My cousin's laptop


24 replies to this topic

#1 OFFLINE   LuLu

    Rest in peace Daddy 7/30/40 - 5/14/10

  • Members
  • 848 posts
  • Gender:Female
  • Location:Florida
  • Interests:surfing, skateboarding, swimming, music, movies, playing with my animals, hanging at the beach, cooking/baking, art stuff, reading, learning new things, making new friends

Posted 09 July 2007 - 01:53 AM

Well, I'm hoping this whole problem with my cousin's laptop is a software problem, but I'm not really sure. Here's the deal...

The laptop - a Compaq running Windows XP with SP2, AMD Athlon XP 2200+ 1.79 GHz processor with 448MB of RAM, 30 gig hard drive with 15 gigs of free space.

Basically her complaint is it's running slow sometimes. She said she'd asked the guy at the Compaq store about it and he told her that since it's a smaller processor and only 448MB, that it will be slow with certain programs requiring more "power", so to speak. She wasn't really satisfied with that answer so she came to me. lol She told me she wanted me to wipe out the drive and basically bring it back to the way it was when she first bought it.

So, she gives me the laptop today with the XP disk and yadda yadda yadda. Well, when I turn it on, it locks up on the blue "welcome" screen. So I turn it off, wait 5 seconds and then turn it on again. Locks up again. By now I'm thinking she's got a registry problem because that was the cause of my lock-ups on an old PC I used to have. So I turn it off and then turn it back on. This time it fully loads so I install Super Anti-Spyware, AVG AS and CCleaner. I run CCleaner first and it clears out like 159mb of crap. Then I do a check on the registry and it finds no problems. So at this point I'm puzzled, but continue on. I run Super Anti-Spyware and it finds 2 "mywebsearch" things. I get rid of them and it has me reboot. The lock-up problem starts all over again so obviously "mywebsearch" wasn't the culprit either. Then I run AVG AS and everything is clean. I run Panda virus scan and everything comes out clean as well. Programs are loading and working just fine (at least for me) so I get back to thinking about the lock-up problem.

My original thoughts of registry/malware/virus problems have been kinda tossed out the window. Then I started thinking that maybe she's just got too much crap loading at start up and that's causing the lock ups. I do recall seeing a little window during the lock up that says "Protected By GoBack", but was thinking if that were the cause then it would happen every time I try to boot up. Could that still be the problem though? Or does this sound more like a hardware problem? I am completely stumped at this point and will listen to whatever input/help I'm given.
I'm here. What are your other two wishes?

#2 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 09 July 2007 - 02:19 AM

Post a HijackThis log. :)

#3 OFFLINE   fireryone

    Lets Get Dangerous

  • Members
  • 1,626 posts
  • Gender:Male
  • Location:QLD,Australia
  • Interests:PC, LOTRO

Posted 09 July 2007 - 02:23 AM

Try starting in safe mode a few times, does it still regularly freeze?

If it is a hardware problem it could be faulty RAM or a hard drive going bad.
Try HDTune to test the hard drive www.hdtune.com.
There are some memory test programs around but they take ages to run to get reliable results.

Though it could still be software related, so just save all your cousin's important documents and format/reinstall XP ASAP. :)
fireryone



There are 10 types of people in this world.
Those who understand binary, and those who don't.

#4 OFFLINE   pwillener

    ドラえもん

  • Members
  • 662 posts
  • Gender:Male
  • Location:Tokyo, Japan

Posted 09 July 2007 - 09:15 AM

I'd recommend two more things
  • defragment the HD
  • remove any unnecessary startup items (Startup Inspector is very good at this)


#5 OFFLINE   LuLu

Posted 09 July 2007 - 04:40 PM

rridgely, on Jul 8 2007, 10:19 PM, said:

Post a HijackThis log. :)

I'd love to, but haven't figured out how to get it from her laptop to my PC. She doesn't have a CD burner and subscribes to a different internet provider than I do so I can't even email it to myself. <_<

#6 OFFLINE   LuLu

Posted 09 July 2007 - 04:43 PM

fireryone, on Jul 8 2007, 10:23 PM, said:

Try starting in safe mode a few times, does it still regularly freeze?

Ok I'll try that. If it freezes up then too, I'll let you know.

Quote

If it is a hardware problem it could be faulty RAM or a hard drive going bad.
Try HDTune to test the hard drive www.hdtune.com.
There are some memory test programs around but they take ages to run to get reliable results.

