[Resolved] Windows won't boot on old XP machine

[Corsair]

Hello,  This is my third trip to this great website. The previous trips were for virus issues with my own machines and were very successful in cleaning up and repairing my system to run great. Thanks again!  Now maybe I can get lucky again. Here goes.     My daughter has an old Dell Inspirion 1501 laptop running Windows XP Home edition. She hasn't had internet access in over a year due to financial reasons. She presented me with another grandchild last September. Since that time, I have been taking pictures of the new baby and then loading them onto her laptop so she could see the pictures. I noticed a few months ago that her laptop would take FOREVER to boot up. I ran the disk cleanup utility and disk defrag operations which did help the boot up speed but it still wasn't like it should be. It always seemed that there was a hundred programs trying to start up during windows start-up. Yesterday I was visiting my daughter and she told me her computer wouldn't even boot anymore. I took her laptop home with me to see If I could see what was going on. Here is what I see:  The Windows XP screen disappears after about one minute of run time once you power up the laptop. A boot option screen comes up and asks if you want to boot normally, or use safe mode, plus some other choices. I tried to boot normally and I also tried to boot using safe mode- both results the same- a window comes up saying that Windows has been shut down to protect your computer. Then it states "UNMOUNTABLE_BOOT_VOLUME". Then it tells you to boot into safe mode and recommends that you disable BIOS Memory Options such as caching or shadowing. It then lists a bunch of numbers and letters under a heading of "Tech Info". If we can get the machine to boot, then I can use my internet access from that machine for you to help see what is going on. My daughter no longer has the original Windows re-install disc either. She rembers throwing them out. I do have an unused Dell Windows Vista upgrade disc that I never used if it comes down to it though. She does have some pictures on her drive that she doesn't have any backups for. Hope that you followed my descrition of problem.

[Hoov]

Do you have a Windows XP install CD? It can have come from a different machine.

Also try booting to the Vista disk. Don't install Vista yet, just see if the computer will start.

[Corsair]

Hey Hoov! Glad it was you responding. Re-living our Mikado/Oscoda connection.
I have a reinstallation DVD that came from my desktop for Windows XP Media Center Version 2005. I also have a never used express upgrade DVD to Windows Vista that I got for that same desktop system that I never installed. I now run Windows 7 on that desktop so I have no use for either of those DVD's for my own machines. My daughter cannot afford anything as you might have guessed by now. I'm just trying to get a system that runs for her to a least store pictures. Please spell out what you want me to do next.      Thank you!!

[Hoov]

1.Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.

Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
 
2.When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
 
3.If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.
 
4.When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.
 
5.At the command prompt, type chkdsk /r , and then press ENTER.
 
6.At the command prompt, type exit , and then press ENTER to restart your computer (don't boot to the CD this time).

This takes a bit longer, but the system should boot back into Windows.

[Corsair]

I inserted XP DVD into drive, shut off power, turned on power. "Welcome to Setup" window never appeared. Same screens as before. I tried more than once. I did notice that by pushing F2 button, I could access BIOS setup screen, (I think that's what it's called.) I did not hear the DVD running on boot up.  Next?

[Hoov]

Go back into the BIOS and make sure that the CD/DVD drive is at the top of the boot order list. If not, move it there, save the changes and try again.

[Corsair]

Success!  It took many hours for chkdsk to complete. It did find some errors. Now, the system will boot but still takes forever to boot. Should I get online from my home with it for you to look at anything? I have no idea if this has virus's or malware or what. She used to get online with it quite some time ago using some mobile broadband usb modem or something, but that was some time ago. As of now, she won't be using it to get online at home because she has no internet access. Whatever you recommend!!  Appreciate the help.

[Hoov]

We are getting into the malware removal part of the procedure, so I am moving this thread to there. If it is taking forever to boot, it still needs to be cleaned up. If you don't, then chances are good you will end up with the exact same problem.

