really slow boot



NZHawk
28-05-2009, 12:11 PM
Windows XP SP2
P4 2.8Ghz
1 Gb ram
80Gb hdd

boots to the desktop picture - then hangs for approx 5 minutes, then the icons appear and everything seems to operate fine from there.

I have:
chkdsk /r : no change
checked ram: passed
checked hdd: passed
Malwarebytes: removed Hijack.controlpanelstyle
did a repair install from the Windows XP cd
Comodo registry: 945

any suggestions on speeding up the boot

Thank you

Speedy Gonzales
28-05-2009, 12:16 PM
You should be careful with registry cleaners. Some do more damage than good. Use something better than Comodo registry cleaner. It's probably wiped something that was needed. Use something like Glary Utilities. It may do a better job

NZHawk
28-05-2009, 01:29 PM
Ran Glary Utilities and still takes a long time through the complete boot.

Speedy Gonzales
28-05-2009, 01:32 PM
If you haven't posted a hjt log for this pc before, post it now

NZHawk
28-05-2009, 01:36 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:58 p.m., on 28/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Firebird\Firebird_2_0\Bin\FBGuard.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Firebird\Firebird_2_0\Bin\fbserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\heap41a\svchost.exe
C:\heap41a\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Sierra Wireless Inc\Watcher\WaHelper.exe
C:\Program Files\MINDAlink\mlp_manager.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\New user\Desktop\2 Cleaning Tools\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www,grabaseat.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [WatcherHelper] "C:\Program Files\Sierra Wireless Inc\Watcher\WaHelper.exe"
O4 - HKCU\..\Run: [mlp_manager] C:\Program Files\MINDAlink\mlp_manager.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219909716000
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FirebirdGuardianDefaultInstance - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_0\Bin\FBGuard.EXE
O23 - Service: FirebirdServerDefaultInstance - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_0\Bin\fbserver.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5777 bytes

Speedy Gonzales
28-05-2009, 01:46 PM
You've got something. Tick these then tick fix checked. Disable system restore. Close browsers. May pay to update Windows after as well

This is a worm (http://www.sophos.com/security/analyses/viruses-and-spyware/w32ahkheapa.html)

If you use usb flash drives on this system, DON'T connect anything to it, until you fix this

Delete this folder AFTER

C:\heap41a\svchost.exe
C:\heap41a\svchost.exe

Uninstall Askbar

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O4 - HKLM\..\Policies\Explorer\Run: [status] present

O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

Get another virus scanner, get trojan remover after you tick the above, do another scan, then select all options under utilities

As the Sophos site says:

<Temp>\MicrosoftPowerPoint\2.mp3 - can be safely removed
<Temp>\MicrosoftPowerPoint\drivelist.txt - can be safely removed
<Temp>\MicrosoftPowerPoint\Icon.ico - can be safely removed
<Temp>\MicrosoftPowerPoint\Install.txt - detected as W32/AHKHeap-A
<Temp>\MicrosoftPowerPoint\pathlist.txt - can be safely removed
<Temp>\MicrosoftPowerPoint\svchost.exe - can be safely removed
C:\heap41a\2.mp3 - can be safely removed
C:\heap41a\drivelist.txt - can be safely removed
C:\heap41a\Icon.ico - can be safely removed
C:\heap41a\reproduce.txt - detected as W32/AHKHeap-A
C:\heap41a\script1.txt - detected as W32/AHKHeap-A
C:\heap41a\std.txt - detected as W32/AHKHeap-A
C:\heap41a\svchost.exe - can be safely removed
C:\heap41a\offspring\autorun.inf - detected as W32/AHKHeap-A

W32/AHKHeap-A attempts to periodically copy itself to removable drives and USB keys. The worm will attempt to create a hidden file Autorun.inf on the removable drive and copy itself to the removable drive as MicrosoftPowerPoint.exe.

The file Autorun.inf is designed to start the worm once the removable drive is connected to an uninfected computer.

The following registry entries are set to run W32/AHKHeap-A on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
status
present

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
winlogon
C:\heap41a\svchost.exe C:\heap41a\std.txt

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0
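
The check applied to the log above, written out as an added example (not part of the original thread): it scans a HijackThis log's running-process list and O4 autorun lines for core Windows process names launched from outside their normal directory, which is how C:\heap41a\svchost.exe stands out. The expected-directory table assumes a default XP install under C:\WINDOWS, and the sample log is an excerpt of lines from the log posted in this thread.

```python
import ntpath
import re

# Core Windows process names and the only directory each should run from.
# Assumption: a default Windows XP install rooted at C:\WINDOWS.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = {name: SYSTEM32 for name in
                ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe", "spoolsv.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)


def is_masquerade(path):
    """True when a system process name is used from outside its expected directory."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    return bool(folder) and name in EXPECTED_DIR and folder != EXPECTED_DIR[name]


def find_masquerades(log_text):
    """Return (source, label, path) for each suspicious process or O4 autorun."""
    hits, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                      # blank line ends the process list
                in_procs = False
            elif is_masquerade(line):
                hits.append(("process", "", line))
            continue
        m = O4_RE.match(line)
        exe = EXE_RE.match(m.group("cmd")) if m else None
        path = (exe.group(1) or exe.group(2)) if exe else None
        if path and is_masquerade(path):      # bare names and non-exe values are skipped
            hits.append(("autorun", f'{m.group("key")} [{m.group("name")}]', path))
    return hits


# Excerpt of the HijackThis log posted in this thread, trimmed for the example.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\heap41a\svchost.exe
C:\Program Files\Skype\Phone\Skype.exe

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
"""

if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE_LOG):
        print(hit)
```

A name match alone proves nothing about the file, so a hit here is a prompt to scan the path, not a verdict.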

pctek
28-05-2009, 02:56 PM
WHY YOUR PC SLOWS DOWN OVER TIME


1) Not enough RAM, Win XP needs 512mb to run properly, Vista should have at least 1GB.

2) Spyware.

3) Windows Bloat

The longer you use Windows, the more disordered your registry can become, especially if you regularly install and uninstall software. Many applications, on being uninstalled, leave behind “orphan” registry entries. They don’t remove all traces of themselves; causing problems such as sluggish performance, system lockups, or a bloated registry that takes longer to load on startup.

Also the NTFS file system contains a file called the master file table (MFT). There is at least one entry in the MFT for every file on an NTFS volume, including the MFT itself.

All information about a file, including its size, time and date stamps, permissions, and data content is either stored in MFT entries or in space external to the MFT but described by the MFT entries.

As files are added to an NTFS volume, more entries are added to the MFT and so the MFT increases in size. When files are deleted from an NTFS volume, their MFT entries are marked as free and may be reused, but the MFT does not shrink. Thus, space used by these entries is not reclaimed from the disk.

Utilities that defragment NTFS volumes cannot move MFT entries, and excessive fragmentation of the MFT can impact performance.

Therefore the only cure for bloat is to wipe the PC and do a fresh install of Windows from scratch.

NZHawk
28-05-2009, 03:15 PM
Are there any utilities that will remove "free" MFT entries?

Speedy Gonzales
28-05-2009, 03:16 PM
I wouldn't worry about MFT entries till you remove that worm / tick those entries

NZHawk
28-05-2009, 03:19 PM
could someone re-review this HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:38 p.m., on 28/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Firebird\Firebird_2_0\Bin\FBGuard.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Firebird\Firebird_2_0\Bin\fbserver.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Sierra Wireless Inc\Watcher\WaHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MINDAlink\mlp_manager.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\New user\Desktop\2 Cleaning Tools\Hijack This\HijackThis.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [WatcherHelper] "C:\Program Files\Sierra Wireless Inc\Watcher\WaHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [mlp_manager] C:\Program Files\MINDAlink\mlp_manager.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219909716000
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FirebirdGuardianDefaultInstance - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_0\Bin\FBGuard.EXE
O23 - Service: FirebirdServerDefaultInstance - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_0\Bin\fbserver.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6186 bytes

Thank you

SolMiester
28-05-2009, 03:19 PM
If I were you, I would re-install the O/S as PCTek said due to bloating of the O/S. Make sure you back everything up including pst files or express db file, docs & fav etc.....
I image my PC for a standard build with all my fav programs and settings. My docs, games and media files are all on separate disks.
If I have an issue, I just image it back down........

Speedy Gonzales
28-05-2009, 04:43 PM
You haven't ticked everything yet

O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot

O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

Don't forget to delete the C:\heap41a folder, and the folders that were posted before in the temp folder. Use CCleaner

NZHawk
28-05-2009, 05:17 PM
I did tick everything but it came back.
I searched for C:\heap41a in all folders hidden & otherwise and it wasn't there to delete, I believe Avast removed it on the boot up scan.
I used CCleaner removed all temp files

I looked at the registry entries but couldn't find any they/you listed.

Although when I searched the registry for heap41a I did find an entry in
HKCU\Software\Microsoft\Windows\ShellNoRoam\MuiCache --> which contained C:\heap41a\svchost.exe ---- should I remove this entry?

Would another post of HJT log help?

Speedy Gonzales
28-05-2009, 05:20 PM
If Avast is installed, uninstall AVG. Open my computer, and go to C, if that heap folder, is still there, it'll be in C

NZHawk
28-05-2009, 05:24 PM
AVG is uninstalled - now

I did look in C: and no heap folder

Speedy Gonzales
28-05-2009, 05:28 PM
Scan all of c with Avast

NZHawk
28-05-2009, 05:32 PM
Updated and am thoroughly scanning with Avast as we speak.

Found 2 C:\heap41a files and moved them to safe box or something

NZHawk
28-05-2009, 05:56 PM
C:\heap41a\reproduce.txt
C:\heap41a\script.txt
C:\heap41a\std.txt

were all moved to the chest.
would another HJT log be helpful?

Speedy Gonzales
28-05-2009, 06:46 PM
They're probably in the virus chest, when it finishes reboot, run avast (the program itself) from all programs / go to menu / virus chest highlight those files and delete them. Then run trojan remover again and select all options under utilities (if you didn't before)

NZHawk
28-05-2009, 07:15 PM
Ok I have deleted the files and ran Trojan remover & the utility options again.
But the computer still takes 5 minutes + some to complete the boot.

Speedy Gonzales
28-05-2009, 07:19 PM
Has it EVER been updated since SP2 came out?

NZHawk
28-05-2009, 07:24 PM
I will take care of that now.
Will this improve the booting?

Speedy Gonzales
28-05-2009, 07:27 PM
It may do, has it been defragged as well? Look in device manager under IDE / Ata /atapi controllers, under primary and secondary (under advanced settings).

It's not in PIO mode, is it? WHAT else is connected to the hdd (if it's IDE)?

Blam
28-05-2009, 09:09 PM
If it hasn't been defragged in ages, then that would speed things up.

Might want to defrag the registry too. Probably bloated as hell

NZHawk
29-05-2009, 09:50 AM
I found the culprit of the delayed boot - corrupted ZoneAlarm Personal Firewall. Once I uninstalled it, the boot process was normal.

mark c
29-05-2009, 11:23 AM
Avast messes up Zonealarm. I got Sygate instead.

Agent_24
29-05-2009, 04:04 PM
Zonealarm is horrible. It works OK but does strange things to your PC.

If you want a good firewall, get Comodo