PDA

View Full Version : Infected or malware--slow startup, System Restore inoperative



dkamin
2013-06-28, 19:04
Here are my logs. I previously posted on this at http://forums.spybot.info/showthread.php?68877-Malware-apparently-removed-but-startup-very-slow-and-System-Restore-is-blocked, and Tashi instructed me to start a new thread with the log files and link to the old one.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Dan Kamin at 11:02:56 on 2013-06-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.330 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\HPSIsvc.exe
C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.softonic.com/MOY00319/tb_v1?SearchSource=10&cc=&mi=0c924765000000000000001c234d9011
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\18.7.2.3\coieplg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\18.7.2.3\ips\ipsbho.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\18.7.2.3\coieplg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\18.7.2.3\coieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\stsystra.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://vnc.webex.com/client/wbs27-vzbprodcn/webex/ieatgpc.cab
TCP: NameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{2156BD58-3B3C-4CD3-A109-47A08F329673} : DHCPNameServer = 192.168.1.1 71.252.0.12
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dan kamin\application data\mozilla\firefox\profiles\3xyzcfc0.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlhtml5videoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlpepperflashvideoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\npdlplugin.dll
FF - plugin: c:\documents and settings\dan kamin\application data\mozilla\firefox\profiles\3xyzcfc0.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\dan kamin\local settings\application data\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
FF - ExtSQL: 2013-06-24 12:31; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files\mozilla firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - ExtSQL: !HIDDEN! 2010-12-29 12:00; smartwebprinting@hp.com; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn2
FF - ExtSQL: !HIDDEN! 2011-02-02 14:55; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.Softonic.autoRvrt - false
FF - user.js: extensions.Softonic.rvrt - false
FF - user.js: extensions.Softonic.hmpg - true
FF - user.js: extensions.Softonic.hmpgUrl - hxxp://search.softonic.com/MOY00319/tb_v1?SearchSource=13&cc=&mi=0c924765000000000000001c234d9011
FF - user.js: extensions.Softonic.hpOld0 - www.google.com
FF - user.js: extensions.Softonic.dfltSrch - true
FF - user.js: extensions.Softonic.srchPrvdr - Search the web (Softonic)
FF - user.js: extensions.Softonic.kw_url - hxxp://search.softonic.com/MOY00319/tb_v1?SearchSource=2&cc=&mi=0c924765000000000000001c234d9011&q=
FF - user.js: extensions.Softonic.dnsErr - true
FF - user.js: extensions.Softonic.newTab - true
FF - user.js: extensions.Softonic.newTabUrl - hxxp://search.softonic.com/MOY00319/tb_v1/?SearchSource=15&cc=&mi=0c924765000000000000001c234d9011
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1207020.003\symds.sys [2012-6-11 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1207020.003\symefa.sys [2012-6-11 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20130620.001\BHDrvx86.sys [2013-6-24 1002072]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1207020.003\ironx86.sys [2012-6-11 136312]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2011-10-4 99896]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.7.2.3\ccsvchst.exe [2012-6-11 130008]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2013-3-6 39056]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-3-18 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-3-18 1369624]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2013-5-14 3289208]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-3-14 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20130627.001\IDSXpx86.sys [2013-6-27 373728]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20130628.002\NAVENG.SYS [2013-6-28 93272]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20130628.002\NAVEX15.SYS [2013-6-28 1611992]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2009-6-24 136704]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-3-18 168384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-3 162408]
S3 mam4410c;mam4410c;c:\windows\system32\drivers\mam4410c.sys [2011-2-17 24784]
S3 mam4410m;mam4410m;c:\windows\system32\drivers\mam4410m.sys [2011-2-17 25044]
S3 mam4410u;mam4410u;c:\windows\system32\drivers\mam4410u.sys [2011-2-17 52309]
.
=============== File Associations ===============
.
ShellExec: FRONTPG.EXE: edit=c:\progra~1\micros~2\office\FRONTPG.EXE
.
=============== Created Last 30 ================
.
2013-06-27 21:32:31 94208 ----a-w- c:\windows\system32\stacsv.exe
2013-06-27 21:32:30 4952064 ----a-w- c:\windows\system32\stacgui.cpl
2013-06-27 21:32:30 405504 ----a-w- c:\windows\stsystra.exe
2013-06-27 21:32:30 1601536 ----a-w- c:\windows\system32\stlang.dll
2013-06-27 21:32:01 270336 ----a-w- c:\windows\system32\stacapi.dll
2013-06-25 02:01:18 -------- d-----w- c:\program files\Softonic
2013-06-25 01:57:28 -------- d-----w- c:\documents and settings\dan kamin\application data\Softonic
2013-06-25 01:51:35 -------- d-----w- c:\program files\free-aiff-mp3-converter
.
==================== Find3M ====================
.
2013-06-12 16:05:07 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-12 16:05:07 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-07 22:30:06 920064 ----a-w- c:\windows\system32\wininet.dll
2013-05-07 22:30:05 43520 ------w- c:\windows\system32\licmgr10.dll
2013-05-07 22:30:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-05-07 21:53:29 385024 ------w- c:\windows\system32\html.iec
2013-05-03 01:30:20 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38:17 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 18:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 11:04:42.90 ===============