Though it could still be software related, so just save all your cousin's important documents and format/reinstall XP ASAP. :)

I'll download HDTune and burn it to a disc so I can install it on the laptop and will report back with any findings. Thanks!

#7 OFFLINE   LuLu

Posted 09 July 2007 - 04:44 PM

pwillener, on Jul 9 2007, 05:15 AM, said:

I'd recommend two more things
  • defragment the HD
  • remove any unnecessary startup items (Startup Inspector is very good at this)

Will do, thanks!

#8 OFFLINE   LuLu

Posted 09 July 2007 - 05:23 PM

Ok I downloaded the programs mentioned and burned them to disc, along with ComboFix. I am currently running ComboFix and am repeatedly getting the message "The process cannot access the file because it is being used by another process." Any takers on this one??

#9 OFFLINE   LuLu

Posted 10 July 2007 - 12:10 AM

Ok so ComboFix actually did clean up some files. And after disabling GoBack, it cleaned more. I ran HDTune and everything was OK there. Ran disk cleanup, defragged and then got rid of a few items with Startup Inspector. Still having the lock up on the blue welcome screen though. I'll be posting a HijackThis log in a bit since I figured out a way to get it onto my PC....

#10 OFFLINE   rridgely

Posted 10 July 2007 - 12:13 AM

If ComboFix is finding stuff then you need to post the log from it too. (You really shouldn't run that without posting a HijackThis log first.)

#11 OFFLINE   LuLu

Posted 10 July 2007 - 01:04 AM

HijackThis log...

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:58:11 PM, on 7/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Documents and Settings\Amanda\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {7D5AF893-CA81-498D-B2DB-87F46C405725} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136931773403
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontec...2ie06101001.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A528DCB-BCD0-4E2D-AA77-1D743F88A6FE}: NameServer = 205.152.0.8,205.152.32.8
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Unknown owner - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11932 bytes

------------------------------------------------------------------------------------------------------------------------

ComboFix Log...

"Amanda" - 07-07-09 16:41:17 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Amanda\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 ))))))))))))))))))))))))))))))))))


2007-07-09 13:43 <DIR> d-------- C:\DOCUME~1\Amanda\APPLIC~1\wsInspector
2007-07-09 13:40 <DIR> d-------- C:\Program Files\Startup Inspector for Windows
2007-07-09 13:34 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-07-08 17:42 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-07-08 17:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-08 17:22 <DIR> d-------- C:\DOCUME~1\Amanda\APPLIC~1\SUPERAntiSpyware.com
2007-07-08 17:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-08 17:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-08 17:19 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-08 17:18 <DIR> d-------- C:\Program Files\CCleaner
2007-07-07 23:02 10,160 --a------ C:\PAVPROT.BIN