I need you to reboot windows cleanly. To do that please go to the run command and type in msconfig . Once that starts, select selective startup, and then uncheck the load startup items. Now click on the services tab, and down near the bottom of the window, check the box that says Hide all Microsoft Services now go up and uncheck all the services still listed, make sure you scroll down the list if need to unselect all the non Microsoft services. Now click apply, then click OK and reboot the computer.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot''s Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
• Update Malwarebytes'' Anti-Malware
  
• Launch Malwarebytes'' Anti-Malware

• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click ''Show Results'' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM''s database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

We need to see some information about what is happening in your machine.  Please perform the following scan:

• Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • DDS.scr
    
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explaination about the tool.  No input is needed, the scan is running.
• Notepad will open with the results.
• Please copy and paste both logs into your next response. You may need more than one response.
• Close the program window, and delete the program from your desktop.

Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet. 

Information on A/V control HERE

[Corsair]

Finally completed directions. I still have windows booting using the selective start up as you first instructed. I assume that is correct because you didn't direct me to change to normal boot. Yes, I realize that there is no Anti Virus running on this machine. Here are the three log files in two posts:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.25.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Colleen Doherty :: D30R69C1 [administrator]

2/25/2012 2:27:13 PM
mbam-log-2012-02-25 (14-27-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 226066
Time elapsed: 40 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 24
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\WUSN.1 (Adware.WhenU) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\New.net (Adware.NewDotNet) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net (Adware.NewDotNet) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 13
C:\Documents and Settings\Colleen Doherty\Application Data\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Colleen Doherty\Application Data\FunWebProducts\Data (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Colleen Doherty\Application Data\FunWebProducts\Data\Colleen Doherty (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\101x135 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\NewDotNet (Adware.NewDotNet) -> Quarantined and deleted successfully.

Files Detected: 25
C:\Documents and Settings\Colleen Doherty\Desktop\CursorManiaSetup2.2.60.9.ZCfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Colleen Doherty\My Documents\Downloads\CursorManiaSetup2.3.78.2.ZCfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\NDNuninstall6_38.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Colleen Doherty\Application Data\FunWebProducts\Data\Colleen Doherty\avatar.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Colleen Doherty\Application Data\FunWebProducts\Data\Colleen Doherty\register.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\0068B972.urr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\00C318C3.urr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\00C4FC39.urr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\00C4FF07.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\f3wallpp.bmp (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\00299E9A.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\0030C605.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\00710171.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\0108ADB0.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search3 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm.bak (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\NewDotNet\nncore.dll (Adware.NewDotNet) -> Quarantined and deleted successfully.
C:\Program Files\NewDotNet\readme.html (Adware.NewDotNet) -> Quarantined and deleted successfully.
C:\Program Files\NewDotNet\uninstall.exe (Adware.NewDotNet) -> Quarantined and deleted successfully.