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-06-28 11:39:09
-----------------------------
11:39:09.875 OS Version: Windows 5.1.2600 Service Pack 3
11:39:09.875 Number of processors: 2 586 0xF0D
11:39:09.906 ComputerName: DAN UserName:
11:39:25.562 Initialize success
11:40:55.281 The log file has been saved successfully to "C:\Documents and Settings\Dan Kamin\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-06-28 11:39:09
-----------------------------
11:39:09.875 OS Version: Windows 5.1.2600 Service Pack 3
11:39:09.875 Number of processors: 2 586 0xF0D
11:39:09.906 ComputerName: DAN UserName:
11:39:25.562 Initialize success
11:52:50.875 AVAST engine defs: 13062800
11:53:23.375 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
11:53:23.375 Disk 0 Vendor: ST9160314AS D005DEM1 Size: 152627MB BusType: 3
11:53:23.406 Disk 0 MBR read successfully
11:53:23.406 Disk 0 MBR scan
11:53:23.484 Disk 0 Windows XP default MBR code
11:53:23.484 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152625 MB offset 63
11:53:23.500 Disk 0 scanning sectors +312576705
11:53:23.578 Disk 0 scanning C:\WINDOWS\system32\drivers
11:53:46.406 Service scanning
11:54:16.687 Modules scanning
11:54:27.281 Disk 0 trace - called modules:
11:54:27.281
11:54:27.906 AVAST engine scan C:\WINDOWS
11:54:57.015 AVAST engine scan C:\WINDOWS\system32
11:58:19.500 AVAST engine scan C:\WINDOWS\system32\drivers
11:58:50.890 AVAST engine scan C:\Documents and Settings\Dan Kamin
12:00:07.078 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dan Kamin\Desktop\MBR.dat"
12:00:07.078 The log file has been saved successfully to "C:\Documents and Settings\Dan Kamin\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-06-28 11:39:09
-----------------------------
11:39:09.875 OS Version: Windows 5.1.2600 Service Pack 3
11:39:09.875 Number of processors: 2 586 0xF0D
11:39:09.906 ComputerName: DAN UserName:
11:39:25.562 Initialize success
11:52:50.875 AVAST engine defs: 13062800
11:53:23.375 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
11:53:23.375 Disk 0 Vendor: ST9160314AS D005DEM1 Size: 152627MB BusType: 3
11:53:23.406 Disk 0 MBR read successfully
11:53:23.406 Disk 0 MBR scan
11:53:23.484 Disk 0 Windows XP default MBR code
11:53:23.484 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152625 MB offset 63
11:53:23.500 Disk 0 scanning sectors +312576705
11:53:23.578 Disk 0 scanning C:\WINDOWS\system32\drivers
11:53:46.406 Service scanning
11:54:16.687 Modules scanning
11:54:27.281 Disk 0 trace - called modules:
11:54:27.281
11:54:27.906 AVAST engine scan C:\WINDOWS
11:54:57.015 AVAST engine scan C:\WINDOWS\system32
11:58:19.500 AVAST engine scan C:\WINDOWS\system32\drivers
11:58:50.890 AVAST engine scan C:\Documents and Settings\Dan Kamin
12:00:07.078 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dan Kamin\Desktop\MBR.dat"
12:00:07.078 The log file has been saved successfully to "C:\Documents and Settings\Dan Kamin\Desktop\aswMBR.txt"
12:02:39.218 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dan Kamin\Desktop\MBR.dat"
12:02:39.234 The log file has been saved successfully to "C:\Documents and Settings\Dan Kamin\Desktop\aswMBR.txt"

shelf life
2013-07-07, 15:39
hi dkamin,

If you still need help simply reply back.

dkamin
2013-07-07, 16:08
hi dkamin,

If you still need help simply reply back.