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-07-08 00:57 -------- d--h----- C:\Program Files\installshield installation information
2007-07-08 00:51 -------- d-------- C:\Program Files\windows nt
2007-07-07 23:10 -------- d-------- C:\Program Files\quicktime
2007-07-07 23:10 -------- d-------- C:\Program Files\messenger
2007-07-07 23:02 104838 --a------ C:\PAVVTS.DAT
2007-07-07 22:53 -------- d-------- C:\Program Files\google
2007-04-16 22:47 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-04-16 22:45 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-04-16 22:45 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-04-16 22:45 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-04-16 22:45 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-04-16 22:45 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-04-16 22:45 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-04-16 22:45 1710936 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-04-16 22:44 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-04-16 22:44 208248 --a------ C:\WINDOWS\system32\muweb.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{243B17DE-77C7-46BF-B94B-0B5F309A0E64} c:\Program Files\Microsoft Money\System\mnyside.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"CARPService"="carpserv.exe"
"PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"Display Settings"="C:\\Program Files\\HPQ\\Notebook Utilities\\hptasks.exe /s"
"QT4HPOT"="C:\\PROGRA~1\\HPQ\\ONE-TO~1\\OneTouch.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"tgcmd"="\"C:\\Program Files\\Support.com\\BellSouth\\hcenter.exe\" /starthidden /tgcmdwrapper"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Internet Security 2007\\APVXDWIN.EXE\" /s"
"SCANINICIO"="\"C:\\Program Files\\Panda Software\\Panda Internet Security 2007\\Inicio.exe\""
"MaxtorOneTouch"="C:\\Program Files\\Maxtor\\OneTouch\\utils\\Onetouch.exe"
"mxomssmenu"="\"C:\\Program Files\\Maxtor\\OneTouch Status\\maxmenumgr.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"c:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6809e580-a3a7-11d1-9a00-00a0c945b006}"="GoBack Shell Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Billminder.lnk"
"backup"="C:\\WINDOWS\\pss\\Billminder.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\billmind.exe -startup"
"item"="Billminder"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\D-Link AirPlus.lnk"
"backup"="C:\\WINDOWS\\pss\\D-Link AirPlus.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\D-LINK~1\\AirPlus.exe "
"item"="D-Link AirPlus"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Quicken Scheduled Updates.lnk"
"backup"="C:\\WINDOWS\\pss\\Quicken Scheduled Updates.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\bagent.exe "
"item"="Quicken Scheduled Updates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Quicken Startup.lnk"
"backup"="C:\\WINDOWS\\pss\\Quicken Startup.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\QWDLLS.EXE "
"item"="Quicken Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express Calendar Checker For My Custom Edition.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Ulead Photo Express Calendar Checker For My Custom Edition.lnk"
"backup"="C:\\WINDOWS\\pss\\Ulead Photo Express Calendar Checker For My Custom Edition.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ULEADS~1\\ULEADP~1.0MY\\CalCheck.exe "
"item"="Ulead Photo Express Calendar Checker For My Custom Edition"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Watch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Watch.lnk"
"backup"="C:\\WINDOWS\\pss\\Watch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\PVRSER~1\\Watch.exe "
"item"="Watch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Amanda^Start Menu^Programs^Startup^AOL OpenRide.lnk]
"path"="C:\\Documents and Settings\\Amanda\\Start Menu\\Programs\\Startup\\AOL OpenRide.lnk"
"backup"="C:\\WINDOWS\\pss\\AOL OpenRide.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\AOL\\Launch\\AOLLAU~1.EXE /d suiteid=frontier_1.23.16.1 /d locale=en-US ee://aol/frontierApp /preload"
"item"="AOL OpenRide"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Amanda^Start Menu^Programs^Startup^Watch.lnk]
"path"="C:\\Documents and Settings\\Amanda\\Start Menu\\Programs\\Startup\\Watch.lnk"
"backup"="C:\\WINDOWS\\pss\\Watch.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\PVRSER~1\\Watch.exe "
"item"="Watch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link Air Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AirCFG"
"hkey"="HKLM"
"command"="C:\\Program Files\\D-Link\\Air Utility\\AirCFG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1134320277\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyKiller]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="spykiller"
"hkey"="HKCU"
"command"="C:\\Program Files\\SpyKiller\\spykiller.exe /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeper"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /0"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=dword:00000003
"HPWirelessMgr"=dword:00000002
"Ati HotKey Poller"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
HTTPFilter REG_MULTI_SZ HTTPFilter\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Registration reminder 1.job
C:\WINDOWS\tasks\Registration reminder 3.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 16:47:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???????????????|?????? ?X#B?????????????l|B? ??????
MMTray = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g????V??g????SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp??????? ?w?????????????\?wp ?w???????w???g???????????g?BY??AY????????g ???2???????|???8???? @???X???X???????????????????Y?????^?Q?????

scanning hidden files ...

