XP Home - boots / runs very slowly, data exchanged w unknown sites



#1 franna (Member, 51 posts)
Hi! I'm running WinXP Home Edition. The computer takes a very long time to boot fully, runs at a somewhat reasonable speed after booting but gets slower and slower till it becomes ridiculously slow. Generally use Firefox, and can see in the bottom left of screen that data seems to be exchanging with unknown sites. I ran OTL (pasted below) which shows lots of unwanted hosts.

Many thanks for your assistance!!!

Edited to add: If the C drive is too full, I can move things elsewhere in order to run scans, etc.

OTL log is pasted below:

OTL logfile created on: 5/24/2011 9:38:55 AM - Run 2
OTL by OldTimer - Version 3.2.23.0 Folder = F:\
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.54 Mb Total Physical Memory | 60.05 Mb Available Physical Memory | 23.50% Memory free
969.35 Mb Paging File | 504.27 Mb Available in Paging File | 52.02% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS0 | %ProgramFiles% = C:\Program Files
Drive C: | 19.10 Gb Total Space | 0.46 Gb Free Space | 2.43% Space Free | Partition Type: FAT32
Drive F: | 15.01 Gb Total Space | 12.13 Gb Free Space | 80.85% Space Free | Partition Type: FAT32

Computer Name: DESKTOP | User Name: Fran | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/24 09:03:38 | 000,580,096 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
PRC - [2010/07/10 00:08:04 | 002,048,352 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2010/03/01 17:46:44 | 000,524,632 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/03/01 17:46:40 | 001,029,456 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/08/16 09:13:24 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/16 09:13:20 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/16 09:13:10 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/16 09:12:58 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/08/16 09:12:22 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2007/06/13 07:26:04 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS0\explorer.exe
PRC - [2006/03/09 11:49:22 | 007,171,685 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe


========== Modules (SafeList) ==========

MOD - [2011/05/24 09:03:38 | 000,580,096 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
MOD - [2006/08/25 08:45:56 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS0\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/03/18 08:11:02 | 000,947,528 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG8\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010/03/01 17:46:40 | 001,029,456 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/08/16 09:12:58 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/08/16 09:12:22 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2005/10/06 18:12:30 | 000,855,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS)


========== Driver Services (SafeList) ==========

DRV - [2009/08/16 09:13:22 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS0\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/16 09:13:22 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS0\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/07/03 10:49:10 | 000,064,160 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS0\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/05/16 09:54:52 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS0\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2004/08/03 23:08:22 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS0\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2001/08/17 12:19:34 | 000,040,704 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS0\system32\drivers\es1371mp.sys -- (es1371) Creative AudioPCI (ES1371,ES1373) (WDM)
DRV - [2001/08/17 12:10:52 | 000,025,159 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS0\system32\drivers\elnk3.sys -- (ELNK3)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS0\system32\blank.htm
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.com"


[2007/08/29 07:12:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Fran\Application Data\Mozilla\Firefox\Profiles\qqin5puy.default\extensions
[2007/08/12 02:26:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/08/12 02:26:02 | 000,000,000 | ---D | M] ("Adblock Plus") -- C:\Program Files\Mozilla Firefox\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2007/08/12 02:26:02 | 000,000,000 | ---D | M] ("Adblock Filterset.G Updater") -- C:\Program Files\Mozilla Firefox\extensions\filtersetg@updater
[2006/04/14 16:47:08 | 000,165,992 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2006/04/14 16:47:08 | 000,060,518 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2006/04/14 16:47:08 | 000,049,248 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2006/01/02 11:15:46 | 001,312,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll
[2006/03/09 11:49:24 | 000,001,076 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.gif
[2006/03/09 11:49:24 | 000,000,718 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.src
[2006/03/06 10:23:02 | 000,000,232 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.png
[2006/04/14 16:48:08 | 000,001,081 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.src
[2006/03/19 08:50:02 | 000,001,019 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\Wiktionary.png
[2006/03/19 09:15:46 | 000,000,717 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wiktionary.src

O1 HOSTS File: ([2007/09/28 20:39:50 | 000,186,191 | R--- | M]) - C:\WINDOWS0\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 hityou.com
O1 - Hosts: 127.0.0.1 www.hityou.com
O1 - Hosts: 127.0.0.1 180searchassistant.com
O1 - Hosts: 127.0.0.1 www.180searchassistant.com
O1 - Hosts: 127.0.0.1 180solutions.com
O1 - Hosts: 127.0.0.1 www.180solutions.com
O1 - Hosts: 127.0.0.1 bis.180solutions.com
O1 - Hosts: 127.0.0.1 config.180solutions.com
O1 - Hosts: 127.0.0.1 cts.180solutions.com
O1 - Hosts: 127.0.0.1 downloads.180solutions.com
O1 - Hosts: 127.0.0.1 installs.180solutions.com
O1 - Hosts: 127.0.0.1 nowhere.180solutions.com
O1 - Hosts: 127.0.0.1 ping.180solutions.com
O1 - Hosts: 127.0.0.1 tv.180solutions.com
O1 - Hosts: 127.0.0.1 uploads.180solutions.com
O1 - Hosts: 127.0.0.1 public.zangocash.com
O1 - Hosts: 127.0.0.1 www.public.zangocash.com
O1 - Hosts: 127.0.0.1 static.zangocash.com
O1 - Hosts: 127.0.0.1 www.static.zangocash.com
O1 - Hosts: 127.0.0.1 www.zangocash.com
O1 - Hosts: 127.0.0.1 zangocash.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 2search.com
O1 - Hosts: 6607 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (ElnkPubBHO Class) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\New Earthlink Total Mailbox\EarthLink MailBox\Toolbar\ElnkPub.dll (EarthLink, Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Antivirus and Antispyware\Spybot Search and Destroy\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (ElnkProtectionBHO Class) - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\New Earthlink Total Mailbox\EarthLink MailBox\Toolbar\ProtctIE.dll (EarthLink, Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (ElnkLegacyUninstBHO Class) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\New Earthlink Total Mailbox\EarthLink MailBox\Toolbar\uninsttb.dll (EarthLink, Inc.)
O3 - HKLM\..\Toolbar: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\New Earthlink Total Mailbox\EarthLink MailBox\Toolbar\Toolbar.dll (EarthLink, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\New Earthlink Total Mailbox\EarthLink MailBox\Toolbar\Toolbar.dll (EarthLink, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS0\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS0\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS0\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: EarthLink Google Search - C:\New Earthlink Total Mailbox\EarthLink MailBox\Toolbar\SearchUI.dll (EarthLink, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Antivirus and Antispyware\Spybot Search and Destroy\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 207.69.188.185 207.69.188.186 207.69.188.187
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS0\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS0\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\WINDOWS0\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS0\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/12 03:22:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS0\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2004/04/05 08:44:22 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS0\System32\RCCOLLAB.DLL
[3 C:\WINDOWS0\*.tmp files -> C:\WINDOWS0\*.tmp -> ]
[1 C:\WINDOWS0\System32\*.tmp files -> C:\WINDOWS0\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/24 08:30:12 | 000,054,156 | -H-- | M] () -- C:\WINDOWS0\QTFont.qfn
[2011/05/24 08:27:34 | 000,013,646 | ---- | M] () -- C:\WINDOWS0\System32\wpa.dbl
[2011/05/24 08:27:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS0\bootstat.dat
[2011/05/24 08:27:14 | 268,017,664 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/23 17:46:42 | 000,000,472 | ---- | M] () -- C:\WINDOWS0\tasks\Ad-Aware Update (Weekly).job
[2011/05/22 11:39:04 | 000,001,744 | ---- | M] () -- C:\WINDOWS0\System32\d3d9caps.dat
[2011/05/21 20:34:12 | 000,168,283 | ---- | M] () -- C:\Documents and Settings\Fran\Desktop\antiangiogenic.jpg
[2011/05/17 20:55:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS0\tasks\AppleSoftwareUpdate.job
[3 C:\WINDOWS0\*.tmp files -> C:\WINDOWS0\*.tmp -> ]
[1 C:\WINDOWS0\System32\*.tmp files -> C:\WINDOWS0\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/21 20:34:08 | 000,168,283 | ---- | C] () -- C:\Documents and Settings\Fran\Desktop\antiangiogenic.jpg
[2010/05/17 17:54:39 | 000,000,054 | ---- | C] () -- C:\WINDOWS0\System32\rp_stats.dat
[2010/05/17 17:54:39 | 000,000,039 | ---- | C] () -- C:\WINDOWS0\System32\rp_rules.dat
[2009/09/21 01:23:42 | 000,015,688 | ---- | C] () -- C:\WINDOWS0\System32\lsdelete.exe
[2009/01/04 19:28:23 | 000,000,069 | ---- | C] () -- C:\WINDOWS0\NeroDigital.ini
[2008/04/01 22:22:33 | 000,000,720 | ---- | C] () -- C:\WINDOWS0\mozver.dat
[2007/10/27 18:27:21 | 000,000,379 | ---- | C] () -- C:\WINDOWS0\ODBC.INI
[2007/10/02 22:03:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS0\WinInit.Ini
[2007/09/29 10:04:43 | 000,001,744 | ---- | C] () -- C:\WINDOWS0\System32\d3d9caps.dat
[2007/08/29 07:12:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS0\nsreg.dat
[2007/08/28 23:15:44 | 000,048,640 | ---- | C] () -- C:\Documents and Settings\Fran\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/18 16:08:13 | 000,002,048 | --S- | C] () -- C:\WINDOWS0\bootstat.dat
[2007/08/18 16:00:25 | 000,021,640 | ---- | C] () -- C:\WINDOWS0\System32\emptyregdb.dat
[2007/08/18 13:45:34 | 000,004,205 | ---- | C] () -- C:\WINDOWS0\ODBCINST.INI
[2007/08/18 13:41:45 | 000,110,192 | ---- | C] () -- C:\WINDOWS0\System32\FNTCACHE.DAT
[2004/08/04 01:07:22 | 000,001,788 | ---- | C] () -- C:\WINDOWS0\System32\Dcache.bin
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS0\System32\secupd.dat
[2003/03/31 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS0\System32\oembios.bin
[2003/03/31 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS0\System32\mlang.dat
[2003/03/31 08:00:00 | 000,311,604 | ---- | C] () -- C:\WINDOWS0\System32\perfh009.dat
[2003/03/31 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS0\System32\perfi009.dat
[2003/03/31 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS0\System32\dssec.dat
[2003/03/31 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS0\System32\mib.bin
[2003/03/31 08:00:00 | 000,039,992 | ---- | C] () -- C:\WINDOWS0\System32\perfc009.dat
[2003/03/31 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS0\System32\perfd009.dat
[2003/03/31 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS0\System32\oembios.dat
[2003/03/31 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS0\System32\noise.dat
[2002/03/13 15:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS0\System32\zlib.dll

< End of report >

Edited by franna, 28 May 2011 - 07:26 AM.

#2 sempai (Trusted Helper, Malware Removal, 785 posts)
Hello franna and sorry about the delay.

I need to see a fresh log so please run OTL again and post the new report for my review.

#3 franna (Topic Starter, Member, 51 posts)
Thanks Sempai!

FYI - A long while back I had a major BSOD issue. In resolving that, if I remember correctly, we partitioned the drive; that's why I'm running in "C:\WINDOWS0" instead of "WINDOWS." It's got nothing to do with the current problem.

Here is a new log:

OTL logfile created on: 5/28/2011 1:54:15 PM - Run 3
OTL by OldTimer - Version 3.2.23.0 Folder = F:\
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.54 Mb Total Physical Memory | 17.50 Mb Available Physical Memory | 6.85% Memory free
748.79 Mb Paging File | 121.04 Mb Available in Paging File | 16.17% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS0 | %ProgramFiles% = C:\Program Files
Drive C: | 19.10 Gb Total Space | 0.40 Gb Free Space | 2.09% Space Free | Partition Type: FAT32
Drive F: | 15.01 Gb Total Space | 12.13 Gb Free Space | 80.81% Space Free | Partition Type: FAT32

Computer Name: DESKTOP | User Name: Fran | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/24 09:03:38 | 000,580,096 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
PRC - [2010/07/10 00:08:04 | 002,048,352 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2010/03/01 17:46:44 | 000,524,632 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/03/01 17:46:40 | 001,029,456 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/08/16 09:13:24 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/16 09:13:20 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/16 09:13:10 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/16 09:12:58 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/08/16 09:12:22 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2007/06/13 07:26:04 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS0\explorer.exe
PRC - [2006/03/09 11:49:22 | 007,171,685 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe


========== Modules (SafeList) ==========

MOD - [2011/05/24 09:03:38 | 000,580,096 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
MOD - [2006/08/25 08:45:56 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS0\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/03/18 08:11:02 | 000,947,528 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG8\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010/03/01 17:46:40 | 001,029,456 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/08/16 09:12:58 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/08/16 09:12:22 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2005/10/06 18:12:30 | 000,855,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS)


========== Driver Services (SafeList) ==========

DRV - [2009/08/16 09:13:22 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS0\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/16 09:13:22 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS0\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/07/03 10:49:10 | 000,064,160 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS0\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/05/16 09:54:52 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS0\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2004/08/03 23:08:22 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS0\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2001/08/17 12:19:34 | 000,040,704 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS0\system32\drivers\es1371mp.sys -- (es1371) Creative AudioPCI (ES1371,ES1373) (WDM)
DRV - [2001/08/17 12:10:52 | 000,025,159 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS0\system32\drivers\elnk3.sys -- (ELNK3)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS0\system32\blank.htm
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.com"


[2007/08/29 07:12:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Fran\Application Data\Mozilla\Firefox\Profiles\qqin5puy.default\extensions
[2007/08/12 02:26:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/08/12 02:26:02 | 000,000,000 | ---D | M] ("Adblock Plus") -- C:\Program Files\Mozilla Firefox\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2007/08/12 02:26:02 | 000,000,000 | ---D | M] ("Adblock Filterset.G Updater") -- C:\Program Files\Mozilla Firefox\extensions\filtersetg@updater
[2006/04/14 16:47:08 | 000,165,992 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2006/04/14 16:47:08 | 000,060,518 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2006/04/14 16:47:08 | 000,049,248 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2006/01/02 11:15:46 | 001,312,392 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll
[2006/03/09 11:49:24 | 000,001,076 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.gif
[2006/03/09 11:49:24 | 000,000,718 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.src
[2006/03/06 10:23:02 | 000,000,232 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.png
[2006/04/14 16:48:08 | 000,001,081 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.src
[2006/03/19 08:50:02 | 000,001,019 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\Wiktionary.png
[2006/03/19 09:15:46 | 000,000,717 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wiktionary.src

O1 HOSTS File: ([2007/09/28 20:39:50 | 000,186,191 | R--- | M]) - C:\WINDOWS0\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 hityou.com
O1 - Hosts: 127.0.0.1 www.hityou.com
O1 - Hosts: 127.0.0.1 180searchassistant.com
O1 - Hosts: 127.0.0.1 www.180searchassistant.com
O1 - Hosts: 127.0.0.1 180solutions.com
O1 - Hosts: 127.0.0.1 www.180solutions.com
O1 - Hosts: 127.0.0.1 bis.180solutions.com
O1 - Hosts: 127.0.0.1 config.180solutions.com
O1 - Hosts: 127.0.0.1 cts.180solutions.com
O1 - Hosts: 127.0.0.1 downloads.180solutions.com
O1 - Hosts: 127.0.0.1 installs.180solutions.com
O1 - Hosts: 127.0.0.1 nowhere.180solutions.com
O1 - Hosts: 127.0.0.1 ping.180solutions.com
O1 - Hosts: 127.0.0.1 tv.180solutions.com
O1 - Hosts: 127.0.0.1 uploads.180solutions.com
O1 - Hosts: 127.0.0.1 public.zangocash.com
O1 - Hosts: 127.0.0.1 www.public.zangocash.com
O1 - Hosts: 127.0.0.1 static.zangocash.com
O1 - Hosts: 127.0.0.1 www.static.zangocash.com
O1 - Hosts: 127.0.0.1 www.zangocash.com
O1 - Hosts: 127.0.0.1 zangocash.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 2search.com
O1 - Hosts: 6607 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (ElnkPubBHO Class) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\New Earthlink Total Mailbox\EarthLink MailBox\Toolbar\ElnkPub.dll (EarthLink, Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Antivirus and Antispyware\Spybot Search and Destroy\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (ElnkProtectionBHO Class) - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\New Earthlink Total Mailbox\EarthLink MailBox\Toolbar\ProtctIE.dll (EarthLink, Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (ElnkLegacyUninstBHO Class) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\New Earthlink Total Mailbox\EarthLink MailBox\Toolbar\uninsttb.dll (EarthLink, Inc.)
O3 - HKLM\..\Toolbar: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\New Earthlink Total Mailbox\EarthLink MailBox\Toolbar\Toolbar.dll (EarthLink, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\New Earthlink Total Mailbox\EarthLink MailBox\Toolbar\Toolbar.dll (EarthLink, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS0\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS0\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS0\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: EarthLink Google Search - C:\New Earthlink Total Mailbox\EarthLink MailBox\Toolbar\SearchUI.dll (EarthLink, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Antivirus and Antispyware\Spybot Search and Destroy\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 207.69.188.185 207.69.188.186 207.69.188.187
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS0\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS0\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\WINDOWS0\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS0\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/12 03:22:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS0\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2004/04/05 08:44:22 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS0\System32\RCCOLLAB.DLL
[3 C:\WINDOWS0\*.tmp files -> C:\WINDOWS0\*.tmp -> ]
[1 C:\WINDOWS0\System32\*.tmp files -> C:\WINDOWS0\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/27 10:35:20 | 000,054,156 | -H-- | M] () -- C:\WINDOWS0\QTFont.qfn
[2011/05/27 10:32:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS0\bootstat.dat
[2011/05/27 10:32:30 | 268,017,664 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/26 11:09:24 | 000,013,646 | ---- | M] () -- C:\WINDOWS0\System32\wpa.dbl
[2011/05/24 20:56:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS0\tasks\AppleSoftwareUpdate.job
[2011/05/23 17:46:42 | 000,000,472 | ---- | M] () -- C:\WINDOWS0\tasks\Ad-Aware Update (Weekly).job
[2011/05/22 11:39:04 | 000,001,744 | ---- | M] () -- C:\WINDOWS0\System32\d3d9caps.dat
[2011/05/21 20:34:12 | 000,168,283 | ---- | M] () -- C:\Documents and Settings\Fran\Desktop\antiangiogenic.jpg
[3 C:\WINDOWS0\*.tmp files -> C:\WINDOWS0\*.tmp -> ]
[1 C:\WINDOWS0\System32\*.tmp files -> C:\WINDOWS0\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/21 20:34:08 | 000,168,283 | ---- | C] () -- C:\Documents and Settings\Fran\Desktop\antiangiogenic.jpg
[2010/05/17 17:54:39 | 000,000,054 | ---- | C] () -- C:\WINDOWS0\System32\rp_stats.dat
[2010/05/17 17:54:39 | 000,000,039 | ---- | C] () -- C:\WINDOWS0\System32\rp_rules.dat
[2009/09/21 01:23:42 | 000,015,688 | ---- | C] () -- C:\WINDOWS0\System32\lsdelete.exe
[2009/01/04 19:28:23 | 000,000,069 | ---- | C] () -- C:\WINDOWS0\NeroDigital.ini
[2008/04/01 22:22:33 | 000,000,720 | ---- | C] () -- C:\WINDOWS0\mozver.dat
[2007/10/27 18:27:21 | 000,000,379 | ---- | C] () -- C:\WINDOWS0\ODBC.INI
[2007/10/02 22:03:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS0\WinInit.Ini
[2007/09/29 10:04:43 | 000,001,744 | ---- | C] () -- C:\WINDOWS0\System32\d3d9caps.dat
[2007/08/29 07:12:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS0\nsreg.dat
[2007/08/28 23:15:44 | 000,048,640 | ---- | C] () -- C:\Documents and Settings\Fran\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/18 16:08:13 | 000,002,048 | --S- | C] () -- C:\WINDOWS0\bootstat.dat
[2007/08/18 16:00:25 | 000,021,640 | ---- | C] () -- C:\WINDOWS0\System32\emptyregdb.dat
[2007/08/18 13:45:34 | 000,004,205 | ---- | C] () -- C:\WINDOWS0\ODBCINST.INI
[2007/08/18 13:41:45 | 000,110,192 | ---- | C] () -- C:\WINDOWS0\System32\FNTCACHE.DAT
[2004/08/04 01:07:22 | 000,001,788 | ---- | C] () -- C:\WINDOWS0\System32\Dcache.bin
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS0\System32\secupd.dat
[2003/03/31 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS0\System32\oembios.bin
[2003/03/31 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS0\System32\mlang.dat
[2003/03/31 08:00:00 | 000,311,604 | ---- | C] () -- C:\WINDOWS0\System32\perfh009.dat
[2003/03/31 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS0\System32\perfi009.dat
[2003/03/31 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS0\System32\dssec.dat
[2003/03/31 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS0\System32\mib.bin
[2003/03/31 08:00:00 | 000,039,992 | ---- | C] () -- C:\WINDOWS0\System32\perfc009.dat
[2003/03/31 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS0\System32\perfd009.dat
[2003/03/31 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS0\System32\oembios.dat
[2003/03/31 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS0\System32\noise.dat
[2002/03/13 15:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS0\System32\zlib.dll

< End of report >
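The entries at the end of the OTL log above are the ones a malware-removal helper reads first for persistence and hijack indicators: the O35/O37 exefile and comfile [open] commands (stock value is `"%1" %*`; anything wrapped around it runs on every program launch), the O20 Winlogon Shell value (should be Explorer.exe alone), O34 BootExecute entries beyond the default `autocheck autochk *`, and the O7 NoDriveTypeAutoRun bitmask, whose value 145 (0x91) is the Windows XP default and still honours autorun.inf on removable, fixed and CD-ROM drives. The following Python is an added example, not part of the thread or of OTL: it parses those line layouts as they appear in the log and flags them. The lines in `LOG_LINES` are copied from the log above; the two `HIJACK_LINES`, and the paths in them, are constructed to show what a positive hit looks like.

```python
"""Triage checks over OTL "O-line" entries.

Added example, not OTL's own code. It parses the line layouts visible in the
OTL log above and flags the persistence / hijack patterns a malware-removal
helper checks first.
"""
from __future__ import annotations

import re

# NoDriveTypeAutoRun bits, one per Win32 drive type. A SET bit disables AutoRun
# for that type, so a CLEAR bit means autorun.inf is still honoured there.
# (0x02 = DRIVE_NO_ROOT_DIR is meaningless for autorun; 0x80 is the reserved
# "unknown type" bit; both are left out of the decode.)
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
}

DEFAULT_OPEN_CMD = '"%1" %*'            # stock exefile / comfile [open] command
DEFAULT_BOOTEXECUTE = "autocheck autochk *"

_PATTERNS = {
    "o7": re.compile(r"^O7 - .*NoDriveTypeAutoRun = (\d+)$"),
    "o17": re.compile(r"^O17 - .*(?:Dhcp)?NameServer = (.+)$"),
    "o20": re.compile(r"^O20 - HKLM Winlogon: Shell - \((.*?)\) - "),
    "o34": re.compile(r"^O34 - HKLM BootExecute: \((.*?)\) - (.*)$"),
    "o35": re.compile(r"^O35 - HKLM\\\.\.(\w+) \[open\] -- (.*)$"),
    "o37": re.compile(r"^O37 - HKLM\\\.\.\.(\w+) \[@ = (\w+)\] -- (.*)$"),
}


def autorun_enabled_types(mask: int) -> list[str]:
    """Drive types for which AutoRun is still honoured (bit clear in the mask)."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def triage(lines) -> list[tuple[str, str]]:
    """Return (severity, message) findings for a batch of OTL lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := _PATTERNS["o35"].match(line):
            cls, cmd = m.groups()
            if cmd.strip() != DEFAULT_OPEN_CMD:
                findings.append(("high", f"{cls} [open] command hijacked: {cmd}"))
        elif m := _PATTERNS["o37"].match(line):
            ext, cls, cmd = m.groups()
            if cmd.strip() != DEFAULT_OPEN_CMD:
                findings.append(("high", f".{ext} ({cls}) command hijacked: {cmd}"))
        elif m := _PATTERNS["o20"].match(line):
            shell = m.group(1)
            if shell.lower() != "explorer.exe":
                findings.append(("high", f"Winlogon Shell is not explorer.exe alone: {shell}"))
        elif m := _PATTERNS["o34"].match(line):
            entry, target = m.groups()
            if entry != DEFAULT_BOOTEXECUTE:
                findings.append(("info", f"non-default BootExecute entry '{entry}' -> {target}; verify publisher"))
        elif m := _PATTERNS["o7"].match(line):
            enabled = autorun_enabled_types(int(m.group(1)))
            if enabled:
                findings.append(("info", "AutoRun still enabled for: " + ", ".join(enabled)))
        elif m := _PATTERNS["o17"].match(line):
            findings.append(("info", "DNS resolvers to confirm with the ISP: " + m.group(1)))
    return findings


# Lines copied from the OTL log above.
LOG_LINES = [
    r"O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 207.69.188.185 207.69.188.186 207.69.188.187",
    r"O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS0\explorer.exe (Microsoft Corporation)",
    r"O34 - HKLM BootExecute: (autocheck autochk *) - File not found",
    r"O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS0\System32\lsdelete.exe ()",
    r'O35 - HKLM\..exefile [open] -- "%1" %*',
    r'O37 - HKLM\...exe [@ = exefile] -- "%1" %*',
]

# Constructed lines (NOT from the log; the paths are made up) showing positive hits.
HIJACK_LINES = [
    r'O35 - HKLM\..exefile [open] -- C:\WINDOWS0\System32\example_wrapper.exe "%1" %*',
    r"O20 - HKLM Winlogon: Shell - (Explorer.exe, C:\example\extra.exe) - C:\WINDOWS0\explorer.exe (Microsoft Corporation)",
]

if __name__ == "__main__":
    for label, batch in (("log", LOG_LINES), ("constructed", HIJACK_LINES)):
        print(f"--- {label} ---")
        for severity, message in triage(batch):
            print(f"[{severity}] {message}")
```

Run against the log lines, the only findings are informational: the autorun mask still permits removable/fixed/CD-ROM autorun, the resolvers should be confirmed as the ISP's, and `lsdelete` is a BootExecute entry that is not the stock `autocheck`, so its publisher should be verified (the OTL line shows it with no company name). The constructed lines are what a real file-association or Winlogon hijack would look like and are reported as high.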

#4 sempai (Trusted Helper, Malware Removal, 785 posts)

FYI - A long while back I had a major BSOD issue. In resolving that, if I remember correctly, we partitioned the drive; that's why I'm running in "C:\WINDOWS0" instead of "WINDOWS." It's got nothing to do with the current problem.

Can you please enlighten me how this happened? I have partitioned so many drives before but didn't experience this, thanks.


Please download Malwarebytes' Anti-Malware from here:

MalwareBytes' AntiMalware download link

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



#5 franna (Topic Starter, Member, 51 posts)
Thanks again Sempai.

The WINDOWS0 thing - This was several years ago, and I was working with Wannabe1 (now retired) to fix a really nasty BSOD on startup problem. I think the original plan was to reformat the drive and do a clean re-install. But - there was one Windows file (I suppose it was either malware or a corrupt file) which just wouldn't delete, no matter what we tried. So we left it there, then partitioned the drive and named the new one WINDOWS0, making all activity directed to WINDOWS0. I hope that makes sense; I'm afraid I might be using poor language to describe what happened. If you can contact Wannabe1, perhaps he might remember. (And tell him I will always thank him for saving my sorry [bleep].)

Back to the current problem:

I'm wondering if the files MBAM removed somehow re-installed on startup, or maybe there's something else, because the computer seems to be running in much the same way....

Here is the MBAM log:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6714

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

5/29/2011 10:13:06 AM
mbam-log-2011-05-29 (10-13-06).txt

Scan type: Quick scan
Objects scanned: 209271
Time elapsed: 22 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\adware away (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\backup (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\adware away (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\adware away\othertools (Rogue.AdwareAway) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\adware away\unins000.dat (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\hosts.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\iedlls.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\unins000.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\AdAway.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\AdAway.chm (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\keylogger.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\global.dll (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\customize.dll (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\AdAway.dll (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\fa.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\othernormal.dat (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\EProcess.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\piracy.txt (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\ListDlls.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\FixForV8.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\ab_old.reg (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\overall.log (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\ieurlprefix.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\ieurlsearchhook.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\iebhotoolbar.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\ietoolbarbutton.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\shellextensions.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\process.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\service.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\socket.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\sharedresource.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\LSP.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\autorun.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\ierestriction.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\iepage.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\program files\adware away\activex.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\adware away\adware away.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\adware away\user manual.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\adware away\uninstall.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\adware away\othertools\ListDlls.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\adware away\othertools\FixForV8.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.

Edited by franna, 29 May 2011 - 10:04 AM.


#6 sempai (Trusted Helper, Malware Removal, 785 posts)
Thanks for the clarification. Please temporarily uninstall AVG so it will not interfere with ComboFix.

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  • Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.



#7 franna (Topic Starter, Member, 51 posts)
Hi Sempai, one question before I download and run Combofix.

I went to control panel to uninstall AVG. AVG is set to automatically update and run every day. I launched it to check, and the main window of the program itself said that it did update and run last night. But Control Panel said that it was only used rarely, and I think it said the last time it ran was 1/10/2009.

I also have both Ad-Aware and Spybot Search and Destroy installed, but haven't run them in ages. Strangely, control panel says that Ad-Aware is used 'rarely' and the last use was today (!) - I certainly didn't manually launch it - and Spybot Search and Destroy is used 'frequently' with the last use being 1/10/2009 - which makes no sense at all.

Should I also uninstall both Ad-Aware and Spybot S&D before downloading and running ComboFix? And should I leave MBAM installed or remove that, too?

Thanks!

#8 sempai (Trusted Helper, Malware Removal, 785 posts)
Hi Franna,

I actually experienced that too, even with the software that I use every day. But anyway, the main reason why we want to remove AVG is because ComboFix will not run as long as it is installed in your system.

You can keep MBAM for on-demand malware scans and also keep Spybot S&D and use the immunization feature; tutorial here -> http://www.bleepingc...tutorial43.html

You can remove Ad-Aware; it also comes with an antivirus and you already have AVG installed. Running two antivirus programs at the same time is not recommended.

#9 franna (Topic Starter, Member, 51 posts)
OK, I removed Ad-Aware before running ComboFix and left Spybot S&D. Ad-Aware is still mentioned in the ComboFix log. Weird.


ComboFix 11-05-29.02 - Fran 05/30/2011 10:10:32.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.256.134 [GMT -4:00]
Running from: c:\documents and settings\Fran\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-30 )))))))))))))))))))))))))))))))
.
.
2011-05-29 13:45 . 2011-05-29 13:45 -------- d-----w- c:\documents and settings\Fran\Application Data\Malwarebytes
2011-05-29 13:45 . 2010-12-20 22:09 38224 ----a-w- c:\windows0\system32\drivers\mbamswissarmy.sys
2011-05-29 13:44 . 2011-05-29 13:44 -------- d-----w- c:\documents and settings\All Users.WINDOWS0\Application Data\Malwarebytes
2011-05-29 13:44 . 2010-12-20 22:08 20952 ----a-w- c:\windows0\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-04-14 20:47 . 2007-08-12 06:26 165992 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2006-04-14 20:47 . 2007-08-12 06:26 60518 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-04-14 20:47 . 2007-08-12 06:26 49248 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
.
c:\documents and settings\All Users.WINDOWS0\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-8-4 113664]
Microsoft Office.lnk - c:\microsoft office\Office10\OSA.EXE [2001-2-13 83360]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R3 ELNK3;3Com EtherLink III;c:\windows0\system32\drivers\elnk3.sys [8/18/2007 1:48 PM 25159]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows0\system32\drivers\mbamswissarmy.sys [5/29/2011 9:45 AM 38224]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-25 c:\windows0\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\micros~1\Office10\EXCEL.EXE/3000
IE: EarthLink Google Search - c:\new earthlink total mailbox\EarthLink MailBox\Toolbar\SearchUI.dll/search.html
TCP: DhcpNameServer = 207.69.188.185 207.69.188.186 207.69.188.187
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-ShockwaveFlash - c:\windows0\system32\Macromed\Flash\FlashUtil9c.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-30 10:18
Windows 5.1.2600 Service Pack 2 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-05-30 10:22:06
ComboFix-quarantined-files.txt 2011-05-30 14:22
.
Pre-Run: 2,652,164,096 bytes free
Post-Run: 2,845,843,456 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS0
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS0="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - B3BBFFB317DFEE686B2A90D3080B9256

#10 sempai (Trusted Helper, Malware Removal, 785 posts)
We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

Folder::
c:\program files\Lavasoft

Driver::
Lavasoft Ad-Aware Service

4. Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


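The CFScript above removes the `Lavasoft Ad-Aware Service` entry that the ComboFix log in the previous post listed as `S2 Lavasoft Ad-Aware Service;...;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]`. In ComboFix's service listing the leading letter is the service state (R running, S stopped), the digit is the registry Start type (2 = automatic, 3 = on demand), and a path ComboFix could not find on disk is echoed after `-->` with `[?]`. An auto-start service whose binary is gone is the classic leftover of an incomplete uninstall: it cannot run, but the registration is still tried at every boot until it is removed. The Python below is an added example, not part of the thread or of ComboFix: it parses the three service lines from the log above, picks out the ones whose image is missing, and drafts the Folder::/Driver:: stanza in the form the helper used. The folder to remove is supplied by the analyst, as it was in the thread; the code does not guess it.

```python
"""Orphaned-service check over ComboFix service lines, plus a CFScript draft.

Added example, not ComboFix's own code. The service-line layout and the
Folder:: / Driver:: directives come from the log and script in the posts above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# e.g. S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\...\AAWService.exe" --> c:\...\AAWService.exe [?]
#      state+start, service name, display name, then the image path; a missing
#      file is echoed after "-->" with "[?]", a present one has "[date size]".
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
MISSING_RE = re.compile(r"--> (?P<path>.+?) \[\?\]$")
TRAILER_RE = re.compile(r" \[[^\]]*\]$")      # strips " [8/18/2007 1:48 PM 25159]"

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}


@dataclass
class Service:
    name: str
    display: str
    running: bool      # R = running, S = stopped
    start: str         # registry Start type, decoded
    image: str
    missing: bool      # ComboFix could not find the image on disk


def parse_services(lines) -> list[Service]:
    services = []
    for raw in lines:
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        miss = MISSING_RE.search(rest)
        if miss:
            image, missing = miss.group("path"), True
        else:
            image, missing = TRAILER_RE.sub("", rest), False
        services.append(Service(
            name=m.group("name"),
            display=m.group("display"),
            running=m.group("state") == "R",
            start=START_TYPES.get(m.group("start"), m.group("start")),
            image=image,
            missing=missing,
        ))
    return services


def orphaned(services) -> list[Service]:
    """Services still registered but whose ImagePath is gone."""
    return [s for s in services if s.missing]


def cfscript(services, folders=()) -> str:
    """Draft a CFScript in the Folder::/Driver:: form used in the thread.
    The folders are chosen by the analyst; only the service names are derived."""
    out = []
    if folders:
        out.append("Folder::")
        out.extend(folders)
        out.append("")
    if services:
        out.append("Driver::")
        out.extend(s.name for s in services)
    return "\n".join(out) + "\n"


# The three service lines from the ComboFix log above.
LOG_LINES = [
    r"R3 ELNK3;3Com EtherLink III;c:\windows0\system32\drivers\elnk3.sys [8/18/2007 1:48 PM 25159]",
    r'S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]',
    r"S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows0\system32\drivers\mbamswissarmy.sys [5/29/2011 9:45 AM 38224]",
]

if __name__ == "__main__":
    gone = orphaned(parse_services(LOG_LINES))
    for s in gone:
        print(f"orphaned: {s.name} (start={s.start}, image={s.image})")
    # Folder taken from the helper's script in the thread.
    print(cfscript(gone, folders=[r"c:\program files\Lavasoft"]), end="")
```

With the Lavasoft folder passed in, the draft reproduces the helper's script exactly. The 3Com driver and the MBAM driver are parsed but not flagged, since their files are present.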



#11 franna (Topic Starter, Member, 51 posts)
Hi Sempai. I followed your instructions and ComboFix ran all the way through, at the end it showed that it was deleting the Lavasoft Ad-Aware entry. It then went to "Rebooting Windows. . . Please wait" and has been hanging for over 30 mins (probably a lot longer). It has not generated a log yet.

I've gotten an old laptop running Win98 out of the closet so I can still communicate, I'm on that now (very happy it's working, but it's crazy slow!).

Should I manually restart the computer that's hanging?

Also - I didn't mess around with the inoculate function (or anything else) on Spybot S&D before running either ComboFix scan. I just left Spybot alone. I hope I didn't misunderstand and you actually wanted me to "inoculate" first.

Thanks for your help!

Edited by franna, 30 May 2011 - 10:38 AM.


#12 sempai (Trusted Helper, Malware Removal, 785 posts)
Spybot S&D will not affect the ComboFix run; how's the scan?

#13 franna (Topic Starter, Member, 51 posts)
I haven't touched the computer since my last post and nothing has changed.

The ComboFix scan ran, it deleted a Lavasoft/Ad-Aware entry in, I think, C:/programfiles, and it began to reboot. The wallpaper is still up but the desktop icons are gone, the icons in the quick start tray are still there (I hate those, how do I get rid of them, I don't use them - but I guess that's a question for another time), the usual icons and the time are still visible in the bottom right, and the ComboFix window is still open, saying "Rebooting Windows . . . Please wait." Actually, one thing has changed: yesterday there was a blinking cursor in the window below that message and now that cursor is gone.

Bottom line, ComboFix is still hanging on reboot and I haven't done anything since my earlier post. Help!

Thanks!

#14 sempai (Trusted Helper, Malware Removal, 785 posts)
We will tackle all non-malware-related issues later. Please manually restart the computer and post back the outcome.

#15 franna (Topic Starter, Member, 51 posts)
*sigh of relief* Windows booted normally and everything seems to be working. I can open files and connect to the web. Haven't tried anything else. Performance seems much faster. There used to be an alert in the bottom right that there were Windows updates for download (haven't downloaded any lately); that alert never loaded this time.

Edited by franna, 31 May 2011 - 08:32 AM.