Hi Shelf Life,

I believe I do. Startup, for some reason, has gotten quicker, but is still longer than I believe it should be; the desktop icons come up rather quickly but it seems to take a long time for the internet icon to come up in my taskbar. I haven't tried System Restore since Spybot's instructed me not to do that.

I found the programs that I inadvertently downloaded, and I believe I deleted them. One was called QuickShare widget extension. Also, a search engine called Softonic Downloader replaced Google in my browsers, but I was able (I think) to remove that. Appreciate any help you can offer to make sure I'm malware free. Thanks, Dan

shelf life
2013-07-07, 18:01
hi,

Ok as a check you can run Adwcleaner which will remove junkware installs.


Please download Adwcleaner (http://www.bleepingcomputer.com/download/adwcleaner/) to your desktop.
Double click on the AdwCleaner.exe icon to start
Click on Search
A log file will automatically open after the scan has finished
Close the log file.
Now click on the delete button. Machine will reboot and produce a new log at start up.
Copy and paste the contents of that log file in your reply
You can also find the logfiles at C:\AdwCleaner[R1].txt, AdwCleaner[R2]

dkamin
2013-07-07, 19:19
hi,

Ok as a check you can run Adwcleaner which will remove junkware installs.


Please download Adwcleaner (http://www.bleepingcomputer.com/download/adwcleaner/) to your desktop.
Double click on the AdwCleaner.exe icon to start
Click on Search
A log file will automatically open after the scan has finished
Close the log file.
Now click on the delete button. Machine will reboot and produce a new log at start up.
Copy and paste the contents of that log file in your reply
You can also find the logfiles at C:\AdwCleaner[R1].txt, AdwCleaner[R2]

Hi SL. Here's the logfile. Bootup time still lags for internet icon to come in.

# AdwCleaner v2.304 - Logfile created 07/07/2013 at 12:05:05
# Updated 03/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Dan Kamin - DAN
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Dan Kamin\My Documents\Downloads\AdwCleaner(1).exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\Dan Kamin\Application Data\Mozilla\Firefox\Profiles\3xyzcfc0.default\searchplugins\softonic.xml
Folder Deleted : C:\DOCUME~1\DANKAM~1\LOCALS~1\Temp\Softonic
Folder Deleted : C:\Documents and Settings\Dan Kamin\Application Data\Softonic
Folder Deleted : C:\Program Files\Softonic

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7ABBFE1C-E485-44AA-8F36-353751B4124D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\649A52D257CA5DB4EAAE8BA9EB23E467

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://search.softonic.com/MOY00319/tb_v1/?SearchSource=15&cc=&mi=0c924765000000000000001c234d9011 --> hxxp://www.google.com

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Documents and Settings\Dan Kamin\Application Data\Mozilla\Firefox\Profiles\3xyzcfc0.default\prefs.js

C:\Documents and Settings\Dan Kamin\Application Data\Mozilla\Firefox\Profiles\3xyzcfc0.default\user.js ... Deleted !

Deleted : user_pref("extensions.Softonic.autoRvrt", "false");
Deleted : user_pref("extensions.Softonic.dfltSrch", true);
Deleted : user_pref("extensions.Softonic.dnsErr", true);
Deleted : user_pref("extensions.Softonic.hmpg", true);
Deleted : user_pref("extensions.Softonic.hmpgUrl", "hxxp://search.softonic.com/MOY00319/tb_v1?SearchSource=13&[...]
Deleted : user_pref("extensions.Softonic.hpOld0", "www.google.com");
Deleted : user_pref("extensions.Softonic.kw_url", "hxxp://search.softonic.com/MOY00319/tb_v1?SearchSource=2&cc[...]
Deleted : user_pref("extensions.Softonic.newTab", true);
Deleted : user_pref("extensions.Softonic.newTabUrl", "hxxp://search.softonic.com/MOY00319/tb_v1/?SearchSource=[...]
Deleted : user_pref("extensions.Softonic.rvrt", "false");
Deleted : user_pref("extensions.Softonic.srchPrvdr", "Search the web (Softonic)");
Deleted : user_pref("extensions.helperbar.SmartbarDisabled", false);
Deleted : user_pref("extensions.helperbar.SmartbarStateMinimaized", false);

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\n4bnyet8.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v28.0.1500.71

File : C:\Documents and Settings\Dan Kamin\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.2073] : homepage = "hxxp://search.softonic.com/MOY00319/tb_v1?SearchSource=48&cc=&mi=0c92476500000000000[...]

