Alureon virus, after SP3 100% CPU usage by svchost.exe

By beckysellsaz
Aug 8, 2011
  1. Hi,
    Thanks in advance, as all I've done to cure my computer in the past few months has failed, I am at my wits' end, and I realize I am way out of my league with how to fix it. I will try to give a brief explanation of what I have tried and the timeline, and then my logs, as requested, will be pasted into the post.

    Got the Alureon redirect virus, so to try to get rid of it, I updated AVG 2011 and ran it; it didn't find anything. Then Malwarebytes: ran it, found only adware, removed it. Then the Kaspersky rootkit killer found it, and I thought it was gone because the redirecting stopped. But the computer was still painstakingly slow for even the simplest task.

    At the same time as this I ran Windows Update and got SP3. The nightmare got worse. As soon as I did that I got a huge memory leak. All of a sudden all my disk space is used up, not even enough VM sometimes to run IE, or more than one item at a time, so I ran Process Explorer and found that svchost was the culprit; furthermore, it was the one connected with Microsoft updates that came with the SP3. Unfortunately even the fixes from Microsoft didn't work to solve that, so I had to disable automatic updates to get my CPU back, which is only a workaround for now, but the slowness, memory leak and buffering make it impossible to do my work, and it is still very slow even with the updates turned off.

    So yesterday I updated AVG and ran it again; it found one multiple runtime compression aspack,nupx problem that I have no idea how to fix. Ran Malwarebytes, found nothing. Then today I updated Adobe and Java, did the GMER scan only in safe mode because it wouldn't run any other way (in fact it gave me a BSOD every time I tried it otherwise), and it found nothing, then did my DDS logs. Fast forward, I need lots of help.

    Thanks,
    Becky

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7390

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/6/2011 8:28:30 AM
    mbam-log-2011-08-06 (08-28-29).txt

    Scan type: Quick scan
    Objects scanned: 176030
    Time elapsed: 1 hour(s), 19 minute(s), 44 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
    Run by Owner at 21:30:27 on 2011-08-07
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.203 [GMT -7:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\HPZinw12.exe
    C:\WINDOWS\system32\HPZipm12.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com/
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: XBTB03748 Class: {1cbc8587-1e29-4c2b-9739-d0e563905b32} - c:\docume~1\owner\mydocu~1\e-chor~1\e-chords.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
    TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
    mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
    mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
    mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
    mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    IE: &Search
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    Trusted Zone: realtytools.com
    Trusted Zone: toolkitcma.com
    Trusted Zone: toolkitcma2.com
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {2564B8E6-7D84-11D4-A689-30475BC10000} - hxxp://www.toolkitcma.com/tkweb/tkweb.cab
    DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
    DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.reoconnex.com/Image%20Uploader/ImageUploader6.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    TCP: Interfaces\{8BCF23E9-2922-45FC-873E-7B0228D8C4A6} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: igfxcui - igfxsrvc.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\07ygroks.default\
    FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
    FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 248656]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 297168]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2011-1-28 196912]
    R2 pciinfo;HP Pci Information;c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys [2006-6-29 1792]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
    R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2009-5-20 23096]
    S0 eevqikpc;eevqikpc;c:\windows\system32\drivers\ggto.sys --> c:\windows\system32\drivers\ggto.sys [?]
    S1 ytddioah;ytddioah;\??\c:\windows\system32\drivers\ytddioah.sys --> c:\windows\system32\drivers\ytddioah.sys [?]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-6 7398752]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-16 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-16 136176]
    S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2010-2-21 54416]
    S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2010-2-21 160272]
    S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2010-2-21 160272]
    S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2010-2-21 11920]
    S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2010-2-21 113680]
    S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2009-5-20 249856]
    S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
    .
    =============== Created Last 30 ================
    .
    2011-08-07 20:18:23 -------- d-----w- c:\documents and settings\owner\local settings\application data\Sun
    2011-08-07 18:34:43 128000 ----a-w- c:\windows\system32\javacpl.cpl
    2011-08-07 18:34:41 611224 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-08-07 18:34:06 544656 ----a-w- c:\windows\system32\deployJava1.dll
    2011-08-07 03:44:32 1266056 ----a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
    2011-08-07 03:41:45 3038 ----a-w- C:\fix_svchost.bat
    2011-08-07 03:26:33 6776168 ----a-w- C:\WindowsUpdateAgent30-x86.exe
    2011-08-06 14:05:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    ==================== Find3M ====================
    .
    2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
    2006-09-07 00:16:52 534112 ----a-w- c:\program files\psa30se_ytb612_a708_DLM_en_us.exe
    2006-07-13 19:57:38 7352104 ----a-w- c:\program files\ewebeditproclient.exe
    2006-06-05 20:14:16 533912 ----a-w- c:\program files\psa30se_a708_DLM_en_us.exe
    .
    ============= FINISH: 21:35:30.90 ===============
    .
    .


    I will paste the 2nd DDS log into a new post.
  2. beckysellsaz


    2nd DDS log

    Here is the 2nd DDS attach log. Any ideas or help will be greatly appreciated!


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/12/2005 3:56:16 AM
    System Uptime: 8/7/2011 3:52:59 PM (6 hours ago)
    .
    Motherboard: Hewlett-Packard | | 309D
    Processor: Intel(R) Pentium(R) M processor 1.73GHz | U1 | 1729/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 93 GiB total, 10.671 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1530: 5/10/2011 12:24:46 AM - System Checkpoint
    RP1531: 5/11/2011 3:29:55 AM - System Checkpoint
    RP1532: 5/12/2011 10:17:36 AM - Software Distribution Service 3.0
    RP1533: 5/17/2011 3:33:00 PM - System Checkpoint
    RP1534: 5/18/2011 4:25:16 PM - System Checkpoint
    RP1535: 5/20/2011 12:38:14 AM - System Checkpoint
    RP1536: 5/21/2011 4:40:32 PM - System Checkpoint
    RP1537: 5/22/2011 5:21:57 PM - System Checkpoint
    RP1538: 5/24/2011 2:15:55 PM - System Checkpoint
    RP1539: 5/25/2011 2:58:18 PM - System Checkpoint
    RP1540: 5/26/2011 3:57:54 PM - System Checkpoint
    RP1541: 5/30/2011 5:54:19 PM - System Checkpoint
    RP1542: 6/3/2011 8:46:10 PM - System Checkpoint
    RP1543: 6/4/2011 9:44:54 PM - System Checkpoint
    RP1544: 6/7/2011 10:53:26 PM - System Checkpoint
    RP1545: 6/10/2011 11:13:57 AM - System Checkpoint
    RP1546: 6/11/2011 11:55:42 AM - System Checkpoint
    RP1547: 6/12/2011 8:27:55 PM - System Checkpoint
    RP1548: 6/14/2011 6:42:25 PM - System Checkpoint
    RP1549: 6/15/2011 7:23:40 PM - System Checkpoint
    RP1550: 6/18/2011 8:48:44 AM - Software Distribution Service 3.0
    RP1551: 6/19/2011 8:46:47 PM - System Checkpoint
    RP1552: 6/20/2011 9:21:32 PM - System Checkpoint
    RP1553: 6/30/2011 1:26:51 PM - System Checkpoint
    RP1554: 7/1/2011 3:02:41 AM - Software Distribution Service 3.0
    RP1555: 7/2/2011 3:02:32 AM - Software Distribution Service 3.0
    RP1556: 7/4/2011 12:29:06 PM - Software Distribution Service 3.0
    RP1557: 7/6/2011 10:16:20 AM - System Checkpoint
    RP1558: 7/7/2011 3:58:21 PM - System Checkpoint
    RP1559: 7/8/2011 4:09:41 PM - System Checkpoint
    RP1560: 7/13/2011 9:54:03 AM - System Checkpoint
    RP1561: 7/17/2011 5:17:45 PM - System Checkpoint
    RP1562: 8/5/2011 6:56:34 PM - System Checkpoint
    RP1563: 8/6/2011 3:02:52 AM - Software Distribution Service 3.0
    RP1564: 8/6/2011 4:13:26 PM - Removed Adobe Reader 9.3.2.
    RP1565: 8/7/2011 2:02:50 AM - Installed Adobe Reader X (10.1.0).
    RP1566: 8/7/2011 10:41:57 AM - Removed J2SE Runtime Environment 5.0 Update 4
    RP1567: 8/7/2011 10:48:48 AM - Removed J2SE Runtime Environment 5.0 Update 6
    RP1568: 8/7/2011 10:53:47 AM - Removed Java(TM) 6 Update 2
    RP1569: 8/7/2011 11:01:28 AM - Removed Java(TM) 6 Update 11
    RP1570: 8/7/2011 11:31:44 AM - Installed Java(TM) 7
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X (10.1.0)
    Adobe Shockwave Player 11.5
    Adobe® Photoshop® Album Starter Edition 3.2
    Agere Systems AC'97 Modem
    AiO_Scan_CDA
    AiOSoftwareNPI
    AllMusicConverter 3.8.3
    ALPS Touch Pad Driver
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Auslogics Duplicate File Finder
    AutoUpdate
    AVG 2011
    AVS DVDMenu Editor 1.0.0.5
    AVS Video Tools 5.5
    Bonjour
    BufferChm
    C6100
    c6100_Help
    Compatibility Pack for the 2007 Office system
    CP_CalendarTemplates1
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Panorama1Config
    cp_PosterPrintConfig
    CueTour
    CustomerResearchQFolder
    Destinations
    DeviceManagementQFolder
    DiscAPI (Studio 10)
    Disney Pirates of the Caribbean Online
    DivX
    DocProc
    DocProcQFolder
    DocumentViewer
    DocumentViewerQFolder
    E-Chords Toolbar
    eSupportQFolder
    Fax_CDA
    FormViewer
    FullDPAppQFolder
    Google Chrome
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    GoToMeeting 4.5.0.457
    Hotfix 2050 for SQL Server 2000 ENU (KB948110)
    Hotfix 2055 for SQL Server 2000 ENU (KB960082)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Customer Participation Program 7.0
    HP Document Viewer 7.0
    HP Help and Support
    HP Imaging Device Functions 7.0
    HP Photosmart Premier Software 6.5
    HP Photosmart, Officejet and Deskjet 7.0.A
    HP Software Update
    HP Solution Center 7.0
    HP Wireless Assistant 1.01 B2
    HP_User_Guides_0005
    HPPhotoSmartExpress
    HPProductAssistant
    HpSdpAppCoreApp
    Inkscape 0.46
    InstantShareDevices
    InstantShareDevicesMFC
    Intel(R) Graphics Media Accelerator Driver for Mobile
    InterVideo WinDVD
    iTunes
    Java Auto Updater
    Java(TM) 7
    LightScribe System Software
    LiveUpdate 2.5 (Symantec Corporation)
    Logitech Desktop Messenger
    Logitech SetPoint
    M4A to MP3 Converter 1.2
    Malwarebytes' Anti-Malware version 1.51.1.1800
    MarketResearch
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money 2005
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Basic Edition 2003
    Microsoft Office Standard Edition 2003
    Microsoft Silverlight
    Microsoft SQL Server Desktop Engine (PINNACLESYS)
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Mozilla Firefox (3.6.12)
    MSN Toolbar
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Music Transfer
    MUSICMATCH® Jukebox
    muvee autoProducer 4.0 - SE
    NewCopy_CDA
    Nitro PDF Reader
    OCR Software by I.R.I.S 7.0
    PanoStandAlone
    PANTECH UM175 Driver
    PhotoGallery
    Pinnacle Instant DVD Recorder
    Pinnacle MediaServer
    PowerTeacher Gradebook
    Primo
    PrimoPDF -- brought to you by Nitro PDF Software
    ProductContextNPI
    Quick Launch Buttons 5.10 B5
    QuickTime
    RandMap
    RAPID (Studio 10)
    Readme
    Roblox for Owner
    Runtime
    Scan
    ScannerCopy
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    SkinsHP1
    SlideShow
    SmartSound Quicktracks Plugin
    SolutionCenter
    Sonic Audio Module
    Sonic Copy Module
    Sonic Data Module
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic Update Manager
    Sonic_PrimoSDK
    Sony Picture Utility
    SoundMAX
    Station Launcher
    Status
    Studio 10
    Texas Instruments PCIxx21/x515 drivers.
    TIxx21
    Toolbox
    ToolkitCMA
    TrayApp
    Turbo Lister 2
    Unload
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VZAccess Manager
    WebFldrs XP
    WebReg
    Windows Internet Explorer 7
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 3
    WinRAR archiver
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/7/2011 4:09:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HP WMI Interface service to connect.
    8/7/2011 4:09:33 PM, error: Service Control Manager [7000] - The HP WMI Interface service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/7/2011 4:09:33 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service hpqwmi with arguments "-Service" in order to run the server: {7DC5B2D7-CACC-47F2-836E-4DF85F026072}
    8/7/2011 4:06:52 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
    8/7/2011 4:06:52 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/7/2011 4:06:39 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "-Service" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    8/7/2011 4:05:54 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the UMWdf service.
    8/7/2011 4:05:54 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Apple Mobile Device service.
    8/7/2011 4:00:19 PM, error: Service Control Manager [7022] - The Terminal Services service hung on starting.
    8/7/2011 4:00:19 PM, error: Service Control Manager [7022] - The Pinnacle Systems Media Service service hung on starting.
    8/7/2011 4:00:19 PM, error: Service Control Manager [7022] - The AVGIDSAgent service hung on starting.
    8/7/2011 4:00:19 PM, error: Service Control Manager [7001] - The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error: After starting, the service hung in a start-pending state.
    8/7/2011 3:59:12 PM, error: System Error [1003] - Error code 100000d1, parameter1 0000000c, parameter2 00000005, parameter3 00000001, parameter4 f84675f7.
    8/7/2011 3:45:58 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    8/7/2011 3:41:06 PM, error: Service Control Manager [7022] - The SSDP Discovery Service service hung on starting.
    8/7/2011 3:36:55 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the TermService service.
    8/7/2011 3:36:55 PM, error: Service Control Manager [7001] - The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
    8/7/2011 3:36:55 PM, error: Service Control Manager [7000] - The Terminal Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/7/2011 3:27:54 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    8/7/2011 3:27:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    8/7/2011 3:26:55 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    8/7/2011 3:25:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    8/7/2011 3:19:43 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix eabfiltr Fips intelppm IPSec MRxSmb NetBIOS NetBT PCLEPCI RasAcd Rdbss Tcpip
    8/7/2011 3:19:43 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    8/7/2011 3:19:43 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/7/2011 3:19:43 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/7/2011 3:19:43 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    8/7/2011 3:19:43 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/7/2011 3:19:43 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    .
    ==== End Of File ===========================
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Becky, when you open Notebook for a log, please click on Font and uncheck Word Wrap. I'd appreciate it if you would repost just the DDS.txt log with Word Wrap off. (You don't need to redo the Attach.log. I can't read the entries when they're split over 2 or more lines. You'll see the difference.)
    ==========================================
    Please remove any of the scanning programs you used when the panic set in, such as the Kaspersky Rootkit Killer.
    ===========================================
    The Java is way outdated- Java(TM) 7- I think this is actually an update rather than a version, as the current version is v6u26, and is a vulnerability, so you need to update now: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    --------------------------------
    After the update, you will need to remove malware in the Java cache:
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on Temporary Files Settings window.
    Images courtesy java.com
    =======================================
    Please remove these domains from the Trusted Zone. Security is lower in that zone and nothing needs to be there:
    Trusted Zone: realtytools.com
    Trusted Zone: toolkitcma.com
    Trusted Zone: toolkitcma2.com
    =======================================
    Please handle the above. I have to leave for a couple of hours and will give you further instructions after I return.

    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
  4. beckysellsaz

    beckysellsaz Newcomer, in training Topic Starter

    Hi Bobbye,

    Thank you so much for helping me. I have re-pasted the DDS log with word wrap off at the end of this post. Sorry I did not know that was on.

    I followed your steps in order, however I think the Kapersky rootkit killer was already removed. All I could find was the quarantine folder and 3 logs from the scans. Should I remove those as well? Also, checked for other scans but I don't think I have any except what your site recommends still installed.

    Updated Java, no problems but should I remove that Java 7 I installed yesterday?

    Emptied Java Cache, no problems, removed the domain names from the trusted sites, and will patiently await your next instructions. My computer seems to be running about the same.

    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
    Run by Owner at 21:30:27 on 2011-08-07
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.203 [GMT -7:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\HPZinw12.exe
    C:\WINDOWS\system32\HPZipm12.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com/
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: XBTB03748 Class: {1cbc8587-1e29-4c2b-9739-d0e563905b32} - c:\docume~1\owner\mydocu~1\e-chor~1\e-chords.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
    TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
    mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
    mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
    mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
    mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    IE: &Search
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    Trusted Zone: realtytools.com
    Trusted Zone: toolkitcma.com
    Trusted Zone: toolkitcma2.com
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {2564B8E6-7D84-11D4-A689-30475BC10000} - hxxp://www.toolkitcma.com/tkweb/tkweb.cab
    DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
    DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.reoconnex.com/Image%20Uploader/ImageUploader6.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    TCP: Interfaces\{8BCF23E9-2922-45FC-873E-7B0228D8C4A6} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: igfxcui - igfxsrvc.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\07ygroks.default\
    FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
    FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 248656]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 297168]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2011-1-28 196912]
    R2 pciinfo;HP Pci Information;c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys [2006-6-29 1792]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
    R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2009-5-20 23096]
    S0 eevqikpc;eevqikpc;c:\windows\system32\drivers\ggto.sys --> c:\windows\system32\drivers\ggto.sys [?]
    S1 ytddioah;ytddioah;\??\c:\windows\system32\drivers\ytddioah.sys --> c:\windows\system32\drivers\ytddioah.sys [?]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-6 7398752]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-16 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-16 136176]
    S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2010-2-21 54416]
    S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2010-2-21 160272]
    S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2010-2-21 160272]
    S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2010-2-21 11920]
    S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2010-2-21 113680]
    S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2009-5-20 249856]
    S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
    .
    =============== Created Last 30 ================
    .
    2011-08-07 20:18:23 -------- d-----w- c:\documents and settings\owner\local settings\application data\Sun
    2011-08-07 18:34:43 128000 ----a-w- c:\windows\system32\javacpl.cpl
    2011-08-07 18:34:41 611224 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-08-07 18:34:06 544656 ----a-w- c:\windows\system32\deployJava1.dll
    2011-08-07 03:44:32 1266056 ----a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
    2011-08-07 03:41:45 3038 ----a-w- C:\fix_svchost.bat
    2011-08-07 03:26:33 6776168 ----a-w- C:\WindowsUpdateAgent30-x86.exe
    2011-08-06 14:05:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    ==================== Find3M ====================
    .
    2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
    2006-09-07 00:16:52 534112 ----a-w- c:\program files\psa30se_ytb612_a708_DLM_en_us.exe
    2006-07-13 19:57:38 7352104 ----a-w- c:\program files\ewebeditproclient.exe
    2006-06-05 20:14:16 533912 ----a-w- c:\program files\psa30se_a708_DLM_en_us.exe
    .
    ============= FINISH: 21:35:30.90 ===============
    .
    .
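As an added example (not code from this thread, from the helper, or from the DDS tool itself), the script below parses the DDS report format shown above, the "Pseudo HJT Report" lines (`BHO:`, `TB:`, `Trusted Zone:`) and the "SERVICES / DRIVERS" lines (`R0`/`S1` name;display;path), and flags the kinds of entries a helper looks at first: Trusted Zone domains, drivers whose file is missing or unresolved (`-->` ... `[?]`), and add-ons or drivers loading from a user profile or temp directory. The sample input is copied from the log above; the severity labels and path heuristics are this example's own assumptions, not anything DDS emits.

```python
"""Triage helper for DDS-style logs (added example; not part of the thread or the DDS tool)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the DDS log posted above, used here as constructed sample input.
SAMPLE_LOG = r"""
BHO: XBTB03748 Class: {1cbc8587-1e29-4c2b-9739-d0e563905b32} - c:\docume~1\owner\mydocu~1\e-chor~1\e-chords.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
Trusted Zone: realtytools.com
R2 pciinfo;HP Pci Information;c:\docume~1\owner\locals~1\temp\hpispz\hpdom\pciinfo.sys [2006-6-29 1792]
S0 eevqikpc;eevqikpc;c:\windows\system32\drivers\ggto.sys --> c:\windows\system32\drivers\ggto.sys [?]
S1 ytddioah;ytddioah;\??\c:\windows\system32\drivers\ytddioah.sys --> c:\windows\system32\drivers\ytddioah.sys [?]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
"""

# DDS service/driver line: state (R=running, S=stopped), start type, name;display;path [date size]
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$")
# Heuristic (assumption of this example): system drivers and browser add-ons normally live
# under Program Files or system32, not in a user profile or a temp directory.
PROFILE_PATH_RE = re.compile(r"\\(docume~1|documents and settings)\\|\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info" (labels chosen for this example)
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a DDS line worth a second look, or None if it looks routine."""
    s = line.strip()
    if not s:
        return None

    if s.startswith("Trusted Zone:"):
        return Finding("medium", "domain in the IE Trusted Zone (lowered security settings)", s)

    m = SERVICE_RE.match(s)
    if m:
        _state, _start_type, _name, _display, rest = m.groups()
        # DDS prints "path --> path [?]" when it cannot resolve or stat the driver file.
        if "-->" in rest or rest.rstrip().endswith("[?]"):
            return Finding("high", "service/driver file missing or unresolved", s)
        if PROFILE_PATH_RE.search(rest):
            return Finding("medium", "driver loaded from a user profile or temp path", s)
        return None

    if s.startswith(("BHO:", "TB:")):
        # Format: "BHO: Name: {CLSID} - path"; a trailing bare "-" means no file is registered.
        parts = s.split(" - ", 1)
        path = parts[1].strip() if len(parts) == 2 else ""
        if not path:
            return Finding("info", "browser add-on registered without a file (orphaned entry)", s)
        if PROFILE_PATH_RE.search(path):
            return Finding("medium", "browser add-on loaded from a user profile path", s)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a DDS report and keep the hits, in log order."""
    return [f for f in (triage_line(line) for line in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"[{finding.severity:6}] {finding.reason}")
        print(f"         {finding.line}")
```

A hit only means "look at this entry"; the reviewer still has to decide whether a flagged file is a legitimate vendor tool (the HP pciinfo.sys line) or an unknown driver that the next scans should account for.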
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you- that's better! Looks like you hiccuped a couple of times, but it's not a problem.
    Regarding "should I remove that Java 7 I installed yesterday?"> Yes, it's not the correct Java.
    The only Java 7 I see is JDK 7, the Java Development Kit (JDK) from Sun Microsystems, aimed at Java developers. So unless you're a programmer, this wouldn't be what you should have.
    Get Java v6u26 here> http://www.java.com/en/download/
    ---------------------
    Would you please do this while we're working together:
    Go into Pinnacle Studios and turn off the driver check.
    If the website moves or is down for a bit and the software checks for a driver from a link that isn't working, you get error type messages. As a general rule, you do not need software checking for driver updates. If the software/hardware is working then the driver is fine so you wouldn't want it updated anyway.
    (This is the entry in the log. You don't need to do anything with it, I'll handle that. Just wanted you to see what I'm referring to.)
    mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
    ====================================
    There are some entries in these logs I can't identify, so I'd like you to run the following:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===================================
    Follow with Combofix. It won't run with AVG, so you will have to uninstall it temporarily as follows:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen listing the detected security applications will appear (the original post shows a screenshot here).
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated- it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ==================================
    These 2 scans will help us find and then remove the offenders. Logs for Eset and Combofix in next reply please.
    There is no log for the App Remover. But be sure to put one of the AV programs on the system- after you install it, make sure to check for updates. You do not need to run a scan with it at this time.


    __________________
  6. beckysellsaz

    beckysellsaz Newcomer, in training Topic Starter

    Hi Bobbye,

    I am still working on the items from your last post. I have run into a problem and want to ask a question before I continue. I am up to running the combofix scan, but every time I try to run it I get a warning that says the AVG 2011 realtime scanner is active and to disable it before clicking ok, but there is no trace that I can find of AVG still on the system. I ran the Appremover program and the uninstall said it was complete. Just to be sure after I got the warning I reran it and it could not detect the AVG, I rebooted but no change. I found that the AVG website has a download for a last resort tool that will remove any remaining traces but states that it will remove registry entries, etc. and I remember you said not to use anything you haven't approved so I wanted to check with you before continuing. BTW, the combofix warning states that if I continue without disabling the AVG I will be putting my system at great risk so I will wait till I hear from you before doing the scan.

    Thanks,
    Becky
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Oh my! AVG gives us so many problems! They have left no way for it to be disabled to run scans, so we uninstall it. But it sounds like the Resident Shield is still active. If you can bypass this and run Combofix, okay- but be sure you have added one of the temporary AV programs so the system will be safe.

    If you cannot bypass and Combofix won't run, use the following tool:
    AVG Remover eliminates all the parts of your AVG installation from your computer, including registry items, installation files, user files, etc.
    Note:
    • AVG user settings will be removed.
    • Virus Vault contents will be removed.
    • All other items related to AVG installation and use will be removed.
    • You will be asked during the removal procedure to restart your computer. Please do so.
    • Make sure there is no open work in process prior to launching AVG Remover.
    AVG Remover:32bit
  8. beckysellsaz

    beckysellsaz Newcomer, in training Topic Starter

    Hi Bobbye,

    Well that was painful, but we got through it. I have attached the logs from the scans. Here is a rundown of how things went. Java is most recent version only now. I turned off the Pinnacle Studio driver check, then ran the Eset scan. Since my computer is soooo slow, that took 15 hours, but it did find two threats. Next I used the appremover to uninstall the AVG, and installed the Avira AV in its place. Then I installed the Combofix and as you know ran into the problem of AVG still being on the system when I tried to run that scan. So I tried to use the AVG removal tool from AVG to fully remove AVG, but I tried running that scan twice and it froze halfway through both times and would not finish. I finally just ran the combo fix anyway. The only problem I had with that was that it asked to install the recovery console but then could not connect to the internet, so after a while it just ran the scan by itself without installing the recovery console. So should I try to manually install the recovery console in case I need it later? Also, since AVG has caused me so many headaches, do you recommend another good free one I can use long-term? I will just leave Avira on for now. So far, the speed of everything is still slow, so not much of a change after the scans. I also have a text log of the AVG remover scan if you want to see that.

    Eset Scan


    C:\Documents and Settings\Owner\autorun.inf INF/Autorun virus
    C:\Documents and Settings\Owner\My Documents\2_lnk.zip BAT/TrojanDownloader.Ftp.NIJ.Gen trojan

    Combofix scan

    ComboFix 11-08-10.03 - Owner 08/13/2011 18:14:04.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.184 [GMT -7:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Owner\Cookies.lnk
    c:\documents and settings\Owner\g2mdlhlpx.exe
    c:\documents and settings\Owner\My Documents\~WRL0884.tmp
    c:\documents and settings\Owner\My Documents\~WRL2220.tmp
    c:\documents and settings\Owner\My Documents\~WRL2399.tmp
    c:\documents and settings\Owner\My Documents\~WRL3252.tmp
    c:\documents and settings\Owner\My Documents\~WRL3644.tmp
    c:\documents and settings\Owner\Recent\Thumbs.db
    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
    c:\windows\system32\_000013_.tmp.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-14 to 2011-08-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-10 16:30 . 2011-08-10 16:30 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
    2011-08-10 04:22 . 2011-08-11 03:16 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-08-10 04:22 . 2011-08-11 03:16 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-08-10 04:22 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-08-10 04:22 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-08-10 04:22 . 2011-08-10 04:22 -------- d-----w- c:\program files\Avira
    2011-08-10 04:22 . 2011-08-10 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-08-10 00:15 . 2011-08-10 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-08-09 05:30 . 2011-08-09 05:30 -------- d-----w- c:\program files\ESET
    2011-08-08 22:55 . 2011-08-08 17:06 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-08-07 20:18 . 2011-08-07 20:18 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sun
    2011-08-07 18:34 . 2011-08-08 17:06 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-08-07 18:34 . 2011-08-08 17:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-08-07 08:09 . 2011-08-07 08:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-08-07 03:53 . 2011-08-07 03:54 -------- d-----w- c:\documents and settings\Administrator.PC326916935110
    2011-08-07 03:44 . 2011-08-07 03:44 1266056 ----a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
    2011-08-07 03:41 . 2011-08-07 03:41 3038 ----a-w- C:\fix_svchost.bat
    2011-08-07 03:26 . 2011-08-07 03:26 6776168 ----a-w- C:\WindowsUpdateAgent30-x86.exe
    2011-08-06 14:05 . 2011-08-06 14:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-07 02:52 . 2011-03-26 01:18 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-07 02:52 . 2011-03-26 01:17 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-02 14:02 . 2004-08-04 08:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2006-09-07 00:16 . 2006-09-07 00:16 534112 ----a-w- c:\program files\psa30se_ytb612_a708_DLM_en_us.exe
    2006-07-13 19:57 . 2006-07-13 19:57 7352104 ----a-w- c:\program files\ewebeditproclient.exe
    2006-06-05 20:14 . 2006-06-05 20:14 533912 ----a-w- c:\program files\psa30se_a708_DLM_en_us.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-15 67128]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-04-13 2387968]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
    "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
    "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-11 406016]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 28160]
    "mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-20 53248]
    "MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-04-20 118784]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-14 421160]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
    .
    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-12-30 333088]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-2-14 67128]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-12-28 438272]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/9/2011 9:23 PM 136360]
    R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe [1/28/2011 10:51 AM 196912]
    R2 pciinfo;HP Pci Information;\??\c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
    R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [5/20/2009 9:50 PM 23096]
    S0 eevqikpc;eevqikpc;c:\windows\system32\drivers\ggto.sys --> c:\windows\system32\drivers\ggto.sys [?]
    S1 ytddioah;ytddioah;\??\c:\windows\system32\drivers\ytddioah.sys --> c:\windows\system32\drivers\ytddioah.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2010 12:17 PM 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2010 12:17 PM 136176]
    S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2/21/2010 1:36 PM 54416]
    S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2/21/2010 1:36 PM 160272]
    S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2/21/2010 1:36 PM 160272]
    S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2/21/2010 1:36 PM 11920]
    S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2/21/2010 1:36 PM 113680]
    S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [5/20/2009 9:50 PM 249856]
    S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2009-04-13 22:08 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]
    .
    2011-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-16 19:17]
    .
    2011-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-16 19:17]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com/
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.reoconnex.com/Image%20Uploader/ImageUploader6.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\07ygroks.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-HP Document Viewer - c:\program files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe
    AddRemove-HP Imaging Device Functions - c:\program files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe
    AddRemove-HP Photo & Imaging - c:\program files\HP\Digital Imaging\uninstall\hpzscr01.exe
    AddRemove-HPExtendedCapabilities - c:\program files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe
    AddRemove-HPOCR - c:\program files\HP\Digital Imaging\OCR\hpzscr01.exe
    AddRemove-{36C41D70-56F5-4E2B-81DA-6BEB7502D7A1} - c:\program files\InstallShield Installation Information\{36C41D70-56F5-4E2B-81DA-6BEB7502D7A1}\setup.exe
    AddRemove-{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C} - c:\program files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe
    AddRemove-{D5068583-D569-468B-9755-5FBF5848F46F} - c:\program files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-13 18:57
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(752)
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL
    .
    Completion time: 2011-08-13 19:12:32
    ComboFix-quarantined-files.txt 2011-08-14 02:11
    .
    Pre-Run: 11,706,716,160 bytes free
    Post-Run: 12,536,242,176 bytes free
    .
    - - End Of File - - D539B46286554703F2EF80A58C2B72EC

    thanks,
    Becky
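    The ComboFix log above lists every service and driver with its backing file, and marks the ones whose file could not be found with "[?]" (for example the pciinfo, eevqikpc and ytddioah entries). The script below is an added example, not part of ComboFix, OTM or anything else used in this thread: it parses lines in that format, flags services whose file is missing, that load from a Temp directory, or that start at boot/system time, and also lists the Run-key autostarts. The sample text is copied from the log above; the line format it assumes is the one visible there.

```python
"""Triage helper for ComboFix-style log lines (services/drivers and Run-key autostarts).

Added example for this thread; it is not ComboFix, OTM or any other tool
mentioned here. SAMPLE_LOG is copied from the ComboFix log posted above so the
output can be checked against it.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Service/driver lines look like:  R2 name;Display Name;c:\path\file.sys [date size]
# When the file is missing ComboFix writes:  ... c:\path\file.sys --> c:\path\file.sys [?]
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Run-key value lines look like:  "Name"="c:\path\prog.exe" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")

@dataclass
class ServiceFinding:
    start: str
    name: str
    display: str
    path: str
    reasons: List[str] = field(default_factory=list)

@dataclass
class RunEntry:
    key: str
    name: str
    path: str

def _split_service_path(rest: str):
    """Return (path, file_missing) from the part of the line after the display name."""
    missing = rest.rstrip().endswith("[?]")
    if "-->" in rest:                       # take the resolved path ComboFix printed
        rest = rest.split("-->", 1)[1]
    path = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest).strip()
    return path.replace("\\??\\", ""), missing   # drop the NT object-manager prefix

def triage_service_line(line: str) -> Optional[ServiceFinding]:
    """Parse one service line; return a finding only if something warrants a look."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    path, missing = _split_service_path(m["rest"])
    f = ServiceFinding(m["start"], m["name"].strip(), m["display"].strip(), path)
    if missing:
        f.reasons.append("backing file not found on disk ([?])")
    if "\\temp\\" in path.lower():
        f.reasons.append("loads from a Temp directory")
    if f.start in ("S0", "S1", "R0", "R1"):
        f.reasons.append("boot/system start type, loads before user-mode security tools")
    return f if f.reasons else None

def triage_log(text: str) -> List[ServiceFinding]:
    return [f for f in (triage_service_line(l) for l in text.splitlines()) if f]

def parse_run_entries(text: str) -> List[RunEntry]:
    """Collect autostart values listed under [HK...\Run]-style keys."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            key = k["key"]
            continue
        m = RUN_RE.match(line)
        if m and key:
            entries.append(RunEntry(key, m["name"], m["path"]))
    return entries

# Copied from the ComboFix log above (Run key excerpt and service list excerpt).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/9/2011 9:23 PM 136360]
R2 pciinfo;HP Pci Information;\??\c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Owner\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
S0 eevqikpc;eevqikpc;c:\windows\system32\drivers\ggto.sys --> c:\windows\system32\drivers\ggto.sys [?]
S1 ytddioah;ytddioah;\??\c:\windows\system32\drivers\ytddioah.sys --> c:\windows\system32\drivers\ytddioah.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2010 12:17 PM 136176]
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.start} {f.name:<12} {f.path}\n    - " + "\n    - ".join(f.reasons))
    for e in parse_run_entries(SAMPLE_LOG):
        print(f"autostart: {e.name} -> {e.path}")
```

    Run against the sample, the three "[?]" services are reported and the Avira and Google Update services are not; a missing backing file is not proof of malware (the HP pciinfo entry points at a temp-extracted installer driver), but every such entry is worth checking before deciding what a removal script should delete.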
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry Becky, I've gotten a bit behind.

    As you may have seen in the Eset log, you have the Autorun virus, which, as the name suggests, uses the Autorun.inf feature in the Windows OS that is used for launching the programs that are stored in removable media such as DVDs, USB devices, CD ROMs, as well as memory sticks.

    When your computer is infected, viruses can connect to the malicious web site and install the key logger on your PC. The key logger steals all your private information like usernames, account numbers, social security, passwords, credit card information, as well as other sensitive information. So the possibility exists that the computer has been so compromised that only a reformat/reinstall will restore it, as well as changing all of your passwords and carefully monitoring any online financial transactions you have.

    If there is an autorun.inf virus on a USB drive, each time you insert the removable media and double-click your drives to open it, the virus files begin executing and infect your computer: it spreads itself onto the computer by making multiple copies of the autorun.inf and .exe files on every drive of your computer.

    So first, you disinfect the flash drive. And note that if they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    Note that the above should be used on all movable media by connecting them when you run the disinfection.
    ================================================
    For the Eset entries:
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Documents and Settings\Owner\autorun.inf 
      C:\Documents and Settings\Owner\My Documents\2_lnk.zip 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =================
    You surely tried to fix things! My compliments to you. What I need to know is if the following made any difference in the CPU usage. If that has been handled, I can remove those entries with script I'm using for other entries to be removed.

    Has anything changed from the original problems?
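    As an added example of what the Autorun explanation and the Flash_Disinfector step above amount to (this is not Flash_Disinfector's, ESET's or the thread's own code), the script below inspects a drive root for autorun.inf, reports the keys that would launch a program when the drive is opened, and then applies the same guard Flash_Disinfector leaves behind: the file is moved to quarantine and an empty folder named autorun.inf is created in its place, which Windows cannot parse as an INF. The drive root is a temporary directory and the autorun.inf in it is constructed here; the keys checked (open, shellexecute, shell\...\command) are the standard autorun.inf launch keys.

```python
"""Triage and neutralise autorun.inf on a removable drive root.

Added example for this thread; it is not Flash_Disinfector, ESET or OTM code.
The "drive root" is a temporary directory and the autorun.inf inside it is
constructed here so the script runs offline.
"""
import configparser
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import List, Tuple

LAUNCH_KEYS = ("open", "shellexecute")   # keys that start a program when the drive is opened

@dataclass
class AutorunReport:
    present: bool                      # anything named autorun.inf at the root?
    is_folder: bool                    # a folder named autorun.inf is the guard Flash_Disinfector leaves
    launches: List[Tuple[str, str]] = field(default_factory=list)  # (key, command) pairs found

def parse_autorun(text: str) -> List[Tuple[str, str]]:
    """Return every key in the INF that would start a program when the drive is opened."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    found = []
    for section in cp.sections():
        for key, value in cp.items(section):
            k = key.lower()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
                found.append((k, value.strip()))
    return found

def inspect_drive_root(root: str) -> AutorunReport:
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return AutorunReport(present=False, is_folder=False)
    if os.path.isdir(path):
        return AutorunReport(present=True, is_folder=True)   # guard folder: nothing to execute
    with open(path, encoding="utf-8", errors="replace") as fh:
        return AutorunReport(present=True, is_folder=False, launches=parse_autorun(fh.read()))

def quarantine_and_guard(root: str, quarantine_dir: str) -> str:
    """Move an autorun.inf file out of the drive root and leave a guard folder with
    the same name so the file cannot simply be rewritten later. Returns the path
    of the quarantined copy, or "" if there was no file to move."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return ""
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, "autorun.inf.quarantined")
    shutil.move(path, dest)
    os.mkdir(path)        # a folder named autorun.inf is not parsed as an INF by Windows
    return dest

# Constructed sample: a label and icon plus the three launch keys, all pointing
# at a hypothetical helper.exe (no real program is referenced or run).
CONSTRUCTED_INF = """[autorun]
label=Holiday photos
icon=photos.ico
open=helper.exe
shellexecute=helper.exe /start
shell\\open\\command=helper.exe /start
"""

def build_sample_root() -> str:
    """Create a throwaway 'drive root' containing the constructed autorun.inf."""
    root = tempfile.mkdtemp(prefix="usb_root_")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write(CONSTRUCTED_INF)
    return root

if __name__ == "__main__":
    root = build_sample_root()
    print("before:", inspect_drive_root(root))
    print("quarantined to:", quarantine_and_guard(root, os.path.join(root, "_quarantine")))
    print("after:", inspect_drive_root(root))
```

    The report distinguishes three states a defender cares about: no autorun.inf at all, a guard folder (safe, leave it alone, as the note above says), and a real file with launch keys, which is the case the Eset log reported. Quarantining rather than deleting keeps the file available if the helper wants to look at what it pointed to.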
  10. beckysellsaz

    beckysellsaz Newcomer, in training Topic Starter

    Hi Bobbye,

    Please do not close my thread. I have been working a lot the past few days so haven't had time to try to remove the viruses yet. Can you answer one question before I begin cleaning it? Which items do I need to clean? I will list the drives I have that may have been inserted into the computer in the past 4 months, assuming I got the virus the first week of March when all the slowness started. If you could tell me which ones need to be cleaned and which ones I don't need to worry about. I have two digital cameras with memory cards, one external hard drive, 2 different printers, but I don't think they have any memory cards, several ipods that have music and pictures on them, and we have cell phones although none of them have ever been connected through a usb to the computer so I don't know if it is necessary to clean those. Is my email infected as well, because I do get that remotely on my blackberry? I have burned music cds and movie dvds from the computer during this time. Are those infected too? Can I clean them or should I just throw them away and make new ones when it is clean?

    Thanks and I will start cleaning all the drives when I hear back from you.

    Becky
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Becky, I think this may sum it up:
    An analysis from Computer Associates:
    Malware authors have taken full advantage of the uses of these devices by so many. And they are also busy on the social networking sites. And so many users participate in file sharing, so the potential for unprotected systems is great!
     
  12. beckysellsaz

    beckysellsaz Newcomer, in training Topic Starter

    Hi Bobbye,

    I cleaned all the USB ports and devices using the Flash Disinfector. It worked with no problems on each item except once when the Avira said it blocked the autorun.inf file for protection. After that happened I simply started over and cleaned that flash drive a second time til I got an ok.

    Next I followed your instructions for using Old Timer to remove the viruses. My log is attached to this post but unfortunately the computer is still running slowly. I hope you can see something in the log that we can still try to improve the performance of the computer. I just don't understand why it lags so badly after all I have tried to clean it.

    Thanks so much for all your help through this.

    Becky

    Oldtimer log
    All processes killed
    ========== FILES ==========
    File/Folder C:\Documents and Settings\Owner\autorun.inf not found.
    C:\Documents and Settings\Owner\My Documents\2_lnk.zip moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 3336 bytes
    ->Flash cache emptied: 2836 bytes

    User: Administrator.PC326916935110
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 56468 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 1127634 bytes
    ->Flash cache emptied: 2813 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 488372 bytes
    ->Java cache emptied: 119641 bytes
    ->Flash cache emptied: 24600 bytes

    User: Owner
    ->Temp folder emptied: 1781296 bytes
    ->Temporary Internet Files folder emptied: 64830323 bytes
    ->Java cache emptied: 133230270 bytes
    ->FireFox cache emptied: 44295562 bytes
    ->Google Chrome cache emptied: 40164008 bytes
    ->Flash cache emptied: 3406647 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 896529 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 98968 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 1065 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 8014 bytes

    Total Files Cleaned = 277.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 08282011_225120

    Files moved on Reboot...

    Registry entries deleted on Reboot...
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Becky, using the DDS log as a guide, ALL of the following were running:

    None of the above need to start on boot. None need to be checked on the Startup Menu. Each can be accessed in Programs when needed.

    To remove entries from the Startup Menu using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      All images courtesy NetSquirrel
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Uncheck any processes you do not need to start on boot. This would be all of the processes I listed for the programs above
    • Click on Apply> OK when finished.

    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
    ======================================
    These programs aren't to go anywhere if you don't start them on boot. They will sit on your hard drive, only using hard drive 'space', but not system resources. They don't do that until you select the program and open it- effectively saying GO!!!
    -----------------------------------
    Some may be started by a Service, like 'jqs'- that is JavaQuickStart for instance. For that:
    Click on start> Run> type in services.msc> enter> double click on Java QuickStart> Change Startup Type to Disabled> Stop the Service........You don't need this to run at all.

    If any of the other programs have a Service, that can be changed to Manual instead of Automatic.