
WinXP - When right clicking on a file(context menu) it takes a long ti

winxp context menu right click

  • This topic is locked

#46
nyceshirtz

nyceshirtz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts

i assume you wanted the hkcr.reg file as well so here is the link

 

https://www.dropbox....1/HKCR.zip?dl=0


  • 0



#47
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Thank you. I want to gather a little more. Please do the following.

 

Reg Query
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
1. Download attached file and save it to the Desktop. Attached File  fixlist.txt   284bytes   27 downloads
Note. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work (in this case...the desktop).
2. Run FRST by Right-Clicking on the file and choosing Run as administrator.
3. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
4. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.


  • 0

#48
nyceshirtz

nyceshirtz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts

check the syntax of reg commands in filelst.txt.... should be reg: reg 

 

here is the link......

 

https://www.dropbox....Fixlog.zip?dl=0


  • 0

#49
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts
check the syntax of reg commands in filelst.txt.... should be reg: reg 

 

Thanks.

 

OK, it looks like you have a printer that is pointing to LAPTOPZ. It's the hp color LaserJet 3500N. Is this a machine that you still have? I wonder if you remove this printer from your machine if the issue goes away.


  • 0

#50
nyceshirtz

nyceshirtz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts

it's a winxp laptop that i occasionally use as it supports a usb scanner that does not have a win8.1 driver. i removed the printer in question, rebooted normally and the problem still persists.....


  • 0

#51
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

OK, so let's evaluate where we are at.

 

Back in Post#40, you said you started in Safe Mode With Networking and didn't have the issue. DHCP Client is enabled and running while in this mode so it's odd that stopping DHCP Client in a Normal Boot resolves it. That's why it makes me think it is something else along with the DHCP Client.

 

One way to narrow down if it's a networking issue/conflict or not is to disable the network adapter.

 

Disable Network Adapters

1. Click the Start button and choose Control Panel

2. Double-Click Network Connections

3. Right-click on any network connections that are available and choose disable.

4. See if the issue presents itself and let me know.

 

 

 


  • 0

#52
nyceshirtz

nyceshirtz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts

good call.... it is definitely a networking issue/conflict.....when enabled, i get the delay, when disabled, it works properly....same presentation - if enabled, right-click, delay occurs.... you have to wait a minimum of 20 seconds for the delay to re-appear.  if you right click within the 20 second time period, it works properly.....


  • 0

#53
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

OK, let's try to concentrate on the networking then. Please provide the following info.

 

RegScanner - Identify any UNC Paths

1. Download RegScanner.zip and save to your desktop.

2. Right-click on the RegScanner.zip file and select Open With...Compressed (zipped) folder.

3. Click the Extract all files link and accept all the defaults in the wizard.

4. You should now be opened up to the Regscanner folder on your desktop with four files in it.

5. Double-click on the RegScanner.exe to open.

6. In the Find String box type two backslashes (i.e. \\)

7. Under Scan the following base keys, select the 1st three. It should match the screen shot shown at the end of this post.

8. Click the Scan button and allow it to finish.

9. Right-click on any of the found rows and select HTML Report - All Items.

10. It will create a file named report.html on your desktop as well as open it in your browser.

11. Please zip/attach the html report to this post.

 

Capture.JPG


  • 0

#54
nyceshirtz

nyceshirtz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts

ok..... here it is!

 

thanks again for all your help....



  • 0

#55
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

OK, reviewing that log makes Winfax the next suspicious culprit as it's pointing to Laptopy.
 
Let's see if stopping the Print Spooler Service makes any difference.
 
Stop Print Spooler Service
1. Click the Start button and select Run.
2. Type net stop spooler and click OK.

3. See if the issue is present and let me know.

4. To re-enable after testing you can follow the previous steps but type net start spooler.


  • 0



#56
nyceshirtz

nyceshirtz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts

did as you suggested... issued net stop spooler.  no change in symptoms....rebooted....took winfax out of startup(3 tasks), renamed 3 winfax tasks that start active from windows\system32; renamed winfax directory so no startups can occur; reissued net stop spooler;....no change in symptoms....still 20+ second delay on right clicking the same file on the desktop....restored system back to original state before this test....


Edited by nyceshirtz, 22 May 2015 - 05:34 AM.

  • 0

#57
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Thank you. OK, please do the following. Your machine will reboot. Let me know if the issue exists afterwards.
 
Delete Registry Keys
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
1. Download attached file and save it to the Desktop. Attached File  fixlist.txt   410bytes   22 downloads
Note. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work (in this case...the desktop).
2. Run FRST by Right-Clicking on the file and choosing Run as administrator.
3. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
4. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.


  • 0

#58
nyceshirtz

nyceshirtz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts

all i can say is WOW!  it looks like that was the problem.....will have to check out everything.  so far, can't recreate problem!

 

how did you decide that that registry key was the problem?????

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 22-05-2015 01
Ran by NyceShirtz at 2015-05-22 12:05:36 Run:8
Running from C:\Documents and Settings\NyceShirtz\Desktop
Loaded Profiles: NyceShirtz (Available Profiles: NyceShirtz & Administrator)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
reg: reg export HKCR\Applications\WFVIEW.EXE\shell\open\command "C:\Documents and Settings\All Users\Desktop\HKCRWFVIEW.reg"
reg: reg export HKCU\Software\Classes\Applications\WFVIEW.EXE\shell\open\command "C:\Documents and Settings\All Users\Desktop\HKCUWFVIEW.reg"
reg: reg delete HKCR\Applications\WFVIEW.EXE
reg: reg delete HKCU\Software\Classes\Applications\WFVIEW.EXE
Reboot:
 
 
*****************
 
Error: (0) Failed to create a restore point.
 
========= reg export HKCR\Applications\WFVIEW.EXE\shell\open\command "C:\Documents and Settings\All Users\Desktop\HKCRWFVIEW.reg" =========
 
 
The operation completed successfully
 
 
========= End of Reg: =========
 
 
========= reg export HKCU\Software\Classes\Applications\WFVIEW.EXE\shell\open\command "C:\Documents and Settings\All Users\Desktop\HKCUWFVIEW.reg" =========
 
 
The operation completed successfully
 
 
========= End of Reg: =========
 
 
========= reg delete HKCR\Applications\WFVIEW.EXE =========
 
 
Permanently delete the registry key Applications\WFVIEW.EXE (Y/N)? 
The operation completed successfully
 
 
========= End of Reg: =========
 
 
========= reg delete HKCU\Software\Classes\Applications\WFVIEW.EXE =========
 
 
Permanently delete the registry key Software\Classes\Applications\WFVIEW.EXE (Y/N)? 
Error:  The system was unable to find the specified registry key or value
 
 
========= End of Reg: =========
 
 
 
The system needed a reboot. 
 
==== End of Fixlog 12:05:37 ====



  • 0

#59
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Since we narrowed it down to a networking issue then it just had to be something that was trying to reach a network location of some sort. The RegScanner I had you run earlier pointed to WinFax. I saw the following two entries.

 

HKCR\Applications\WFVIEW.EXE\shell\open\command                         "\\Laptopy\f\WINFAX\WFVIEW.EXE" %1
HKCU\Software\Classes\Applications\WFVIEW.EXE\shell\open\command        "\\Laptopy\f\WINFAX\WFVIEW.EXE" %1

 

I had a strong suspicion that this was it. If you have to put those registry keys back we made exports of them on your desktop but at least you know what was causing the issue. I love finding root cause. Not always possible but I strive for that. I would guess that this issue has been happening since April 11th but that's just a guess.

 

If you are satisfied and there is nothing else, we should clean up our tools and leave you with some info.

 

OK! Well done, your computer is clean again! Part of our jobs here at G2G is to help you clean your computer. But beyond that and just as important is to provide you with some information to keep you safe and secure on the net as well as to share knowledge. Following is that information.
 
1. Clean Up!
We need to remove all the tools that we used so that should you ever be re-infected, you will download updated versions which may have updated detection logic.
1. Download Delfix from here.
2. Ensure everything is checked.
3. Click Run.
Note: The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.
Note: Delete any other .bat, .log, .reg, .txt, and any other files created during this process and left on the desktop, and empty the Recycle Bin.
 
2. Keeping Programs Updated
You need to ensure that any programs installed on your machine are kept current. The bad guys exploit vulnerabilities that are found in older versions of software. A very good piece of software that keeps your programs up-to-date is Secunia Personal Software Inspector (PSI). You can download and install it from here. You can read more information about this free software as well as a video walkthrough from here.
 
3. Antimalware- Preventative
Note: Let's keep Malwarebytes installed as it's a fantastic piece of software. Malwarebytes is an anti-malware software and not an antivirus software so it won't conflict with the Antivirus that you are running. I would recommend that you open up this program, allow it to update and scan your machine at least quarterly...monthly if you can.
 
4. Crypto Warning!!!! - Complete Data Loss can occur!
There are particularly nasty infections out there at the moment that encrypt your data and hold it for ransom. You may read more about this here.
 

  • Download CryptoPrevent free for home use here following the instructions below.
  • Save the file to your desktop from the link above and then open the program by clicking Run when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
  • Accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This is good and will launch the program once you click Finish.
  • You will get a prompt asking if you purchased a Product Key for Automatic Updates. You can answer No.
  • You will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to.
  • You will be prompted to click OK to continue and select your protection level. Go ahead and click OK.
  • Click the Apply button to set Default protection.
  • You may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.
  • That's it. The protection is in place.

Note: The free version doesn't provide automatic updates. Periodically, you should open up the program (there is a shortcut on your desktop now) and select the Updates! menu....and select Check for Updates to see if there are any as this infection has serious consequences.
 
UpdatesV7.4.11.JPG
 

 

 
For more information about computer security and how to protect yourself when on the internet, please read this guide Best Practices for Safe Computing
 
OK, all the best, and stay safe!
 
Items for your next post
1. Contents of the delfix log

 

 

 

 

 


  • 0
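The search described in posts #53 and #59 (registry values that point at a network host), as an added example that is not part of the original thread: a Python sketch that parses a `reg export` file and groups string values by the UNC host they name, so entries for a machine that is no longer reachable stand out. The sample export (including the printer key) is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the text format written by `reg export` / regedit.
# Inside string values, backslashes and double quotes are backslash-escaped.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Applications\WFVIEW.EXE\shell\open\command]
@="\"\\\\Laptopy\\f\\WINFAX\\WFVIEW.EXE\" %1"

[HKEY_CLASSES_ROOT\Applications\notepad.exe\shell\open\command]
@="C:\\WINDOWS\\system32\\notepad.exe %1"

[HKEY_CURRENT_USER\Printers\Connections\,,LAPTOPZ,hp color LaserJet 3500N]
"Server"="\\\\LAPTOPZ"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# Name is @ (default value) or a quoted string; data is a quoted REG_SZ string.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
UNC_HOST_RE = re.compile(r'\\\\([^\\/\s"]+)')  # \\host, applied after unescaping

def unescape(text):
    # Undo .reg escaping: a backslash followed by any character yields that character.
    return re.sub(r'\\(.)', r'\1', text)

def load_reg_file(path):
    """Read an export: version 5.00 files are UTF-16LE with a BOM, REGEDIT4 is ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16") if raw[:2] == b"\xff\xfe" else raw.decode("cp1252", "replace")

def find_unc_references(reg_text):
    """Map each UNC host (lower-cased) to the (key, value name, data) rows naming it."""
    hits = defaultdict(list)
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue  # dword/hex(...) values (incl. REG_EXPAND_SZ) are not decoded here
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = unescape(m.group(2))
        for host in UNC_HOST_RE.findall(data):
            if host not in ("?", "."):  # skip \\?\ and \\.\ device paths
                hits[host.lower()].append((key, name, data))
    return dict(hits)

if __name__ == "__main__":
    for host, rows in sorted(find_unc_references(SAMPLE_REG).items()):
        print(host, *(f"\n  {k} [{n}] = {d}" for k, n, d in rows))
```

For a real export, pass `load_reg_file(path)` to `find_unc_references`; any host in the result that no longer exists on the network is a candidate for the kind of lookup stall diagnosed in this thread.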

#60
nyceshirtz

nyceshirtz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
thank you so much for staying with this problem...i am impressed with your xp knowledge..
 
if you don't mind me asking, what is your xp resume?(i mean, where did you learn all this crap?)
 
if you don't want to post it here, my email is
 
 
 
# DelFix v1.010 - Logfile created 22/05/2015 at 15:28:17
# Updated 26/04/2015 by Xplode
# Username : NyceShirtz - MASTER
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
 
~ Removing disinfection tools ...
 
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Documents and Settings\NyceShirtz\Desktop\FRST-OlderVersion
Deleted : C:\Documents and Settings\NyceShirtz\Desktop\Fixlog.txt
Deleted : C:\Documents and Settings\NyceShirtz\Desktop\Fixlog.zip
Deleted : C:\Documents and Settings\NyceShirtz\Desktop\FRST.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
 
~ Creating registry backup ... OK
 
~ Cleaning system restore ...
 
 
New restore point created !
 
########## - EOF - ##########

Edited by BrianDrab, 22 May 2015 - 01:39 PM.
Removed OPs Email Address

  • 0





