Slow boot time (6 Minutes)


  • This topic is locked
18 replies to this topic

#1 TimmU

    Advanced Member

  • Full Member
  • 193 posts

Posted 29 August 2009 - 10:46 PM

Hey guys. Thanks in advance.

My computer starts really slow. It takes 6 minutes from when I see my desktop to when Firefox is up and running. That seems pretty long to me.

Yes, I am running McAfee, but this is only a recent problem I've noticed. I've been running McAfee for a while now, and I only started noticing this a couple of weeks ago.

Other than this, I see no other problems. After this initial slow boot all programs start and run at an acceptable speed.

I ran Kaspersky online scanner (no problems found), McAfee (nothing), MBAM (nothing), Spybot (nothing but a few cookies).

I also cleared cookies, cache, and temporary files. I also defragmented (didn't really need it). Nothing really changed after this.

My system runs Windows XP.

Here is my HijackThis in case you wanna take a look.. THANKS guys. I appreciate your help/input.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:45 PM, on 8/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\EzButton\CPATR10.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwaprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CPATR10] C:\PROGRA~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /FU "C:\WINDOWS\TEMP\E_SE4.tmp" /EF "HKCU"
O4 - Global Startup: Wireless Client Manager.lnk = ?
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6835 bytes
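A HijackThis log is plain text read section by section: a running-process list, then coded entries (R0/R1 browser settings, O2 BHOs, O4 autostarts, O23 services). The following Python script is an added example, not HijackThis code and not part of this thread: it parses a handful of lines excerpted from the log above, groups them by entry code, and flags the three things a log helper looks at first, namely Run-key commands given without an explicit path (resolved by search order, so the file that actually runs should be confirmed), orphaned entries ("(no file)" or "= ?"), and services with no publisher recorded. The finding labels and the `triage` logic are my own; the sample lines come from the posted log.

```python
"""Triage a HijackThis 2.0.2 log (added example; not HijackThis code)."""
import re
from collections import defaultdict

# Lines excerpted from the HijackThis log posted above (same shapes as the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Wireless Client Manager.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
"""

# "O4 - <body>", "R1 - <body>", ...
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 Run-key body: HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 body: Service: name - owner - X:\path ; the owner may be empty, so the
# separator before the path is written " ?- " to accept both "a -  - C:" and "a - - C:".
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>[A-Za-z]:\\.*)$")


def parse_log(text):
    """Return {'processes': [...], 'entries': {code: [body, ...]}}."""
    processes, entries = [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("code")].append(m.group("body"))
    return {"processes": processes, "entries": dict(entries)}


def run_entries(parsed):
    """(hive, value name, command line) for each O4 Run-key entry."""
    out = []
    for body in parsed["entries"].get("O4", []):
        m = RUN_RE.match(body)
        if m:
            out.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return out


def first_token(cmd):
    """The executable part of a Run-key command line, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(parsed):
    """Return (label, reason) pairs for entries a reviewer checks first."""
    findings = []
    running = {p.rsplit("\\", 1)[-1].lower() for p in parsed["processes"]}
    for hive, name, cmd in run_entries(parsed):
        exe = first_token(cmd)
        if "\\" not in exe:
            findings.append((f"O4 {hive} [{name}]", "no explicit path; resolved by search order"))
        elif exe.rsplit("\\", 1)[-1].lower() not in running:
            findings.append((f"O4 {hive} [{name}]", "configured to start but not in the process list"))
    for body in parsed["entries"].get("O4", []):
        if body.endswith(" = ?"):
            findings.append((f"O4 {body}", "startup shortcut with unresolved target"))
    for body in parsed["entries"].get("O9", []):
        if body.endswith("(no file)"):
            findings.append((f"O9 {body}", "button entry whose file is missing"))
    for body in parsed["entries"].get("O23", []):
        m = SERVICE_RE.match(body)
        if m and m.group("owner") in ("", "Unknown owner"):
            findings.append((f"O23 {m.group('name')}", "service with no publisher recorded"))
    return findings


if __name__ == "__main__":
    for label, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{label}: {reason}")
```

None of these findings is a verdict; on this log every flagged item is a Toshiba, ATI or printer component, which is consistent with the helper's "nothing suspicious" reply below. The point of the script is to make the reviewer's first pass repeatable: the same log, the same three checks, every time.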

#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,533 posts

Posted 01 September 2009 - 10:56 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

    Forum Deity

  • Global Moderator
  • 49,347 posts

Posted 03 September 2009 - 08:46 AM

Hi,
I'm nasdaq and will be helping you.

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Nothing suspicious was found on your log.

Download ATF Cleaner by Atribune from here http://www.atribune....c...5&Itemid=25 and save it to your Desktop.
Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache


The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

* The purpose of the Prefetch folder is to increase the speed at which you can access the programs that you use on your PC. Unfortunately, Windows doesn't differentiate between a program you use every day and one you use every blue moon, which means that it may be prefetching a lot of stuff that you rarely use, adding to your startup time.
You may find that the first time you boot up after cleaning out this folder, your PC takes longer to get into gear - the second, and subsequent, boots should be quicker.
===

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#4 TimmU

    Advanced Member

  • Full Member
  • 193 posts

Posted 03 September 2009 - 09:55 AM

Thanks nasdaq!

I ran ATFCleaner

Here is the log requested:


Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!


``````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 15
Adobe Flash Player 10
Adobe Reader 7.1.0
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent


McAfee VirusScan McShield.exe
McAfee VIRUSS~1 mcsysmon.exe

``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

#5 nasdaq

    Forum Deity

  • Global Moderator
  • 49,347 posts

Posted 03 September 2009 - 12:41 PM

Nothing suspicious was found.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingc...to-use-combofix

Link 1
Link 2


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

nasdaq


#6 TimmU

    Advanced Member

  • Full Member
  • 193 posts

Posted 03 September 2009 - 01:48 PM

Thanks for checking my stuff, nasdaq.

Here is the log requested:



ComboFix 09-09-03.02 - Victor 09/03/2009 14:21.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.274 [GMT -5:00]
Running from: c:\documents and settings\Victor\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\10868.msi
c:\windows\Installer\11a6752.msp
c:\windows\Installer\1202bb.msi
c:\windows\Installer\20463.msi
c:\windows\Installer\2af592.msi
c:\windows\Installer\72960.msi
c:\windows\Installer\8ca76.msi
c:\windows\Installer\96b0f.msi

.
((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-08-13 22:43 . 2005-05-13 05:00 278528 ----a-w- c:\windows\system32\esint5a.dll
2009-08-13 22:43 . 2005-05-13 05:00 176128 ----a-w- c:\windows\system32\eswia5a.dll
2009-08-13 22:42 . 2009-08-13 22:42 -------- d-----w- C:\epson
2009-08-13 22:09 . 2009-08-13 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2009-08-13 22:09 . 2007-12-07 07:08 86528 ----a-w- c:\windows\system32\E_FLBALA.DLL
2009-08-13 22:09 . 2007-12-07 07:01 78848 ----a-w- c:\windows\system32\E_FD4BALA.DLL
2009-08-12 13:46 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 03:34 . 2009-08-13 22:43 -------- d-----w- c:\program files\EPSON
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-26 14:49 . 2008-02-03 04:30 -------- d-----w- c:\program files\dl_Cats
2009-08-05 09:01 . 2004-03-19 21:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 22:21 . 2004-03-17 05:01 -------- d-----w- c:\program files\Java
2009-08-04 00:00 . 2009-04-01 17:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 18:36 . 2009-04-01 17:37 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-04-01 17:37 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-29 14:02 . 2007-04-23 20:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-25 10:23 . 2008-12-14 19:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 03:55 . 2008-04-04 05:27 -------- d-----w- c:\program files\Windows Live
2009-07-17 19:01 . 2004-03-19 21:01 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-03-01 18:17 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-02-07 01:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2002-08-07 21:46 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2002-08-07 21:45 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2002-08-29 11:41 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2004-03-19 21:00 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-03-19 21:01 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2002-08-07 21:46 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-04-03 17:00 . 2009-04-03 13:13 929824 --sha-w- c:\windows\system32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CeEPOWER"="c:\program files\TOSHIBA\Power Management\CePMTray.exe" [2002-07-19 90112]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2002-07-19 339968]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2002-07-25 45056]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-07-04 40960]
"CPATR10"="c:\progra~1\EzButton\CPATR10.EXE" [2002-08-17 151552]
"TSysSMon"="c:\toshiba\sysstability\tsyssmon.exe" [2002-04-05 49152]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-07-15 159744]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-03-29 122880]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2006-10-20 73728]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2002-05-30 163840]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SoundFusion"="cwaprops.cpl" - c:\windows\system32\cwaprops.cpl [2001-12-20 614912]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2002-04-23 28672]
"AtiPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2002-04-23 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Client Manager.lnk - c:\program files\Wireless\Client Manager\CMAGS.EXE [2004-3-19 323584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Victor^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Victor\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Toshiba\\Ivp\\NetInt\\Netint.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE"=
"c:\\WINDOWS\\system32\\dlcfcoms.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 DPortIO;Dritek Port I/O Driver;c:\windows\system32\drivers\DPORTIO.SYS [4/12/2001 6:04 PM 3674]
R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [11/18/2007 10:55 PM 137344]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/27/2009 5:34 PM 203280]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [8/7/2002 6:57 PM 34712]
R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [11/18/2007 10:55 PM 12032]
R3 wlags48d;Agere Wireless PCCard Service;c:\windows\system32\drivers\wlags48d.sys [3/19/2004 4:27 PM 154112]
S3 busbcrw;USB Card Reader Writer driver;c:\windows\system32\drivers\busbcrw.sys [8/17/2008 4:12 PM 16896]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2006-03-27 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4135551756.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 23:56]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-27 19:32]

2002-08-31 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-30 19:23]

2009-09-03 c:\windows\Tasks\User_Feed_Synchronization-{C7DFE059-D9D2-452D-A1FB-27E22D6E30D4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Victor\Application Data\Mozilla\Firefox\Profiles\q8kw0fd7.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.hotmail.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 14:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\Hw*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.6118"
"DeviceInstanceIds"=multi:"\00"
.
Completion time: 2009-09-03 14:36
ComboFix-quarantined-files.txt 2009-09-03 19:35
ComboFix2.txt 2009-06-25 02:43

Pre-Run: 27,334,197,248 bytes free
Post-Run: 27,283,628,032 bytes free

167 --- E O F --- 2009-08-26 02:31
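The "Reg Loading Points" section of the ComboFix log above is a REGEDIT4-style fragment, and two of its keys explain findings elsewhere in the thread. The following Python is an added example, not ComboFix code and not part of this thread: it parses the firewall-policy and Security Center lines excerpted from that fragment and summarises them. `EnableFirewall` = 0 in the standard profile is the Windows Firewall switched off, which is what Security Check reported earlier as "Windows Firewall Disabled!"; the `AuthorizedApplications\List` value names are the programs allowed through it; and `DisableMonitoring` = 1 under `Security Center\Monitoring\<product>` is the XP-era setting through which a third-party suite such as McAfee suppresses the built-in antivirus and firewall alerts for its own components. Key paths and value spellings follow the log; the `as_int` decoder and the report layout are my own.

```python
"""Summarise firewall and Security Center values from a ComboFix
"Reg Loading Points" fragment (added example; not ComboFix code)."""
import re

# Lines excerpted from the ComboFix log posted above.
SAMPLE_FRAGMENT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dlcfcoms.exe"=
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")          # [HKLM\...\key]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')  # "Name"=data


def parse_reg_fragment(text):
    """Return {key path: {value name: raw data string}}; '@=' lines are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def as_int(data):
    """Decode the two numeric spellings in the fragment:
    'dword:00000001' (hex) and '0 (0x0)' (decimal, hex repeated in parentheses)."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = re.match(r"^-?\d+", data)
    return int(m.group(0)) if m else None


def review_policy(keys):
    """Report Windows Firewall state, the firewall's authorised applications and
    the products for which Security Center monitoring has been switched off."""
    report = {"windows_firewall": "unknown", "authorized_apps": [], "monitoring_disabled_for": []}
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("firewallpolicy\\standardprofile") and "EnableFirewall" in values:
            report["windows_firewall"] = "enabled" if as_int(values["EnableFirewall"]) else "disabled"
        elif k.endswith("authorizedapplications\\list"):
            # REGEDIT4 doubles backslashes inside quoted names; undo that for display.
            report["authorized_apps"] = sorted(name.replace("\\\\", "\\") for name in values)
        elif "\\security center\\monitoring\\" in k and as_int(values.get("DisableMonitoring", "dword:0")):
            report["monitoring_disabled_for"].append(key.rsplit("\\", 1)[-1])
    return report


if __name__ == "__main__":
    for item, value in review_policy(parse_reg_fragment(SAMPLE_FRAGMENT)).items():
        print(f"{item}: {value}")
```

On this machine the combination is coherent: the McAfee suite has taken over both the firewall and the antivirus role, so the built-in firewall being off and Security Center not monitoring those two components is the expected configuration rather than a tampering sign. The same check on a log where no third-party firewall is installed would read very differently.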

#7 nasdaq

    Forum Deity

  • Global Moderator
  • 49,347 posts

Posted 03 September 2009 - 02:28 PM

Looking good.

Any persisting problems?
nasdaq


#8 TimmU

    Advanced Member

  • Full Member
  • 193 posts

Posted 03 September 2009 - 05:48 PM

Well, I've turned my computer on and off a couple of times. Now instead of 6 minutes, it takes about 4 minutes.

Is 4 minutes from when you see a desktop to when Firefox is up and running a good time? It still seems a little long to me. Am I being too picky?

Thanks nasdaq.



EDIT:
Just wanted to let you know: while doing a quick scan with MBAM, McAfee showed me this log reported by a real-time scan:

***

Decetion name: Artemis!3c141448F0B6 (Trojan), Artemis!3c141448F0b6 (Trojan)

File: C:\Documents and Settings\User\Desktop\Combofix.exe

Process: C:\Program Files\Malwarebytes' AntiMalware\mbam.exe

Process Description: Malwarebytes' AntiMalware

****

When I checked my desktop, ComboFix was no longer there. I'm not too concerned because I know AVs don't really like ComboFix. Just wanted to let you know. Thanks for your help. :-)

Edited by TimmU, 03 September 2009 - 07:37 PM.


#9 nasdaq

    Forum Deity

  • Global Moderator
  • 49,347 posts

Posted 04 September 2009 - 07:42 AM

To remove the ComboFix tool you should follow these directives.

Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Decetion name: Artemis!3c141448F0B6 (Trojan), Artemis!3c141448F0b6 (Trojan)

Unable to find anything on this trojan name.

Let's use this online scanner (don't worry, it doesn't delete anything, it only detects).

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:Scan Archives
      Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
*/*
nasdaq


#10 TimmU

    Advanced Member

  • Full Member
  • 193 posts

Posted 04 September 2009 - 09:51 AM

Hey nasdaq.

Thanks. The ComboFix /u didn't work because it couldn't find ComboFix. I think this is right, because McAfee removed it thinking it was that trojan I posted about in my last post.

I normally do the Kaspersky online scanner from here:
http://usa.kaspersky...rus-scanner.php

This takes about 18 hours to complete on my computer. Is the scan you are asking me to run ( http://www.kaspersky.com/virusscanner ) the same one? Do you think it takes as long?

If it does, then I'm going to have to wait to run it until Saturday. I can't stop using it for 18 hours on a weekday, because I have some business to take care of from this computer.

If you think the Kaspersky you gave me is faster than the one I normally do, let me know and I'll do it for sure. If it takes as long as the one I normally do, then I'll have to wait about 24 hours to run it. I hope you can understand. Please let me know.

Edited by TimmU, 04 September 2009 - 09:52 AM.


#11 nasdaq

    Forum Deity

  • Global Moderator
  • 49,347 posts

Posted 04 September 2009 - 11:22 AM

It's probably the same.

Do you have a log from the last time you scanned your computer with it?

Run this scan; we may get lucky.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found.
  • If so, click it and then click the next icon right below and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

nasdaq


#12 TimmU

    Advanced Member

  • Full Member
  • 193 posts

Posted 04 September 2009 - 12:39 PM

I sure do have the log from last time. Here it is:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, August 29, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, August 29, 2009 19:37:49
Records in database: 2705002
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 78690
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 09:17:08

No threats found. Scanned area is clean.

Selected area has been scanned.


Meanwhile I will run DrWeb.

#13 TimmU (Advanced Member, 193 posts)

Posted 04 September 2009 - 01:23 PM

Hey nasdaq.

I ran DrWeb.

It was a little confusing, but I think I got it.

I believe it ran the Express scan on its own. When it was done, it said "Done - no viruses found".

After that I wasn't able to follow any of the rest of the instructions.

Basically, starting from the following line down, I couldn't follow any of the instructions:
"Once the short scan has finished, mark the drives that you want to scan."

I couldn't even get a log for you because the Save report list option was not available.

#14 TimmU (Advanced Member, 193 posts)

Posted 04 September 2009 - 05:48 PM

Hey nasdaq. I finally got DrWeb to work. I didn't use the directions provided, though. I did it a bit differently.

I did a custom scan and scanned Local Disk (C:).

Here is the log. Thanks!!

C2152591d01\32788R22FWJFW\c.bat;C:\Documents and Settings\Victor\Local Settings\Application Data\Mozilla\Firefox\Profiles\q8kw0fd7.default\Cache\C2152591d01;Probably BATCH.Virus;;
C2152591d01;C:\Documents and Settings\Victor\Local Settings\Application Data\Mozilla\Firefox\Profiles\q8kw0fd7.default\Cache;Archive contains infected objects;Moved.;
A0005481.bat;C:\System Volume Information\_restore{E7FB4978-6866-4123-BB76-8116BAB3495B}\RP56;Probably BATCH.Virus;Incurable.Moved.;
A0005612.exe\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{E7FB4978-6866-4123-BB76-8116BAB3495B}\RP56\A0005612.exe;Probably BATCH.Virus;;
A0005612.exe;C:\System Volume Information\_restore{E7FB4978-6866-4123-BB76-8116BAB3495B}\RP56;Archive contains infected objects;Moved.;

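Reading a DrWeb.csv report like the one above by hand is error-prone. The following is an added example, not a Dr.Web tool and not code from this thread: it parses the semicolon-separated records, labels where each hit lives (restore point, browser cache, other) and lists anything CureIt left without an action. The sample report is constructed from the lines posted above.

```python
import csv
from dataclasses import dataclass
from io import StringIO
from typing import List

# Constructed sample report, modelled on the DrWeb.csv lines posted above.
# Record layout: object;containing path;verdict;action;
# 'object' is "archive\member" when the hit is inside an archive; such inner
# hits carry an empty action because CureIt acts on the archive itself.
SAMPLE_REPORT = """\
C2152591d01\\32788R22FWJFW\\c.bat;C:\\Documents and Settings\\Victor\\Local Settings\\Application Data\\Mozilla\\Firefox\\Profiles\\q8kw0fd7.default\\Cache\\C2152591d01;Probably BATCH.Virus;;
C2152591d01;C:\\Documents and Settings\\Victor\\Local Settings\\Application Data\\Mozilla\\Firefox\\Profiles\\q8kw0fd7.default\\Cache;Archive contains infected objects;Moved.;
A0005481.bat;C:\\System Volume Information\\_restore{E7FB4978-6866-4123-BB76-8116BAB3495B}\\RP56;Probably BATCH.Virus;Incurable.Moved.;
"""

@dataclass
class Hit:
    obj: str        # object name, or "archive\member" for a hit inside an archive
    path: str       # directory (or archive) that contains the object
    verdict: str    # Dr.Web's verdict, e.g. "Probably BATCH.Virus"
    action: str     # what CureIt did; empty for members of an archive
    location: str   # coarse classification from classify()

def classify(path: str) -> str:
    """Map the containing path to a coarse location a helper cares about."""
    p = path.lower()
    if "\\system volume information\\" in p:
        return "restore point"      # old copies kept by System Restore
    if "\\mozilla\\firefox\\" in p and "\\cache" in p:
        return "firefox cache"      # downloaded content, not an installed program
    return "other"

def parse_report(text: str) -> List[Hit]:
    """Parse DrWeb.csv text into Hit records, skipping blank or short lines."""
    hits = []
    for row in csv.reader(StringIO(text), delimiter=";"):
        if len(row) < 4:
            continue
        obj, path, verdict, action = (f.strip() for f in row[:4])
        hits.append(Hit(obj, path, verdict, action, classify(path)))
    return hits

def unresolved(hits: List[Hit]) -> List[Hit]:
    """Hits with no action whose containing archive was not itself acted on."""
    handled = {h.path.rstrip("\\") + "\\" + h.obj for h in hits if h.action}
    return [h for h in hits if not h.action and h.path not in handled]
```

Running `unresolved(parse_report(open("DrWeb.csv").read()))` on a saved report gives the list worth asking a helper about; an empty list means every flagged object was moved or belonged to an archive that was.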
#15 nasdaq (Forum Deity, Global Moderator, 49,347 posts)

Posted 05 September 2009 - 07:18 AM

You should be cleaned now.

If McAfee reports anything about MBAM it's a false positive.

#16 TimmU (Advanced Member, 193 posts)

Posted 05 September 2009 - 09:14 AM

Thanks nasdaq.

Were those things that DrWeb found spy?

Also, can I suggest DrWeb to a friend of mine, or should that only be run with a helper like yourself?

Thanks a lot nasdaq. I appreciate your help.

Edited by TimmU, 05 September 2009 - 09:16 AM.


#17 nasdaq (Forum Deity, Global Moderator, 49,347 posts)

Posted 06 September 2009 - 07:43 AM

Glad we could help.

"Were those things that DrWeb found spy?"

No. Nothing to worry about.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
How did I get infected in the first place?
http://spywareinfofo...showtopic=60955

Your friend can also run DrWeb.

#18 TimmU (Advanced Member, 193 posts)

Posted 07 September 2009 - 12:34 PM

Thanks a lot for your help nasdaq. Goodbye!

#19 nasdaq (Forum Deity, Global Moderator, 49,347 posts)

Posted 21 September 2009 - 07:07 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