*************************

AdwCleaner[R1].txt - [3754 octets] - [07/07/2013 12:03:55]
AdwCleaner[S1].txt - [2681 octets] - [10/03/2013 16:56:33]
AdwCleaner[S2].txt - [3736 octets] - [07/07/2013 12:05:05]

########## EOF - C:\AdwCleaner[S2].txt - [3796 octets] ##########

shelf life
2013-07-07, 21:01
That removed some goodies.

You can also download Malwarebytes to see if it can dig up anything. Keep and use it as a anti-malware app.

Please download the free version of Malwarebytes (http://www.malwarebytes.org/products/) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
NOTE: The free version must be updated manually and a scan started manually.

dkamin
2013-07-08, 20:07
Malwarebytes found no threats. The only issue now seems to be that my Network Connection and Local Area Connection icons take several minutes to load-2-4 minutes. All the desktop icons load quite quickly, along with the other taskbar items. I also got a message on startup that indexing was paused due to disk activity. Do you think these things indicate that I still have a problem, or are they business as usual? Also, I haven't tried System Restore since trying it last week when my computer was first infected by Softonic and QuickShare, and it wouldn't work. Don't know if that should be rechecked. Thanks, Dan

Here's the Malwarebytes log.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.08.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dan Kamin :: DAN [administrator]

7/8/2013 10:29:15 AM
mbam-log-2013-07-08 (10-29-15).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 351794
Time elapsed: 2 hour(s), 28 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

shelf life
2013-07-09, 02:09
Ok. We will get another download to use. It requires that you read a short guide first. Read through the guide then apply the directions on your own machine. Post the log in your reply and we will go from there.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

