Infected or malware--slow startup, System Restore inoperative

dkamin

New member
Here are my logs. I previously posted on this at http://forums.spybot.info/showthrea...artup-very-slow-and-System-Restore-is-blocked, and Tashi instructed me to start a new thread with the log files and link to the old one.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Dan Kamin at 11:02:56 on 2013-06-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.330 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\HPSIsvc.exe
C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.softonic.com/MOY00319/tb_v1?SearchSource=10&cc=&mi=0c924765000000000000001c234d9011
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\18.7.2.3\coieplg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\18.7.2.3\ips\ipsbho.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\18.7.2.3\coieplg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\18.7.2.3\coieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\stsystra.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://vnc.webex.com/client/wbs27-vzbprodcn/webex/ieatgpc.cab
TCP: NameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{2156BD58-3B3C-4CD3-A109-47A08F329673} : DHCPNameServer = 192.168.1.1 71.252.0.12
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dan kamin\application data\mozilla\firefox\profiles\3xyzcfc0.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlhtml5videoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlpepperflashvideoshim.dll
FF - plugin: c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\npdlplugin.dll
FF - plugin: c:\documents and settings\dan kamin\application data\mozilla\firefox\profiles\3xyzcfc0.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\dan kamin\local settings\application data\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
FF - ExtSQL: 2013-06-24 12:31; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files\mozilla firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - ExtSQL: !HIDDEN! 2010-12-29 12:00; smartwebprinting@hp.com; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn2
FF - ExtSQL: !HIDDEN! 2011-02-02 14:55; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.Softonic.autoRvrt - false
FF - user.js: extensions.Softonic.rvrt - false
FF - user.js: extensions.Softonic.hmpg - true
FF - user.js: extensions.Softonic.hmpgUrl - hxxp://search.softonic.com/MOY00319/tb_v1?SearchSource=13&cc=&mi=0c924765000000000000001c234d9011
FF - user.js: extensions.Softonic.hpOld0 - www.google.com
FF - user.js: extensions.Softonic.dfltSrch - true
FF - user.js: extensions.Softonic.srchPrvdr - Search the web (Softonic)
FF - user.js: extensions.Softonic.kw_url - hxxp://search.softonic.com/MOY00319/tb_v1?SearchSource=2&cc=&mi=0c924765000000000000001c234d9011&q=
FF - user.js: extensions.Softonic.dnsErr - true
FF - user.js: extensions.Softonic.newTab - true
FF - user.js: extensions.Softonic.newTabUrl - hxxp://search.softonic.com/MOY00319/tb_v1/?SearchSource=15&cc=&mi=0c924765000000000000001c234d9011
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1207020.003\symds.sys [2012-6-11 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1207020.003\symefa.sys [2012-6-11 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20130620.001\BHDrvx86.sys [2013-6-24 1002072]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1207020.003\ironx86.sys [2012-6-11 136312]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2011-10-4 99896]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.7.2.3\ccsvchst.exe [2012-6-11 130008]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2013-3-6 39056]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-3-18 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-3-18 1369624]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2013-5-14 3289208]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-3-14 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20130627.001\IDSXpx86.sys [2013-6-27 373728]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20130628.002\NAVENG.SYS [2013-6-28 93272]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20130628.002\NAVEX15.SYS [2013-6-28 1611992]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2009-6-24 136704]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-3-18 168384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-3 162408]
S3 mam4410c;mam4410c;c:\windows\system32\drivers\mam4410c.sys [2011-2-17 24784]
S3 mam4410m;mam4410m;c:\windows\system32\drivers\mam4410m.sys [2011-2-17 25044]
S3 mam4410u;mam4410u;c:\windows\system32\drivers\mam4410u.sys [2011-2-17 52309]
.
=============== File Associations ===============
.
ShellExec: FRONTPG.EXE: edit=c:\progra~1\micros~2\office\FRONTPG.EXE
.
=============== Created Last 30 ================
.
2013-06-27 21:32:31 94208 ----a-w- c:\windows\system32\stacsv.exe
2013-06-27 21:32:30 4952064 ----a-w- c:\windows\system32\stacgui.cpl
2013-06-27 21:32:30 405504 ----a-w- c:\windows\stsystra.exe
2013-06-27 21:32:30 1601536 ----a-w- c:\windows\system32\stlang.dll
2013-06-27 21:32:01 270336 ----a-w- c:\windows\system32\stacapi.dll
2013-06-25 02:01:18 -------- d-----w- c:\program files\Softonic
2013-06-25 01:57:28 -------- d-----w- c:\documents and settings\dan kamin\application data\Softonic
2013-06-25 01:51:35 -------- d-----w- c:\program files\free-aiff-mp3-converter
.
==================== Find3M ====================
.
2013-06-12 16:05:07 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-12 16:05:07 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-07 22:30:06 920064 ----a-w- c:\windows\system32\wininet.dll
2013-05-07 22:30:05 43520 ------w- c:\windows\system32\licmgr10.dll
2013-05-07 22:30:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-05-07 21:53:29 385024 ------w- c:\windows\system32\html.iec
2013-05-03 01:30:20 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38:17 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 18:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 11:04:42.90 ===============

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-06-28 11:39:09
-----------------------------
11:39:09.875 OS Version: Windows 5.1.2600 Service Pack 3
11:39:09.875 Number of processors: 2 586 0xF0D
11:39:09.906 ComputerName: DAN UserName:
11:39:25.562 Initialize success
11:52:50.875 AVAST engine defs: 13062800
11:53:23.375 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
11:53:23.375 Disk 0 Vendor: ST9160314AS D005DEM1 Size: 152627MB BusType: 3
11:53:23.406 Disk 0 MBR read successfully
11:53:23.406 Disk 0 MBR scan
11:53:23.484 Disk 0 Windows XP default MBR code
11:53:23.484 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152625 MB offset 63
11:53:23.500 Disk 0 scanning sectors +312576705
11:53:23.578 Disk 0 scanning C:\WINDOWS\system32\drivers
11:53:46.406 Service scanning
11:54:16.687 Modules scanning
11:54:27.281 Disk 0 trace - called modules:
11:54:27.281
11:54:27.906 AVAST engine scan C:\WINDOWS
11:54:57.015 AVAST engine scan C:\WINDOWS\system32
11:58:19.500 AVAST engine scan C:\WINDOWS\system32\drivers
11:58:50.890 AVAST engine scan C:\Documents and Settings\Dan Kamin
12:00:07.078 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dan Kamin\Desktop\MBR.dat"
12:00:07.078 The log file has been saved successfully to "C:\Documents and Settings\Dan Kamin\Desktop\aswMBR.txt"
12:02:39.218 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dan Kamin\Desktop\MBR.dat"
12:02:39.234 The log file has been saved successfully to "C:\Documents and Settings\Dan Kamin\Desktop\aswMBR.txt"
 

Hi dkamin,

If you still need help simply reply back.

Hi Shelf Life,

I believe I do. Startup, for some reason, has gotten quicker, but is still longer than I believe it should be; the desktop icons come up rather quickly but it seems to take a long time for the internet icon to come up in my taskbar. I haven't tried System Restore since Spybot's instructed me not to do that.

I found the programs that I inadvertently downloaded, and I believe I deleted them. One was called QuickShare widget extension. Also, a search engine called Softonic Downloader replaced Google in my browsers, but I was able (I think) to remove that. Appreciate any help you can offer to make sure I'm malware free. Thanks, Dan
 
Hi,

OK, as a check you can run AdwCleaner, which will remove junkware installs.

Please download AdwCleaner to your desktop.
Double-click on the AdwCleaner.exe icon to start.
Click on Search.
A log file will automatically open after the scan has finished.
Close the log file.
Now click on the Delete button. The machine will reboot and produce a new log at startup.
Copy and paste the contents of that log file into your reply.
You can also find the log files at C:\AdwCleaner[R1].txt, AdwCleaner[R2]
 
Adw Cleaner log

Hi SL. Here's the logfile. Bootup time still lags for internet icon to come in.

# AdwCleaner v2.304 - Logfile created 07/07/2013 at 12:05:05
# Updated 03/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Dan Kamin - DAN
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Dan Kamin\My Documents\Downloads\AdwCleaner(1).exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\Dan Kamin\Application Data\Mozilla\Firefox\Profiles\3xyzcfc0.default\searchplugins\softonic.xml
Folder Deleted : C:\DOCUME~1\DANKAM~1\LOCALS~1\Temp\Softonic
Folder Deleted : C:\Documents and Settings\Dan Kamin\Application Data\Softonic
Folder Deleted : C:\Program Files\Softonic

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7ABBFE1C-E485-44AA-8F36-353751B4124D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\649A52D257CA5DB4EAAE8BA9EB23E467

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://search.softonic.com/MOY00319/tb_v1/?SearchSource=15&cc=&mi=0c924765000000000000001c234d9011 --> hxxp://www.google.com

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Documents and Settings\Dan Kamin\Application Data\Mozilla\Firefox\Profiles\3xyzcfc0.default\prefs.js

C:\Documents and Settings\Dan Kamin\Application Data\Mozilla\Firefox\Profiles\3xyzcfc0.default\user.js ... Deleted !

Deleted : user_pref("extensions.Softonic.autoRvrt", "false");
Deleted : user_pref("extensions.Softonic.dfltSrch", true);
Deleted : user_pref("extensions.Softonic.dnsErr", true);
Deleted : user_pref("extensions.Softonic.hmpg", true);
Deleted : user_pref("extensions.Softonic.hmpgUrl", "hxxp://search.softonic.com/MOY00319/tb_v1?SearchSource=13&[...]
Deleted : user_pref("extensions.Softonic.hpOld0", "www.google.com");
Deleted : user_pref("extensions.Softonic.kw_url", "hxxp://search.softonic.com/MOY00319/tb_v1?SearchSource=2&cc[...]
Deleted : user_pref("extensions.Softonic.newTab", true);
Deleted : user_pref("extensions.Softonic.newTabUrl", "hxxp://search.softonic.com/MOY00319/tb_v1/?SearchSource=[...]
Deleted : user_pref("extensions.Softonic.rvrt", "false");
Deleted : user_pref("extensions.Softonic.srchPrvdr", "Search the web (Softonic)");
Deleted : user_pref("extensions.helperbar.SmartbarDisabled", false);
Deleted : user_pref("extensions.helperbar.SmartbarStateMinimaized", false);

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\n4bnyet8.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v28.0.1500.71

File : C:\Documents and Settings\Dan Kamin\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.2073] : homepage = "hxxp://search.softonic.com/MOY00319/tb_v1?SearchSource=48&cc=&mi=0c92476500000000000[...]

*************************

AdwCleaner[R1].txt - [3754 octets] - [07/07/2013 12:03:55]
AdwCleaner[S1].txt - [2681 octets] - [10/03/2013 16:56:33]
AdwCleaner[S2].txt - [3736 octets] - [07/07/2013 12:05:05]

########## EOF - C:\AdwCleaner[S2].txt - [3796 octets] ##########
 
That removed some goodies.

You can also download Malwarebytes to see if it can dig up anything. Keep and use it as an anti-malware app.

Please download the free version of Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
NOTE: The free version must be updated manually and a scan started manually.
 
Malwarebytes found no threats. The only issue now seems to be that my Network Connection and Local Area Connection icons take several minutes to load, 2-4 minutes. All the desktop icons load quite quickly, along with the other taskbar items. I also got a message on startup that indexing was paused due to disk activity. Do you think these things indicate that I still have a problem, or are they business as usual? Also, I haven't tried System Restore since trying it last week when my computer was first infected by Softonic and QuickShare, and it wouldn't work. Don't know if that should be rechecked. Thanks, Dan

Here's the Malwarebytes log.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.08.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dan Kamin :: DAN [administrator]

7/8/2013 10:29:15 AM
mbam-log-2013-07-08 (10-29-15).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 351794
Time elapsed: 2 hour(s), 28 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
Ok. We will get another download to use. It requires that you read a short guide first. Read through the guide then apply the directions on your own machine. Post the log in your reply and we will go from there.

Guide to using Combofix
 
ComboFix 13-07-08.04 - Dan Kamin 07/08/2013 22:29:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.808 [GMT -4:00]
Running from: c:\documents and settings\Dan Kamin\My Documents\Downloads\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\vlc-1.1.5-win32.exe
c:\documents and settings\Dan Kamin\WINDOWS
c:\windows\system32\_000036_.tmp.dll
c:\windows\system32\Cache
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\3c291164390c60dd.fb
c:\windows\system32\Cache\3cabfd7411ed8571.fb
c:\windows\system32\Cache\43aeac657b02f23e.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6797490e3d59566d.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\75b35f01df754a6c.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\9e616eaf85ab92ed.fb
c:\windows\system32\Cache\a076b89a7f2f9df4.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ace76dfae44e7816.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d12f9ced4eac5f13.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
E:\Autorun.inf
E:\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-06-09 to 2013-07-09 )))))))))))))))))))))))))))))))
.
.
2013-06-27 21:32 . 2007-05-10 14:23 94208 ----a-w- c:\windows\system32\stacsv.exe
2013-06-27 21:32 . 2007-05-10 14:23 4952064 ----a-w- c:\windows\system32\stacgui.cpl
2013-06-27 21:32 . 2007-05-10 14:22 405504 ----a-w- c:\windows\stsystra.exe
2013-06-27 21:32 . 2007-04-10 21:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2013-06-27 21:32 . 2007-05-10 14:23 270336 ----a-w- c:\windows\system32\stacapi.dll
2013-06-27 13:09 . 2013-06-27 13:12 -------- d-----w- c:\documents and settings\Administrator
2013-06-25 01:51 . 2013-06-25 02:00 -------- d-----w- c:\program files\free-aiff-mp3-converter
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 16:05 . 2012-04-05 13:05 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-12 16:05 . 2011-05-16 20:14 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-07 22:30 . 2006-03-04 03:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-05-07 22:30 . 2004-08-04 10:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-05-07 22:30 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-05-07 21:53 . 2004-08-04 10:00 385024 ------w- c:\windows\system32\html.iec
2013-05-03 01:30 . 2005-03-30 01:21 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2005-03-30 01:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-08-29 18:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-08-29 18:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-08-29 18:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE -b -l [2000-1-21 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe /startup [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-10-14 13:40 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-07-02 18:29 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 17:08 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2010-10-29 15:14 2498560 ----a-w- c:\windows\system32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
2012-08-29 18:51 1061960 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-12-29 02:32 136176 ----atw- c:\documents and settings\Dan Kamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-03-13 14:34 81920 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-02-20 16:35 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2006-06-26 15:33 243248 ----a-w- c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 07:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
2012-11-13 18:08 3825176 ----a-w- c:\program files\Spybot - Search & Destroy 2\SDTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 14:22 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-06-03 20:27 19603048 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-03-16 17:14 295512 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207020.003\symds.sys [6/11/2012 6:41 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207020.003\symefa.sys [6/11/2012 6:41 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20130702.001\BHDrvx86.sys [7/2/2013 4:47 PM 1002072]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207020.003\ironx86.sys [6/11/2012 6:41 PM 136312]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [10/4/2011 6:00 PM 99896]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.2.3\ccsvchst.exe [6/11/2012 6:41 PM 130008]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [3/6/2013 2:21 AM 39056]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [3/18/2013 4:54 PM 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [3/18/2013 4:54 PM 1369624]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/14/2013 12:09 PM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20130706.002\IDSXpx86.sys [7/8/2013 5:58 PM 373728]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [2/10/2012 6:17 PM 47360]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [6/24/2009 10:57 AM 136704]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [3/18/2013 4:54 PM 168384]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/3/2013 4:21 PM 162408]
S3 mam4410c;mam4410c;c:\windows\system32\drivers\mam4410c.sys [2/17/2011 7:59 PM 24784]
S3 mam4410m;mam4410m;c:\windows\system32\drivers\mam4410m.sys [2/17/2011 7:59 PM 25044]
S3 mam4410u;mam4410u;c:\windows\system32\drivers\mam4410u.sys [2/17/2011 7:59 PM 52309]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 16:05]
.
2013-07-08 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-03-18 18:08]
.
2013-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1500820517-682003330-1003Core.job
- c:\documents and settings\Dan Kamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-29 02:32]
.
2013-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1500820517-682003330-1003UA.job
- c:\documents and settings\Dan Kamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-29 02:32]
.
2013-07-08 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1229272821-1500820517-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-07-08 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1229272821-1500820517-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-07-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1229272821-1500820517-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-07-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1229272821-1500820517-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 15:36]
.
2013-07-03 c:\windows\Tasks\ReclaimerUpdateFiles_Dan Kamin.job
- c:\documents and settings\Dan Kamin\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.50\agent\rnupgagent.exe [2013-06-13 17:26]
.
2013-07-08 c:\windows\Tasks\ReclaimerUpdateXML_Dan Kamin.job
- c:\documents and settings\Dan Kamin\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.50\agent\rnupgagent.exe [2013-06-13 17:26]
.
2013-06-19 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-03-18 18:07]
.
2013-07-08 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Dan Kamin.job
- c:\documents and settings\Dan Kamin\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.50\agent\rnupgagent.exe [2013-06-13 17:26]
.
2013-03-18 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-03-18 18:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
FF - ProfilePath - c:\documents and settings\Dan Kamin\Application Data\Mozilla\Firefox\Profiles\3xyzcfc0.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - ExtSQL: !HIDDEN! 2010-12-29 12:00; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2
FF - ExtSQL: !HIDDEN! 2011-02-02 14:55; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
Notify-SDWinLogon - SDWinLogon.dll
MSConfigStartUp-MediaGet2 - c:\documents and settings\Dan Kamin\Local Settings\Application Data\MediaGet2\mediaget.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-08 22:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1004)
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2013-07-08 22:43:26
ComboFix-quarantined-files.txt 2013-07-09 02:43
.
Pre-Run: 78,789,869,568 bytes free
Post-Run: 78,924,890,112 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - 3F63A752F7D72314783978DDEF7BEF93
8F558EB6672622401DA993E1E865C861
 
Wireless printer causing delay?

Hi Shelf Life,

Not sure if this could be affecting my slow internet icon startups, but I often get error reports (to send to Microsoft) about the failure of my HP wireless printer failing to connect. Here are the parts of them I can copy and paste:

Some unexpected errors have happened to software you recently used. You were not asked to send these error reports at the time they occurred.

EventType : clr20r3 P1 : hplaserjetservice.exe P2 : 1.1.0.0
P3 : 4a425ade P4 : hplaserjetservice P5 : 1.1.0.0 P6 : 4a425ade
P7 : bd P8 : 10e P9 : system.nullreferenceexception

Thanks, Dan
 
It looks like you have these items disabled or unchecked in msconfig

msconfig\startupreg\hpqSRMon
You might try checking it and see if it's related to the printer error you're seeing.


Enable this one also and see if it helps your connection
msconfig\startupreg\Broadcom Wireless Manager UI
 
Okay, here's what's happening. I entered msconfig and checked the hpq box. When I hit "Okay" I got a message that access was denied, because I don't have administrator privileges. My friend who helped me earlier said I shouldn't be getting this command, that it might be malware wanting to prevent my accessing msconfig. However, when I rebooted the item remained checked.

I couldn't find the Broadcom Wireless Manager in the startup list. I use XP, if that's any help to locate it.

Startup remains about 5 minutes long. However, I have three users listed, and if I stay on the user screen for a minute the icons come up much faster, but the wireless and cable connection icons still take about two minutes.

Sorry to be such a bother! Dan
 
Malwarebytes will fix things malware might do, like a disabled Task Manager or being unable to make registry changes. Not seeing any malware. Let's get another download which is similar to AdwCleaner. Make sure all the toolbar garbage is gone. You might also try resetting IE back to its defaults: IE > Tools > Internet Options > Advanced tab > Reset.

Download RogueKiller.exe
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start.
For Windows XP, double-click to start.
Wait until the Prescan has finished
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "Delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit by File>Quit

long time for the internet icon
Is this the MS network icon or some other software's icon, like your wireless card?
 
RogueKiller Log 3-16-13

RogueKiller V8.5.2 [Mar 9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Dan Kamin [Admin rights]
Mode : Remove -- Date : 07/10/2013 22:10:33
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4C0C -> HOOKED (Unknown @ 0x8A3A0530)
SSDT[13] : NtAlertThread @ 0x805D4BBC -> HOOKED (Unknown @ 0x8A1FBD68)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AEE -> HOOKED (Unknown @ 0x89F8B270)
SSDT[19] : NtAssignProcessToJobObject @ 0x805D66D0 -> HOOKED (Unknown @ 0x8A5DB5C8)
SSDT[31] : NtConnectPort @ 0x805A4604 -> HOOKED (Unknown @ 0x8A33C098)
SSDT[43] : NtCreateMutant @ 0x80617822 -> HOOKED (Unknown @ 0x8A297630)
SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A2E -> HOOKED (Unknown @ 0x8A3C6418)
SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x89FB54B8)
SSDT[57] : NtDebugActiveProcess @ 0x80643CB2 -> HOOKED (Unknown @ 0x89E50750)
SSDT[68] : NtDuplicateObject @ 0x805BE03C -> HOOKED (Unknown @ 0x89F91268)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FE6 -> HOOKED (Unknown @ 0x8A1E7538)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9362 -> HOOKED (Unknown @ 0x8A1B6B60)
SSDT[91] : NtImpersonateThread @ 0x805D7890 -> HOOKED (Unknown @ 0x89E82A88)
SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8A369108)
SSDT[108] : NtMapViewOfSection @ 0x805B206E -> HOOKED (Unknown @ 0x8A2DC590)
SSDT[114] : NtOpenEvent @ 0x8060F1E0 -> HOOKED (Unknown @ 0x8A1FD2D0)
SSDT[122] : NtOpenProcess @ 0x805CB486 -> HOOKED (Unknown @ 0x8A1EFA38)
SSDT[123] : NtOpenProcessToken @ 0x805EE030 -> HOOKED (Unknown @ 0x8A219260)
SSDT[125] : NtOpenSection @ 0x805AA420 -> HOOKED (Unknown @ 0x8A03DD20)
SSDT[128] : NtOpenThread @ 0x805CB712 -> HOOKED (Unknown @ 0x8A1EF9F0)
SSDT[137] : NtProtectVirtualMemory @ 0x805B8452 -> HOOKED (Unknown @ 0x8A5DB4F8)
SSDT[206] : NtResumeThread @ 0x805D4A48 -> HOOKED (Unknown @ 0x89FFD1D8)
SSDT[213] : NtSetContextThread @ 0x805D2C4A -> HOOKED (Unknown @ 0x89F8F288)
SSDT[228] : NtSetInformationProcess @ 0x805CDED0 -> HOOKED (Unknown @ 0x8A25A278)
SSDT[240] : NtSetSystemInformation @ 0x8060FE98 -> HOOKED (Unknown @ 0x8A189D08)
SSDT[253] : NtSuspendProcess @ 0x805D4B10 -> HOOKED (Unknown @ 0x8A1FD1F0)
SSDT[254] : NtSuspendThread @ 0x805D4982 -> HOOKED (Unknown @ 0x89FFD298)
SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x89EF6208)
SSDT[258] : NtTerminateThread @ 0x805D2502 -> HOOKED (Unknown @ 0x8A19DE10)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E7C -> HOOKED (Unknown @ 0x89F8C2D0)
SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x8A2367B0)
S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A3CCBF8)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A3C5200)
S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A3C6950)
S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A3C2598)
S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A3E0E38)
S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A188778)
S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A3E4618)
S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A293850)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A3CFA60)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A369AC8)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9160314AS +++++
--- User ---
[MBR] 735558283eb882d10429f4baef6de194
[BSP] 2f3e1d68fd4dad25f7b87b4131285341 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_07102013_02d2210.txt >>
RKreport[1]_S_07102013_02d2209.txt ; RKreport[2]_D_07102013_02d2210.txt
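The SSDT and Shadow SSDT hook lines in the Driver section above are the part of a RogueKiller report a reviewer reads most carefully, because behaviour-blocking AV and malware hook the very same calls. As an added example (not part of the thread and not RogueKiller code), this script parses those lines and summarises what a reviewer checks first: which call families are intercepted, who owns the hook targets, and whether the targets cluster the way one driver's allocations would. The functional groups and the 16 MiB clustering threshold are this example's own assumptions.

```python
"""Triage helper for SSDT / Shadow SSDT hook lines from a RogueKiller 'Driver'
section. Added example for this thread, not RogueKiller code; the functional
groups and the clustering threshold are this example's own assumptions and
describe what is intercepted, they do not decide whether it is malicious."""
import re
from collections import Counter

# Constructed sample: six hook lines as posted in the thread, plus the
# surrounding section headers, so the parser is seen skipping non-hook lines.
SAMPLE_LOG = """\
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8A369108)
SSDT[122] : NtOpenProcess @ 0x805CB486 -> HOOKED (Unknown @ 0x8A1EFA38)
SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x89EF6208)
SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x8A2367B0)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A3C5200)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A3CFA60)

¤¤¤ HOSTS File: ¤¤¤
"""

# One hook per line; Shadow SSDT (S_SSDT) lines carry no original address.
HOOK_RE = re.compile(
    r"^(?P<table>S_SSDT|SSDT)\[(?P<index>\d+)\]\s*:\s*(?P<name>\w+)"
    r"(?:\s*@\s*0x(?P<orig>[0-9A-Fa-f]+))?\s*->\s*HOOKED\s*"
    r"\((?P<owner>[^@]+?)\s*@\s*0x(?P<target>[0-9A-Fa-f]+)\)\s*$"
)

# What a hook on each call lets its owner observe or block. Security products
# hook these to protect themselves and inspect input, so grouping is descriptive.
GROUPS = {
    "process/thread control": {
        "NtOpenProcess", "NtOpenThread", "NtCreateThread", "NtTerminateProcess",
        "NtTerminateThread", "NtSuspendProcess", "NtSuspendThread", "NtResumeThread",
        "NtSetContextThread", "NtDebugActiveProcess", "NtSetInformationProcess"},
    "memory/code injection": {
        "NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtWriteVirtualMemory",
        "NtFreeVirtualMemory", "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "driver/system config": {"NtLoadDriver", "NtSetSystemInformation"},
    "keyboard/input": {
        "NtUserGetAsyncKeyState", "NtUserGetKeyState", "NtUserGetKeyboardState",
        "NtUserGetRawInputData", "NtUserAttachThreadInput"},
    "window hooks/messages": {
        "NtUserSetWindowsHookEx", "NtUserSetWinEventHook", "NtUserPostMessage",
        "NtUserPostThreadMessage", "NtUserMessageCall"},
}

def classify(name):
    """Functional group of a syscall name, or 'other' if it is not in GROUPS."""
    for group, names in GROUPS.items():
        if name in names:
            return group
    return "other"

def parse_hooks(report_text):
    """Return one dict per SSDT/S_SSDT hook line; every other line is ignored."""
    hooks = []
    for line in report_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({
                "table": m["table"], "index": int(m["index"]), "name": m["name"],
                "original": int(m["orig"], 16) if m["orig"] else None,
                "owner": m["owner"].strip(), "target": int(m["target"], 16),
                "group": classify(m["name"]),
            })
    return hooks

def summarize(hooks, cluster_limit=16 * 1024 * 1024):
    """Counts per table and per group, the owners named, and the address span
    of the hook targets. A span under cluster_limit (16 MiB, an assumption of
    this example) is consistent with every hook landing in one driver's memory."""
    targets = [h["target"] for h in hooks]
    span = max(targets) - min(targets) if targets else 0
    return {
        "total": len(hooks),
        "by_table": Counter(h["table"] for h in hooks),
        "by_group": Counter(h["group"] for h in hooks),
        "owners": sorted({h["owner"] for h in hooks}),
        "target_span": span,
        "single_cluster": bool(targets) and span < cluster_limit,
    }

if __name__ == "__main__":
    s = summarize(parse_hooks(SAMPLE_LOG))
    print(f"{s['total']} hooks, tables={dict(s['by_table'])}, owners={s['owners']}")
    for group, n in s["by_group"].most_common():
        print(f"  {n:2d}  {group}")
    print(f"targets span 0x{s['target_span']:X} bytes; one cluster: {s['single_cluster']}")
```

Run against the full Driver section of an RKreport file instead of SAMPLE_LOG to get the same summary for the real list; an "Unknown" owner only means RogueKiller did not name the module at that address, so the next step is to identify which loaded driver owns that address range.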
 
Is this the MS network icon or some other software's icon, like your wireless card?

It's the two computer screen icons, one for the Wireless Network Connection and one for Local Area Connection/Network Cable (I use Verizon Wifi and not cable plug in at home)
 
Docking station

By the way, I usually dock my computer and use external keyboard and screen at home. I took it out for this cleanup. Let me know if you'd like me to keep it out during any of the procedures we are doing. Thanks, Dan
 
msconfig

Just tried changing an item on the msconfig startup tab and got the same Access Denied message. However, as I mentioned, it did let me check the HP Printer item before, and retains that change.
 
Try booting into safe mode and choose the option: Safe Mode with Networking.
To reach safe mode, tap the F8 key during a computer restart and choose the Safe Mode with Networking option. Log into your normal account.
See if the networking services start up faster in safe mode than they do in normal mode. To get back to normal mode, just reboot your machine like you normally would. You can keep the laptop out of the docking station.
 
Okay, this might have given us some clues. Here's what happened.

1) All desktop icons came up quickly
2) All my quick launch icons on the left of the toolbar came up quickly as well, but NONE of the icons on the right side of the taskbar came up--neither of the network icons, the indexing icon, the volume icon, the remove hardware icon, or the Norton icon;
3) Nevertheless, when I started Firefox, my default browser, it came right up and connected to the internet
4) Microsoft Outlook came up much more quickly than it usually does; HOWEVER, a second screen labelled Office 2010 came up on top, and a message saying that it was making connections or something--sorry, can't remember, FOLLOWED BY an error message saying that it couldn't find a license for Office 2010, that the repair was cancelled by the user or the program, and that it was going to shut down the program. I use Office 2000 however, and this has never come up before when I open Outlook 2010. My copies of Outlook and Office are legal. I wonder if an incompatibility between the programs is causing the delayed startup.
 
Your #4 observation is possible. Also, I would make sure you have the latest driver for your NIC, based on the make and model of your machine. You only want to get it from the HP website, nowhere else. The HP site also has good troubleshooting sections for various problems.

I want to check out the items under the driver section of RogueKiller. It doesn't mean malware; it could be your AV. We will get a tool from Malwarebytes to use as one more check.

Download the beta version of Malwarebytes Anti-rootkit to your desktop.
Read the Disclaimer since this is a Beta version

http://www.malwarebytes.org/products/mbar/

Download Malwarebytes Anti-Rootkit from the link to the right.
Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access
Windows Update
Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
Verify that your system is now functioning normally.

Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
Copy and paste the contents of these two log files in your next reply.
 