C:\system.sav\DAYLGSAV.reg 320 bytes
C:\system.sav\FAVTOOL.LOG 352 bytes
C:\system.sav\INFO.BOM 8192 bytes
C:\system.sav\INFO2.BOM 32 bytes
C:\system.sav\ISLOGCHK.LOG 624 bytes
C:\system.sav\logoff.bat 112 bytes
C:\system.sav\logoff.reg 288 bytes
C:\system.sav\MSAPPL.001 4096 bytes
C:\system.sav\REBOOT.ME 48 bytes
C:\system.sav\REGDEV.LOG 40 bytes
C:\system.sav\REGFLUSH.LOG 4096 bytes
C:\system.sav\RegionCF
C:\system.sav\RegionCF\euro.reg 216 bytes
C:\system.sav\RegionCF\SFr.reg 232 bytes
C:\system.sav\RmDev.log 12288 bytes
C:\system.sav\T22XGB.B21 4096 bytes
C:\system.sav\TNXHLC.001 4096 bytes
C:\system.sav\TNXXIN.B21 4096 bytes
C:\system.sav\TNXXPS.001 4096 bytes
C:\system.sav\TNXXPS.B21 4096 bytes
C:\system.sav\util
C:\system.sav\util\adobe.log 160 bytes
C:\system.sav\util\AppEvBk1.old 65536 bytes
C:\system.sav\util\ATIRES.EXE 69632 bytes
C:\system.sav\util\bootldr.flg 0 bytes
C:\system.sav\util\BOOTSEC.NT4 512 bytes
C:\system.sav\util\CHECKLOG.EXE 98304 bytes
C:\system.sav\util\CIA.INI 69632 bytes
C:\system.sav\util\CMDOOBE.CMD 72 bytes
C:\system.sav\util\COMPNAME.EXE 32768 bytes
C:\system.sav\util\DEFUSER.REG 320 bytes
C:\system.sav\util\delcia.flg 32 bytes
C:\system.sav\util\deldir.log 4096 bytes
C:\system.sav\util\Encarta.log 176 bytes
C:\system.sav\util\grnscrn.bto 552 bytes
C:\system.sav\util\grnscrn.exe 49152 bytes
C:\system.sav\util\infobomg.exe 102400 bytes
C:\system.sav\util\INSTALL.LOG 225280 bytes
C:\system.sav\util\make_rtr.flg 136 bytes
C:\system.sav\util\NbUtil.log 184 bytes
C:\system.sav\util\oca.reg 352 bytes
C:\system.sav\util\oca_mrk.bat 120 bytes
C:\system.sav\util\oobe.min 136 bytes
C:\system.sav\util\oobe.wpe 184 bytes
C:\system.sav\util\osexclude.txt 208 bytes
C:\system.sav\util\PININST.INI 112 bytes
C:\system.sav\util\PININST.LOG 160 bytes
C:\system.sav\util\POSTOOBE.CMD 280 bytes
C:\system.sav\util\POSTOOBE.LOG 24 bytes
C:\system.sav\util\postproc.ini 600 bytes
C:\system.sav\util\Powerset.log 96 bytes
C:\system.sav\util\random.ini 32 bytes
C:\system.sav\util\SecEvBk1.old 65536 bytes
C:\system.sav\util\SETNAME.EXE 32768 bytes
C:\system.sav\util\sleep.exe 36864 bytes
C:\system.sav\util\srtool.exe 36864 bytes
C:\system.sav\util\sr_on.vbs 4096 bytes
C:\system.sav\util\SysEvBk1.old 65536 bytes
C:\system.sav\util\touchpad.log 184 bytes
C:\system.sav\util\WINDVD.LOG 176 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 60


********************************************************************

Completion time: 07-07-09 16:48:19
C:\ComboFix-quarantined-files.txt ... 07-07-09 16:48
C:\ComboFix2.txt ... 07-07-09 13:34


-------------------------------------------------

ComboFix Quarantine log...

05-01-18 17:52 4442712 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\WU\Software\en\com_microsoft.windowsxp\x86WinXP\com_microsoft.Q830786_XP_SP2_eHome\KB830786_WXP_MCE2_ENU.EXE.vir
05-01-18 17:52 99 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\WU\Software\en\com_microsoft.windowsxp\x86WinXP\com_microsoft.Q830786_XP_SP2_eHome\ReadMore.url.vir
05-01-18 17:53 795496 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\WU\Software\en\com_microsoft.windowsxp\x86WinXP\com_microsoft.Q811114_IIS_51\Q811114_WXP_SP2_x86_ENU.exe.vir
05-01-18 17:53 99 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\WU\Software\en\com_microsoft.windowsxp\x86WinXP\com_microsoft.Q811114_IIS_51\ReadMore.url.vir
05-01-18 17:57 12653296 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\WU\Software\en\com_microsoft.windowsxp\x86WinXP\com_microsoft.MP10Setup_RTW\MP10Setup.exe.vir
05-01-18 17:57 99 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\WU\Software\en\com_microsoft.windowsxp\x86WinXP\com_microsoft.MP10Setup_RTW\ReadMore.url.vir
05-01-18 17:58 108 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\WU\Software\en\com_microsoft.windowsxp\x86WinXP\com_microsoft.DirectX 90a Managed DirectX\ReadMore.url.vir
05-01-18 17:58 2383968 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\WU\Software\en\com_microsoft.windowsxp\x86WinXP\com_microsoft.DirectX 90a Managed DirectX\dx90amdx.exe.vir
05-01-18 17:58 4647 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\WU\iuhist_catalog.xml.vir