dkamin
2013-07-09, 05:53
ComboFix 13-07-08.04 - Dan Kamin 07/08/2013 22:29:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.808 [GMT -4:00]
Running from: c:\documents and settings\Dan Kamin\My Documents\Downloads\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\vlc-1.1.5-win32.exe
c:\documents and settings\Dan Kamin\WINDOWS
c:\windows\system32\_000036_.tmp.dll
c:\windows\system32\Cache
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\3c291164390c60dd.fb
c:\windows\system32\Cache\3cabfd7411ed8571.fb
c:\windows\system32\Cache\43aeac657b02f23e.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6797490e3d59566d.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\75b35f01df754a6c.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\9e616eaf85ab92ed.fb
c:\windows\system32\Cache\a076b89a7f2f9df4.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ace76dfae44e7816.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d12f9ced4eac5f13.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
E:\Autorun.inf
E:\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-06-09 to 2013-07-09 )))))))))))))))))))))))))))))))
.
.
2013-06-27 21:32 . 2007-05-10 14:23 94208 ----a-w- c:\windows\system32\stacsv.exe
2013-06-27 21:32 . 2007-05-10 14:23 4952064 ----a-w- c:\windows\system32\stacgui.cpl
2013-06-27 21:32 . 2007-05-10 14:22 405504 ----a-w- c:\windows\stsystra.exe
2013-06-27 21:32 . 2007-04-10 21:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2013-06-27 21:32 . 2007-05-10 14:23 270336 ----a-w- c:\windows\system32\stacapi.dll
2013-06-27 13:09 . 2013-06-27 13:12 -------- d-----w- c:\documents and settings\Administrator
2013-06-25 01:51 . 2013-06-25 02:00 -------- d-----w- c:\program files\free-aiff-mp3-converter
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 16:05 . 2012-04-05 13:05 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-12 16:05 . 2011-05-16 20:14 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-07 22:30 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-05-07 22:30 . 2004-08-04 10:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-05-07 22:30 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-05-07 21:53 . 2004-08-04 10:00 385024 ------w- c:\windows\system32\html.iec
2013-05-03 01:30 . 2005-03-30 01:21 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2005-03-30 01:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-08-29 18:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-08-29 18:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-08-29 18:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE -b -l [2000-1-21 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe /startup [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-10-14 13:40 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-07-02 18:29 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 17:08 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2010-10-29 15:14 2498560 ----a-w- c:\windows\system32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
2012-08-29 18:51 1061960 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-12-29 02:32 136176 ----atw- c:\documents and settings\Dan Kamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-03-13 14:34 81920 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-02-20 16:35 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2006-06-26 15:33 243248 ----a-w- c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 07:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
2012-11-13 18:08 3825176 ----a-w- c:\program files\Spybot - Search & Destroy 2\SDTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 14:22 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-06-03 20:27 19603048 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-03-16 17:14 295512 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207020.003\symds.sys [6/11/2012 6:41 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207020.003\symefa.sys [6/11/2012 6:41 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20130702.001\BHDrvx86.sys [7/2/2013 4:47 PM 1002072]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207020.003\ironx86.sys [6/11/2012 6:41 PM 136312]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [10/4/2011 6:00 PM 99896]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.2.3\ccsvchst.exe [6/11/2012 6:41 PM 130008]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [3/6/2013 2:21 AM 39056]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [3/18/2013 4:54 PM 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [3/18/2013 4:54 PM 1369624]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/14/2013 12:09 PM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20130706.002\IDSXpx86.sys [7/8/2013 5:58 PM 373728]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [2/10/2012 6:17 PM 47360]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [6/24/2009 10:57 AM 136704]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [3/18/2013 4:54 PM 168384]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/3/2013 4:21 PM 162408]
S3 mam4410c;mam4410c;c:\windows\system32\drivers\mam4410c.sys [2/17/2011 7:59 PM 24784]
S3 mam4410m;mam4410m;c:\windows\system32\drivers\mam4410m.sys [2/17/2011 7:59 PM 25044]
S3 mam4410u;mam4410u;c:\windows\system32\drivers\mam4410u.sys [2/17/2011 7:59 PM 52309]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 16:05]
.
2013-07-08 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-03-18 18:08]
.
2013-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1500820517-682003330-1003Core.job
- c:\documents and settings\Dan Kamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-29 02:32]
.
2013-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1500820517-682003330-1003UA.job
- c:\documents and settings\Dan Kamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-29 02:32]
.
2013-07-08 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1229272821-1500820517-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-07-08 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1229272821-1500820517-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-07-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1229272821-1500820517-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-07-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1229272821-1500820517-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-07-03 c:\windows\Tasks\ReclaimerUpdateFiles_Dan Kamin.job
- c:\documents and settings\Dan Kamin\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.50\agent\rnupgagent.exe [2013-06-13 17:26]
.
2013-07-08 c:\windows\Tasks\ReclaimerUpdateXML_Dan Kamin.job
- c:\documents and settings\Dan Kamin\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.50\agent\rnupgagent.exe [2013-06-13 17:26]
.
2013-06-19 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-03-18 18:07]
.
2013-07-08 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Dan Kamin.job
- c:\documents and settings\Dan Kamin\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.50\agent\rnupgagent.exe [2013-06-13 17:26]
.
2013-03-18 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-03-18 18:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
FF - ProfilePath - c:\documents and settings\Dan Kamin\Application Data\Mozilla\Firefox\Profiles\3xyzcfc0.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - ExtSQL: !HIDDEN! 2010-12-29 12:00; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2
FF - ExtSQL: !HIDDEN! 2011-02-02 14:55; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
Notify-SDWinLogon - SDWinLogon.dll
MSConfigStartUp-MediaGet2 - c:\documents and settings\Dan Kamin\Local Settings\Application Data\MediaGet2\mediaget.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-08 22:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1004)
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2013-07-08 22:43:26
ComboFix-quarantined-files.txt 2013-07-09 02:43
.
Pre-Run: 78,789,869,568 bytes free
Post-Run: 78,924,890,112 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - 3F63A752F7D72314783978DDEF7BEF93
8F558EB6672622401DA993E1E865C861

dkamin
2013-07-09, 15:26
Hi Shelf Life,

Not sure if this could be affecting my slow internet icon startups, but I often get error reports (to send to Microsoft) about the failure of my HP wireless printer failing to connect. Here are the parts of them I can copy and paste:

Some unexpected errors have happened to software you recently used. You were not asked to send these error reports at the time they occurred.

EventType : clr20r3 P1 : hplaserjetservice.exe P2 : 1.1.0.0
P3 : 4a425ade P4 : hplaserjetservice P5 : 1.1.0.0 P6 : 4a425ade
P7 : bd P8 : 10e P9 : system.nullreferenceexception

Thanks, Dan

shelf life
2013-07-10, 04:23
It looks like you have these items disabled or unchecked in msconfig (http://netsquirrel.com/msconfig/)

msconfig\startupreg\hpqSRMon]
You might try checking it and see if its related to the printer error your seeing.