(end)
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Colleen Doherty at 15:27:00 on 2012-02-25
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.894.607 [GMT -5:00]
.
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\cidaemon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061220
uSearch Page =
uSearch Bar =
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061220
mDefault_Page_URL = hxxp://www.dell.com
mSearch Page =
mStart Page = hxxp://home.sweetim.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mSearchAssistant =
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{4FEEA601-3F03-4D31-A928-BB8F3867A758} : DhcpNameServer = 209.18.47.61 209.18.47.62
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\colleen doherty.d30r69c1\application data\mozilla\firefox\profiles\pxasqf06.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\8\NP_wtapp.dll
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\mozilla firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
S3 NWVMModem;Virgin Mobile USB Modem Driver;c:\windows\system32\drivers\nwvmmdm.sys [2009-5-15 174720]
S3 NWVMPort;Virgin Mobile USB Status Port Driver;c:\windows\system32\drivers\nwvmser.sys [2009-5-15 174720]
S3 NWVMPort2;Virgin Mobile USB Status2 Port Driver;c:\windows\system32\drivers\nwvmser2.sys [2009-5-15 174720]
S4 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S4 NvtlService;NovaCore SDK Service;c:\program files\novatel wireless\novacore\server\NvtlSrvr.exe [2009-8-24 82432]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-12-20 1251720]
.
=============== Created Last 30 ================
.
2012-02-25 20:18:06   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-25 19:25:34   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\application data\Malwarebytes
2012-02-25 19:24:47   --------   d-----w-   c:\documents and settings\all users\application data\Malwarebytes
2012-02-25 19:24:44   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-02-25 19:24:44   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-02-25 18:28:09   --------   d-----w-   c:\windows\pss
2012-02-20 04:13:17   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\application data\YoudaGames
2012-02-16 04:47:32   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\application data\IronCode
2012-02-16 04:33:43   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\application data\Rainbow
2012-02-16 04:24:51   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\AtlantisQuest
2012-02-16 04:20:34   16856   ----a-w-   c:\program files\mozilla firefox\plugin-container.exe
2012-02-16 04:20:02   719832   ----a-w-   c:\program files\mozilla firefox\mozcpp19.dll
2012-02-15 22:18:05   3072   ------w-   c:\windows\system32\iacenc.dll
2012-02-15 22:18:05   3072   ------w-   c:\windows\system32\dllcache\iacenc.dll
2012-02-14 04:17:57   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\application data\md studio
2012-02-03 03:35:56   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\application data\PeaceCraft3
2012-01-31 03:47:42   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\local settings\application data\Seppia
2012-01-30 02:44:22   --------   d-----w-   c:\documents and settings\colleen doherty.d30r69c1\local settings\application data\CrimsonThief
.
==================== Find3M  ====================
.
2012-02-17 17:48:24   90112   ----a-w-   c:\windows\DUMPcbcb.tmp
2012-01-12 16:53:24   1859968   ----a-w-   c:\windows\system32\win32k.sys
2011-12-17 19:46:36   916992   ----a-w-   c:\windows\system32\wininet.dll
2011-12-17 19:46:36   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58   385024   ----a-w-   c:\windows\system32\html.iec
.
============= FINISH: 15:29:07.56 ===============

[Hoov]

Go ahead and go back into msconfig and select normal startup and then click apply then OK and reboot the computer. Let me know how it starts and runs.

[Corsair]

Made change back to normal boot. Certainly better than what it was. I'm guessing that it still took between 3 to 5 mintues to complete boot up though. Seems way too long to me but maybe I'm just spoiled by my own system. Is there some way to see what programs, operations etc. that are starting on boot? Maybe I could shut down some unneeded operations?

[Hoov]

Download Silent Runners.zip and extract it to a new folder on your Desktop.

    * Run the Silent Runners.vbs file.
    * You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO."
    * If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run.
    * This script is not malicious so please allow it.
    * A text file will appear in the folder - it''s not done, let it run. (It won''t appear to be doing anything!)
    * Once the "All Done!" prompt flashes up, open the text file, and copy & paste it in your next reply.

[Corsair]

Here is the text file:

"Silent Runners.vbs", revision 63, http://www.silentrunners.org/
Operating System: Windows XP SP3
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ModemOnHold" = "C:\Program Files\NetWaiting\netWaiting.exe" [file not found]
"MobiLink3" = "C:\Program Files\Novatel Wireless\Virgin Mobile\MobiLink3.exe" ["Novatel Wireless Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DLCFCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16" [MS]
"Ulead AutoDetector" = "C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" ["Ulead Systems, Inc."]
"SigmatelSysTrayApp" = "stsystra.exe" ["SigmaTel, Inc."]
"DellSupportCenter" = ""C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter" [file not found]
"Broadcom Wireless Manager UI" = "C:\WINDOWS\system32\WLTRAY.exe" ["Dell Inc."]
"AVFX Engine" = "C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" ["Creative Technology Ltd."]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "&Yahoo! Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll" ["Yahoo! Inc."]

{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}\(Default) = "Search Helper"
  -> {HKLM...CLSID} = "Search Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll" [MS]

{CA6319C0-31B7-401E-A518-A07C3DB8F777}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "CBrowserHelperObject Object"
                   \InProcServer32\(Default) = "C:\Program Files\BAE\BAE.dll" ["Dell Inc."]

{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" [file not found]

{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SingleInstance Class"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll" ["Yahoo! Inc"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
  -> {HKLM...CLSID} = "Yahoo! Mail Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YMMAPI.dll" ["Yahoo! Inc."]

