-dx8_64.dll
2010-09-19 11:08 . 2010-09-19 11:08 62464 ----a-w- c:\users\Kerhwin\AppData\Roaming\.minecraft\bin\natives\jinput-raw_64.dll
2010-09-19 11:08 . 2010-09-19 11:08 61952 ----a-w- c:\users\Kerhwin\AppData\Roaming\.minecraft\bin\natives\jinput-dx8.dll
2010-09-19 11:08 . 2010-09-19 11:08 59392 ----a-w- c:\users\Kerhwin\AppData\Roaming\.minecraft\bin\natives\jinput-raw.dll
2010-09-19 11:08 . 2010-09-19 11:08 248832 ----a-w- c:\users\Kerhwin\AppData\Roaming\.minecraft\bin\natives\lwjgl64.dll
2010-09-19 11:08 . 2010-09-19 11:08 237568 ----a-w- c:\users\Kerhwin\AppData\Roaming\.minecraft\bin\natives\lwjgl.dll
2010-09-19 11:08 . 2010-09-19 11:08 195072 ----a-w- c:\users\Kerhwin\AppData\Roaming\.minecraft\bin\natives\OpenAL64.dll
2010-09-19 11:08 . 2010-09-19 11:08 108032 ----a-w- c:\users\Kerhwin\AppData\Roaming\.minecraft\bin\natives\OpenAL32.dll
2010-09-19 10:46 . 2010-09-19 11:08 -------- d-----w- c:\users\Kerhwin\AppData\Roaming\.minecraft
2010-09-14 20:28 . 2010-04-16 16:10 501760 ----a-w- c:\windows\system32\usp10.dll
2010-09-14 20:28 . 2010-08-17 13:32 126464 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-14 20:28 . 2010-04-05 16:08 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-14 20:28 . 2010-05-27 19:16 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-02 18:22 . 2009-08-21 08:34 -------- d-----w- c:\users\Kerhwin\AppData\Roaming\Skype
2010-10-02 14:11 . 2010-08-11 13:57 -------- d-----w- c:\users\Kerhwin\AppData\Roaming\uTorrent
2010-10-02 13:22 . 2009-08-21 08:35 -------- d-----w- c:\users\Kerhwin\AppData\Roaming\skypePM
2010-10-01 21:43 . 2009-05-24 04:36 71256 ----a-w- c:\users\Kerhwin\AppData\Local\GDIPFONTCACHEV1.DAT
2010-10-01 21:15 . 2009-05-24 04:46 -------- d-----w- c:\program files\Common Files\Java
2010-10-01 19:00 . 2010-06-21 18:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-10-01 07:50 . 2009-05-24 04:46 -------- d-----w- c:\program files\Java
2010-09-30 01:28 . 2009-05-30 02:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-09-29 23:32 . 2010-08-10 07:41 -------- d-----w- c:\programdata\RegCure
2010-09-29 19:39 . 2010-08-11 20:47 -------- d-----w- c:\program files\AutocompletePro
2010-09-21 00:45 . 2010-06-12 20:12 -------- d-----w- c:\users\Kerhwin\AppData\Roaming\vlc
2010-09-15 07:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-11 04:03 . 2010-04-02 03:26 98304 ----a-w- c:\programdata\NexonUS\NGM\npNxGameUS.dll
2010-09-11 04:03 . 2010-04-02 03:26 765952 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2010-09-11 04:03 . 2010-04-02 03:26 401408 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
2010-09-11 04:03 . 2010-04-02 03:26 258352 ----a-w- c:\programdata\NexonUS\NGM\unicows.dll
2010-09-11 04:03 . 2010-04-02 03:26 126976 ----a-w- c:\programdata\NexonUS\NGM\nxgameus.dll
2010-09-11 04:03 . 2010-04-02 03:26 172032 ----a-w- c:\programdata\NexonUS\NGM\NGM.exe
2010-08-11 20:47 . 2010-08-11 20:47 -------- d-----w- c:\program files\Free ISO Burn Wizard
2010-08-11 13:57 . 2010-08-11 13:57 -------- d-----w- c:\program files\uTorrent
2010-08-11 13:25 . 2006-11-02 10:25 51200 ----a-w- c:\windows\Inf\infpub.dat
2010-08-11 13:25 . 2006-11-02 10:25 143360 ----a-w- c:\windows\Inf\infstrng.dat
2010-08-11 13:25 . 2006-11-02 10:25 86016 ----a-w- c:\windows\Inf\infstor.dat
2010-08-11 13:24 . 2010-08-11 13:24 -------- d-----w- c:\program files\Elaborate Bytes
2010-08-11 05:56 . 2010-08-10 08:45 -------- d-----w- c:\program files\Hotspot Shield
2010-08-10 08:23 . 2010-08-10 08:23 -------- d-----w- c:\program files\CONEXANT
2010-08-05 18:59 . 2010-08-05 18:59 45056 ----a-r- c:\users\Kerhwin\AppData\Roaming\Microsoft\Installer\{C19AB6C4-BBD0-49EF-927D-9C7CB80BC0B0}\MapleStory.exe1_C19AB6C4BBD049EF927D9C7CB80BC0B0.exe
2010-08-05 18:59 . 2010-08-05 18:59 45056 ----a-r- c:\users\Kerhwin\AppData\Roaming\Microsoft\Installer\{C19AB6C4-BBD0-49EF-927D-9C7CB80BC0B0}\MapleStory.exe_C19AB6C4BBD049EF927D9C7CB80BC0B0.exe
2010-08-05 18:59 . 2010-08-05 18:59 10134 ----a-r- c:\users\Kerhwin\AppData\Roaming\Microsoft\Installer\{C19AB6C4-BBD0-49EF-927D-9C7CB80BC0B0}\ARPPRODUCTICON.exe
.

------- Sigcheck -------

[7] 2009-04-11 . C818C44C201898399BF999BB6B35D4E3 . 247296 . . [6.0.6000.16386] . . c:\windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.18005_none_cf1bd6361a0f622e\shsvcs.dll
[7] 2008-01-19 . 27F10F348E508243F6254846F8370D0D . 247296 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18000_none_cd305d2a1ced96e2\shsvcs.dll
[7] 2006-11-02 . B264DFA21677728613267FE63802B332 . 245248 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6000.16386_none_caf99b2e2002860e\shsvcs.dll

c:\windows\System32\shsvcs.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ColdWare"="c" [X]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-02-21 2937528]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
"ledpointer"="CNYHKey.exe" [2006-11-09 5585408]
"MoLed"="ModLEDKey.exe" [2006-11-09 53248]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 151552]
"SigmatelSysTrayApp"="sttray.exe" [2006-11-02 303104]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-05-11 1348144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-03-30 1820040]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2010-08-05 104408]

c:\users\Kerhwin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2733326480-3196257761-3199547430-1001]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2733326480-3196257761-3199547430-1002]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2733326480-3196257761-3199547430-500]
"EnableNotificationsRef"=dword:00000002

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2010-03-30 1107336]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-06-23 322608]
S2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\DRIVERS\nmsgopro.sys [2006-09-27 28672]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 7424]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-08-05 583640]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [2010-01-27 5248]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2009-05-24 5504]
S3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2009-05-11 724992]

.
Contents of the 'Scheduled Tasks' folder

2010-10-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2733326480-3196257761-3199547430-1002Core.job
- c:\users\Kerhwin\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-24 19:19]

2010-10-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2733326480-3196257761-3199547430-1002UA.job
- c:\users\Kerhwin\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-24 19:19]

2010-10-01 c:\windows\Tasks\Norton Security Scan for Kerhwin.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-06-12 14:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5442
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {B1437251-01BF-47ff-8254-A4CD22E0E2BF} -
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-RegistryMechanic - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-02 14:22
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Kerhwin\AppData\Roaming\GTek\GTUpdate\AUpdate\NMSSupport\DB\{3CD7C608-F6D0-4DA9-8877-1BC31D7FA720}.xml 794 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-10-02 14:24:21
ComboFix-quarantined-files.txt 2010-10-02 18:24

Pre-Run: 291,588,358,144 bytes free
Post-Run: 291,552,210,944 bytes free

- - End Of File - - A1493EFB225E03ADB4CFF95765F2EF7F

#2 Fred Flintstone

  • Dave Gilmour
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender: Male
  • Location: Somerset

Posted 02 October 2010 - 08:22 PM

Hi Kerhwin.. :welcome2:

I see you have Malwarebytes installed.
Please update it, run a full scan and save the log..

Then:
Download HijackThis
Please download HijackThis.msi © Trend Micro Incorporated. Save it to your desktop. Alternate link site here.

NOTE: If you have used HijackThis before to remove entries, do not uninstall the old version yet.
We may need to see/use its backups. I will let you know when it's OK to uninstall the old version.

  • Double click on the HiJackThis.msi icon on your desktop to install. Click Run if you get an Open File security prompt.
    Vista - W7 users: Right click on HiJackThis.msi and select Run as Administrator; if prompted by Windows UAC, allow it.
  • Follow the prompts... allow the defaults... once installed... it will create a HijackThis icon on the desktop. Default install location: C:\Program Files\Trend Micro\HijackThis
  • Once installed, it will launch HijackThis... if not... double click the HijackThis desktop icon.
    If you are on the "scan & fix stuff" page... press the "Main Menu" button.
  • Click on the "Do a system scan and save a Log file" button.
    When the scan is finished... Notepad will open with a log file called "hijackthis.log".
  • In the HijackThis log, go to the top menu, click on "Format" and uncheck "Word Wrap" if checked.
  • Copy and paste the contents of the hijackthis.log file in your next reply. Save the file in the HijackThis folder.

Do not fix anything yourself... Removing any needed entries could render your computer inoperable!

Please post back both logs..along with a brief description of the problems you have been experiencing.
Thanks

Fred.. :thumbsup:

#3 Kerhwin

  • Garage rocker
  • Group: Members
  • Posts: 7
  • Joined: 02-October 10

Posted 02 October 2010 - 08:44 PM

I'll do that later but I can tell you what the problem is right now. When I log onto my computer it says "could not load or run 'C:Users\Kerhwin\AppData\Local\Temp\dwm.exe'" along with some other things. dwm.exe shouldn't be in AppData as far as I'm aware. Some of the things that have been wrong with my computer have been that my Vista theme changed to Windows 95 and Vista is no longer a choosable theme. Any time I try to load something computer related (i.e. opening a folder) it takes an abnormal amount of time to do so (up to a minute). I had just got done getting rid of a registry virus as well. "Coldware" wants to stay in my registry and I can't seem to get rid of it, but I've changed the binary code to render it threatless.

#4 Kerhwin

  • Garage rocker
  • Group: Members
  • Posts: 7
  • Joined: 02-October 10

Posted 02 October 2010 - 08:51 PM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:47:57 PM, on 10/2/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18498)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\ModLEDKey.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Users\Kerhwin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Users\Kerhwin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kerhwin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kerhwin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kerhwin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kerhwin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kerhwin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kerhwin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kerhwin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kerhwin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kerhwin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Users\Kerhwin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...ys=DTP&M=GM5442
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [MoLed] ModLEDKey.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SSDMonitor] C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ColdWare] c
O4 - HKUS\S-1-5-21-2733326480-3196257761-3199547430-1000\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-2733326480-3196257761-3199547430-1000\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'IUSR_NMPR')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {B1437251-01BF-47ff-8254-A4CD22E0E2BF} (GamenGame Web Starter) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files\Hotspot Shield\bin\hsswd.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SpyHunter 4 Service - Enigma Software Group USA, LLC. - C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.36\bin\mysqld.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10145 bytes


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4717

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

10/2/2010 4:51:24 PM
mbam-log-2010-10-02 (16-51-24).txt

Scan type: Quick scan
Objects scanned: 147567
Time elapsed: 5 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coldware (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 Fred Flintstone

  • Dave Gilmour
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender: Male
  • Location: Somerset

Posted 02 October 2010 - 11:22 PM

Hi Kerhwin..

You seem to have about a dozen Chrome processes running at present, this could be a reason why your pc is running slowly.
Depends on the spec of your system of course, but Chrome uses several processes when running..
One for the main browser, one for each tab you have open, one for each plugin etc..etc..up to a maximum of 20 apparently!
More info HERE. Varying opinions, but you'll get the idea..

Is your pc any faster before you start the browser??

MBAM appears to have removed the reg loading key for Coldware so that should be ok now?.. let me know if it still appears when you reboot.

Please reboot the computer, re-run MBAM then run HJT <<< In that order and post back with the logs. Also note any errors etc..
I can't find any instance of DWM.exe in any of the logs except the legit one in the system32 folder?.. so let me know if you still get that particular error

With reference to the themes, have you checked that the themes service is running ok??
Go to Start, in the search box type Services.msc click Ok (Allow prompt from UAC).

Scroll down to Themes and ensure it is both Started and set to Automatic


Let me know how you get on..
Thanks
Fred..

#6 Kerhwin

  • Garage rocker
  • Group: Members
  • Posts: 7
  • Joined: 02-October 10

Posted 02 October 2010 - 11:39 PM

My computer runs off of 4 gigs of ram. It is exceptional. I can have chrome closed vs 30 tabs of chrome open and the speed difference will be minimal. Also, I can run programs such as chrome and counter strike at full speed. The only speed alteration has been with programs directly related to my computer. If I open a folder, right click, or try to open a program of any sort, the speed that this is done at is minimal. However, once that program is open then the speed deficiency ceases.
MBAM did not disable the loading key for Coldware, I did that manually.
I have tinkered with Coldware and ran MBAM + SB s&d + Spyhunter + Registry mechanic followed with a computer restart multiple times at this point, so the log would not differ.
The error for dwm.exe simply pops up when I log in, as far as I can tell it hasn't brought me any grief beyond that.
I have done what you recommended with the Services.msc, and it looks as though there could be a problem. Apparently my system cannot find the file specified.
0

#7 User is offline   Fred Flintstone Icon

  • Dave Gilmour
  • Icon
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender:Male
  • Location:Somerset

Posted 04 October 2010 - 10:23 PM

Hi Kerhwin, sorry for the delayed reply.. manic weekend at work!!.. :unsure:

I believe the speed problem (opening folders etc) to be related to the missing file shsvcs.dll as shown in the Sigcheck section of the Combofix log.
I have actually replicated this condition on my own machine by navigating to the file in the System32 folder, taking ownership of the file and renaming it to .old, thereby disabling it.

Example, to navigate to the file in C:\windows\system32\shsvcs.dll took about five seconds on my lappy (Vista Business with just the one gig of ram) .. :exorcize:
After renaming the file and rebooting, it took me over seven minutes to get back to name it back again!!
Every double click from "My Computer" to C: / Windows etc..etc.. took a couple of minutes to open and populate

After renaming it back to the original name and rebooting again, I was back to normal 5 seconds??
Tried this process three times with the same result so there is a connection there!

shsvcs.dll has dependencies including Themes, fast user switching etc, so could be the main root of your issues?

Try System File Checker (SFC), Link Here for info see if it can fix it automatically for you, if not.. we will find another way.

Let me know how it goes..

Thanks
Fred
0

#8 User is offline   Kerhwin Icon

  • Garage rocker
  • Pip
  • Group: Members
  • Posts: 7
  • Joined: 02-October 10

Posted 04 October 2010 - 10:47 PM

I think I must have deleted the files when cleaning out multiple registry viruses. Your link is incorrect, and doesn't lead me to anything. If you have an idea of where I could get the missing files back, that would be more than swell.
0

#9 User is offline   Fred Flintstone Icon

  • Dave Gilmour
  • Icon
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender:Male
  • Location:Somerset

Posted 04 October 2010 - 11:00 PM

Do you have your Vista CD / DVD??

If so you could get the file from that.
0

#10 User is offline   Kerhwin Icon

  • Garage rocker
  • Pip
  • Group: Members
  • Posts: 7
  • Joined: 02-October 10

Posted 04 October 2010 - 11:07 PM

I do not.
0

#11 User is offline   Fred Flintstone Icon

  • Dave Gilmour
  • Icon
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender:Male
  • Location:Somerset

Posted 04 October 2010 - 11:21 PM

Try this one: shsvcs.dll download. Use the "Click Here to Download shsvcs.dll" link..

I have downloaded the file and scanned it with E-SET and MBAM so it should be ok.

It needs to reside in your C:\windows\system32 folder. Reboot afterwards and let me know if things improve / any changes?

Fred
0
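An added example, not from the thread or from either poster: the checks a defender would run on a replacement system DLL before copying it into System32, followed by the supported repair route (System File Checker, which post #7 already suggested). A third-party download that was only virus-scanned can still be the wrong architecture, the wrong build, or unsigned, and none of those is caught by an AV scan. The candidate path below is an assumption; the OS build and architecture checks use the values the ComboFix header at the top of the thread reports (x86, 6.0.6001).

```powershell
# Added example (not from the thread): vet a replacement shsvcs.dll BEFORE it goes into System32,
# then fall back to the OS-native repair (SFC). $candidate is an assumed path for illustration.
$candidate = 'C:\Users\Kerhwin\Desktop\shsvcs.dll'   # assumption: wherever the download was saved
$target    = Join-Path $env:SystemRoot 'System32\shsvcs.dll'

function Get-PeMachine {
    # Read IMAGE_FILE_HEADER.Machine so an x64 build is never dropped into an x86 System32.
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        [void]$fs.Seek(0x3C, 'Begin')                      # e_lfanew lives at offset 0x3C
        [void]$fs.Seek($br.ReadInt32(), 'Begin')           # jump to the PE header
        if ($br.ReadUInt32() -ne 0x00004550) { return 'not-a-PE' }   # "PE\0\0"
        switch ($br.ReadUInt16()) {
            0x014c  { 'x86' }
            0x8664  { 'x64' }
            default { 'other' }
        }
    } finally { $fs.Close() }
}

function Test-SystemDllCandidate {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @("MISSING: $Path") }
    $findings = @()

    # 1. Architecture must match the OS (the ComboFix log header says x86).
    $machine = Get-PeMachine -Path $Path
    $osArch  = if ([IntPtr]::Size -eq 8) { 'x64' } else { 'x86' }
    $findings += 'Architecture: file={0} os={1} {2}' -f $machine, $osArch, $(if ($machine -eq $osArch) { 'OK' } else { 'MISMATCH' })

    # 2. The file's major.minor.build must match the running OS (6.0.6001 in the log is Vista SP1);
    #    a DLL from another build or service pack is not a drop-in replacement.
    $v  = (Get-Item -LiteralPath $Path).VersionInfo
    $os = [Environment]::OSVersion.Version
    $buildOk = ($v.FileMajorPart -eq $os.Major) -and ($v.FileMinorPart -eq $os.Minor) -and ($v.FileBuildPart -eq $os.Build)
    $findings += 'Version: file={0} os={1} {2}' -f $v.FileVersion, $os.ToString(3), $(if ($buildOk) { 'OK' } else { 'MISMATCH' })

    # 3. Signature. OS components are normally catalog-signed, and Get-AuthenticodeSignature on
    #    PowerShell 2.0 only sees embedded signatures, so prefer Sysinternals sigcheck (it checks
    #    catalogs) when it is on the PATH; otherwise report the limited built-in result.
    $sigcheck = Get-Command sigcheck.exe -ErrorAction SilentlyContinue
    if ($sigcheck) {
        $out       = & $sigcheck.Path -q -a $Path 2>$null
        $verified  = ($out | Select-String -Pattern '^\s*Verified:\s*(.+)$'  | ForEach-Object { $_.Matches[0].Groups[1].Value }) -join ''
        $publisher = ($out | Select-String -Pattern '^\s*Publisher:\s*(.+)$' | ForEach-Object { $_.Matches[0].Groups[1].Value }) -join ''
        $sigOk     = ($verified -eq 'Signed') -and ($publisher -like 'Microsoft*')
        $findings += 'Signature (sigcheck): {0} / {1} {2}' -f $verified, $publisher, $(if ($sigOk) { 'OK' } else { 'REJECT' })
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $findings += 'Signature (embedded only): {0}; NotSigned is inconclusive for catalog-signed OS files' -f $sig.Status
    }
    return $findings
}

function Invoke-SfcSummary {
    # The supported repair path: SFC restores protected files from the component store.
    # Needs an elevated prompt. The [SR] lines in CBS.log record what it found and repaired.
    & "$env:SystemRoot\System32\sfc.exe" /scannow
    Select-String -Path "$env:SystemRoot\Logs\CBS\CBS.log" -SimpleMatch '[SR]' | Select-Object -Last 20
}

Test-SystemDllCandidate -Path $candidate | ForEach-Object { Write-Output $_ }
Write-Output "Target would be: $target  (copy only if every line above says OK; otherwise run Invoke-SfcSummary first)"
```

The ordering matters: SFC pulls the file from the machine's own component store, so it cannot introduce a foreign build, and it is the first thing to try; hand-copying a DLL is the last resort, and only once architecture, build and signature all check out.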

#12 User is offline   Kerhwin Icon

  • Garage rocker
  • Pip
  • Group: Members
  • Posts: 7
  • Joined: 02-October 10

Posted 05 October 2010 - 07:29 PM

Upon downloading what you have given me and placing it in my system32 folder + rebooting my computer, I can't even log in anymore. I get to the "please wait" screen before you can pick an account to log into and the screen just flashes from that to a black screen and back to that, repeatedly. The same thing happens in every mode including safe mode. I no longer have a computer to use because of your suggestion. I've restarted multiple times, and have checked that the monitor cord is plugged in properly. Also, my keyboard goes unresponsive upon entering the flashing cycle. If I press the "sleep" button on the top left of the keyboard, my computer remains active. I'm currently using a friend's laptop but it's costing me money. The sooner that we can fix this, the faster I can return his laptop back, thus lessening my initial fee.
0

#13 User is offline   Fred Flintstone Icon

  • Dave Gilmour
  • Icon
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender:Male
  • Location:Somerset

Posted 05 October 2010 - 10:11 PM

Hi Kerhwin , sorry to hear you have this problem!
odd one, as I actually tried this fix myself on my machine without any issues before I asked you to do it..

Try this:
Reboot the computer and tap the F8 key before windows starts.
From the menu select Repair your computer
From the options, select System restore <<< give it time for the wizard to start up, it can take a while

Follow the prompts then select a restore point from a time before you installed the file and run the restore.

Let me know how it goes, I will stay around for a while ..

Thanks
Fred
0

#14 User is offline   Fred Flintstone Icon

  • Dave Gilmour
  • Icon
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender:Male
  • Location:Somerset

Posted 12 October 2010 - 08:00 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
0