Enable this one also and see if it helps your connection
msconfig\startupreg\Broadcom Wireless Manager UI

dkamin
2013-07-10, 06:05
It looks like you have these items disabled or unchecked in msconfig (http://netsquirrel.com/msconfig/)

msconfig\startupreg\hpqSRMon]
You might try checking it and see if its related to the printer error your seeing.


Enable this one also and see if it helps your connection
msconfig\startupreg\Broadcom Wireless Manager UI

Okay, here's what's happening. I entered msconfig and checked the hpq box. When I hit "Okay" I got a message that access was denied, because I don't have administrator privileges. My friend who helped me earlier said I shouldn't be getting this command, that it might be malware wanting to prevent my accessing msconfig. However, when I rebooted the item remained checked.

I couldn't find the Broadcom Wireless Manager n the startup list. I use XP, if that's any help to locate it.

Startup remains about 5 minutes long. However, I have three users listed, and if I stay on the user screen for a minute the icons come up much faster, but the wireless and cable connection icons still take about two minutes.

Sorry to be such a bother! Dan

shelf life
2013-07-11, 00:20
Malwarebytes will fix things malware might do like a disabled task manager or being unable to make registry changes. Not seeing any malware. Lets get another download which is similar to adwcleaner. Make sure all the toolbar garbage is gone. You might also try resetting IE back to its defaults. IE>tools>Internet Options>Advanced tab> Reset.

Download RogueKiller.exe (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe)
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator to start"
For Windows XP, double-click to start.
Wait until the Prescan has finished
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit by File>Quit


long time for the internet icon
Is this the MS network icon or some other softwares icon like your wireless card?

dkamin
2013-07-11, 05:11
RogueKiller V8.5.2 [Mar 9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Dan Kamin [Admin rights]
Mode : Remove -- Date : 07/10/2013 22:10:33
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4C0C -> HOOKED (Unknown @ 0x8A3A0530)
SSDT[13] : NtAlertThread @ 0x805D4BBC -> HOOKED (Unknown @ 0x8A1FBD68)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AEE -> HOOKED (Unknown @ 0x89F8B270)
SSDT[19] : NtAssignProcessToJobObject @ 0x805D66D0 -> HOOKED (Unknown @ 0x8A5DB5C8)
SSDT[31] : NtConnectPort @ 0x805A4604 -> HOOKED (Unknown @ 0x8A33C098)
SSDT[43] : NtCreateMutant @ 0x80617822 -> HOOKED (Unknown @ 0x8A297630)
SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A2E -> HOOKED (Unknown @ 0x8A3C6418)
SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x89FB54B8)
SSDT[57] : NtDebugActiveProcess @ 0x80643CB2 -> HOOKED (Unknown @ 0x89E50750)
SSDT[68] : NtDuplicateObject @ 0x805BE03C -> HOOKED (Unknown @ 0x89F91268)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FE6 -> HOOKED (Unknown @ 0x8A1E7538)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9362 -> HOOKED (Unknown @ 0x8A1B6B60)
SSDT[91] : NtImpersonateThread @ 0x805D7890 -> HOOKED (Unknown @ 0x89E82A88)
SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8A369108)
SSDT[108] : NtMapViewOfSection @ 0x805B206E -> HOOKED (Unknown @ 0x8A2DC590)
SSDT[114] : NtOpenEvent @ 0x8060F1E0 -> HOOKED (Unknown @ 0x8A1FD2D0)
SSDT[122] : NtOpenProcess @ 0x805CB486 -> HOOKED (Unknown @ 0x8A1EFA38)
SSDT[123] : NtOpenProcessToken @ 0x805EE030 -> HOOKED (Unknown @ 0x8A219260)
SSDT[125] : NtOpenSection @ 0x805AA420 -> HOOKED (Unknown @ 0x8A03DD20)
SSDT[128] : NtOpenThread @ 0x805CB712 -> HOOKED (Unknown @ 0x8A1EF9F0)
SSDT[137] : NtProtectVirtualMemory @ 0x805B8452 -> HOOKED (Unknown @ 0x8A5DB4F8)
SSDT[206] : NtResumeThread @ 0x805D4A48 -> HOOKED (Unknown @ 0x89FFD1D8)
SSDT[213] : NtSetContextThread @ 0x805D2C4A -> HOOKED (Unknown @ 0x89F8F288)
SSDT[228] : NtSetInformationProcess @ 0x805CDED0 -> HOOKED (Unknown @ 0x8A25A278)
SSDT[240] : NtSetSystemInformation @ 0x8060FE98 -> HOOKED (Unknown @ 0x8A189D08)
SSDT[253] : NtSuspendProcess @ 0x805D4B10 -> HOOKED (Unknown @ 0x8A1FD1F0)
SSDT[254] : NtSuspendThread @ 0x805D4982 -> HOOKED (Unknown @ 0x89FFD298)
SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x89EF6208)
SSDT[258] : NtTerminateThread @ 0x805D2502 -> HOOKED (Unknown @ 0x8A19DE10)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E7C -> HOOKED (Unknown @ 0x89F8C2D0)
SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x8A2367B0)
S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A3CCBF8)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A3C5200)
S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A3C6950)
S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A3C2598)
S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A3E0E38)
S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A188778)
S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A3E4618)
S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A293850)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A3CFA60)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A369AC8)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9160314AS +++++
--- User ---
[MBR] 735558283eb882d10429f4baef6de194
[BSP] 2f3e1d68fd4dad25f7b87b4131285341 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_07102013_02d2210.txt >>
RKreport[1]_S_07102013_02d2209.txt ; RKreport[2]_D_07102013_02d2210.txt