Folder PATH listing
Volume serial number is 0000-72D8
C:\QOOBOX
\---Quarantine
    +---C
    |   \---WINDOWS
    |       \---DOWNLO~1
    |           \---WU
    |               |   iuhist_catalog.xml.vir
    |               |
    |               \---Software
    |                   \---en
    |                       \---com_microsoft.windowsxp
    |                           \---x86WinXP
    |                               +---com_microsoft.DirectX 90a Managed DirectX
    |                               |       dx90amdx.exe.vir
    |                               |       ReadMore.url.vir
    |                               |
    |                               +---com_microsoft.MP10Setup_RTW
    |                               |       MP10Setup.exe.vir
    |                               |       ReadMore.url.vir
    |                               |
    |                               +---com_microsoft.Q811114_IIS_51
    |                               |       Q811114_WXP_SP2_x86_ENU.exe.vir
    |                               |       ReadMore.url.vir
    |                               |
    |                               \---com_microsoft.Q830786_XP_SP2_eHome
    |                                       KB830786_WXP_MCE2_ENU.EXE.vir
    |                                       ReadMore.url.vir
    |
    \---Registry_backups

I'm here. What are your other two wishes?

#12 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 10 July 2007 - 01:18 AM

One problem is that you have the whole Panda suite installed and ZoneAlarm too. Having both of those is going to slow down that system a lot.
Get rid of ZoneAlarm.

After you do that, bring up the Task Manager (Ctrl+Alt+Del) and tell me what the number is in the bottom right where it says "Commit Charge".

#13 OFFLINE   LuLu

Posted 10 July 2007 - 01:28 AM

Ok ZoneAlarm is gone.

And the magic number is....305m/1057m

#14 OFFLINE   rridgely

Posted 10 July 2007 - 01:40 AM

You could do better by cutting down on some processes, but the machine isn't really running low on RAM.
Did they pay for the Panda suite?

Things I would do that could maybe speed things up at startup and maybe during use:

Uninstall Adobe Reader and use Foxit Reader instead.
Get rid of RealPlayer and QuickTime Player and get either the K-Lite Mega Codec Pack or the Real and QuickTime alternatives. (If they use iTunes, then don't get rid of QuickTime.)
Dump all those toolbars and make sure they are using IE7 or Firefox. (Both will increase security and already have built-in search bars.)

Roxio GoBack and Maxtor OneTouch... are these both backup programs? If so, only use one of them and disable the other from running at startup.

Try defragging and see if that speeds anything up either.

#15 OFFLINE   LuLu

Posted 10 July 2007 - 01:47 AM

I have no idea if she paid for Panda or not. Most likely she did, but I can't say for sure.

I disabled GoBack and will probably uninstall it after she gives me the OK. Have no idea what the Maxtor One Touch is but will play around with it to find out.

She does use iTunes, so Quicktime has to stay, and she uses RealPlayer for some women's basketball crap she watches online. I don't know if it'll play in any other program.

She uses some AOL Explorer mess because IE 7 crashed her laptop when she had initially downloaded it. I can have her download and install it again if you think she should.

Already did a defrag and it didn't seem to change much. To be honest, the biggest improvement came after running ComboFix. I have no problems running programs and now the start up is faster. And I had 2 successful boot-ups in a row. It's a world record! lol

I'll go dump the toolbars. :D

#16 OFFLINE   rridgely

Posted 10 July 2007 - 01:51 AM

Run the Kaspersky online scanner on it and post back the results:

Run Kaspersky WebScanner
  • Please go HERE and click Kaspersky Online Scanner.
  • Read and accept the agreement.
  • You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click OK.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, save the file as kavscan.txt to your Desktop, and close the Kaspersky On-line Scanner window.
  • Paste the Kaspersky log onto the forum.


#17 OFFLINE   LuLu

Posted 10 July 2007 - 01:54 AM

That would work if I could go online with her laptop. lol Should I download the trial version and transfer it to the laptop instead?

#18 OFFLINE   rridgely

Posted 10 July 2007 - 02:03 AM

Why can't you go online? Can't you just hook it up to your modem?
Don't install the trial because it would probably conflict with Panda.

#19 OFFLINE   LuLu

Posted 10 July 2007 - 02:06 AM

It doesn't work. I plugged it into my modem and got nowhere... I'm guessing it's because she has a different internet provider than I do, but I don't really know. Figured I'd dial up to AOL with the landline, but she has the free version of AOL now so I can't even do that.

#20 OFFLINE   rridgely

Posted 10 July 2007 - 02:11 AM

You can't bum wireless off a neighbor? :P
You should be able to get on the internet with that computer just like you would with your desktop...