"{0563DB41-F538-4B37-A92D-4659049B7766}" = "WLMD Message Handler"
  -> {HKLM...CLSID} = "CLSID_WLMCMimeFilter"
                   \InProcServer32\(Default) = "C:\Program Files\Windows Live\Mail\mailcomm.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\

<<!>> livecall\CLSID = "{828030A1-22C1-4009-854F-8E305202313F}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL" [MS]

<<!>> ms-itss\CLSID = "{0A9007C0-4076-11D3-8789-0000F8105754}"
  -> {HKLM...CLSID} = "Microsoft Infotech Storage Protocol for IE 4.0"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll" [MS]

<<!>> msnim\CLSID = "{828030A1-22C1-4009-854F-8E305202313F}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL" [MS]

<<!>> wlmailhtml\CLSID = "{03C514A3-1EFB-4856-9F99-10D7BE1653C0}"
  -> {HKLM...CLSID} = "Windows Live Mail HTML Asynchronous Pluggable Protocol Handler"
                   \InProcServer32\(Default) = "C:\Program Files\Windows Live\Mail\mailcomm.dll" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
  -> {HKLM...CLSID} = "Yahoo! Mail Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YMMAPI.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Colleen Doherty.D30R69C1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssmyst.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

YMPEncodeCDAudioOnArrival\
"Provider" = "Yahoo! Music Jukebox"
"InvokeProgID" = "YMP.EncodeCD"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\YMP.EncodeCD\shell\Play\command\(Default) = ""C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe" -encodecd "%1"" ["Yahoo!"]

YMPHandleCDBurningOnArrival\
"Provider" = "Yahoo! Music Jukebox"
"InvokeProgID" = "YMP.BurnCD"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\YMP.BurnCD\shell\Play\command\(Default) = ""C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe" -burncd "%1"" ["Yahoo!"]

YMPMTPMediaPlayerArrivalHandler\
"Provider" = "Yahoo! Music Jukebox"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

YMPPlayCDAudioOnArrival\
"Provider" = "Yahoo! Music Jukebox"
"InvokeProgID" = "YMP.PlayCD"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\YMP.PlayCD\shell\Play\command\(Default) = ""C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe" -playcd "%1"" ["Yahoo!"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Dell Wireless WLAN Tray Service, wltrysvc, "C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe" [null data]
dlcf_device, dlcf_device, "C:\WINDOWS\system32\dlcfcoms.exe -service" [" "]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NovaCore SDK Service, NvtlService, ""C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe"" [null data]
SeaPort, SeaPort, ""C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe"" [MS]
SNMP Service, SNMP, "C:\WINDOWS\System32\snmp.exe" [MS]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Dell 725 Port\Driver = "dlcflmpm.DLL" [" "]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2012-02-25 21:18:52)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 224 seconds.
---------- (total run time: 277 seconds)

[Hoov]

There do look there are more than a few things you can stop. There is a fairly easy way of doing this, but it is not really the correct way, and that is by going thru msconfig.

To do it right, look down in your system tray and look at what starts with windows. If there are any programs there that you do not want running, if you go into the settings for that program, there is usually an option to start that program with windows. If you uncheck that box and click apply or OK, the next time you restart windows it will not start.

Go ahead and do that, and if there are programs running that you cannot seem to stop, let me know what they are and I will help you.

There are some programs that don't have that option, and there is also a program that can be used to stop them from running. We will get to that as soon as you stop as many as you can this way.

[Corsair]

I kind of already thought of that. The only thing I saw was something to do with Ulead Photo Explorer. I went to Control Panel Add/Remove programs and tried to delete the entire program but it wont permit me. It says there is an earlier version of the program on the system and I should delete that first. I don't see any other ULead programs on the list of programs though in the start menu. The only things the system tray shows running are Mobile Broadband connection (which I know that she doesn't use),and wireless network connection which is what I'm currently using to get online. The only other icons are for volume, A/c power, and local area connection (unplugged). Also, the warning symbol is showing no anti-virus installed! So really, the system tray doesn't show a whole lot running. That's all the info I can give you now. Next?