dkamin
2013-07-11, 05:15
Is this the MS network icon or some other softwares icon like your wireless card?[/QUOTE]

It's the two computer screen icons, one for the Wireless Network Connection and one for Local Area Connection/Network Cable (I use Verizon Wifi and not cable plug in at home)

dkamin
2013-07-11, 05:29
By the way, I usually dock my computer and use external keyboard and screen at home. I took it out for this cleanup. Let me know if you'd like me to keep it out during any of the procedures we are doing. Thanks, Dan

dkamin
2013-07-11, 05:31
Just tried changing an item on the msconfigure startup tab and got the same Access denied message. However, as I mentioned, it did let me check the HP Printer item before, and retains that change.

shelf life
2013-07-12, 02:19
Try booting into safe mode and chose the option: safe mode with networking.
to reach safe mode tap the f8 key during a computer restart, chose the safe mode with networking option. Log into your normal account.
See if the networking services start up faster in safe mode then they do in normal mode. To get back to normal mode just reboot your machine like you normally would. You can keep the laptop out of the docking station.

dkamin
2013-07-12, 06:11
Try booting into safe mode and chose the option: safe mode with networking.
to reach safe mode tap the f8 key during a computer restart, chose the safe mode with networking option. Log into your normal account.
See if the networking services start up faster in safe mode then they do in normal mode. To get back to normal mode just reboot your machine like you normally would. You can keep the laptop out of the docking station.

Okay, this might have given us some clues. Here's what happened.

1) All desktop icons came up quickly
2) All my quick launch icons on the left of the toolbar came up quickly as well, but NONE of the icons on the right side of the taskbar came up--neither of the network icons, the indexing icon, the volume icon, the remove hardware icon, or the Norton icon;
3) Nevertheless, when I started Firefox, my default browser, it came right up and connected to the internet
4) Microsoft Outlet came up much more quickly than it usually does; HOWEVER, a second screen labelled Office 2010 came up on top, and a message saying that it was making connections or something--sorry, can't remember, FOLLOWED BY an error message saying that I it couldn't find a license for Office 2010, that the repair was cancelled by the user or the program, and that it was going to shut down the program. I use Office 2000 however, and this has never come up before when I open Outlook 2010. My copies of Outlook and Office are legal. I wonder if an incompatibility between the programs is causing the delayed startup.

shelf life
2013-07-13, 02:37
Your #4 observation is possible. Also I would make sure you have the latest driver for your NIC, based on the make and model of your machine. You only want to get it from the HP website, no where else. HP site also has good troubleshooting sections for various problems.

I want to check out the items under the driver section of Roguekiller. It dosnt mean malware, could be your AV. We will get a tool from Malwarebytes to use as one more check.

Download the beta version of Malwarebytes Anti-rootkit to your desktop.
Read the Disclaimer since this is a Beta version

http://www.malwarebytes.org/products/mbar/

Download Malwarebytes Anti-Rootkit from the link to the right.
Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access
Windows Update
Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
Verify that your system is now functioning normally.

Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
Copy and paste the contents of these two log files in your next reply.

dkamin
2013-07-13, 07:09
[QUOTE=shelf life;443190]Your #4 observation is possible. Also I would make sure you have the latest driver for your NIC, based on the make and model of your machine. You only want to get it from the HP website, no where else. HP site also has good troubleshooting sections for various problems.

I have a Dell Latitude D630, so I presume you mean to load it from the Dell website--I have an HP printer we've talked about, so that might be the confusion. I tried downloading some of the drivers but they wouldn't open. Could you check the site and advise? Then I'll proceed with the other suggestions. Let me know if you need my service tag number to access the driver site.

dkamin
2013-07-13, 16:55
Malwarebytes Anti-Rootkit didn't detect any threats. I don't believe a log file was created.

shelf life
2013-07-14, 00:23
your right I was thinking HP, not dell. Those dell drivers are a .exe file. what happens when you click on them? You might make sure in network connections that just your wireless adapter is enabled and any other local area connection is disabled. I assume with a laptop you are wireless.

Also go to start>run and type in: services.msc under the name column look for these ;

HP LaserJet Service
RealNetworks Downloader Resolver Service
HPSIService

right click on each one and select properties. Under the service status if it says Started click the Stop button to stop the service then change startup type to disabled. If you make any changes reboot your machine and see if it helped any.

dkamin
2013-07-14, 06:36
I couldn't download the drivers from Dell for some reason. Yes I usually just use the wireless. Should I disable all the others?

dkamin
2013-07-14, 06:59
Okay, I disabled the other internet items and the wireless came up right away. So if I need to plug into a cable connection is that Local Area 2 or Broadband Connection? What was the HP program you had me disable? I can still print wirelessly. I think you've cracked this thing, Shelf Life. Thank you so much! Dan

shelf life
2013-07-15, 00:40
ok. good. If you have to use a wired connection for your laptop enable the local area connection 2 and you can disable the wireless connection. I think the combination of two networks starting up slowed the process down. HPSI service is stuff thats installed with HP printer driver and starts at boot up. As long as you can print ok you can keep it disabled. All is good now?

dkamin
2013-07-15, 00:56
I think so. I start on the screen with the user names, which my friend Barry installed during a previous Spybot session to expedite the process and get around Malware that prevented me from changing the startup items. If I stay on that for a minute or so before clicking my username things come up in a couple of minutes, faster than if I click my username immediately. To tell you the truth, it's been so long since I've had normal startup that I think this time is pretty normal for Dell computers of this vintage. Do you think removing the other usernames would make it faster, or is as good and it'll get with my computer?

shelf life
2013-07-15, 04:19
If you are the only user of the machine then it wouldnt hurt to remove them. Will it speed boot up? Dont know really. I think you can delete them using the User Accounts in the control panel.

dkamin
2013-07-15, 15:33
My friend who installed them said that they came up much faster than my account before, but now the other account comes up in 2:30 and mine at 2:40, so I think that's a very reasonable startup time. I believe you can consider this case closed, and another feather in your cap. Thanks so much SL. Dan

shelf life
2013-07-17, 00:00
Glad to help. Couple things you can do:

start Adwcleaner and click the uninstall button. You can also delete the logs

DDS and Aswmbr, delete the icons/logs

rougekiller, just delete the icon/logs

Combofix:
start>run and type in conbofix /uninstall
note the space after the x and before the /

Malwarebytes: (general malware) keep and note the free version must be updated manually and a scan started manually
Malwarebytes Anti-Rootkit: (rootkits) Keep it if you want, must be updated manually and a scan started manually

That should cover it.
Some tips to help you remain malware free:

No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here. ( http://secunia.com/vulnerability_scanning/online/)
Check your browser for vulnerabilities. ( https://browserscan.rapid7.com/scanme)

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars or other "offers" if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits or lack of habits.*

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing tricks. (http://www.fraud.org/tips/internet/phishing.htm)

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX and Java applets with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista, Windows 7 and Windows 8 attempts to address.

Every MS remote code execution bulletin ends with this sentence: "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

8) Use Windows native firewall and get a inexpensive hardware router.

9) Your browser risks. The why and how (http://www.us-cert.gov/reading_room/securing_browser/) to secure your browser for safer surfing.
Consider disabling Java (http://disablejava.com/) in your browser.

10) Warez, cracks, keygens etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Do you really trust the source of the file?

More info with pictures in link below.
Happy Safe Surfing